
SEP 12 RU1 MP1 IPS blocks application and doesn't log

Created: 06 Nov 2012 | Updated: 06 Nov 2012 | 9 comments
toby

Hi all,

 

I have a strange behavior. On a server I have an application that I can connect to via browser, even on localhost, for testing purposes.

When the IPS is installed and a basic IPS policy is available, the application does not work and doesn't show anything on the browser end. In the logs there is no entry at all.

After I withdrew the IPS policy the application works.

Does anyone have a clue about this, and especially why there is nothing in the log file on the client and SEPM side?

 

Thanks

toby

9 Comments

Brian81

Nothing in security log showing?

Chetan Savade

Hi,

Could you please provide application details? I.e. application name, in-house developed or by any other developer, etc.

 

Chetan Savade
Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.

toby

Nothing in any relevant log... 

The software is HP Discovery (DDMI).

------------------------------------------------------------------

Best regards!

toby

CISSP / MCP 

Yahya

To see all IPS action logs, you need to add all IPS signatures to IPS exceptions (in the IPS policy), and change any settings from "not log" to "log". You will be able to see all of them now.

toby

But this would mean it's all disabled then, right?

I thought that in case of a detection I would always be able to see what it was, which would be necessary in my case to have an exclusion for the application to be able to run. This is what is missing: to have the one detection displayed, to exclude it and leave the IPS running for the rest.

Yahya

For anything you add to the list, you have the chance to change its default action. Some IPS signatures have "not log" and you can change it to "log" instead. Once you have this IPS action detected and logged, you can exclude it.

Chetan Savade

Hi,

Could you please run SST on the affected computer?

Apply the IPS policy and after that gather the logs.

Here is the location of the Symantec Endpoint Protection Support Tool:

http://www.symantec.com/business/support/index?pag...

LarsB

We experience similar issues in a test environment.

toby

It seems with SEP12 RU2 the IPS policy is better and now everything that is blocked is also logged. In addition, events that are not logged are not blocked, but can be enabled via the exclusion to either allow or block and log.

So great help in terms of log correlation.

cheers, toby
