Endpoint Protection

  • 1.  SEP 12.1.5 showing Brute Force Attack when running Casper Recon

    Posted Jan 14, 2015 11:27 AM

     

    Good Morning,

     

    We are in the process of rolling out Yosemite to our campus, and I noticed an odd error when running Casper's Recon Utility.  When I click the enroll button after entering the machine information, I get an error from Recon stating "A Connection Error Occured.  Couldn't connect computer via SSH".  In addition, I am seeing a notification from SEP stating "Brute Force remote login".  Application: /usr/sbin/sshd

     

    Has anyone else seen this behavior and how do I fix this on the Mac Client?  We didn't have this issue with 12.1.4.  

     

    Joe



  • 2.  RE: SEP 12.1.5 showing Brute Force Attack when running Casper Recon

    Posted Jan 14, 2015 11:36 AM

    The SEP client may be blocking it. Have you tried excluding that host from SEP IPS scans?

    Managing intrusion prevention on your client computers



  • 3.  RE: SEP 12.1.5 showing Brute Force Attack when running Casper Recon

    Posted Jan 15, 2015 05:55 AM

    Hi uwwjoe,

    Casper Suite has a reputation of being a very useful set of tools.  It can help install SEP for Mac, for instance.

    Exporting and Deploying a Symantec Endpoint Protection Macintosh client via Apple Remote Desktop or Casper
     http://www.symantec.com/docs/HOWTO92266

     

    I have not seen that Recon Utility, but I suspect that it is performing actions that trigger SEP's defenses.  This also occurs with other automated tools that scan the clients and attempt to enumerate their open ports, etc.  It is correct that SEP should respond in this way to such scans. The following article has more information:

    Symantec Endpoint Protection for Macintosh: IPS Overview and Troubleshooting
    http://www.symantec.com/docs/TECH212382

    Please do update this thread with news if this has been helpful!

    With thanks and best regards,

    Mick



  • 4.  RE: SEP 12.1.5 showing Brute Force Attack when running Casper Recon

    Posted Feb 24, 2015 06:44 AM

    Hello again uwwjoe,

    This article may be of interest:

    Some SEP Macintosh IPS detections occur despite host exceptions and there are no exception signatures for the detected IDs
    http://www.symantec.com/docs/TECH227991

    Many thanks!

    Mick