Video Screencast Help

SEP default IPS policy says it blocks IRC, but it doesn't

Created: 04 Oct 2013 | 3 comments

In my environment I occasionally see this alert:

[SID: 55000] IRC Identification Signature attack detected but not blocked. Application path: \DEVICE\HARDDISKVOLUME2\PROGRAM FILES (X86)\GOOGLE\CHROME\APPLICATION\CHROME.EXE

If I look at the IPS signatures, the defalt action for SIG 55000 is "Block". What gives?  I would prefer that SEP automatically block this but it appears to already be set as such.

Thanks in advance..

Operating Systems:

Comments 3 CommentsJump to latest comment

Brɨan's picture

Try setting the signature to block, see here on how to

https://www-secure.symantec.com/connect/articles/h...

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

abhinav_singh's picture

Audit signatures can be manually set to Block based on preference.

Bill_K's picture

Thank you both, I've gone ahead and create a separate setting to block-- I just don't understand why this was necessary because the built-in behavior (of this signature on the SEPM console) says "Block".