Endpoint Protection

  • 1.  SEP default IPS policy says it blocks IRC, but it doesn't

    Posted Oct 04, 2013 08:31 AM

    In my environment I occasionally see this alert:

    [SID: 55000] IRC Identification Signature attack detected but not blocked. Application path: \DEVICE\HARDDISKVOLUME2\PROGRAM FILES (X86)\GOOGLE\CHROME\APPLICATION\CHROME.EXE

    If I look at the IPS signatures, the default action for SIG 55000 is "Block". What gives? I would prefer that SEP automatically block this, but it appears to already be set as such.

    Thanks in advance.

     



  • 2.  RE: SEP default IPS policy says it blocks IRC, but it doesn't

    Posted Oct 04, 2013 08:39 AM

    Try setting the signature to block; see here for how to:

    https://www-secure.symantec.com/connect/articles/how-exclude-individual-ips-signatures-ips-policy



  • 3.  RE: SEP default IPS policy says it blocks IRC, but it doesn't

    Posted Oct 09, 2013 02:21 PM

    Audit signatures can be manually set to Block based on preference.



  • 4.  RE: SEP default IPS policy says it blocks IRC, but it doesn't

    Posted Oct 09, 2013 02:26 PM

    Thank you both, I've gone ahead and created a separate setting to block. I just don't understand why this was necessary, because the built-in behavior (of this signature on the SEPM console) says "Block".