Video Screencast Help

SEP default IPS policy says it blocks IRC, but it doesn't

Created: 04 Oct 2013 | 3 comments

In my environment I occasionally see this alert:

[SID: 55000] IRC Identification Signature attack detected but not blocked. Application path: \DEVICE\HARDDISKVOLUME2\PROGRAM FILES (X86)\GOOGLE\CHROME\APPLICATION\CHROME.EXE

If I look at the IPS signatures, the defalt action for SIG 55000 is "Block". What gives?  I would prefer that SEP automatically block this but it appears to already be set as such.

Thanks in advance..

Operating Systems:

Comments 3 CommentsJump to latest comment

Brɨan's picture

Try setting the signature to block, see here on how to

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

abhinav_singh's picture

Audit signatures can be manually set to Block based on preference.

Bill_K's picture

Thank you both, I've gone ahead and create a separate setting to block-- I just don't understand why this was necessary because the built-in behavior (of this signature on the SEPM console) says "Block".