Endpoint Protection Small Business Edition

Hello all

We have client running on SEPM 12.1.3 Small Business edition and SEP 12.1.1 Small Business Edition

One of the client is repeatdly getting alerts /pop ups from SEP about a blocked port scan and upon further inspection found that this port scan is coming from a local IP assigned to a HP printer

All firewall settings on SEP is disbled by SEPM policy.

Do let us know how we can add an exception so that attempts from the HP printer which are getting registered as  as port scans will be ignored.

Thanks

Dhanushka 

Does the printer have a setting configured which causes it to scan? I've seen this for some printers.

This is due to the IPS policy, you can set it as an excluded host per here:

http://www.symantec.com/docs/HOWTO81159

However, if you're running SBE, I can't quite recall if this feature is available but you can verify following the link I posted.

please post the image of the the message.

Hello Brian and Pete

Many thanks for your posts

Brian, unfortunatly such option is not available under intrusion prevention on SEPM SBE  edition.Please refer the attachment "Intrusion Prevention settings" for the available options.

Pete , have attached a screenshot (Port scan-screenshot) of the pop up message.

Regards

Dhanushka

Hello,

As this is SEP SBE version, there are limited features available.

Could you try installing the latest SEP version?

Latest SEP client version is SEP 12.1 RU3 (12.1.3001.165)

Hope that helps!!

Hi Mithun

Unfortunately even 12.1.3 does not have such options.

Dhanushka

That was my worry that it was not available in SBE.

Does this means that there is no option to add an exception to SEP intrusion prevention / firewall ?

Dhanushka

You could turn of the option to block the attacker. It will just be logged instead of actually being blocked.

Based on what I see on SBE editions its only possible to disable port scans completly.

But this option is locked on SEP.How can we unlock this option?

Also is it possible to disable only the port scan notifications?

Dhanushka

Go into the Firewall policy >> Protection and Stealth tab and uncheck Automatically block an attacker's IP address.

To disable the notification, check this:

How to Disable Client Intrusion Prevention Notifications in Symantec Endpoint Protection Manager (SEPM)

http://www.symantec.com/docs/TECH105013

Hi Brian

Unfortunately there is no such option on SBE 

Dhanushka

Do you have the firewall policy withdrawn completely from the client?

Havent done any changes to the client.Its still in the same group with all the policies applied like before.

If you're not using the firewall policy than you can withdraw it completely

http://www.symantec.com/docs/HOWTO80907

Should be corrected as SBE

Again , there is no withdraw option on SBB :(

Hello,

That's what I meant, in SEP SBE version there are limited features available.

In other words, this feature of creating exceptions OR removing the notification is not available.

In your case, you could simply disable the Intrusion Prevention policy from the SEPM SBE 12.1

OR

Deploy the package on the client machine without IPS feature.

Hope that helps!!

can you create  a new policy for firewall and IPS and check if it gets suppressed.

Have created a new group/firewall policy and addedd the MAC address of the printer and allowed all connections from that MAC address.

Added the client is question to the group.

Will monitor for a couple of days and get back with an update.

Dhanushka

Sorry for the delay but had to attend to few other urgent issues.Will give an update as soon as possible

Dhanushka

Hello all

Got the feedback from the cleint today and the popup is no more!!!!

Thanks all for your time and support on this issue.

Regards

Dhanushka