DoS was working as designed in RU5. I got that straight from support and development. I've had two cases open for over a month, they were just closed due to "working as designed".
Cass was helping me - cases 320-239-573 and 411-752-839
What was happening - servers were reporting DoS attacks from our own computers, more specifically, this was happening constantly with DCs.
I had the "block traffic for xxxx" TURNED OFF. Found out that SEP STILL blocks ALL pings of all sorts from all sources for several seconds REGARDLESS of whether that's enabled or not. It was enabled and folks couldn't even get logged in and policies would not apply, etc. - because XP machines PING the DCs several times, and if they can't ping, you have trouble. 10 minutes was a huge amount of time, so I decided to uncheck that and have it not block at all.
That's when I learned that it will block regardless of that setting, for roughly 15 seconds or so. When it sees a DoS it blocks ALL pings, period. I could prove it by setting up two computers with a ping -t dcaddress and monitoring. Every so often, the pings would drop for like 5 or 6 tries. When I checked in Wireshark, there was a large number of FRAGMENTED packets and pings coming through in like 1 second. Most from a single computer, but when that combined with similar pings from other computers within that 1 second, SEP reacted by blocking traffic for several "pings" and I saw the pings drop from both of my test computers.
So the solution - move the DCs into a sub-group and disable DoS detection. I still run full IPS, but uncheck DoS detections.
We've been ok since that time.
Symantec if you need to post info from the above cases, feel free to do so, just remove names if you would.
Otherwise if my case info is helpful to anyone, feel free to share it.
LOL - as a government agency, even my salary is public record ;-)
15 detections in 1 second, any source - it blocks for several seconds - EVEN WITH that 10-minute block feature NOT checked. Check how XP uses pings to check domain speeds, gets policies, etc. and you'll see what I went through.
BTW - Cass is a super tech to work with!!!!!!!! He was always helpful, patient, and did everything he could to get me information.
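A small simulation of the aggregate-count behaviour described in this post, added here as an illustration; it is not part of the original post and not SEP's code. The 15-detections-per-second threshold is the figure quoted above, while the sample ICMP traffic, the host addresses and the 5-second block length are constructed assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample of ICMP echo requests as a DC might see them: (time in seconds, source IP).
# One XP host sends a burst of fragmented pings; two others ping in the same second.
# No single source reaches the threshold on its own, but the aggregate does.
BURST = [(3.0 + i * 0.05, "10.0.0.5") for i in range(12)]
BURST += [(3.2, "10.0.0.6"), (3.6, "10.0.0.6"), (3.4, "10.0.0.7"), (3.8, "10.0.0.7")]

# Two monitoring hosts running "ping -t dcaddress", one echo request per second (constructed).
MONITOR = [(float(t), src) for t in range(0, 20) for src in ("10.0.0.50", "10.0.0.51")]

THRESHOLD = 15     # detections in one second, any source (figure quoted in the post)
BLOCK_SECONDS = 5  # assumed block length; the post reports "several seconds"

def per_second_counts(pings):
    """Count echo requests per whole-second bucket, in total and per source."""
    total, by_source = Counter(), defaultdict(Counter)
    for ts, src in pings:
        bucket = int(ts)
        total[bucket] += 1
        by_source[bucket][src] += 1
    return total, by_source

def block_intervals(pings, threshold=THRESHOLD, block_seconds=BLOCK_SECONDS):
    """Return [(start, end)] windows during which ALL ICMP would be dropped.
    A block starts at the second after the bucket whose combined count hit the threshold."""
    total, _ = per_second_counts(pings)
    blocks = []
    for bucket in sorted(total):
        if total[bucket] < threshold:
            continue
        start = bucket + 1
        if blocks and start < blocks[-1][1]:
            continue  # already blocking; do not restart the timer
        blocks.append((start, start + block_seconds))
    return blocks

def dropped(monitor_pings, blocks):
    """Echo requests from the monitoring hosts that fall inside a block interval."""
    return [(ts, src) for ts, src in monitor_pings
            if any(start <= ts < end for start, end in blocks)]

if __name__ == "__main__":
    total, by_source = per_second_counts(BURST)
    print("second 3 total:", total[3], "per source:", dict(by_source[3]))
    blocks = block_intervals(BURST + MONITOR)
    print("block intervals:", blocks)
    lost = dropped(MONITOR, blocks)
    print(f"{len(lost)} monitor pings dropped, from {sorted({s for _, s in lost})}")
```

Run as-is it shows the pattern from the post: the noisy host contributes 12 of the 16 echo requests in second 3, the monitors push the combined count past 15, and both test machines then lose five consecutive replies even though neither of them sent anything unusual.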