Endpoint Protection

  • 1.  Sygate blocking PingPlotter

    Posted Jul 19, 2007 09:10 AM
    We have Sygate 5.1 deployed to our organization and have run into a problem that we cannot find a way around. 
     
    Our network team uses a program called PingPlotter to send larger-than-normal packets to remote hosts (1300 bytes or so) and Sygate keeps knocking this down as a "Ping of Death."
     
    Here is the exact text Sygate puts in the description  (this is getting logged in the Agent Security Log):  Denial of Service "Ping of Death" attack detected. Description: In a Ping of Death attack, the hacker uses a packet with a size that is larger than the normal standard. When your system encounters a packet of this size, it often crashes, hangs, or reboot
     
    My problem is trying to find the rule or policy that is blocking this behavior.  This particular behavior is default in Sygate.
     
    Does anybody have a clue as to where this rule is and if I can either modify it or create another rule to allow large packet sizes from PingPlotter?
     
    Thanks
    Scott


  • 2.  RE: Sygate blocking PingPlotter

    Posted Jul 19, 2007 01:07 PM
    It is likely Intrusion Detection rules are blocking it. To test this, put an agent into a test group, disable all IDS functionality, and see if the issue can be reproduced. If it no longer happens, see if you can determine the exact rule that is triggering and disable it.


  • 3.  RE: Sygate blocking PingPlotter

    Posted Jul 26, 2007 05:20 PM
    Ok.  Figured it out.  In our "internal" firewall policy, the "Enable Denial of Service Checking" checkbox was selected on the Intrusion Prevention tab.  Unchecking that and leaving the IPS DOS attack rules in place has stopped PingPlotter from being blocked and still leaves us protected from DOS attacks.
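
Added example, not part of the thread and not Sygate's detection logic: a Ping of Death datagram is one whose fragments reassemble past IPv4's 65,535-byte limit, so a check based on fragment offset plus length leaves a 1300-byte echo like PingPlotter's alone. The function names and the sample headers below are constructed for illustration.

```python
import struct

IPV4_MAX_DATAGRAM = 65535  # a 16-bit Total Length field cannot describe more
ICMP = 1                   # IPv4 protocol number for ICMP

def parse_ipv4_header(packet: bytes) -> dict:
    """Extract the fields needed to compute where this fragment's data ends."""
    if len(packet) < 20:
        raise ValueError("shorter than a minimal IPv4 header")
    ver_ihl, _tos, total_len, _id, flags_frag, _ttl, proto = struct.unpack(
        "!BBHHHBB", packet[:10])
    header_len = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or header_len < 20 or total_len < header_len:
        raise ValueError("not a well-formed IPv4 header")
    return {"proto": proto, "header_len": header_len,
            "payload_len": total_len - header_len,
            "frag_offset": (flags_frag & 0x1FFF) * 8}  # offset is in 8-byte units

def classify_icmp(packet: bytes) -> str:
    """Return 'oversized-reassembly' only if the datagram cannot legally reassemble."""
    h = parse_ipv4_header(packet)
    if h["proto"] != ICMP:
        return "not-icmp"
    # Assumption: the first fragment's header is the same length as this one's.
    end = h["header_len"] + h["frag_offset"] + h["payload_len"]
    return "oversized-reassembly" if end > IPV4_MAX_DATAGRAM else "ok"

def build_header(total_len: int, frag_offset: int, more: bool, proto: int = ICMP) -> bytes:
    """Constructed 20-byte test header (checksum left 0, RFC 5737 addresses)."""
    flags_frag = (0x2000 if more else 0) | (frag_offset // 8)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, flags_frag,
                       64, proto, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))

# Constructed samples: headers only, payload bytes are not needed for the check.
LARGE_ECHO = build_header(20 + 8 + 1300, 0, False)      # 1300-byte echo payload
LAST_FRAGMENT = build_header(1500, 64000, False)         # ends at byte 65500
OVERFLOW_FRAGMENT = build_header(1020, 65528, False)     # ends at byte 66548

if __name__ == "__main__":
    for name, pkt in [("large echo", LARGE_ECHO), ("last fragment", LAST_FRAGMENT),
                      ("overflow fragment", OVERFLOW_FRAGMENT)]:
        print(f"{name:18s} {classify_icmp(pkt)}")
```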