Website blocking via custom IPS signatures (new)

Created: 25 Feb 2011 • Updated: 18 Mar 2011 | 3 comments
This issue has been solved. See solution.

I have read the following forum discussion https://www-secure.symantec.com/connect/forums/web... and have decided to open a new one because I couldn't continue the discussion.

My problem is that the created custom IPS signatures in my SEPM don't work constantly.

I have created similar signatures but they work after signing on the groups and updating the policy on PCs only.

Not long after the clients can open websites which were blocked by IPS.

What direction should I move in order to determine the problem?

Thanks in advance for help.

Mithun Sanghavi

Hello,

As I understood, the custom created IPS signatures in your SEPM don't work constantly (that means they work sometimes and sometimes they don't work).

You have created similar signatures but they work after signing on the groups and updating the policy on PCs directly.

So, there are a few things here I understand that could be the reason.

1) Policies are not reaching the Symantec Endpoint Protection clients and updating the same.

This could happen when transfer of Policies for the IPS are being blocked.

Check if the SEPM homepage shows that the IPS Definition Distribution was done correctly across all clients.

Also, check the Windows Firewall on the client machines. Turn it off for the time being and check.

2) If the Policies are reaching correctly, that means users are able to change the Settings on the Symantec Endpoint Protection Client.

Follow the KB article provided below to block a user's ability to disable Symantec Endpoint Protection on clients:

http://www.symantec.com/business/support/index?page=content&id=TECH102822&actp=search&viewlocale=en_US&searchid=1298633445214

Hope that works for you!!! 

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

SOLUTION
Boris Desonov

Hello Mithun,

Thanks for the reply. You understood correctly!

Neither policy distribution nor user rights are the cause of the existing problem.

Firstly, the updated policy was distributed successfully (please look at the attached file). Also, Windows Firewall is being disabled during the installation of SEP on the PCs (automatically or manually if required).

Secondly, the users don't have admin rights at all; that's why they aren't able to disable SEP.

Would there be any additional settings which can influence this situation?

IPS_distribution.png
Mithun Sanghavi

Hello,

Not anything that I can think of, as the IPS signature will either Allow or Block.

Mithun Sanghavi