Remove outdated IPS signatures - still showing as warnings

Created: 22 Aug 2014 | 10 comments
ThaveshinP's picture

https://www-secure.symantec.com/connect/forums/cli...

Please can Symantec look into removing outdated IPS signatures. Symantec remove the outdated IPS signatures from their website under signatures but can't remove them with updates?

Comments

Elisha's picture

The log message you are seeing means that you have created exclusions for signatures that no longer exist.  You need to remove the exclusions for these signatures in SEPM for this log message to go away.

Here are the steps to do that:

1. Log into SEPM console and go to the "Clients" tab.

2. Click on "Intrusion Prevention" and edit the Intrusion Prevention policy where you are seeing this issue.

3. Click on "Exceptions" and delete any exceptions where the ID matches one of the log messages you are seeing.

ThaveshinP's picture

Ok, I don't have time to remove 1000+ signatures from the IPS policy as I have multiple policies. Why can't Symantec just remove or update them as disabled? So much work - yet Symantec update their website with removing IPS signatures that are outdated.

Elisha's picture

We have already removed these IPS signatures.  That is why you are getting this message.  Now you need to remove them from your policy.

ThaveshinP's picture

@Elisha. OK - I get I have to remove them from the policy - but what happens if I have more than 1 policy that I have to update? That is a lot of overhead admin that I have to do - when - (weekly, monthly) where there is no notification in the console that the signature is outdated or removed. Also, why doesn't Symantec update the list accordingly - "We have already removed these IPS signatures" - with the updates? How come the update is not filtered to the policy itself?

Elisha's picture

We don't want to modify a customer's policy automatically for many reasons.  However I understand that it is not easy to manually remove lots of signatures from the IPS exclusion list manually.  Especially since you have to remove them one-by-one.

I am curious why you have so many exclusions?  Normally you should only exclude signatures that are causing an issue for you, which should be very few, if any.

I recommend you create a whole new IPS policy and only add the exclusions you absolutely need.  Then you can replace the old IPS policy with this new one and delete the old one.

Note: also keep in mind that the message you are currently seeing is just a warning.  You can safely ignore it.

ThaveshinP's picture

Why not update just the IPS signatures only to show what is outdated - then at least I know which ones to remove. I can't sit and do that every time as Symantec does not release what is outdated....

Elisha's picture

Yes, that is a good idea.  I am still curious why you have so many IPS exclusions?  Running that way is not recommended.

ThaveshinP's picture

For the complicated environment that my customer has currently there is a need for different policies. So I guess Symantec haven't thought about it yet...

Elisha's picture

Complicated environments with different policies are expected.  We have many customers with that.  However what is unexpected is that you have so many exclusions enabled.  Normally you should only have a handful of exclusions.  Exclusions should only be enabled if there is an issue with a particular IPS signature, which is not very common.

ThaveshinP's picture

IPS signatures are taken on the assumption that what the customer needs to be protected. Now, you expect me to go through 3000 signatures to decide which ones the customer doesn't need?? Please get Symantec to update the IPS signatures that have been disabled/removed. That is all.
