
SEP 12 RU1 MP1 IPS blocks application and doesn't log

Created: 06 Nov 2012 • Updated: 06 Nov 2012 | Comments: 9

Hi all,

I have a strange behavior. On a server I have an application that I can connect to via browser, even localhost, for testing purposes.

When the IPS is installed and a basic IPS Policy is available the application does not work and doesn't show anything on the browser end. In the logs there is no entry at all.

After I withdrew the IPS policy the application works.

Does anyone have a clue about this, and especially why there is nothing in the log file on the client and SEPM side?

Thanks

toby

Comments

.Brian's picture

Nothing in security log showing?

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Chetan Savade's picture

Hi,

Could you please provide application details? i.e. application name, in-house developed or any other developer, etc.

Chetan Savade
Sr.Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.

toby's picture

Nothing in any relevant log... 

the software is hp discovery (ddmi)

------------------------------------------------------------------

Best regards!

toby

CISSP / STS / MCP 

Yahya's picture

To see all IPS action logs, you need to add all IPS signatures to IPS exceptions (in the IPS policy), and change any settings from "not log" to "log". You will be able to see all of them now.

toby's picture

But this would mean it's all disabled then, right?

I thought that in case of a detection I would always be able to see what it was, which would be necessary in my case to have an exclusion for the application to be able to run, and this is what is missing: to have the one detection displayed to exclude, and leave the IPS running for the rest.

------------------------------------------------------------------

Best regards!

toby

CISSP / STS / MCP 

Yahya's picture

Anything you add to the list, you have the chance to change its default action. Some IPS signatures have "not log" and you can change it to "log" instead. Once you have this IPS action detected and logged, you can exclude it.

Chetan Savade's picture

Hi,

Could you please run SST on the affected computer?

Apply the IPS policy and after that gather the logs.

Here is the location of the Symantec Endpoint Protection Support Tool:

http://www.symantec.com/business/support/index?pag...

Chetan Savade
Sr.Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.

toby's picture

It seems with SEP12 RU2 the IPS Policy is better and now everything that is blocked is also logged. In addition, events that are not logged are not blocked, but can be enabled via the exclusion to either allow or block and log.

So great help in terms of log correlation.

cheers, toby

------------------------------------------------------------------

Best regards!

toby

CISSP / STS / MCP