Critical System Protection

View Only

Back to Library

How to install the SCSP SymIDS ISAPI filter on Windows Server 2008 R2

Recommend

Aug 07, 2012 10:59 AM

Migration User

Content:

Descriptive steps
Troubleshooting IIS
Related articles

Descriptive steps

The Microsoft IIS policies detect attacks on Microsoft IIS Web servers using a specially designed ISAPI filter. This filter collects data from incoming HTTP traffic to the Web server and writes it to <installdir>\IDS\SymIDSFilterLog\SymIDSFilter.log.
You must install this filter on a Web server that is being monitored by a Symantec Critical System Protection agent.
This filter must be installed to enable detection in the following IIS log monitoring policies:

Malware (to enable the WebDAV, CodeRed, and Nimda rules)
MS_IIS_Vulnerable_CGI_Scripts
SANS (to enable the text log rules)

Installing the ISAPI filter

The ISAPI filter is a file that is named SymIDSFilter.dll, and by default is located in the C:\Program Files\Symantec\Critical System Protection\Agent\IDS\bin directory. After you install the SymIDS ISAPI filter, you must restart the IIS service.

Note: If a different directory location was specified during agent installation, please refer to that directory location (<installdir>\IDS\bin).
Warning: After an agent upgrade, if you loaded the SymIDSFilter.dll file from a location other than the installation directory (<installdir>\IDS\bin), you must manually replace the SymIDSFilter.dll file with a new copy, and restart IIS.

The <installdir>\IDS\SymIDSFilterLog\SymIDSFilter.log file truncates to zero size when it grows greater than 10MB.
The directory that contains the ISAPI filter should be accessible only to administrators or a members of the Administrators group on the local computer.

To install the SymIDS ISAPI filter

a. Click Start > Programs > Administrator Tools > Internet Information Services (IIS) Manager.

b. In the Internet Information Services (IIS) Manager window, open the ISAPI Filters feature: