Endpoint Protection


Active Response disengaged

Rafeeq, Feb 10, 2017 01:00 PM

  • 1.  Active Response disengaged

    Posted Feb 10, 2017 11:33 AM

    Hello, 

    I have a network scanner and we do a vulnerability scan on random computers. Now, as you all know, the IPS would block any port scan attempts for 600 seconds.

    So I have added the Scanner IP address to the IPS policy > Excluded Host > IP Address of the Scanner

    I have also created a Firewall Rule to Allow all Traffic and Selected the Local/Remote combination to allow all Remote traffic from the Scanner's IP address. 

    Now when I check the IPS Attack logs I see these 3 events:

    1) Active Response: The client will block the IP Address

    2) Port Scan: Somebody is scanning your computer

    3) Active Response that started at (Date) (Time) is disengaged.


    And the scanner is not yielding the expected results.


    Any help would be appreciated.

    Thanks, 




  • 2.  RE: Active Response disengaged

    Posted Feb 10, 2017 11:39 AM

    Is the vulnerability scanner a Windows box, and, if so, is the IPS blocking its traffic on the vulnerability scanning box?



  • 3.  RE: Active Response disengaged

    Posted Feb 10, 2017 11:41 AM

    Hey Brian, 

    Yes, it's an OVA installed on a Windows machine.

    No, the IPS is blocking the traffic on the client machines with SEP which the scanner is trying to scan.



  • 4.  RE: Active Response disengaged

    Posted Feb 10, 2017 11:52 AM

    And the clients have the updated policy from SEPM after you made the policy changes?

    Creating the firewall rule is what would be needed first as it would be processed before IPS rules:

    http://www.symantec.com/docs/TECH226408



  • 5.  RE: Active Response disengaged

    Posted Feb 10, 2017 12:08 PM

    Right, the clients have taken the latest policy serial number as well.

    I have created both Firewall as well as IPS rules, but it does not seem to be helping.



  • 6.  RE: Active Response disengaged

    Posted Feb 10, 2017 12:09 PM

    I guess it's passing through the firewall, but when IPS tries to do deep packet inspection, that is when it blocks it, or maybe it is not able to honour the excluded host IP address.



  • 7.  RE: Active Response disengaged

    Posted Feb 10, 2017 12:11 PM

    Yes, if IPS is flagging it then the firewall rule took effect.

    Seems host exclusion is not being honored. What is the exact version of SEP and SEPM here?



  • 8.  RE: Active Response disengaged

    Posted Feb 10, 2017 12:17 PM

    SEPM and SEP both are on 12.1.6 RU6 MP5 (12.1.7004.6500)

    Anything else we can try here?



  • 9.  RE: Active Response disengaged

    Posted Feb 10, 2017 12:30 PM

    It doesn't sound like these exceptions are being honored then. Without seeing screenshots or further detail, I'd suggest getting a case open so a support representative can remotely access your SEPM to troubleshoot further.



  • 10.  RE: Active Response disengaged

    Posted Feb 10, 2017 01:00 PM

    Please let me know what screenshots you would need.



  • 11.  RE: Active Response disengaged

    Posted Feb 10, 2017 01:00 PM

    Any one of these hosts have dual NIC??


  • 12.  RE: Active Response disengaged

    Posted Feb 10, 2017 01:01 PM

    I have a case open with Symantec, but that does not seem to be getting me anywhere.



  • 13.  RE: Active Response disengaged

    Posted Feb 10, 2017 01:14 PM

    @Rafeeq, no, I have checked that: those are normal client machines with a single NIC on them.



  • 14.  RE: Active Response disengaged
    Best Answer

    Posted Feb 27, 2017 10:42 AM

    Hello All, 

    I was able to resolve the issue by changing the Location setting to Server Control, as it was set to Client Control, which was not honouring the firewall rules.