Endpoint Protection


Intrusion Prevention for AppScan

  • 1.  Intrusion Prevention for AppScan

    Posted Oct 18, 2017 01:12 AM

    We have the security PC doing AppScan on a regular basis, but it is being blocked by Intrusion Prevention.

    How can I create an exception for this PC to do the AppScan?



  • 2.  RE: Intrusion Prevention for AppScan

    Trusted Advisor
    Posted Oct 18, 2017 03:36 AM

    Submit the application to Symantec using the link below; they will then assess the file and remove it from detections. It can take them up to 72 hours.

    https://submit.symantec.com/false_positive/



  • 3.  RE: Intrusion Prevention for AppScan

    Posted Oct 18, 2017 06:20 AM

    Just add it as an excluded host in the IPS policy. AppScan is for doing web pentesting and SEP has multiple detections against this.



  • 4.  RE: Intrusion Prevention for AppScan

    Posted Oct 19, 2017 06:50 AM

    Yes, I have added it as an exclusion, but the application is still getting blocked by the IPS signatures.

    Should we create a firewall policy?



  • 5.  RE: Intrusion Prevention for AppScan

    Posted Oct 19, 2017 06:53 AM

    Did you add the AppScan IP to the Excluded Hosts list? If so, did the clients pick up the policy change?

    I don't believe adding a firewall rule will help in the event that these are detections by IPS.



  • 6.  RE: Intrusion Prevention for AppScan

    Posted Oct 22, 2017 03:25 AM

    Yes, I added the IP to the excluded hosts itself, and the users are still getting blocked.




  • 7.  RE: Intrusion Prevention for AppScan

    Posted Oct 22, 2017 07:30 AM

    Ok, so this is on the AppScan server itself? If so, then your only two options are to remove the IPS component or disable IPS and do your scanning then re-enable once complete.

    I brought the same issue up with Nessus vulnerability scanner long ago:

    https://www.symantec.com/connect/ideas/sep-121-ips-application-exclusion-enhancement-request



  • 8.  RE: Intrusion Prevention for AppScan

    Posted Oct 23, 2017 06:43 AM

    Hello Brian,

    The Security team have installed the AppScan application on their machine, and when they try to scan different endpoints, they get this issue.

    So if we add the AppScan PCs as Excluded Hosts, won't they be able to do the scan?

    Will creating a firewall policy enable traffic between AppScan and endpoints?



  • 9.  RE: Intrusion Prevention for AppScan

    Posted Oct 23, 2017 06:50 AM

    That's correct. Excluded Hosts will not work for them.

    The only options are to remove the IPS component or temporarily disable it - per what I linked above.



  • 10.  RE: Intrusion Prevention for AppScan

    Posted Oct 25, 2017 04:26 AM

    These IT security staff were able to scan earlier. But recently the PC was replaced with Windows 10, and hence it proves that some change needs to be made in the policy so that they can scan again.

    Please put in your valuable inputs.



  • 11.  RE: Intrusion Prevention for AppScan

    Posted Oct 25, 2017 06:56 AM

    Check with support. Excluded Hosts in IPS does not work on the scanner itself. It is used to put in the IP address of the scanner as a remote host and IPS on clients will exclude the scanner IP from its IPS detections.



  • 12.  RE: Intrusion Prevention for AppScan

    Posted Oct 26, 2017 06:19 PM

    We are having the same issue and need the ability to scan our environment for vulnerabilities. I have followed all of the recommended steps/suggestions with no success. Please see all related documents in Case 13548856.

    Please either update the signatures or enhance the Endpoint Protection Small Business Edition so that we are able to exclude Nessus from the IPS alerts/blocks.



  • 13.  RE: Intrusion Prevention for AppScan

    Posted Oct 26, 2017 06:27 PM
    The only options are to disable IPS to run the scan or remove the component completely on the Nessus box.