Endpoint Protection


IPS Signatures Blocks VA Scanning

  • 1.  IPS Signatures Blocks VA Scanning

    Posted Dec 13, 2017 04:45 AM

    I am trying to perform an authenticated vulnerability scan on the endpoints and it is not successful due to an IPS signature.

    Are there any best practices that I need to keep in mind?



  • 2.  RE: IPS Signatures Blocks VA Scanning

    Posted Dec 13, 2017 07:05 AM

    Is it happening on the endpoints? If so, just add the vulnerability scanner IP as an excluded host in the IPS policy.

    If this is happening on the vulnerability scanner running on Windows then your only options are to temporarily disable IPS before running the scan or withdraw the IPS policy.



  • 3.  RE: IPS Signatures Blocks VA Scanning

    Posted Dec 13, 2017 07:42 AM

    Even though I add the scanner IP as an excluded host, the target machines reject the incoming connections.

    Because the same IPS policies are in place for the target machines as well.

    Thanks



  • 4.  RE: IPS Signatures Blocks VA Scanning

    Posted Dec 13, 2017 07:46 AM

    Then what version is the SEPM and clients running? Did you verify policies all match?



  • 5.  RE: IPS Signatures Blocks VA Scanning

    Posted Dec 13, 2017 07:51 AM

    SEPM and client version is 14 & 12.6.

    Yes, IPS policies are all enabled for the endpoints.

    Thanks



  • 6.  RE: IPS Signatures Blocks VA Scanning

    Posted Dec 13, 2017 07:56 AM

    And the policy on the client matches exactly what shows in SEPM for these groups?

    Did you exclude via IP or host name? Or both? What signatures are firing?



  • 7.  RE: IPS Signatures Blocks VA Scanning

    Posted Dec 13, 2017 08:49 AM

    OS Attack: Microsoft SMB MS17-010 Disclosure Attempt

    Attack: Nessus Vulnerability Scanner Activity.

    For excluding, we only have the option via IP and not hostname.

    If I refer to the below article, it seems like you cannot only whitelist the source scanner IP.

    https://support.symantec.com/en_US/article.TECH239693.html



  • 8.  RE: IPS Signatures Blocks VA Scanning

    Posted Dec 13, 2017 08:56 AM

    I use host groups, which include the ability to add the host name.

    Regardless, if everything is configured correctly then something else is going on. I'd suggest calling support so someone can remote in and review.



  • 9.  RE: IPS Signatures Blocks VA Scanning

    Posted Dec 14, 2017 12:41 AM

    Yes, I contacted support and below was the answer:

    "As per our discussion, Symantec endpoint protection does not allow Tenable Nessus vulnerability scanner to run"

    & gave the below link.

    https://support.symantec.com/en_US/article.TECH239693.html

     

    The host group can be used for the firewall policies but not for the IPS.

     

     



  • 10.  RE: IPS Signatures Blocks VA Scanning

    Posted Dec 14, 2017 06:34 AM

    I use Nessus and I add the scanners' IPs to the excluded hosts file in the IPS policy. It works as expected so I don't know why support would say that.

    The only way it doesn't work is when IPS is installed on the Nessus scanner (if running on Windows OS) and IPS either needs to be temporarily disabled or removed. 



  • 11.  RE: IPS Signatures Blocks VA Scanning

    Posted Dec 14, 2017 08:10 AM

    Even though I add the scanner IP to the exception, the target machine would block it. Because those machines will also have the same IPS policies which will block the incoming traffic or connection.



  • 12.  RE: IPS Signatures Blocks VA Scanning

    Posted Dec 14, 2017 08:14 AM

    I can only suggest to continue working with support. I know for a fact this works because I dealt with this a couple of years back.