Hello,
It seems IPS has blocked legitimate intrusions.
I would suggest you check whether there are suspicious browser add-ons installed.
Could you check the Virus Logs and Threat Logs to see if Symantec has detected any threats?
If yes, turn on Risk Tracer from the SEPM and get the details from the Risk Logs. (Risk Logs can be taken from the SEPM, exported and opened in Excel.)
Here are the Links:
1) About Risk Tracer
http://www.symantec.com/docs/HOWTO27137
2) What is Risk Tracer?
http://www.symantec.com/docs/TECH102539
3) How to use Risk Tracer to locate the source of a threat in Symantec Endpoint Protection
http://www.symantec.com/docs/TECH94526
NOTE: For Risk Tracer to work correctly, you need Network Threat Protection installed and enabled on all machines.
Risk Tracer can be extremely useful in informing what computers to isolate and scan. For illustration, export a Log History Report from the SEPM and hide many of the columns that do not relate to Risk Tracer.
Example:
1) "Monitors Tab" on the left hand pane.
2) "Logs" on the tab menu (Top of Screen)
3) "Log Type:" Risk
4) Default Filter
5) "View Log" button
6) Export Search Results.
7) Import into Excel.
Results below.

Example of Risk Tracer

| Event | Computer Name | Source | Source Computer Name | Source Computer IP |
|---|---|---|---|---|
| Virus Found | TEST-130 | Auto-Protect scan | TEST-01 | 10.14.3.13 |
| Virus Found | TEST-055 | Auto-Protect scan | TEST-01 | 10.14.3.13 |
| Virus Found | TEST-065 | Auto-Protect scan | TEST-01 | 10.14.3.13 |
This log is indicating that TEST-01 at 10.14.3.13 should be isolated from the network and scanned. It is reportedly infecting other computers.
Please note that Risk Tracer relies upon very basic network awareness functionality. The computer name and IP that are listed were connecting to the SAV or SEP client at the time the infection was detected, but there may have been other connections as well. Symantec Technical Support recommends comparing the logs of several clients and noting which remote computer names and IPs keep coming up.
Hope that helps!!!
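
The cross-client comparison recommended above can be scripted against the exported Risk log. This is an added example, not part of the original post and not Symantec code; it assumes a CSV export whose headers match the example table, and the sample rows are constructed.

```python
import csv
import io
from collections import defaultdict

# Constructed sample data. Column names are assumed to match the example
# table in the post; a real SEPM export has more columns, which are ignored.
SAMPLE_EXPORT = """Event,Computer Name,Source,Source Computer Name,Source Computer IP
Virus Found,TEST-130,Auto-Protect scan,TEST-01,10.14.3.13
Virus Found,TEST-055,Auto-Protect scan,TEST-01,10.14.3.13
Virus Found,TEST-065,Auto-Protect scan,TEST-01,10.14.3.13
Virus Found,TEST-065,Auto-Protect scan,test-01,10.14.3.13
Virus Found,TEST-070,Auto-Protect scan,TEST-22,10.14.3.40
Virus Found,TEST-071,Auto-Protect scan,,
"""


def load_rows(text):
    """Parse exported CSV text into a list of dicts keyed by column header."""
    return list(csv.DictReader(io.StringIO(text)))


def rank_sources(rows, min_clients=2):
    """Rank remote sources by how many distinct clients reported them.

    Returns (source_name, source_ip, distinct_clients, events) tuples,
    keeping only sources named by at least min_clients different clients.
    """
    clients = defaultdict(set)
    events = defaultdict(int)
    for row in rows:
        name = (row.get("Source Computer Name") or "").strip().upper()
        ip = (row.get("Source Computer IP") or "").strip()
        reporter = (row.get("Computer Name") or "").strip().upper()
        if not reporter or not (name or ip):
            continue  # no remote source recorded for this detection
        clients[(name, ip)].add(reporter)
        events[(name, ip)] += 1
    ranked = [(n, i, len(c), events[(n, i)])
              for (n, i), c in clients.items() if len(c) >= min_clients]
    # Most widely reported source first; ties broken by event count, then name.
    ranked.sort(key=lambda r: (-r[2], -r[3], r[0]))
    return ranked


if __name__ == "__main__":
    for name, ip, n_clients, n_events in rank_sources(load_rows(SAMPLE_EXPORT)):
        print(f"{name} ({ip}): reported by {n_clients} clients, {n_events} events")
```

Counting distinct reporting clients rather than raw events keeps one noisy client from pushing a source to the top of the list.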