
Document ID: 2008032011043948
Last Modified: 05/12/2009

Symantec Endpoint Protection Manager - Intrusion Prevention - Policies explained

Situation: You need more details about the options in the policies of the Symantec Endpoint Protection Manager (SEPM).

Solution: Settings

Use this page to enable or disable the intrusion prevention settings for the client.

You can configure the intrusion prevention settings that can detect and prevent attacks that you otherwise would have to create signatures for. You can exclude specific network activity from monitoring or alerting, and automatically block an attacking computer.

Table: Intrusion prevention options

Option: Enable Intrusion Prevention
Description: Enables the intrusion prevention system engine that checks IPS signatures, exceptions to IPS signatures, and custom signatures.
The IPS analyzes network packets and compares them with both known attacks and known patterns of attack. If the packets match a known attack or pattern of attack, the IPS blocks the inbound traffic.
You can download IPS signatures, exclusions to IPS signatures, or custom IPS signatures to the client at any time. However, unless the intrusion prevention system is enabled, the client does not compare the signatures in the IPS libraries with the inbound or the outbound traffic.
The attacks are logged in the Security Log. You can configure notifications to appear if the client computer detects an attack.
This option is enabled by default.

Option: Enable denial of service detection
Description: Causes the client to check inbound and outbound traffic for known denial-of-service attack patterns. Denial-of-service attacks are an explicit attempt by an intruder to prevent legitimate users of a service from using that service.
This option is enabled by default.

Option: Enable port scan detection
Description: Detects if another computer scans the client computer's ports.
Attackers use port scans to determine which of the client computer's ports are open to communication. The client dynamically blocks the ports and therefore protects the computer from hacking attempts.
If the client detects a port scan, it displays a notification.
If you disable this option, the client does not detect any scans or notify the user, but still protects the ports from hacking attempts.
This option is enabled by default.

Option: Enable excluded hosts
Description: Enables you to set up a list of hosts for which the client ignores all inbound and outbound traffic.
The firewall and the IPS signatures do not check these hosts for firewall rules, matching attack signatures, port scans, anti-MAC spoofing, or denial-of-service attacks.
This option is disabled by default.

Option: Automatically block an attacker's IP address
Description: Blocks all the communication from a source host for the specified number of seconds when the client detects an attack. For example, if the client detects a denial-of-service attack, the client blocks all traffic from the originating IP address. This feature is also called active response.
This option is enabled by default.
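The following is an added example, not Symantec's code, that models how the options in the table above interact on a client: excluded hosts bypass every check, signature matching happens only while intrusion prevention is enabled, and active response blocks a detected attacker's IP for the configured number of seconds. The event labels, the policy field names and the sample addresses are constructed for the illustration.

```python
from dataclasses import dataclass, field

# Constructed model of the SEPM intrusion prevention settings; names are illustrative.
@dataclass
class IpsPolicy:
    enable_ips: bool = True            # Enable Intrusion Prevention
    dos_detection: bool = True         # Enable denial of service detection
    port_scan_detection: bool = True   # Enable port scan detection
    excluded_hosts: set = field(default_factory=set)  # Enable excluded hosts (empty set = off)
    active_response_seconds: int = 600 # Automatically block an attacker's IP address (0 = off)

@dataclass
class IpsClient:
    policy: IpsPolicy
    blocked_until: dict = field(default_factory=dict)  # source IP -> time the block expires
    security_log: list = field(default_factory=list)   # (time, source IP, event) entries

    def handle(self, now: int, src: str, event: str) -> str:
        """Decide 'allow' or 'block' for one inbound event.

        event is one of 'signature' (traffic matching an IPS signature),
        'dos', 'portscan' or 'benign'. Times are seconds, constructed for the demo.
        """
        p = self.policy
        if src in p.excluded_hosts:
            return "allow"            # excluded hosts skip signature, DoS and port-scan checks
        if now < self.blocked_until.get(src, 0):
            return "block"            # active response still in effect for this source
        detected = ((event == "signature" and p.enable_ips) or
                    (event == "dos" and p.dos_detection) or
                    (event == "portscan" and p.port_scan_detection))
        if not detected:
            return "allow"            # nothing to match, or the matching option is disabled
        self.security_log.append((now, src, event))  # attacks are written to the Security Log
        if p.active_response_seconds > 0:
            self.blocked_until[src] = now + p.active_response_seconds
        return "block"

def simulate(policy: IpsPolicy, events) -> list:
    """Run a list of (time, src, event) tuples through one client and return the verdicts."""
    client = IpsClient(policy)
    return [client.handle(t, src, ev) for t, src, ev in events]
```

Disabling Enable Intrusion Prevention in this model stops only signature matching; the separate denial-of-service and port-scan toggles keep working, as the table describes them as independent options.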

Exceptions

Use this table to view the exceptions to the IPS signatures that LiveUpdate downloads to the Symantec Endpoint Protection Manager console. You can change the default action and the log action before you download the signatures to the client.

If you create an exception to a signature, it appears in the list. If you want to remove the exception, click Delete. If you edit the behavior so that the behavior is the same as the signature's original behavior, the signature remains in the list.

Table: Exceptions options

Option: ID
Description: The ID that Symantec assigns to each signature.

Option: Signature Name
Description: The name of the signature.

Option: Severity
Description: The level of danger that the traffic packet causes if the signature detects it.

Option: Categories
Description: The type of signature.

Option: Action
Description: The action that the client takes on the traffic packet that matches the IPS signature.

Option: Log
Description: The logging action that the client takes on the traffic packet that matches the IPS signature.


Technical Information:
KB 2008032011103348 - Overview - Policies
KB 2008032010461048 - Antivirus and Antispyware
KB 2008032010523548 - Application and Device Control
KB 2008032010550448 - Centralized Exceptions
KB 2008032011023248 - Firewall
KB 2008032011043948 - Intrusion Prevention
KB 2008032011064948 - LiveUpdate


References: Online Help - SEPM





Product(s): Endpoint Protection 11
Operating Systems(s): Windows Server 2003 Web/Standard/Enterprise/Datacenter Edition
Date Created: 03/20/2008

© 1995-2014 Symantec Corporation. All rights reserved.