Why, when you try to add an IPS browser exception signature, does it display that it cannot be changed and is by default set to "Allow" and "log"? Why can I add the IPS signature but not change the setting to "Block"? What then is the purpose of adding signatures that will not take any action, and yet it is recommended that they be added?
Case in point: IPS signature ID: 70103
From your post, what I understand is that you're trying to add an "IPS browser exception signature", and it is correct that an exception is set only to allow something which is already blocked. Why are you trying to re-block it?
And from the block post it is understood that SEP will block this attack should it occur.
Default is actually Block and Log so the only option is set to Allow.
It is added to the policy, but the action is set to allow... not block as per when you initially add it. So are you saying that it "WILL" block it, even though the entry shows as "ALLOW"?
Was it added as an exception at some point in the past?
The screen I showed above is what the default is for this signature.
If I add as an exception it will allow me to change the behaviour.
In your case, it will be allowed.
How come yours shows as Intrusion Prevention, Attack and when I find the same signature it is on Browser prevention?
Not to my knowledge. My default signature is shown as browser and not IP, attack as your screen.
Not really sure... I assume your IPS sigs are up to date? Maybe create a new policy and check that one to see what it shows?
Just now I checked it; even for me it is showing as blocked. Can you please create a new IPS policy and check it?
Will do so.
Checked and created a new IPS policy. Still shows the same, not like your screenshot.
It is time for you to log a support case.
What's your SEPM version?
12.1.5 shows differently than 12.1.6.x
12.1.5 is what my screenshot shows
12.1.6.x is what you see.
So it comes down to different content for the different versions.
Praveen, what version of SEP are you using?
Thaveshin, this is a browser IPS signature, it has both browser IPS and attack categories assigned to it.
Any signature that starts with a 5 or a 7 is Browser IPS.
I am using SEPM 12.1 RU5
In 184.108.40.206a I get the message:
"Browser signature exceptions are automatically set to Allow and Do Not Log. You cannot customize the action or logging setting"
That can't be right?
But in 220.127.116.11a they can't be changed from allow to block although I can add it as an exception I just can't edit it...
Yes, that's correct. RU6 shows these correctly as Browser IPS; RU5 and below will show them as just IPS.
Q. Why when you try to add an IPS browser exception signature it displays that it cannot be changed and by default is set to "Allow" and "log". Why?
--> Latest signatures get automatically added with the release of definitions to block such attacks in the SEP environment.
Please clarify the following question again: what exactly do you want to achieve?
"can I add the IPS signature but not change the setting to "Block" - what then is the purpose of adding signatures that will not take any action and yet it is recommended to be added"
Browser IPS signatures are by default Block and Log. You can create exceptions for them, but the only exception you can create is Allow and Do Not Log, i.e. a traditional type of exception. This is due to limitations in the engine - if it's going to detect, then it has to block.
Thaveshin, all the signatures are enabled in blocking mode by default, what are you trying to change?
Brian, the UI isn't particularly intuitive here... we should work on that :)
Yea, I was confused with that message :)
Interestingly enough, I went back into the policy and it is now Block/Log.
Weird things are a happening :) but looks ok now
Very strange. On a SEPM 12.1.6...Echo @ThaveshinP initial and @Brian observations and on the same attack signature...
What's weird was I saw the same behaviour and added it as an exception but was warned I couldn't change it. I removed it from the exception list, went back in to the policy and pulled up the same signature and it was now showing as Block... very weird indeed...
This is progressively difficult to fathom! I did the same, deleted/revoked all "ALLOW" and then grabbed them all again and BAM - it shows default as Action=BLOCK and LOG. What is even more weird, it shows this???? Certainly not a good feeling to explain to management about this strange IPS (although Browser) behavior and under Symantec Endpoint Protection Manager - Intrusion Prevention - Policies explained (Article: TECH104434)
Currently running SEPM 12.1RU6Mp1a.
@Brian, I tried it over and over yesterday and it still stayed the same. Let me check again and I will let you know.
@Paul Murgatroyd, I wanted to add the signature - which can be done - however the error message suggests that it cannot be set to Block and is set to default to Allow. Almost any signature that has browser protection is saying this. How can I then set IPS to block something that "allows" and only log...what is the point then....
Looks like when you view the signatures to be added to the IPS policy it shows block/log, but after you add it to the policy it remains set to allow/log... I still can't change the action setting from allow to block. I get the same message:
In fact every single browser signature is set to allow and log. You cannot change the action to block...
I hope this can be resolved quickly and not wait another 3 months for another upgrade, probably to RU7...
Herewith a definition and clarity from Symantec support:
The browser signatures are already set to block attacks, you don't need to add them to the policy (in the list of exceptions), to confirm it.
You have to add a browser signature to the policy if you want to change the default action to something different. For browser signatures, the only alternative to "block" is "Allow and do not log" which is then automatically set for you.
Doesn't really address why they show as "Allow" initially.
Agree @ThaveshinP and @Brian! Management demands answers in the face of explicit articles touching the subject... i.e. Creating exceptions for IPS signatures (Article: HOWTO80883) ("For Windows computers, you cannot change the behavior of Symantec browser signatures; unlike network signatures, browser signatures do not allow custom action and logging settings. However, you can create an exception for a browser signature so that clients ignore the signature"). Progressively difficult position to be in...
@Justice, I agree 100%. Customer always wants to know and see documentation regarding this..