South Africa Security and Compliance User Group


Adding IPS browser exception signatures - cannot enable block


  • 1.  Adding IPS browser exception signatures - cannot enable block

    Posted Aug 26, 2015 06:52 AM

    Why, when you try to add an IPS browser exception signature, does it display that it cannot be changed and by default is set to "Allow" and "log"? Why can I add the IPS signature but not change the setting to "Block"? What then is the purpose of adding signatures that will not take any action and yet it is recommended to be added?

    https://www-secure.symantec.com/connect/blogs/sundown-exploit-kit-adds-internet-explorer-exploit-any-other-kit

     

    Case in point: IPS signature ID: 70103



  • 2.  RE: Adding IPS browser exception signatures - cannot enable block

    Posted Aug 26, 2015 08:13 AM

    From your post, what I understand is that you're trying to add an "IPS browser exception signature", and it is correct that an exception is set only to allow something which is already blocked. Why are you trying to re-block it?

    And from the blog post it is understood that SEP will block this attack should it occur.



  • 3.  RE: Adding IPS browser exception signatures - cannot enable block

    Posted Aug 26, 2015 08:17 AM

    Default is actually Block and Log so the only option is set to Allow.

    Capture_110.JPG



  • 4.  RE: Adding IPS browser exception signatures - cannot enable block

    Posted Aug 26, 2015 08:19 AM

    It is added to the policy, but the action is set to allow, not block as per when you initially add it. So are you saying that it "WILL" block it, even though the entry shows as "ALLOW"?



  • 5.  RE: Adding IPS browser exception signatures - cannot enable block

    Posted Aug 26, 2015 08:25 AM

    Was it added as an exception at some point in the past?

    The screen I showed above is what the default is for this signature.

    If I add as an exception it will allow me to change the behaviour.

    In your case, it will be allowed



  • 6.  RE: Adding IPS browser exception signatures - cannot enable block

    Posted Aug 26, 2015 08:27 AM

    How come yours shows as Intrusion Prevention, Attack and when I find the same signature it is on Browser prevention?

     



  • 7.  RE: Adding IPS browser exception signatures - cannot enable block

    Posted Aug 26, 2015 08:28 AM

    Not to my knowledge. My default signature is shown as browser and not IP, attack as your screen.



  • 8.  RE: Adding IPS browser exception signatures - cannot enable block

    Posted Aug 26, 2015 08:31 AM

    Not really sure... I assume your IPS sigs are up to date? Maybe create a new policy and check that one to see what it shows?



  • 9.  RE: Adding IPS browser exception signatures - cannot enable block

    Posted Aug 26, 2015 08:32 AM

    Just now I checked it; even for me it is showing as blocked. Can you please create a new IPS policy and check it?

     

    IPS.JPG



  • 10.  RE: Adding IPS browser exception signatures - cannot enable block

    Posted Aug 26, 2015 08:39 AM

    Will do so.



  • 11.  RE: Adding IPS browser exception signatures - cannot enable block

    Posted Aug 26, 2015 08:42 AM

    Checked and created a new IPS policy. Still shows the same, not like your screenshot.
     



  • 12.  RE: Adding IPS browser exception signatures - cannot enable block

    Posted Aug 26, 2015 08:45 AM

    It is time for you to log a support case.



  • 13.  RE: Adding IPS browser exception signatures - cannot enable block

    Posted Aug 26, 2015 08:45 AM

    What's your SEPM version?

    12.1.5 shows differently than 12.1.6.x

    12.1.5 is what my screenshot shows

    12.1.6.x is what you see.

    So it comes down to different content for the different versions



  • 14.  RE: Adding IPS browser exception signatures - cannot enable block

    Posted Aug 26, 2015 08:46 AM

    Praveen, what version of SEP are you using?

    Thaveshin, this is a browser IPS signature, it has both browser IPS and attack categories assigned to it.

    Any signature that starts with a 5 or a 7 is Browser IPS.

     



  • 15.  RE: Adding IPS browser exception signatures - cannot enable block

    Posted Aug 26, 2015 08:47 AM

    I am using SEPM 12.1 RU5



  • 16.  RE: Adding IPS browser exception signatures - cannot enable block

    Posted Aug 26, 2015 08:49 AM

    In 12.1.6.1a I get the message:

    "Browser signature exceptions are automatically set to Allow and Do Not Log. You cannot customize the action or logging setting"

    That can't be right?



  • 17.  RE: Adding IPS browser exception signatures - cannot enable block

    Posted Aug 26, 2015 08:50 AM

    But in 12.1.6.1a they can't be changed from allow to block. Although I can add it as an exception, I just can't edit it...



  • 18.  RE: Adding IPS browser exception signatures - cannot enable block

    Posted Aug 26, 2015 08:50 AM

    Yes, that's correct. RU6 shows these correctly as Browser IPS, RU5 and below will show them as just IPS.



  • 19.  RE: Adding IPS browser exception signatures - cannot enable block

    Broadcom Employee
    Posted Aug 26, 2015 08:52 AM

    Hi,

    Q. Why when you try to add an IPS browser exception signature it displays that it cannot be changed and by default is set to "Allow" and "log". Why?

    --> The latest signatures get automatically added with the release of definitions to block such attacks in the SEP environment.

    Please clarify the following question again; what exactly do you want to achieve?

    "can I add the IPS signature but not change the setting to "Block" - what then is the purpose of adding signatures that will not take any action and yet it is recommended to be added"



  • 20.  RE: Adding IPS browser exception signatures - cannot enable block

    Posted Aug 26, 2015 08:58 AM

    Browser IPS signatures are by default Block and Log. You can create exceptions for them, but the only exception you can create is Allow and Do Not Log, i.e. a traditional type of exception. This is due to limitations in the engine - if it's going to detect, then it has to block.

    Thaveshin, all the signatures are enabled in blocking mode by default, what are you trying to change?

    Brian, the UI isn't particularly intuitive here... we should work on that :)



  • 21.  RE: Adding IPS browser exception signatures - cannot enable block

    Posted Aug 26, 2015 09:08 AM

    Yea, I was confused with that message :)

    Interestingly enough I went back into the policy and it is now Block/Log

    Weird things are a happening :) but looks ok now



  • 22.  RE: Adding IPS browser exception signatures - cannot enable block

    Posted Aug 26, 2015 07:52 PM

    Very strange. On a SEPM 12.1.6...Echo @ThaveshinP initial and @Brian observations and on the same attack signature...



  • 23.  RE: Adding IPS browser exception signatures - cannot enable block

    Posted Aug 26, 2015 07:58 PM

    What's weird was I saw the same behaviour and added it as an exception but was warned I couldn't change it. I removed it from the exception list, went back into the policy and pulled up the same signature and it was now showing as Block... very weird indeed...



  • 24.  RE: Adding IPS browser exception signatures - cannot enable block

    Posted Aug 26, 2015 09:26 PM

    This is progressively difficult to fathom! I did the same, deleted/revoked all "ALLOW" and then grabbed them all again and BAM - it shows default as Action=BLOCK and LOG. What is even more weird, it shows this???? Certainly not a good feeling to explain to management about this strange IPS (although Browser) behavior and under Symantec Endpoint Protection Manager - Intrusion Prevention - Policies explained (Article: TECH104434)



  • 25.  RE: Adding IPS browser exception signatures - cannot enable block

    Posted Aug 27, 2015 01:42 AM

    Currently running SEPM 12.1RU6Mp1a.

    @Justice, exactly.

    @Brian, I tried it over and over yesterday and it still stayed the same. Let me check again and I will let you know.

    @Paul Murgatroyd, I wanted to add the signature - which can be done - however the error message suggests that it cannot be set to Block and is set to default to Allow. Almost any signature that has browser protection is saying this. How can I then set IPS to block something that "allows" and only log... what is the point then...



  • 26.  RE: Adding IPS browser exception signatures - cannot enable block

    Posted Aug 27, 2015 01:50 AM

    Looks like when you view the signatures to be added to the IPS policy it shows block/log, but after you add it to the policy it remains set to allow/log. I still can't change the action setting from allow to block. I get the same message:

    "Browser signature exceptions are automatically set to Allow and Do Not Log. You cannot customize the action or logging setting"

    In fact every single browser signature is set to allow and log. You cannot change the action to block...



  • 27.  RE: Adding IPS browser exception signatures - cannot enable block

    Posted Aug 27, 2015 02:01 AM

    I hope this can be resolved quickly and not wait another 3 months for another upgrade, probably to RU7...
     



  • 28.  RE: Adding IPS browser exception signatures - cannot enable block
    Best Answer

    Posted Aug 27, 2015 04:47 AM

    Herewith a definition and clarity from Symantec support:

    The browser signatures are already set to block attacks, you don't need to add them to the policy (in the list of exceptions), to confirm it.
    You have to add a browser signature to the policy if you want to change the default action to something different. For browser signatures, the only alternative to "block" is "Allow and do not log" which is then automatically set for you.



  • 29.  RE: Adding IPS browser exception signatures - cannot enable block

    Posted Aug 27, 2015 07:54 AM

    Doesn't really address why they show as "Allow" initially.



  • 30.  RE: Adding IPS browser exception signatures - cannot enable block

    Posted Aug 27, 2015 08:59 AM

    Agree @ThaveshinP and @Brian! Management demands answers in the face of explicit articles touching the subject, i.e. Creating exceptions for IPS signatures (Article: HOWTO80883) ("For Windows computers, you cannot change the behavior of Symantec browser signatures; unlike network signatures, browser signatures do not allow custom action and logging settings. However, you can create an exception for a browser signature so that clients ignore the signature"). Progressively difficult position to be in...

     

     



  • 31.  RE: Adding IPS browser exception signatures - cannot enable block

    Posted Aug 28, 2015 01:28 AM

    @Justice, I agree 100%. The customer always wants to know and see documentation regarding this.