Hello,
Most likely a false positive that will be corrected before you can submit anything for an IPS false positive (I don't have access to confirm with Security Response). We haven't gotten any reports of this yet at TD. Regardless, here is the process for submitting info on an IPS false positive:
- Ensure that the SEP client has the latest available IPS definitions in place. Run LiveUpdate or confirm that the “Network Threat Protection” definition date on the client matches the latest available listed on Security Updates.
- Note if the intrusion is inbound or outbound, note the source and destination IP address (or domain), and note the exact IPS event number and name. (These details must be provided when reporting the suspected False Positive.)
- If the IPS event occurs when simply accessing a public website, copy the exact URL and details necessary to reproduce the issue.
- Otherwise, using Wireshark, TCPDump or another packet capture tool, whitelist that domain or disable that IPS signature, then record the traffic which triggers the IPS event. A video demonstrating how to capture network traffic is available. Be sure to enable that IPS signature once again immediately after the traffic is collected!
Once the data is collected, please submit it to: https://symsubmit.symantec.com/false_positive
Rob
TechData Support Services