Endpoint Protection


IPS Signature problem

  • 1.  IPS Signature problem

    Posted Dec 03, 2015 11:42 AM

    Hi all, Just noticed that there are a whole load of these errors. Is this my SEPM with a problem or is it the defs that are downloaded from Symantec that have the problem?

    Failed to set a custom action for IPS signature 22270 (errcode=0x80010221). Most probably, this IPS signature was removed from the IPS content.

    Cheers

    PaulC



  • 2.  RE: IPS Signature problem

    Posted Dec 03, 2015 11:44 AM

    It just means you had a signature enabled that has since been deprecated/removed/no longer exists. SEPM does not auto-remove these and requires you to do this manually.

    See this thread:

    Warning: failed to set a custom action for IPS signature in Endpoint Protection 12.1

    http://www.symantec.com/connect/forums/client-log-show-ips-signature-failed#comment-10290221

    It's not ideal but rest assured there are no actual "issues" with your SEPM or SEP client.



  • 3.  RE: IPS Signature problem

    Trusted Advisor
    Posted Dec 04, 2015 04:22 AM

    Hello,

    Check this Article:

    Warning: failed to set a custom action for IPS signature in Endpoint Protection 12.1

    http://www.symantec.com/docs/TECH217755

    Cause

    The involved IPS signatures are deprecated.

    Solution

    Remove the exceptions for the deprecated IPS signatures by editing the appropriate Intrusion Prevention policy in Symantec Endpoint Protection Manager.

    List of current IPS signatures can be found here: http://www.symantec.com/security_response/attacksignatures/

    Regards,



  • 4.  RE: IPS Signature problem

    Broadcom Employee
    Posted Dec 06, 2015 07:43 AM

    Hello,

    TECH217755 was last updated on 26th March 2015. However, you can try the steps given in the article and let me know if you need any assistance.

    From Symantec's end there is no known issue with IPS signatures.



  • 5.  RE: IPS Signature problem

    Posted Dec 08, 2015 09:03 AM

    Sorry for the late reply to this. Any idea as to how I can track where these IPS signatures are so I can then clear this problem? Although it may not be a problem, it does not look good.  :(

    Failed to set a custom action for IPS signature 22270 (errcode=0x80010221). Most probably, this IPS signature was removed from the IPS content.

    Failed to set a custom action for IPS signature 21596 (errcode=0x80010221). Most probably, this IPS signature was removed from the IPS content.

    and

    Failed to set a custom action for IPS signature 21206 (errcode=0x80010221). Most probably, this IPS signature was removed from the IPS content.

    Thanks PaulC



  • 6.  RE: IPS Signature problem

    Posted Dec 08, 2015 09:14 AM

    Look at the number after the "IPS Signature"...22270, 21596, 21206

    In the IPS policy go to Exceptions >> Add and you should be able to search for them on the ID column. Not an easy way though...



  • 7.  RE: IPS Signature problem

    Posted Dec 08, 2015 09:41 AM

    OK found them. Is it safe to delete them from the policy? Just double checking. These are the IDs:

    ID 21260  Audit: Skype Requesting Updates

    ID 22270  Attack: HTTP RTF File Drawing Obj Property DoS

    ID 21596  Audit: Jabber IM Client Connection

    Also, are these IPS signatures from Symantec, or have they been added in manually at some stage?

    PaulC
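
Collecting the IDs from the warnings and cross-checking them against the IDs located in the policy's Exceptions list, as an added example that is not part of the original thread. The log text is constructed from the messages quoted above (the timestamps and the unrelated line are made up), the ID set is as typed in the post above, and the function names are hypothetical.

```python
import re
from collections import Counter

# Message format as quoted in the thread; a timestamp prefix is an assumption.
LINE_RE = re.compile(
    r"Failed to set a custom action for IPS signature\s+(\d+)\s+"
    r"\(errcode=(0x[0-9A-Fa-f]+)\)"
)
TAIL = ". Most probably, this IPS signature was removed from the IPS content."

# Constructed sample log export built from the warnings quoted in the thread.
SAMPLE_LOG = "\n".join([
    "2015-12-08 08:55:01 Failed to set a custom action for IPS signature 22270 (errcode=0x80010221)" + TAIL,
    "2015-12-08 08:55:01 Failed to set a custom action for IPS signature 21596 (errcode=0x80010221)" + TAIL,
    "2015-12-08 08:55:02 Failed to set a custom action for IPS signature 21206 (errcode=0x80010221)" + TAIL,
    "2015-12-08 08:55:09 Some unrelated client log entry (constructed)",
    "2015-12-08 09:25:01 Failed to set a custom action for IPS signature 22270 (errcode=0x80010221)" + TAIL,
])

# IDs as typed in the post above after searching the Exceptions list.
POLICY_EXCEPTION_IDS = {21260, 22270, 21596}

def logged_signature_ids(log_text):
    """Count warnings per signature ID; lines in any other format are ignored."""
    counts = Counter()
    for line in log_text.splitlines():
        match = LINE_RE.search(line)
        if match:
            counts[int(match.group(1))] += 1
    return counts

def reconcile(log_text, exception_ids):
    """Split IDs into those confirmed in both places and those that disagree."""
    logged = set(logged_signature_ids(log_text))
    return {
        # Logged as deprecated and located in the policy: candidates to review.
        "review_in_policy": sorted(logged & exception_ids),
        # Logged but not among the located exceptions: search the ID column again.
        "logged_not_located": sorted(logged - exception_ids),
        # Located in the policy but never logged: re-check the ID before changing it.
        "located_not_logged": sorted(exception_ids - logged),
    }

if __name__ == "__main__":
    for bucket, ids in reconcile(SAMPLE_LOG, POLICY_EXCEPTION_IDS).items():
        print(f"{bucket}: {ids}")
```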

     



  • 8.  RE: IPS Signature problem

    Broadcom Employee
    Posted Dec 08, 2015 09:57 AM

    Hi PaulC,

    You can't delete them from the policy. You can either allow or block through the policy. These get updated by the Symantec LiveUpdate server.

    See the screenshot below. By default, the action for ID 22270 is in the block state; however, you can allow it if it's necessary.

    IPS.jpg



  • 9.  RE: IPS Signature problem

    Posted Dec 08, 2015 09:57 AM

    These are from Symantec, who needs to delete them from the policy via their LU server/content updates.

    It's been a known problem for some time now.

    The problem is that someone manually edited the IPS signature, and because of that Symantec won't automatically remove it; because it was a custom action, it leaves it alone.



  • 10.  RE: IPS Signature problem

    Posted Dec 08, 2015 10:18 AM

    Will that be manually added from my SEPM or something done by Symantec?

    Sorry being a bit dumb on this...

    PaulC



  • 11.  RE: IPS Signature problem
    Best Answer

    Posted Dec 08, 2015 10:26 AM

    An admin (yourself, someone else on your team) who set a custom action on one of those signatures.