Endpoint Protection


SEP IDS

  • 1.  SEP IDS

    Posted Sep 03, 2019 08:46 AM

    Hi All,

    We have whitelisted some of our IPs in the IPS policy, so now it won't be preventing the traffic, but should it still log to the security log if any attacks come through?

    Can we put some mechanism in place where we get alerts for security log entries where an attack is detected by IDS?


    Regards

    Dev




  • 2.  RE: SEP IDS

    Posted Sep 03, 2019 10:22 AM

    Hi Dev,

    Thanks for the post. Use exceptions/exclusions with great caution! If an IP address is whitelisted for IPS, IPS will let all traffic from that IP address through.

    What sort of unwanted IPS detection are you trying to overcome?

    It may be a better solution to create a SEP client group for the computers which are involved and apply, only to that group, a policy which has the action for those IPS signatures set to Log rather than Block.



  • 3.  RE: SEP IDS

    Posted Sep 04, 2019 12:30 AM

    Thanks for the reply Mick. I have an IDS/IPS solution on the firewall, and for testing purposes I have whitelisted the IPs. Will the detections still be logged as security logs only? I do not want Symantec to stop (prevent) them, just detect them.



  • 4.  RE: SEP IDS

    Posted Sep 04, 2019 02:31 AM

    It is possible to customize the IPS policy, changing the behavior for individual signatures from Block to Log Only.



  • 5.  RE: SEP IDS

    Posted Sep 04, 2019 03:32 AM

    Can you please point me to documents or steps where I can change the signatures? Should this be changed as per the snapshot, where I just have to tick "log detections" but not block?



  • 6.  RE: SEP IDS

    Posted Sep 04, 2019 08:37 AM




  • 7.  RE: SEP IDS

    Posted Sep 04, 2019 08:38 AM



  • 8.  RE: SEP IDS

    Posted Sep 04, 2019 09:59 AM

    So the snapshot which I pasted is only for browser intrusion prevention?



  • 9.  RE: SEP IDS

    Posted Sep 05, 2019 04:57 AM

    I recommend a bit of experimentation in your test environment; with a little practice you'll soon have it performing the way you like.



  • 10.  RE: SEP IDS

    Posted Sep 05, 2019 04:58 AM

    Thanks for the help Mick. I have one more query: can I set up mail notification for detected logs? If yes, can you please guide me through the steps?



  • 11.  RE: SEP IDS

    Posted Sep 05, 2019 11:39 AM

    This should help:

    How to Configure Symantec Endpoint Protection Manager to Send Email Alerts
    https://support.symantec.com/us/en/article.tech104394.html



  • 12.  RE: SEP IDS

    Posted Sep 05, 2019 01:41 PM

    Thank you.



  • 13.  RE: SEP IDS

    Posted Sep 06, 2019 08:32 AM

    Hi Mick,

    Following the link you suggested, there are many notifications to choose from when I go to https://support.symantec.com/us/en/article.tech104394.html.

    Authentication Failure

    Client list Change

    Client security Alert

    Client with unsupported version

    Download protection content out of date

    File reputation lookup alert

    Forced Application detected

    IPS signature out of date

    License issue

    Memory Exploit mitigation detection

    Network load alert

    New learned application

    New risk detected

    New Software package

    New User allowed Download

    Risk outbreak

    Server health

    Unmanaged computer

    My requirement is to get a notification for detected events which will go to the security log, so I am thinking of going for the option "New risk detected". Would this be the right approach?

    Regards
    Dev




  • 14.  RE: SEP IDS

    Posted Sep 09, 2019 11:21 PM

    I have configured the notification as suggested in the link, but unfortunately I am not receiving any alerts.