Endpoint Protection

  • 1.  Logging the HIDS component

    Posted Jul 09, 2009 07:57 AM
    Can someone please share their experience on the steps to take to only log the HIDS (Host Intrusion Detection System) component of Symantec Endpoint and not do anything (like quarantine). I'm in charge of testing the Endpoint Protection Manager, ver 11.0.

    Any help would be greatly appreciated.


  • 2.  RE: Logging the HIDS component

    Posted Jul 09, 2009 08:04 AM
    Are you using SNAC in a live or test environment?

    You can create a policy to log only.


  • 3.  RE: Logging the HIDS component

    Posted Jul 09, 2009 08:35 AM
    I'm using SNAC in a test environment. Could you tell me the steps to take to create a policy to log only? Thank you.


  • 4.  RE: Logging the HIDS component
    Best Answer

    Posted Jul 09, 2009 09:10 AM
    Symantec Endpoint Protection has HIPS in the Network Threat Protection component.
    You can, however, use it as HIDS by changing the Action for all rules from Block to Allow and Log.

    However, whenever a new definition (IPS rules) gets downloaded you will have to change the Action for that rule.

    Steps to do this:
    Login to SEPM -> Policies -> Intrusion Prevention ->
    Edit Intrusion Prevention policy ->
    Exceptions -> Select All -> Next -> Change Action: Block to Allow; Log: Log the Traffic

    If you want to disable the Intrusion Prevention alert notification on the client, that can be done from:

    SEPM -> Clients -> select the Group and click the policy tab on the right hand side.
    Location Specific settings -> Server Control -> Customise -> uncheck Display Intrusion Prevention notification



  • 5.  RE: Logging the HIDS component

    Posted Jul 09, 2009 09:20 AM
    Greatly appreciate your help!!