We get phony DOS log entries from computers on our OWN network.
Apparently SEP believes that things coming from our remote offices to the DCs are DOS packets and blocks them.
So far, the case has not yielded any solution or reason.
What's happening in OUR case is this - clients that connect to our network through a Cisco ASA5505 are seen as attacking our DC servers, HOWEVER, Cisco says the packets are normal - they see no such attacks. AND, these are our own machines. Exactly identical in every single way to computers here in the home office which SEP never sees as attacking our DCs.
And in fact, we've never ever in a whole year seen a DOS attack against us - except when SEP says our own computers are attacking us.
SO, check the logs - check the source and destination IP addresses, MAC addresses, etc. That is what the process should be. IF IT'S REAL, SEP will block the offending packets and you really need to do little more, IMO. But do check the logs for DETAILS.
A TRUE DOS attack lasts for more than just a packet or two... and will indeed come from the outside. Check the details.
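
The log check described in the post above, as an added example that is not part of the original post: it groups DoS log entries by source address and reports whether each source sits on your own network and how many events it produced over what time span. The CSV column layout, the sample rows, the `triage` function and its thresholds are all assumptions made for illustration, not SEP's export format or defaults.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample rows. The column layout is an assumption for this
# example, not the format SEP actually exports.
SAMPLE_LOG = """time,src_ip,src_mac,dst_ip,event
2024-01-10 09:00:01,10.20.1.15,00-11-22-33-44-55,10.1.0.10,Denial of Service
2024-01-10 09:00:02,10.20.1.15,00-11-22-33-44-55,10.1.0.10,Denial of Service
2024-01-10 09:05:00,203.0.113.7,66-77-88-99-AA-BB,10.1.0.10,Denial of Service
2024-01-10 09:06:00,203.0.113.7,66-77-88-99-AA-BB,10.1.0.10,Denial of Service
2024-01-10 09:07:00,203.0.113.7,66-77-88-99-AA-BB,10.1.0.10,Denial of Service
2024-01-10 09:08:00,203.0.113.7,66-77-88-99-AA-BB,10.1.0.10,Denial of Service
2024-01-10 09:30:00,198.51.100.9,66-77-88-99-AA-BB,10.1.0.11,Denial of Service
"""


def triage(log_text, own_networks, min_events=3, min_seconds=60):
    """Summarise DoS log entries per source IP.

    own_networks: CIDR strings covering your own sites (home and remote offices).
    min_events / min_seconds: illustrative thresholds for "more than a packet or two".
    """
    nets = [ip_network(n) for n in own_networks]
    by_src = defaultdict(list)
    for row in csv.DictReader(io.StringIO(log_text)):
        by_src[row["src_ip"]].append(row)

    report = {}
    for src, rows in by_src.items():
        times = sorted(datetime.strptime(r["time"], "%Y-%m-%d %H:%M:%S") for r in rows)
        span = (times[-1] - times[0]).total_seconds()
        if any(ip_address(src) in n for n in nets):
            verdict = "own-network source"    # check the machine and the path to the DC
        elif len(rows) >= min_events and span >= min_seconds:
            verdict = "external, sustained"   # many events over time from outside
        else:
            verdict = "external, brief"       # a packet or two
        report[src] = {
            "events": len(rows),
            "seconds": span,
            "macs": sorted({r["src_mac"] for r in rows}),
            "targets": sorted({r["dst_ip"] for r in rows}),
            "verdict": verdict,
        }
    return report
```
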