Endpoint Protection


Denial of service message

  • 1.  Denial of service message

    Posted Dec 10, 2009 07:42 AM
    Hello, I closed the other post too early I guess. If a user gets the

    denial of service is logged

    Then the client is being attacked from the outside, is that right?

    The client I am working for is saying IPS is not set up to examine out-bound packets, they think.

    What should be the process when getting this type of message on a machine?


  • 2.  RE: Denial of service message

    Posted Dec 10, 2009 07:57 AM
    We get phony DOS log entries from computers on our OWN network.
    Apparently SEP believes that things coming from our remote offices to the DCs are DOS packets and blocks them.
    So far, the case has not yielded any solution or reason.
    What's happening in OUR case is this - clients that connect to our network through a Cisco ASA5505 are seen as attacking our DC servers, HOWEVER, Cisco says the packets are normal - they see no such attacks. AND, these are our own machines. Exactly identical in every single way to computers here in the home office which SEP never sees as attacking our DCs.
    And in fact, we've never ever in a whole year seen a DOS attack against us - except when SEP says our own computers are attacking us.
    SO, check the logs - check the source and destination IP addresses, MAC addresses, etc.  That is what the process should be. IF IT'S REAL, SEP will block the offending packets and you really need to do little more, IMO. But do check the logs for DETAILS.
    A TRUE DOS attack lasts for more than just a packet or two.......... and will indeed come from the outside. Check the details.


  • 3.  RE: Denial of service message

    Posted Dec 10, 2009 08:12 AM
    If you want to find which PC is sending packets to yours, the Risk Tracer should be enabled.
    The article below will give a nice picture about this feature.
    Worms and threats that spread across networks by network shares have become more common in recent years.--Like Downadup/Conficker


  • 4.  RE: Denial of service message

    Posted Dec 10, 2009 08:14 AM
    What log should I request from the client, or from the database to review?


  • 5.  RE: Denial of service message

    Posted Dec 10, 2009 08:26 AM
    Do I just request the

    seclog.log --IPS security Log

    or should I do something from SEPM instead? Thanks guys


  • 6.  RE: Denial of service message

    Posted Dec 10, 2009 08:55 AM
    You can find it out from SEPM (I think this is easy). You can find the same information from the traffic log on the client also...
    Please read carefully the article which is present in my earlier post..


  • 7.  RE: Denial of service message

    Posted Dec 10, 2009 08:59 AM
    OK, I will request the seclog.log and go from there; I will post back. Thanks guys


  • 8.  RE: Denial of service message

    Posted Dec 10, 2009 09:05 AM
    I think this information is present in tralog.log


  • 9.  RE: Denial of service message

    Posted Dec 10, 2009 11:14 AM
    The IPS rule that defines DOS attacks is hard coded in such a way that any burst of traffic from any given IP address will trigger it.


  • 10.  RE: Denial of service message

    Posted Dec 10, 2009 11:29 AM
    Yes, but in our case, it's phony.
    There is no such burst, it's seeing the packets ONLY from certain computers behind our firewalls/ASAs as attackers - and it's actually flagging them as LARGER than normal packets and determining it as a DOS because it is seeing LARGE packets.
    There are no such packets coming in according to Cisco!
    So we're working a case (albeit VERY slowly) to find out why SEP is flagging ONLY a few computers ONLY behind an ASA as sending packets that are too big - when they are not.....


  • 11.  RE: Denial of service message
    Best Answer

    Posted Dec 10, 2009 11:59 AM
    Yes, view the ports, analyse the IPs and you need to determine if it is a false positive or a real attack..
    In some cases if you have a monitoring server it also causes false DoS alerts.. in that case you might need to create exceptions for these IP addresses.
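As an added example (not from this thread or from Symantec), the triage that posts 2, 9 and 11 describe turned into a script: count IPS "denial of service" events per source IP, treat only a sustained burst as a possible real attack, and flag known monitoring servers and internal hosts as likely false positives to trace rather than as outside attackers. The event layout, the internal address range and the monitoring server address are assumptions; the real seclog.log / tralog.log formats are not reproduced here.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

INTERNAL_NETS = [ip_network("10.0.0.0/8")]       # assumed: own address space
MONITORING_SERVERS = {ip_address("10.1.0.50")}   # assumed: known monitoring host

def _burst(src, dst, port, start, n, gap_s):
    """Build n constructed events 'time,src,dst,port' spaced gap_s apart."""
    t0 = datetime.strptime(start, "%Y-%m-%d %H:%M:%S")
    return [f"{t0 + timedelta(seconds=i * gap_s):%Y-%m-%d %H:%M:%S},{src},{dst},{port}"
            for i in range(n)]

# Constructed sample: a slow monitoring server, a remote-office host in a
# burst, an external address in a burst, and a host sending a packet or two.
SAMPLE_EVENTS = (
    _burst("10.1.0.50", "10.1.0.5", 445, "2009-12-10 07:40:00", 3, 60)
    + _burst("10.5.1.20", "10.1.0.5", 445, "2009-12-10 07:41:00", 12, 1)
    + _burst("203.0.113.9", "10.1.0.5", 80, "2009-12-10 07:42:00", 15, 1)
    + _burst("10.5.1.21", "10.1.0.5", 445, "2009-12-10 07:43:00", 2, 1)
)

def parse_events(lines):
    """Group event timestamps by source IP (assumed field order)."""
    by_src = defaultdict(list)
    for line in lines:
        ts, src, _dst, _port = line.split(",")
        by_src[ip_address(src)].append(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"))
    return by_src

def max_in_window(times, window):
    """Largest number of events from one source inside any span of `window`."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best

def triage(lines, burst_threshold=10, window=timedelta(seconds=30)):
    """Map each source IP to a verdict following the thread's rules of thumb."""
    verdicts = {}
    for src, times in parse_events(lines).items():
        if src in MONITORING_SERVERS:
            verdicts[str(src)] = "monitoring-server"   # candidate for an IPS exception
        elif max_in_window(times, window) < burst_threshold:
            verdicts[str(src)] = "isolated-packets"    # "a packet or two": likely false positive
        elif any(src in net for net in INTERNAL_NETS):
            verdicts[str(src)] = "internal-burst"      # trace the sender (Risk Tracer) first
        else:
            verdicts[str(src)] = "external-burst"      # treat as real, confirm IPS blocked it
    return verdicts
```

Run `triage(SAMPLE_EVENTS)` to get one verdict per source; the thresholds are starting points to tune against your own traffic logs.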