EMEA Endpoint Management and Mobility Group (EMM)

  • 1.  automatically block an attacker's IP address in Symantec Endpoint Protection client

    Posted Jan 21, 2014 05:10 AM

    Default Rule
    automatically block an attacker's IP address in Symantec Endpoint Protection client

    Number of seconds during which to block the IP address: 600

    After hitting the site I get the below-mentioned error:

    http://www.yashwanthindustries.com/

    [SID: 26591] Web Attack: Red Exploit Kit Redirect 2 detected

    The client will block from IP address 172.*.*.*
    for the next 600 seconds (from date */*/* time 1:24 to date 1/*/* 1:34).

    Symantec support is suggesting that I disable one firewall option (Enable denial of service detection), but I don't think it is best practice.

  • 2.  RE: automatically block an attacker's IP address in Symantec Endpoint Protection client

    Posted Jan 21, 2014 05:15 AM

    Seems like this is being blocked by an IPS rule, very much similar to this:

    http://www.symantec.com/business/support/index?page=content&id=TECH104810

    • Click on the Policies tab.
    • Click on Intrusion Prevention under View Policies.
    • Click on Add an Intrusion Prevention Policy under Tasks.
    • Click on Exceptions > click on the Add button > scroll down and look for the SID that's shown in the popup > click on the Next button.
    • Change the Action drop-down selection to 'Allow' and the Log drop-down selection to 'Log the traffic.'
    • Click on OK and then OK again to save the policy.
    • Update the policies on any affected clients.


  • 3.  RE: automatically block an attacker's IP address in Symantec Endpoint Protection client



  • 4.  RE: automatically block an attacker's IP address in Symantec Endpoint Protection client

    Posted Jan 21, 2014 05:42 AM

    Add the IPS signature as an exclusion; see here on how to:

    How to exclude individual IPS signatures in the IPS policy

    https://www-secure.symantec.com/connect/articles/how-exclude-individual-ips-signatures-ips-policy



  • 5.  RE: automatically block an attacker's IP address in Symantec Endpoint Protection client

    Posted Jan 21, 2014 01:16 PM

    Don't make an exclusion.

    I tried to navigate to your URL on a system not protected by SEP. With Firefox, the built-in Phishing and Malware protection kicked in and prevented access. With IE, a third-party security application raised an alarm because of a (not requested, of course) malware download.

    So three independent sources distrust this site. Two of them discover malware. That's not a false positive.

    EDIT:

    See Google's Safe Browsing comment on this site:

    http://safebrowsing.clients.google.com/safebrowsing/diagnostic?client=Firefox&hl=en&site=http://www.yashwanthindustries.com/



  • 6.  RE: automatically block an attacker's IP address in Symantec Endpoint Protection client

    Posted Jan 22, 2014 12:33 AM

    How can we diagnose any different site in http://safebrowsing.clients.google.com?

    If I exclude this it is working fine, but I don't want to go for an IPS signature exclusion.
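
A programmatic way to run the kind of check post 5 did with the Safe Browsing diagnostic page, for any site you want to vet before deciding on an IPS exception, as an added example that is not part of this thread and not Symantec's or Google's own code. It uses Google's public Safe Browsing Lookup API v4 (endpoint and request/response shape as Google documents them); an API key is assumed and shown as a placeholder, and the sample response and the hostnames flagged.example and clean.example are constructed so the parsing can be exercised offline.

```python
"""Check one or more sites against Google Safe Browsing (Lookup API v4).

Added example for this thread; not Symantec's or Google's code.  The endpoint
and request/response shape follow Google's public Lookup API v4 documentation.
An API key is assumed (placeholder below); the sample response is constructed.
"""
import json
import urllib.request
from urllib.parse import urlparse

LOOKUP_ENDPOINT = "https://safebrowsing.googleapis.com/v4/threatMatches:find"
THREAT_TYPES = [
    "MALWARE",
    "SOCIAL_ENGINEERING",
    "UNWANTED_SOFTWARE",
    "POTENTIALLY_HARMFUL_APPLICATION",
]


def normalise_url(site):
    """Accept a bare hostname or a full URL and return a canonical full URL.

    The API matches on full URLs, so 'flagged.example' becomes
    'http://flagged.example/' (scheme added, empty path made '/')."""
    if "://" not in site:
        site = "http://" + site
    parsed = urlparse(site)
    if not parsed.netloc:
        raise ValueError(f"not a URL or hostname: {site!r}")
    if not parsed.path:
        parsed = parsed._replace(path="/")
    return parsed.geturl()


def build_request(sites, client_id="sep-ips-triage", client_version="0.1"):
    """Build the JSON body for threatMatches:find covering every site at once."""
    return {
        "client": {"clientId": client_id, "clientVersion": client_version},
        "threatInfo": {
            "threatTypes": THREAT_TYPES,
            "platformTypes": ["ANY_PLATFORM"],
            "threatEntryTypes": ["URL"],
            "threatEntries": [{"url": normalise_url(s)} for s in sites],
        },
    }


def parse_response(response, sites):
    """Map each queried URL to the threat types reported for it.

    The API returns an empty object ({}) when nothing matched, so every
    queried URL starts with an empty verdict list."""
    verdicts = {normalise_url(s): [] for s in sites}
    for match in response.get("matches", []):
        url = match.get("threat", {}).get("url")
        if url in verdicts:
            verdicts[url].append(match.get("threatType", "UNKNOWN"))
    return verdicts


def lookup(sites, api_key, timeout=10):
    """Query the live API (network access and a valid key required)."""
    body = json.dumps(build_request(sites)).encode("utf-8")
    req = urllib.request.Request(
        f"{LOOKUP_ENDPOINT}?key={api_key}",
        data=body,
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_response(json.load(resp), sites)


# Constructed sample response in the documented shape: one MALWARE match for
# a made-up hostname, nothing for the other queried site.
SAMPLE_RESPONSE = {
    "matches": [
        {
            "threatType": "MALWARE",
            "platformType": "ANY_PLATFORM",
            "threatEntryType": "URL",
            "threat": {"url": "http://flagged.example/"},
            "cacheDuration": "300s",
        }
    ]
}
SAMPLE_SITES = ["flagged.example", "http://clean.example/"]


def triage(verdicts):
    """One line per site: an external verdict corroborates the IPS block,
    while no match is only absence of evidence, not a clean bill."""
    lines = []
    for url, threats in verdicts.items():
        if threats:
            lines.append(f"{url}: flagged ({', '.join(threats)}); keep the IPS block")
        else:
            lines.append(f"{url}: no Safe Browsing match; check other sources before excluding")
    return lines


if __name__ == "__main__":
    # Offline demonstration; use lookup(SAMPLE_SITES, "YOUR_API_KEY") to go live.
    for line in triage(parse_response(SAMPLE_RESPONSE, SAMPLE_SITES)):
        print(line)
```

A match from Safe Browsing is one more independent source agreeing with the SEP signature, which is exactly the reasoning post 5 applies; an empty result only means Google has nothing on that URL right now, so it should not on its own justify excluding the signature.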