Detecting potential attacks and spoofing attempts

You can enable settings that allow Symantec Endpoint Protection to detect and log potential attacks on the client and to block spoofing attempts. All of these options are disabled by default.
Settings that you can enable
Setting
Description
Enable port scan detection
When this setting is enabled, Symantec Endpoint Protection monitors all incoming packets that any security rule blocks. If a rule blocks several different packets on different ports in a short period of time, Symantec Endpoint Protection creates a Security log entry.
Port scan detection does not block any packets. You must create a security policy to block traffic when a port scan occurs.
Enable denial of service detection
Denial of service detection is a type of intrusion detection. When enabled, the client blocks traffic if it detects a pattern from known signatures, regardless of the port number or type of Internet protocol.
Enable anti-MAC spoofing
When this setting is enabled, Symantec Endpoint Protection allows the following incoming and outgoing traffic if a request was made to that specific host:
  • Address resolution protocol (ARP) (IPv4)
  • Neighbor Discovery Protocol (NDP) (IPv6)
    Supported as of version 14.2.
All other unexpected traffic is blocked and an entry is written to the Security log.
To configure these settings in mixed control, you must also enable these settings in the Client User Interface Mixed Control Settings dialog box.
To detect potential attacks and spoofing attempts
  1. In the console, open a Firewall policy.
  2. In the Firewall Policy page, click one of the following:
    • Under Windows Settings: Protection and Stealth
    • Under Mac Settings: Protection
      Mac settings are available only as of version 14.2.
  3. Under Protection Settings, check any of the options that you want to enable.
  4. Click OK.
  5. If you are prompted, assign the policy to a location.
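
The port scan heuristic described in the settings table (several blocked packets on different ports in a short period produce a log entry, with no blocking of its own) can be sketched as a sliding-window check. This is an added example, not Symantec code: the window length, the port threshold, the record layout, and the sample packets are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque

# Assumed thresholds; the page does not state the product's real values.
WINDOW_SECONDS = 5.0
DISTINCT_PORTS = 4

def detect_port_scans(blocked_packets, window=WINDOW_SECONDS, min_ports=DISTINCT_PORTS):
    """Return log entries for sources whose already-blocked packets hit at
    least min_ports distinct ports within `window` seconds.

    blocked_packets: time-ordered (timestamp, src_ip, dst_port) tuples for
    packets that a firewall rule has already blocked."""
    recent = defaultdict(deque)   # src_ip -> (timestamp, dst_port) in window
    alerted = set()               # sources with an open burst (one entry each)
    entries = []
    for ts, src, port in blocked_packets:
        q = recent[src]
        q.append((ts, port))
        while q and ts - q[0][0] > window:   # drop packets older than window
            q.popleft()
        ports = {p for _, p in q}
        if len(ports) >= min_ports:
            if src not in alerted:
                alerted.add(src)
                # Detection only records the event; it blocks nothing.
                entries.append({"time": ts, "source": src,
                                "ports": sorted(ports), "action": "logged"})
        else:
            alerted.discard(src)  # burst ended; a later one logs again
    return entries

# Constructed sample of blocked packets (documentation address ranges).
SAMPLE = [
    (0.0, "192.0.2.10", 22), (0.4, "192.0.2.10", 23),
    (0.9, "192.0.2.10", 80), (1.3, "192.0.2.10", 445),   # 4th port: entry
    (1.5, "192.0.2.10", 3389),                           # same burst: no new entry
    (2.0, "198.51.100.7", 445), (30.0, "198.51.100.7", 445),
    (60.0, "198.51.100.7", 445),                         # one port repeated
    (100.0, "203.0.113.5", 21), (103.0, "203.0.113.5", 22),
    (106.0, "203.0.113.5", 23), (109.0, "203.0.113.5", 25),  # too slow for 5 s
]

if __name__ == "__main__":
    for entry in detect_port_scans(SAMPLE):
        print(entry)
```

The third source in the sample touches four ports but spreads them over nine seconds, so it produces no entry at the assumed five-second window; a slow scan of that shape is the case a time-window heuristic misses.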