Managing intrusion prevention

Protect your endpoints against ransomware and malware with the Intrusion Prevention System (IPS). IPS is the first layer of defense against malware after the firewall on Windows and Mac clients.

What is intrusion prevention and what does it do?

Intrusion Prevention:
  • Blocks over 70% of attacks before they break into your organization’s network. Even after malware breaks into your organization, IPS detects malware in the infestation and exfiltration phase. During this phase, IPS blocks threats as they travel through the network.
  • Detects ransomware attacks by using the URL reputation, which prevents web threats.
  • Is a one-of-a-kind protection that no other security company uses.
IPS blocks malware at the network layer before the payload arrives on the endpoint, as it scans both inbound and outbound network traffic. IPS is able to:
  • Recognize and understand various network protocols and provide custom protection for each type.
  • Use pattern matching to identify unknown and known threats.
  • Block command-and-control (C&C) communications to known malicious URLs and IP addresses using Symantec’s Insight Intelligence.
On Endpoint Security, IPS uses over 400 of audit signatures. Audit signatures are signatures that do not have a default action.
Symantec recommends that you install the client software on servers as well as desktop computers. In addition, Symantec recommends that you move server endpoints to the same group.
For more information about signatures, see:

Step 1: Enable intrusion prevention

IPS is enabled by default so that your computers are always protected.
Symantec recommends that you always keep IPS enabled.
The following IPS capabilities are also enabled by default:
Browser Intrusion Prevention for Windows
IPS web browser signatures allow and block inbound and outbound browser traffic. The Google Chrome browser extension is installed by default in 14.3 RU2 and later.
Symantec Endpoint Protection
Network Intrusion Prevention
Network IPS signatures protect against network attacks.
  • Symantec Endpoint Protection
  • Symantec Endpoint Security
URL reputation
URL reputation detections identify threats from domains and URLs, which can host malicious content like malware, fraud, phishing, and spam, etc.
URL reputation blocks access to web addresses that are identified as known sources of malicious content. The information from visited URLs is sent to Symantec to retrieve a reputation rating.
  • Symantec Endpoint Protection
  • Symantec Endpoint Security
For servers that have the client software installed on them, enable the following settings in the
Intrusion Prevention
Out-of-band scanning
Applies multi-threaded scans to improve performance.
Use signature subset for servers
Applies signatures that prevent the most commonly known threats on servers.
Endpoint Protection performance tuning settings:
Endpoint Security performance tuning settings:
More information

Step 2: Block ransomware by using URL reputation (14.3 RU2 and later)

IPS is the best defense against drive-by downloads, which occur when software is unintentionally downloaded from the Internet. Attackers often use exploit kits to deliver a web-based attack like CryptoLocker through a drive-by download.
In some cases, IPS can block file encryption by interrupting command-and-control (C&C) communication. A C&C server is a computer that an attacker or cybercriminal controls to send commands to systems compromised by malware in order to receive stolen data from a target network.
For 14.3 RU2 and later clients, URL reputation blocks these drive-by downloads, as long as URL reputation is enabled.
Endpoint Protection URL reputation settings:
Endpoint Security URL reputation settings:
More information

Step 3: (Optional) Add custom IPS signatures

To identify a specific intrusion and reduce the possibility of signatures that cause a false positive, you can write your own custom network intrusion prevention signatures. The more information that you can add to a custom signature, the more effective the signature is.
Custom IPS signatures are only available in Symantec Endpoint Protection. They will be available in Symantec Endpoint Security soon.
More information

Step 4: (Optional) Configure a custom notification for client users when IPS detects suspicious activities

When IPS detects suspicious activity on the client, it sends a notification to client users. You can keep the default notification text or replace it with a custom message.
Endpoint Protection notification settings:
More information
Endpoint Security notification settings:

Step 5: (Optional) Run a report on IPS detections

To gain better visibility into IPS detections and the network security posture of your organization, run the following reports:
  • In Symantec Endpoint Protection, run a
    Network and Host Exploit Mitigation
  • In Symantec Endpoint Security, run an
    Intrusion Prevention
Endpoint Protection report settings:
More information
Endpoint Security report settings:

Troubleshooting IPS issues

The IPS signatures detect threats that may or may not be malware. If you think that the signature is not associated with potentially malicious activity in your environment and is a false positive, you can create an exception to prevent IPS from using that signature.
To mitigate a false positive, do one of the following tasks:
  1. Add exceptions.
    You can change the action that IPS takes on any files from
    to reduce the number of false positives.
    To add exceptions
    1. Enable a log-only mode for browser intrusion prevention signatures to record what traffic it blocks without affecting the client user.
    2. Use the Network and Host Exploit Mitigation attack logs in Symantec Endpoint Protection Manager to create exceptions in the Intrusion Prevention policy to ignore specific browser signatures.
    3. Disable log-only mode.
    For more information, see:
  2. Create custom IPS signatures.
    Custom IPS signatures are only available in Symantec Endpoint Protection. They will be available in Symantec Endpoint Security soon.
  3. Exclude specific computers based on their IP addresses so that the IPS engine does not scan them.
    For example, you might exclude computers to allow an Internet service provider to scan the ports in your network to ensure compliance with their service agreements. Or, you might have some computers in your internal network that you want to set up for testing.
    Endpoint Protection excluded hosts settings:
    More information
    Endpoint Security host exclusion settings (in the Allow List):
    More information
  4. If you think that URL reputation triggers a known good URL, submit the URL to the Symantec security team.
    Follow the steps in the following Support article:
    Endpoint Protection exceptions settings:
    Endpoint Security exceptions settings: