Managing intrusion prevention

The default intrusion prevention settings protect client computers against a wide variety of threats. You can change the default settings for your network.
If you run
Symantec Endpoint Protection
on servers, intrusion prevention might affect server resources or response time. For more information, see:
The Linux client does not support intrusion prevention.
Managing intrusion prevention
Learn about intrusion prevention
Learn how intrusion prevention detects and blocks network and browser attacks. See:
Enable intrusion prevention
To keep your client computers secure, you should keep intrusion prevention enabled:
  • Network intrusion prevention
  • Browser intrusion prevention (Windows computers only)
    You can also configure browser intrusion prevention to only log detections, but not block them. You should use this configuration on a temporary basis as it lowers the client's security profile. For example, you would configure log-only mode only while you troubleshoot blocked traffic on the client. After you review the attack log to identify and exclude the signatures that block traffic, you disable log-only mode.
For more information, see:
You can also enable both types of intrusion prevention, as well as the firewall, when you run the
Enable Network Threat Protection
command on a group or client. See:
Create exceptions to change the default behavior of Symantec network intrusion prevention signatures
You might want to create exceptions to change the default behavior of the default Symantec network intrusion prevention signatures. Some signatures block the traffic by default and other signatures allow the traffic by default.
You cannot change the behavior of browser intrusion prevention signatures.
You might want to change the default behavior of some network signatures for the following reasons:
  • Reduce consumption on your client computers.
    For example, you might want to reduce the number of signatures that block traffic. Make sure, however, that an attack signature poses no threat before you exclude it from blocking.
  • Allow some network signatures that Symantec blocks by default.
    For example, you might want to create exceptions to reduce false positives when benign network activity matches an attack signature. If you know the network activity is safe, you can create an exception.
  • Block some signatures that Symantec allows.
    For example, Symantec includes signatures for peer-to-peer applications and allows the traffic by default. You can create exceptions to block the traffic instead.
  • Use audit signatures to monitor certain types of traffic (Windows only)
    Audit signatures have a default action of
    Not log
    for certain traffic types, such as traffic from instant message applications. You can create an exception to log the traffic so that you can view the logs and monitor this traffic in your network. You can then use the exception to block the traffic, create a firewall rule to block the traffic, or leave the traffic alone.
    You can also create an application rule for the traffic.
For more information, see:
You can use application control to prevent users from running peer-to-peer applications on their computers. See:
If you want to block the ports that send and receive peer-to-peer traffic, use a Firewall policy. See:
Create exceptions to ignore browser signatures on client computers
(Windows only)
You can create exceptions to exclude browser signatures from browser intrusion prevention on Windows computers.
You might want to ignore browser signatures if browser intrusion prevention causes problems with browsers in your network. See:
Exclude specific computers from network intrusion prevention scans
You might want to exclude certain computers from network intrusion prevention. For example, some computers in your internal network may be set up for testing purposes. You might want
Symantec Endpoint Protection
to ignore the traffic that goes to and from those computers.
When you exclude computers, you also exclude them from the denial of service protection and port scan protection that the firewall provides. See:
Configure intrusion prevention notifications
By default, messages appear on client computers for intrusion attempts. You can customize the message. See:
Create custom intrusion prevention signatures (Windows only)
You can write your own intrusion prevention signature to identify a specific threat. When you write your own signature, you can reduce the possibility that the signature causes a false positive.
For example, you might want to use custom intrusion prevention signatures to block and log websites. See:
You must have the firewall installed and enabled to use custom IPS signatures. See:
Monitor intrusion prevention
Regularly check that intrusion prevention is enabled on the client computers in your network. See: