How intrusion prevention works

Intrusion prevention automatically detects and blocks network attacks. On Windows computers, intrusion prevention also detects and blocks browser attacks on supported browsers. Intrusion prevention is the second layer of defense after the firewall to protect client computers. Intrusion prevention is sometimes called the intrusion prevention system (IPS).
Intrusion prevention intercepts data at the network layer. It uses signatures to scan packets or streams of packets. It scans each packet individually by looking for the patterns that correspond to network attacks or browser attacks. Intrusion prevention detects attacks on operating system components and the application layer.
Types of intrusion prevention
Network intrusion prevention
Network intrusion prevention uses signatures to identify attacks on client computers. For known attacks, intrusion prevention automatically discards the packets that match the signatures.
You can also create your own custom network signatures in
Symantec Endpoint Protection Manager
. You cannot create custom signatures on the client directly; however, you can import custom signatures on the client. Custom signatures are supported on Windows computers only. See:
Browser intrusion prevention (Windows only)
Browser intrusion prevention monitors attacks on Internet Explorer and Firefox. Browser intrusion prevention is not supported on any other browsers.
Firefox might disable the Symantec Endpoint Protection plug-in, but you can turn it back on.
This type of intrusion prevention uses attack signatures as well as heuristics to identify attacks on browsers.
For some browser attacks, intrusion prevention requires that the client terminate the browser. A notification appears on the client computer.
For the latest information about the browsers that browser intrusion prevention protects, see:
More information