Managing intrusion prevention in Symantec Endpoint Security

Protect your endpoints against ransomware and malware with intrusion prevention -- sometimes called the Intrusion Prevention System (IPS).

What is intrusion prevention and what does it do?

Intrusion prevention is the first layer of defense against malware after the firewall on Windows and Mac clients.
  • Intrusion prevention blocks over 70% of attacks before they break into your organization’s network. Even after malware breaks into your organization, IPS detects malware in the infestation and exfiltration phase. During this phase, IPS blocks threats as they travel through the network.
  • IPS detects ransomware attacks by using the URL reputation, which prevents web threats.
  • IPS is a one-of-a-kind protection that no other security company uses.
IPS blocks malware at the network layer before the payload arrives on the endpoint, as it scans both inbound and outbound network traffic. IPS is able to:
  • Recognize and understand various network protocols and provide custom protection for each type.
  • Use pattern matching to identify unknown and known threats.
  • Block command-and-control (C&C) communications to known malicious URLs and IP addresses using Symantec’s Insight Intelligence.
On
Endpoint Security
, IPS uses over 400 of audit signatures. Audit signatures are signatures that do not have a default action.
Symantec recommends that you install the client software on servers as well as desktop computers. In addition, Symantec recommends that you move server endpoints to the same group.

Step 1: Enable intrusion prevention

IPS is enabled by default so that your computers are always protected.
Symantec recommends that you always keep IPS enabled.
The following IPS capabilities are also enabled by default:
Capability
Description
Network Intrusion Prevention
Network IPS signatures protect against network attacks.
URL reputation
URL reputation detections identify threats from domains and URLs, which can host malicious content like malware, fraud, phishing, and spam, etc.
URL reputation blocks access to web addresses that are identified as known sources of malicious content. The information from visited URLs is sent to Symantec to retrieve a reputation rating.
For servers that have the client software installed on them, enable the following settings in the
Intrusion Prevention
policy:
Out-of-band scanning
Applies multi-threaded scans to improve performance.
Use signature subset for servers
Applies signatures that prevent the most commonly known threats on servers.
Server performance tuning settings:
For more information about tuning settings, see:

Step 2: Block ransomware by using URL reputation (14.3 RU2 and later)

IPS is the best defense against drive-by downloads, which occur when software is unintentionally downloaded from the Internet. Attackers often use exploit kits to deliver a web-based attack like CryptoLocker through a drive-by download.
In some cases, IPS can block file encryption by interrupting command-and-control (C&C) communication. A C&C server is a computer that an attacker or cybercriminal controls to send commands to systems compromised by malware in order to receive stolen data from a target network.
For 14.3 RU2 and later clients, URL reputation blocks these drive-by downloads, as long as URL reputation is enabled.
URL reputation settings:
For more information about URL reputation settings, see:

Step 3: (Optional) Configure a custom notification for client users when IPS detects suspicious activities

When IPS detects suspicious activity on the client, it sends a notification to client users. You can keep the default notification text or replace it with a custom message.
Notification settings:

Step 4: (Optional) Run a report on IPS detections

To gain better visibility into IPS detections and the network security posture of your organization, run the
Intrusion Prevention
report.
Report settings:

Troubleshooting IPS issues

The IPS signatures detect threats that may or may not be malware. If you think that the signature is not associated with potentially malicious activity in your environment and is a false positive, you can create an exception to prevent IPS from using that signature.
To mitigate a false positive, do one of the following tasks:
  1. Add exceptions.
    You can change the action that IPS takes on any files from
    Block
    to
    Allow
    to reduce the number of false positives.
    To add exceptions
    1. Enable a log-only mode for browser intrusion prevention signatures to record what traffic it blocks without affecting the client user.
    2. Use the Network and Host Exploit Mitigation attack logs in Symantec Endpoint Protection Manager to create exceptions in the Intrusion Prevention policy to ignore specific browser signatures.
    3. Disable log-only mode.
    For more information, see:
  2. Exclude specific computers based on their IP addresses so that the IPS engine does not scan them.
    For example, you might exclude computers to allow an Internet service provider to scan the ports in your network to ensure compliance with their service agreements. Or, you might have some computers in your internal network that you want to set up for testing.
    Host exclusion settings (in the Allow List):
    For more information about host exclusion settings, see:
  3. If you think that URL reputation triggers a known good URL, submit the URL to the Symantec security team.
    Follow the steps in the following Support article:
    Signature Action Exceptions settings: