A group of Symantec Endpoint Protection clients is detecting traffic that is known with absolute certainty to be a False Positive (FP). You want to know how to add an exception to the Intrusion Prevention (IPS) Policy so that traffic matching this specific Signature ID is allowed.
The SEP clients receive pop-ups and log entries similar to:
Symantec Endpoint Protection
Traffic from IP address x.x.x.x is blocked from [date][time] to [date][time]
The applied Intrusion Prevention Policy is blocking a specific ID and denying traffic from the specific IP address associated with it.
To create an exception for Intrusion Prevention Policy to allow a specific ID:
- Log in to the Symantec Endpoint Protection Manager (SEPM) console.
- Click Policies > Intrusion Prevention.
- Select the Intrusion Prevention policy you wish to update and click Edit the policy.
- Click Exceptions > Add and select the desired ID(s) from the exceptions list.
- Click Next >>, change the action from Block to Allow, and click OK to save your changes.
- Confirm the exception is present in the Intrusion Prevention Exceptions list and click OK to save the policy.
- Ensure this policy is applied to the SEP client group which is affected.
Use the above procedure, and any other exclusions, with great caution. If you suspect a False Positive, the best approach is to submit a network capture (.pcap file) of the traffic that triggers the detection to Security Response. Create a test SEP client group containing only one SEP client, disable the IPS signature for that client only, and keep it disabled just long enough to record the .pcap. Wait until the False Positive submission has been confirmed before taking any further action, so that the exception is never applied more widely than necessary. For more information, see Best Practice for Responding to Suspected IPS False Positives in Symantec Endpoint Protection.