How does the Browser Intrusion Prevention System (IPS) feature of Symantec Endpoint Protection (SEP) and Symantec Endpoint Security (SES) function?
Browser Intrusion Prevention System (Browser IPS) is an advanced protection feature included with the SEP and SES clients. This technology works in conjunction with, but is separate from, the Client Intrusion Detection System (CIDS) used by the client's firewall-based IPS engine.
Browser IPS intercepts VBScript, JavaScript and ActiveX calls running in the browser as they are executed, inspecting the parameters of these calls for exploits of vulnerabilities. This allows the Browser IPS engine to detect exploit code which would otherwise have been hidden or obfuscated from other detection methods, including the CIDS engine.
Browser IPS utilizes a browser extension to provide this protection. For more information on supported browser versions, see Supported Browser versions for Browser Intrusion Prevention.
How to enable or disable Browser IPS
Browser IPS can be disabled or enabled through the client UI, through the client IPS policy on the Symantec Endpoint Protection Manager (SEPM), or through the SES cloud console.
From the local client:
On the SEPM:
On the SES cloud console:
Please note that disabling Browser Intrusion Prevention by policy in this manner does not actually disable the extension within the browser. Instead, the add-on enters a passthrough mode in which it performs no filtering.
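The following added example (not Symantec code, and not a description of how the product is implemented) illustrates the two behaviours described above: inspecting a call's parameters at execution time sees a value that a scan of the script source misses, and a hook in passthrough mode stays installed but performs no filtering. The host object, signature, page script and all function names are hypothetical and constructed for this illustration.

```javascript
// Hypothetical signature: a constructed marker standing in for a known-bad parameter.
const SIGNATURE = /unsafe-marker/;

// Source-level check: only sees the script text as it was delivered.
function staticScan(scriptSource) {
  return SIGNATURE.test(scriptSource);
}

// Call-time check: wraps a scriptable method and inspects the evaluated arguments.
// policy.enabled === false models passthrough mode: the wrapper remains in place
// but forwards every call unchanged.
function installHook(target, method, policy, log) {
  const original = target[method];
  target[method] = function (...args) {
    if (policy.enabled) {
      const hit = args.find((a) => typeof a === "string" && SIGNATURE.test(a));
      if (hit !== undefined) {
        log.push({ method, blocked: true });
        return undefined; // the call is dropped before it reaches the real API
      }
    }
    return original.apply(this, args);
  };
}

// Constructed page script: the marker never appears literally in the source,
// it only exists once the expression has been evaluated.
const pageScript = 'host.open(["un", "safe-", "mar", "ker"].join(""));';

function runDemo(enabled) {
  const reached = []; // arguments that reached the real method
  const log = [];     // detections recorded by the hook
  const host = { open(arg) { reached.push(arg); return "opened"; } };
  installHook(host, "open", { enabled }, log);
  new Function("host", pageScript)(host); // execute the constructed script
  return {
    staticHit: staticScan(pageScript),
    blocked: log.length,
    reached: reached.length,
  };
}

console.log("filtering:", runDemo(true), "passthrough:", runDemo(false));
```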
Browser IPS detection flow
The following is an example of how Browser IPS can help prevent browser-based threats that would have otherwise gone undetected: