Expected behavior of SEP/SES Browser Intrusion Prevention

Article ID: 155234


Products

Endpoint Protection

Issue/Introduction

How does the Browser Intrusion Prevention System (IPS) feature of Symantec Endpoint Protection (SEP) and Symantec Endpoint Security (SES) function?

Resolution

Browser Intrusion Prevention System (Browser IPS) is an advanced protection feature included with the SEP and SES clients. This technology works in conjunction with, but is separate from, the Client Intrusion Detection System (CIDS) used by the client firewall-based IPS engine in the client.

Browser IPS intercepts VBScript, JavaScript and ActiveX calls running in the browser as they are executed, inspecting the parameters of these calls for exploits of vulnerabilities. This allows the Browser IPS engine to detect exploit code which would otherwise have been hidden or obfuscated from other detection methods, including the CIDS engine.

Browser IPS utilizes a browser extension to provide this protection. For more information on supported browser versions, see Supported Browser versions for Browser Intrusion Prevention.

How to enable or disable Browser IPS

Browser IPS can be disabled or enabled through the client UI, through the client IPS policy on the Symantec Endpoint Protection Manager (SEPM), or through the SES cloud console.

From the local client:

  1. Open the SEP client interface
  2. Select the Change Settings tab
  3. Click the Configure Settings button in the Network and Host Exploit Mitigation section
  4. Select the Intrusion Prevention tab on the Network and Host Exploit Mitigation Settings window
  5. Select or deselect the Enable Browser Intrusion Prevention check box to enable/disable Browser IPS

On the SEPM:

  1. Log in to the SEPM Console
  2. Select the Policies tab
  3. Select Intrusion Prevention in the Policies pane
  4. Ensure the Intrusion Prevention Policies tab is selected
  5. Open or create an Intrusion Prevention policy for editing
  6. Select the Settings tab in the policy editor window
  7. Select or deselect the Enable Browser Intrusion Prevention check box to enable/disable Browser IPS
  8. Click the OK button to save the changes to the policy

On the SES cloud console:

  1. Log in to the SES Console
  2. Select the Policies tab
  3. Open the Intrusion Prevention Policy to be edited
  4. Under Advanced Settings, toggle Browser Protection to enable/disable Browser IPS
  5. Click Save to save the changes to the policy

Please note that disabling Browser Intrusion Prevention by policy in this manner does not actually disable the extension within the browser. Instead, the add-on enters a passthrough mode in which it performs no filtering.

Browser IPS detection flow

The following is an example of how Browser IPS can help prevent browser-based threats that would have otherwise gone undetected:

  1. A user browses to a Web site hosting malicious scripts
    • The malicious code is obfuscated, requiring execution of the script before the code is readable
  2. The browser starts executing the JavaScript embedded on the page while rendering the web page
  3. All of the obfuscation code is executed, removing the obfuscation
  4. The Browser IPS engine intercepts the code before it can execute and determines the code exploits a vulnerability
  5. The SEP client takes the following actions:
    1. Blocks the attack
    2. Displays a browser attack notification
    3. Writes a log entry for the browser attack in the SEP Security log
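
The flow above, and the passthrough behaviour noted earlier, as a minimal model in JavaScript. This is an added example, not Symantec's implementation: the `guard` wrapper, the `api.render` sink, the marker string and the page script are all constructed for illustration.

```javascript
// Added illustration, not Symantec code; every name here is hypothetical.
const MARKER = 'EXAMPLE-EXPLOIT-MARKER';      // constructed, harmless stand-in
const SIGNATURES = [/EXAMPLE-EXPLOIT-MARKER/]; // constructed signature set
const matchesSignature = (text) => SIGNATURES.some((re) => re.test(String(text)));

// Constructed page script: the marker is stored as character codes, so it is
// absent from the source text and only exists once the script has run.
const codes = Array.from(MARKER, (c) => c.charCodeAt(0)).join(',');
const pageScript = `
  api.render('hello');
  api.render(String.fromCharCode(${codes}));
`;

// Wrap every function on `api` so its arguments are inspected at call time.
// With enabled === false the wrapper stays installed but forwards everything,
// which models the passthrough mode described above.
function guard(api, log, enabled) {
  return new Proxy(api, {
    get(target, name) {
      const original = target[name];
      if (typeof original !== 'function') return original;
      return (...args) => {
        if (enabled && args.some((a) => matchesSignature(a))) {
          log.push({ call: String(name), action: 'blocked' });
          return undefined; // the real call never runs
        }
        return original.apply(target, args);
      };
    },
  });
}

function runDemo(enabled) {
  const rendered = [];
  const log = [];
  const api = { render: (s) => rendered.push(s) };
  const staticHit = matchesSignature(pageScript); // scan of the source text
  new Function('api', pageScript)(guard(api, log, enabled));
  return { staticHit, rendered, log };
}

console.log(runDemo(true));  // filtering on
console.log(runDemo(false)); // passthrough
```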
