Some Symantec Endpoint Protection for Macintosh (SEP for Mac) IPS detections occur despite host exceptions, and there are no exception signatures for the detected IDs. Macintosh IPS exceptions cannot be defined for the detection because the signature ID is not listed in the SEPM IPS Exceptions dialog. Detected attacks will result in an automatic 10-minute block of the attacker's IP address. In the Windows SEP product this auto-block can be turned off or the duration changed but as of yet the SEP Macintosh auto-block feature is not configurable.
Example pop-up on SEP Macintosh client for "brute force remote logon":
Details of example event in SEPM Logs: Network Threat Protection: Attacks:
Host exceptions by IP range do not work. IP exceptions defined as by single IP addresses may be used as a work-around. This issue is fixed in Symantec Endpoint Protection 12.1 RU6.
"Brute force remote login" in particular (signature ID 99995) is absent from the SEPM exception list by design. Brute force attack is detected by monitoring system log on client, and it is a detection only---no traffic is blocked.