Responding to suspected IPS false positives in Endpoint Protection
Last Updated June 04, 2018
The Intrusion Prevention System (IPS) of a Symantec Endpoint Protection (SEP) client is being triggered by traffic to a website that is believed to be safe, or unusual, unexpected IPS events are being seen from a SEP client.
Do not assume that unexpected events are False Positives! Legitimate websites and public-facing internal webservers may have been compromised by an attacker to serve malware, or malicious advertisements on those pages (malvertisements) may be attempting to redirect visitors to a site hosting a drive-by download for vulnerable browsers. Also, malware that is not yet caught by SEP’s AntiVirus component may be silently active on a computer; the IPS events that block its malicious traffic are then a “red flag” that an infection is present. Consider all IPS events carefully and perform a Threat Analysis Scan on any computer which is triggering a “System Infected” IPS event.
If the IPS event is believed to be a False Positive (FP), please follow these steps:
1. Ensure that the SEP client has the latest available IPS definitions in place. Run LiveUpdate, or check that the “Network Threat Protection” definition date on the client matches the latest available date listed on Security Updates.
2. Note whether the intrusion is inbound or outbound, note the source and destination IP address (or domain), and note the exact IPS event number and name. (These details must be provided when reporting the suspected False Positive.)
3. If the IPS event occurs when simply accessing a public website, copy the exact URL and the details necessary to reproduce the issue.
4. Provide the URL and details (from step 3, above) or the .pcap (packet capture) to Symantec's False Positive Submission Site. Be sure to specify that this is an IPS (“Network Intrusion Detection”) detection rather than a suspected False Positive on a file.
5. While the reported FP is being investigated, administrators may temporarily disable the signature if they are extremely confident that this is a False Positive and the IPS event is disrupting crucial business processes. Apply exclusions with great caution.
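The following Python script is an added example, not part of this article or of any Symantec tooling. It walks through the triage the steps above describe: it checks the definition date (step 1), collects the direction, endpoints, event number and name that a submission needs (step 2), flags hosts showing “System Infected” events for a Threat Analysis Scan instead of an exclusion, and refuses to recommend a temporary exclusion (step 5) where such a host is involved. The CSV record layout, the signature numbers and names, and the hosts and domains are all constructed for the example and are not SEP’s real log format or real signature identifiers.

```python
"""Triage helper for suspected SEP IPS false positives (added example, not Symantec code)."""
import csv
import io
from datetime import date

# Constructed sample IPS events. Assumption: this simplified CSV layout is NOT
# SEP's actual log format; signature IDs/names, hosts and domains are invented.
SAMPLE_EVENTS = """\
time,direction,local_ip,remote,sig_id,sig_name,action
2018-06-01T09:14:02,Outbound,10.0.0.15,intranet.example.test,20000,Web Attack: Example Signature A,Blocked
2018-06-01T09:15:10,Outbound,10.0.0.15,intranet.example.test,20000,Web Attack: Example Signature A,Blocked
2018-06-01T10:02:44,Outbound,10.0.0.15,203.0.113.9,20001,System Infected: Example Trojan Activity,Blocked
2018-06-01T11:30:01,Outbound,10.0.0.22,intranet.example.test,20000,Web Attack: Example Signature A,Blocked
2018-06-01T12:05:19,Inbound,10.0.0.30,192.0.2.44,20002,Example Signature B,Blocked
"""


def parse_events(text):
    """Parse the constructed CSV text into a list of event dicts (sig_id as int)."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        row["sig_id"] = int(row["sig_id"])
        events.append(row)
    return events


def definitions_current(client_def_date, latest_published_date):
    """Step 1: the client's IPS definition date must be at least the latest published date."""
    return client_def_date >= latest_published_date


def hosts_needing_threat_scan(events):
    """Hosts with any 'System Infected' event may carry active malware: scan them, do not exclude."""
    return sorted({e["local_ip"] for e in events if e["sig_name"].startswith("System Infected")})


def fp_submission_summary(events, sig_id):
    """Step 2: gather direction, endpoints, event number and name for one signature."""
    hits = [e for e in events if e["sig_id"] == sig_id]
    if not hits:
        return None
    return {
        "sig_id": sig_id,
        "sig_name": hits[0]["sig_name"],
        "directions": sorted({e["direction"] for e in hits}),
        "local_ips": sorted({e["local_ip"] for e in hits}),
        "remotes": sorted({e["remote"] for e in hits}),
        "count": len(hits),
    }


def exclusion_advisable(events, sig_id):
    """Step 5 guard: a temporary exclusion is never advisable for a 'System Infected'
    signature, nor for a signature that fires on a host that also shows such events."""
    summary = fp_submission_summary(events, sig_id)
    if summary is None or summary["sig_name"].startswith("System Infected"):
        return False
    infected = set(hosts_needing_threat_scan(events))
    return not (set(summary["local_ips"]) & infected)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print("definitions current:", definitions_current(date(2018, 6, 4), date(2018, 6, 4)))
    print("hosts to scan first:", hosts_needing_threat_scan(evs))
    for sid in sorted({e["sig_id"] for e in evs}):
        print(fp_submission_summary(evs, sid), "exclusion advisable:", exclusion_advisable(evs, sid))
```

In the constructed data, signature 20000 looks like a candidate False Positive (it fires only on an internal host name), but one of the hosts it fires on also has a “System Infected” event, so the helper reports the submission details yet declines to recommend an exclusion until that host has been scanned; signature 20002 on a clean host is the only one where a temporary exclusion passes the guard.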