Intrusion Prevention exceptions may not work in Endpoint Protection versions 12.1.x using CIDS 16.1.4
Last Updated November 13, 2017
Intrusion Prevention System (IPS) exceptions may not work correctly for some signatures on Symantec Endpoint Protection (SEP) clients versions 12.1.x which are using the CIDS engine version 16.1.4. For example: test systems that host vulnerability scanners may still generate "blocked and logged" events for outgoing traffic, even though the related intrusion signature exceptions have been configured to "allow and do not log".
This is due to the CIDS 16.1.4 engine looking for a "SiloId" registry value during some operations. This value is expected to be in the IPS driver's service registry key under HKLM\SYSTEM\CurrentControlSet\services\IDSVia64\Parameters (on 64-bit systems), but it is missing in SEP 12.1.x.
The missing SiloId value should be present in SEP 14 and newer so those versions are unaffected.
This will otherwise be addressed in the next version of the CIDS engine, released through LiveUpdate.
In the short term, customers can add the missing SiloId value by copying it from the "silo" value under HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection (on 64-bit systems). A batch-scripted example of doing this would be as follows (also for a 64-bit system). This is a suggestion only; please test any scripts before using them in production. Note the use of backticks in the batch example, not single quotes.
rem Read the "silo" value written by the SEP client. skip=2 drops the blank line and
rem the key-name line of reg query's output; tokens=2,* leaves the data in %%M.
for /f "usebackq tokens=2,* skip=2" %%L in (
`reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection" /v silo`
) do set SILO=%%M
if not defined SILO (echo silo value not found under the SEP key & exit /b 1)
rem Write it as the SiloId string value that the CIDS 16.1.4 engine looks for.
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\IDSVia64\Parameters" /v SiloId /t REG_SZ /d "%SILO%"
After setting SiloId, make a change to IPS exceptions policy so that SEP will update the driver settings and IPS signature exceptions should resume working as expected.
The registry paths for 32-bit systems are:
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\IDSVia86
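The following PowerShell script is an added example, not part of the Symantec article and not Symantec's own tooling. It performs the same fix as the batch example above but first reports the current state, picks the 32-bit or 64-bit paths automatically, refuses to overwrite an existing SiloId that differs from the SEP "silo" value, and only writes the registry when run with -Fix. It assumes the registry locations named in the article; the Parameters subkey under IDSVia86 on 32-bit systems is assumed by analogy with the 64-bit path, and the script must be run from an elevated prompt.

```powershell
# Added example (not from the Symantec article): report whether the IPS driver's
# SiloId value is present and matches SEP's "silo" value, and create it if missing.
# Run elevated. Without -Fix the script only reports; -WhatIf previews the write.
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$Fix
)

if ([Environment]::Is64BitOperatingSystem) {
    $sepKey    = 'HKLM:\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection'
    $driverKey = 'HKLM:\SYSTEM\CurrentControlSet\services\IDSVia64\Parameters'
} else {
    # 32-bit paths from the article; the Parameters subkey is assumed by analogy.
    $sepKey    = 'HKLM:\SOFTWARE\Symantec\Symantec Endpoint Protection'
    $driverKey = 'HKLM:\SYSTEM\CurrentControlSet\services\IDSVia86\Parameters'
}

# Source value written by the SEP client installer.
$silo = (Get-ItemProperty -Path $sepKey -Name silo -ErrorAction SilentlyContinue).silo
if ([string]::IsNullOrEmpty($silo)) {
    throw "No 'silo' value found under $sepKey; is the SEP client installed?"
}

if (-not (Test-Path -Path $driverKey)) {
    throw "IPS driver key $driverKey not found; is the IPS component installed?"
}

# Value the CIDS 16.1.4 engine looks for; missing on SEP 12.1.x clients.
$current = (Get-ItemProperty -Path $driverKey -Name SiloId -ErrorAction SilentlyContinue).SiloId

if ($null -eq $current) {
    Write-Output "SiloId is missing under $driverKey (SEP silo = $silo)"
    if ($Fix -and $PSCmdlet.ShouldProcess($driverKey, "Create SiloId = $silo")) {
        New-ItemProperty -Path $driverKey -Name SiloId -PropertyType String -Value $silo | Out-Null
        Write-Output "SiloId created. Now change the IPS exceptions policy so the client refreshes its driver settings."
    }
} elseif ($current -ne $silo) {
    # A mismatch is worth a look before anything is changed; do not overwrite it silently.
    Write-Warning "SiloId ($current) does not match SEP silo ($silo); leaving it unchanged."
} else {
    Write-Output "SiloId already present and matches SEP silo ($silo); no action needed."
}
```

Running the script with no switches on a fleet of 12.1.x clients is a quick way to confirm which machines are affected before changing anything; rerun it after the policy change to verify the value is still present.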