Endpoint for Mac users receive "Vulnerability BLOCKED" popups for ARP traffic even though anti-MAC spoofing is disabled
Last Updated June 13, 2019
SEP (Symantec Endpoint Protection) for Mac users receive "Vulnerability BLOCKED" popups for ARP traffic, with "ARP Cache Poison" shown in the SEP Vulnerability log details. This happens even though the anti-MAC spoofing setting is disabled in the Mac Firewall policy settings at the SEPM (SEP Manager).
SEP for Mac versions 14.2.x
"Vulnerability BLOCKED" popups on desktop.
"ARP Cache Poison" in SEP Vulnerability log details.
This is caused by remnants of Mac IPS (Intrusion Protection) policy settings from an older SEPM that has been upgraded to 14.2.x, along with the clients. That version of SEP for Mac should not alert users about ARP traffic or log it; the traffic is handled silently as long as IPS is enabled. The "anti-MAC spoofing" checkbox in the Mac firewall policy settings has no effect.
Re-create the IPS policy from scratch at the SEPM so that the old Mac policy settings are no longer present.