Channel: Symantec Connect - Endpoint Protection - Discussions

SEP IPS blocking outbound traffic from vulnerability scanner

I need a solution

We are running SEP 12.1.4013.4013 on management servers and all clients.  I have been experiencing problems getting a vulnerability scanner (Nessus) to run on a server with a SEP IPS policy applied, even though I have added the scanner IP to the "excluded hosts" list.

I have seen a similar issue reported in this article (https://www-secure.symantec.com/connect/forums/ips-blocking-traffic-internal-vulnerability-check-server) and read the associated documentation (http://www.symantec.com/docs/HOWTO81159).  I have also read the Installation and Administration Guide PDF included with the SEP software.  The documentation clearly states: "The client allows all inbound traffic and outbound traffic from these hosts, regardless of the firewall rules and settings or IPS signatures." (emphasis added)

I have followed the steps in HOWTO81159 to set up the vulnerability scanner IP as an excluded host, but the IPS signatures still block the outbound traffic.  The location-specific settings are set to "server control" and I have verified the SEP policy version has had enough time to sync with the client.  But it's not until I totally remove the IPS policy from the group that the scanner is in, that the scanner works successfully.

Has anyone else been able to successfully exclude a host IP (especially a Nessus scanner) from an IPS policy and actually prove that it works?

Many thanks!
Scott

PS. I currently have an open ticket with Symantec Support on this issue (who have so far said that I can't exclude a host from the IPS rules - contrary to the documentation and HOWTO article above?!?), so I'm seeking practical experience from the community.

