Symantec intrusion security policy

Protect your endpoints against ransomware and malware with the Intrusion Prevention System (IPS). IPS is the first layer of defense against malware after the firewall on Windows and Mac clients.

What is intrusion prevention and what does it do? Intrusion Prevention:

Blocks over 70% of attacks before they break into your organization’s network. Even after malware breaks into your organization, IPS detects malware in the infestation and exfiltration phase. During this phase, IPS blocks threats as they travel through the network.

Detects ransomware attacks by using URL reputation, which prevents web threats. This is a one-of-a-kind protection that no other security company uses.

IPS blocks malware at the network layer before the payload arrives on the endpoint, as it scans both inbound and outbound network traffic. IPS is able to:

Recognize and understand various network protocols and provide custom protection for each type. Use pattern matching to identify unknown and known threats.

Block command-and-control (C&C) communications to known malicious URLs and IP addresses using Symantec’s Insight Intelligence.

On Endpoint Security, IPS uses over 400 audit signatures. Audit signatures are signatures that do not have a default action.

Symantec recommends that you install the client software on servers as well as desktop computers. In addition, Symantec recommends that you move server endpoints to the same group.

For more information about signatures, see:

Step 1: Enable intrusion prevention

IPS is enabled by default so that your computers are always protected. Symantec recommends that you always keep IPS enabled. The following IPS capabilities are also enabled by default:

Capability: Browser protection (Browser Intrusion Prevention for Windows)
Description: IPS web browser signatures allow and block inbound and outbound browser traffic. The Google Chrome browser extension (14.3 RU2 and later) and Microsoft InTune extension (14.3 RU8 and later) are installed by default.

Capability: Network Intrusion Prevention
Description: Network IPS signatures protect against network attacks.

Capability: URL reputation
Description: URL reputation detections identify threats from domains and URLs that can host malicious content such as malware, fraud, phishing, and spam. URL reputation blocks access to web addresses that are identified as known sources of malicious content. The information from visited URLs is sent to Symantec to retrieve a reputation rating.

If the Endpoint Security/Endpoint Protection URL Reputation feature incorrectly detects a URL as hosting malicious content (a false positive), submit the URL as a false positive. See: A URL is believed to be incorrectly detected by the Endpoint Security/Endpoint Protection URL Reputation feature resulting in a False Positive.

For servers that have the client software installed on them, enable the following settings in the Intrusion Prevention policy:

Out-of-band scanning: Applies multi-threaded scans to improve performance.

Use signature subset for servers: Applies signatures that prevent the most commonly known threats on servers.

Endpoint Protection performance tuning settings:

Endpoint Security performance tuning settings:

For more information about tuning settings, see:

Step 2: Block ransomware by using URL reputation (14.3 RU2 and later)

IPS is the best defense against drive-by downloads, which occur when software is unintentionally downloaded from the Internet. Attackers often use exploit kits to deliver a web-based attack like CryptoLocker through a drive-by download.

In some cases, IPS can block file encryption by interrupting command-and-control (C&C) communication. A C&C server is a computer that an attacker or cybercriminal controls to send commands to systems compromised by malware and to receive stolen data from a target network.

For 14.3 RU2 and later clients, URL reputation blocks these drive-by downloads, as long as URL reputation is enabled.
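The mechanisms described on this page (protocol-aware pattern matching, blocking of C&C traffic to known-bad URLs and IP addresses, audit signatures that have no default action, and URL reputation stopping a drive-by download only while it is enabled) can be illustrated with a small model of how such an engine decides. The Python below is an added example written for this page; it is not Symantec's code and does not reflect how the product is implemented internally. The signature patterns, the reputation tables, every hostname and IP address, and the Signature/Flow/Policy names are all constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed reputation tables standing in for the cloud reputation lookup
# (the real product sends visited URLs to Symantec for a rating).
URL_REPUTATION = {
    "downloads.bad.example": "malicious",   # constructed: drive-by download host
    "c2.bad.example": "malicious",          # constructed: C&C domain
    "cdn.good.example": "good",
}
IP_REPUTATION = {"203.0.113.45": "malicious"}  # constructed, RFC 5737 range

@dataclass(frozen=True)
class Signature:
    sid: str
    protocol: str            # "http", "dns" or "any": which protocol parser the rule belongs to
    pattern: re.Pattern      # content pattern run against the raw payload
    action: Optional[str]    # "block", "log", or None for an audit signature (no default action)
    description: str

@dataclass(frozen=True)
class Flow:
    protocol: str
    direction: str           # "inbound" or "outbound": IPS inspects both
    dst_ip: str
    host: str = ""           # HTTP Host / DNS query name, if the parser extracted one
    payload: bytes = b""

# Constructed rules, one per protocol parser.
SIGNATURES = [
    # An HTTP response that claims to be an image but carries a PE ("MZ") header.
    Signature("HTTP-PE-AS-IMAGE", "http",
              re.compile(rb"Content-Type: image/[a-z]+\r\n(?:[^\r\n]+\r\n)*\r\nMZ"),
              "block", "PE executable delivered as an image"),
    # Audit signature: action is None, so the policy's audit setting decides what happens.
    Signature("AUDIT-BASIC-AUTH", "http",
              re.compile(rb"\r\nAuthorization: Basic [A-Za-z0-9+/=]+"),
              None, "Cleartext HTTP Basic credentials"),
    # A very long DNS label, a common indicator that a tunnelling rule looks for.
    Signature("DNS-LONG-LABEL", "dns", re.compile(rb"[A-Za-z0-9]{50,}"),
              "log", "Suspiciously long DNS label"),
]

@dataclass
class Policy:
    ips_enabled: bool = True
    url_reputation_enabled: bool = True
    audit_action: Optional[str] = None   # what audit signatures do; None means log only

@dataclass
class Verdict:
    action: str              # "allow", "log" or "block"
    reasons: List[str]

SEVERITY = {"allow": 0, "log": 1, "block": 2}

def reputation_check(flow: Flow) -> Optional[str]:
    """Return a reason string if the destination host or IP has a malicious rating."""
    if flow.host and URL_REPUTATION.get(flow.host) == "malicious":
        return f"url-reputation:{flow.host}"
    if IP_REPUTATION.get(flow.dst_ip) == "malicious":
        return f"ip-reputation:{flow.dst_ip}"
    return None

def inspect(flow: Flow, policy: Policy) -> Verdict:
    """Reputation first (no payload needed), then protocol-specific signature matching."""
    if not policy.ips_enabled:
        return Verdict("allow", [])
    actions, reasons = ["allow"], []
    if policy.url_reputation_enabled:
        hit = reputation_check(flow)
        if hit:
            reasons.append(hit)
            actions.append("block")
    for sig in SIGNATURES:
        if sig.protocol not in ("any", flow.protocol):
            continue                     # rule belongs to a different protocol parser
        if sig.pattern.search(flow.payload):
            action = sig.action if sig.action is not None else (policy.audit_action or "log")
            reasons.append(f"{sig.sid}:{action}")
            actions.append(action)
    return Verdict(max(actions, key=SEVERITY.__getitem__), reasons)

# Constructed sample traffic, in the order: drive-by host, PE-as-image, Basic auth,
# long DNS label, connection to a malicious IP.
SAMPLE_FLOWS = [
    Flow("http", "outbound", "198.51.100.10", host="downloads.bad.example",
         payload=b"GET /update.jpg HTTP/1.1\r\nHost: downloads.bad.example\r\n\r\n"),
    Flow("http", "inbound", "198.51.100.20", host="cdn.good.example",
         payload=b"HTTP/1.1 200 OK\r\nContent-Type: image/jpeg\r\nContent-Length: 2\r\n\r\nMZ\x90"),
    Flow("http", "outbound", "198.51.100.30", host="intranet.good.example",
         payload=b"GET / HTTP/1.1\r\nHost: intranet.good.example\r\nAuthorization: Basic dXNlcjpwYXNz\r\n\r\n"),
    Flow("dns", "outbound", "198.51.100.53", payload=b"\x00" + b"a" * 60 + b".bad.example"),
    Flow("tcp", "outbound", "203.0.113.45", payload=b"\x17\x03\x03\x00\x10"),
]

def run_samples(policy: Policy) -> List[str]:
    """Decision for each sample flow under the given policy."""
    return [inspect(f, policy).action for f in SAMPLE_FLOWS]

if __name__ == "__main__":
    for flow, verdict in zip(SAMPLE_FLOWS, (inspect(f, Policy()) for f in SAMPLE_FLOWS)):
        print(f"{flow.protocol:4} {flow.direction:8} {flow.dst_ip:15} -> {verdict.action:5} {verdict.reasons}")
```

Two policy knobs are worth trying: with Policy(url_reputation_enabled=False) the first flow is allowed, since nothing in its payload matches a signature and the reputation check is the only thing that stops it, which is the point of "as long as URL reputation is enabled"; with Policy(audit_action="block") the Basic-auth flow goes from log-only to blocked, because an audit signature has no action of its own until the policy gives it one.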