• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2622
  • Last Modified:

Symantec Endpoint IP Whitelisting

We use Symantec Endpoint Protection v11.

We are attempting to perform employee Phishing testing via Core Impact as follows:
1. Test Phishing emails are initiated from Core Impact, to select employees.
2. Once an employee clicks an embedded hyperlink (which resolves to "http://<Core Impact Device's IP Address/..."), they are redirected back through the Core Impact device (all behind the firewall) to a designated URL (e.g. www.Google.com or an Intranet page).  
3. Core impact notes which employee(s) click the link.

The issue I'm seeing is that, in doing its job, Symantec is blocking step #2 at the clients.

We've found that, by temporarily disabling "Network Threat Protection" on a client workstation, everything works correctly

How can I create an exclusion (or whitelist) to state that access to "http://<Core Impact Device's IP Address/...") is allowed?

Thank you
0
TTCTECH
Asked:
TTCTECH
  • 3
  • 3
1 Solution
 
Sudeep SharmaTechnical DesignerCommented:
You could exclude the IP or host from IPS on Symantec Endpoint Protection, check below link:

http://www.symantec.com/connect/de/forums/dhcp-server-notworing-after-installing-sep-client-1106

I hope that would help.

Sudeep
0
 
TTCTECHAuthor Commented:
Hi Sudeep.

I realize that the settings can be changed at the client, but we have over 700 clients (I need to be able to chnge this globally, via the Admin console).

Thanks
0
 
jmlambCommented:
You can exclude the IP of the Core Impact device in the Intrusion Prevention policy. If you have an existing policy applied to a group where your clients are, open it and click on Settings. Check Enable excluded hosts then click the Excluded Hosts button. You'll be able to add the IP there.

If you don't already have an Intrusion Prevention policy, create one and assign it to the group of the target clients.
0
2017 Webroot Threat Report

MSPs: Get the facts you need to protect your clients.
The 2017 Webroot Threat Report provides a uniquely insightful global view into the analysis and discoveries made by the Webroot® Threat Intelligence Platform to provide insights on key trends and risks as seen by our users.

 
jmlambCommented:
Forgot to ask... can you re-zone your question to 'Symantec Anti-Virus Software' please so it can be categorized properly? Thanks
0
 
TTCTECHAuthor Commented:
I beileve we already have that setting in place (see screenshot) but it was still blocking the URL.
SEP-Settings.gif
0
 
jmlambCommented:
Confirm that the policy is applied to the group where the impacted clients are. If that's ok, open the Security Log on one of the clients and look for the event that corresponds to the block. There should be an associated SID for the event. We can do next steps after that.
0
 
TTCTECHAuthor Commented:
There is evidently a period of time (after the exception is added to the policy) before the policy actually works (is applied).
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

  • 3
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now