Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Symantec Endpoint IP Whitelisting

Posted on 2010-09-21
7
Medium Priority
?
2,591 Views
Last Modified: 2013-12-09
We use Symantec Endpoint Protection v11.

We are attempting to perform employee Phishing testing via Core Impact as follows:
1. Test Phishing emails are initiated from Core Impact, to select employees.
2. Once an employee clicks an embedded hyperlink (which resolves to "http://<Core Impact Device's IP Address/..."), they are redirected back through the Core Impact device (all behind the firewall) to a designated URL (e.g. www.Google.com or an Intranet page).  
3. Core impact notes which employee(s) click the link.

The issue I'm seeing is that, in doing its job, Symantec is blocking step #2 at the clients.

We've found that, by temporarily disabling "Network Threat Protection" on a client workstation, everything works correctly

How can I create an exclusion (or whitelist) to state that access to "http://<Core Impact Device's IP Address/...") is allowed?

Thank you
0
Comment
Question by:TTCTECH
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
7 Comments
 
LVL 30

Expert Comment

by:Sudeep Sharma
ID: 33730049
You could exclude the IP or host from IPS on Symantec Endpoint Protection, check below link:

http://www.symantec.com/connect/de/forums/dhcp-server-notworing-after-installing-sep-client-1106

I hope that would help.

Sudeep
0
 
LVL 3

Author Comment

by:TTCTECH
ID: 33733423
Hi Sudeep.

I realize that the settings can be changed at the client, but we have over 700 clients (I need to be able to chnge this globally, via the Admin console).

Thanks
0
 
LVL 12

Accepted Solution

by:
jmlamb earned 2000 total points
ID: 33737188
You can exclude the IP of the Core Impact device in the Intrusion Prevention policy. If you have an existing policy applied to a group where your clients are, open it and click on Settings. Check Enable excluded hosts then click the Excluded Hosts button. You'll be able to add the IP there.

If you don't already have an Intrusion Prevention policy, create one and assign it to the group of the target clients.
0
Q2 2017 - Latest Malware & Internet Attacks

WatchGuard’s Threat Lab is a group of dedicated threat researchers committed to helping you stay ahead of the bad guys by providing in-depth analysis of the top security threats to your network.  Check out our latest Quarterly Internet Security Report!

 
LVL 12

Expert Comment

by:jmlamb
ID: 33737203
Forgot to ask... can you re-zone your question to 'Symantec Anti-Virus Software' please so it can be categorized properly? Thanks
0
 
LVL 3

Author Comment

by:TTCTECH
ID: 33737774
I beileve we already have that setting in place (see screenshot) but it was still blocking the URL.
SEP-Settings.gif
0
 
LVL 12

Expert Comment

by:jmlamb
ID: 33739903
Confirm that the policy is applied to the group where the impacted clients are. If that's ok, open the Security Log on one of the clients and look for the event that corresponds to the block. There should be an associated SID for the event. We can do next steps after that.
0
 
LVL 3

Author Closing Comment

by:TTCTECH
ID: 33743823
There is evidently a period of time (after the exception is added to the policy) before the policy actually works (is applied).
0

Featured Post

Q2 2017 - Latest Malware & Internet Attacks

WatchGuard’s Threat Lab is a group of dedicated threat researchers committed to helping you stay ahead of the bad guys by providing in-depth analysis of the top security threats to your network.  Check out our latest Quarterly Internet Security Report!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Sometimes Administrators rights are not enough. These cases call for the SYSTEM account. The process in this article outlines the steps required to execute commands using the SYSTEM account.
Tech spooks aren't just for those who are tech savvy, it also happens to those of us running a business. Check out the top tech spooks for business owners.
In this brief tutorial Pawel from AdRem Software explains how you can quickly find out which services are running on your network, or what are the IP addresses of servers responsible for each service. Software used is freeware NetCrunch Tools (https…
In a question here at Experts Exchange (https://www.experts-exchange.com/questions/29062564/Adobe-acrobat-reader-DC.html), a member asked how to create a signature in Adobe Acrobat Reader DC (the free Reader product, not the paid, full Acrobat produ…

636 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question