
The Importance of IPS module of the Symantec Endpoint

Recently I was able to appreciate the importance of the IPS (Intrusion Prevention System) module of Symantec Endpoint Protection (SEP). In the past I had to take care of removing the Conficker worm from several corporate LANs. The main problem I faced was identifying the infected workstations. Much of that effort could have been avoided if I had used the IPS module of SEP.

I installed the IPS module on a workstation that was under attack by Conficker. The IPS module immediately reported the attack, pointing out the IP address of the attacker and the threat it was trying to exploit: MSRPC Server Service BO detected.

When I read the MSRPC Server Service BO page on the Symantec web site, I noticed at the bottom of the page a reference to Microsoft Security Bulletin MS08-067, the security bulletin on the vulnerability exploited by Conficker. I then took note of the IP addresses of the attackers, and using the nmap command I could verify that the workstations that were attacking my computer did indeed have the Conficker worm. I confess that I felt euphoric: for the first time I saw a viral attack stopped and identified. The best!
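The triage step described above, collecting the attacker addresses the IPS reports for this signature so they can be verified and cleaned, can be scripted once the detections are exported. This is an added example, not part of the original post; the CSV column layout, the sample rows and the function name `suspect_hosts` are assumptions, not SEP's actual log format.

```python
import csv
import io
import ipaddress
from datetime import datetime

SIGNATURE = "MSRPC Server Service BO"  # signature name reported by the IPS in the post

# Constructed sample export; the column layout is an assumption, not SEP's real log format.
SAMPLE_LOG = """\
time,remote_ip,local_ip,signature
2009-02-03 09:14:02,192.168.10.57,192.168.10.20,MSRPC Server Service BO
2009-02-03 09:14:40,192.168.10.57,192.168.10.21,MSRPC Server Service BO
2009-02-03 09:15:11,192.168.10.83,192.168.10.20,MSRPC Server Service BO
2009-02-03 09:16:30,192.168.10.12,192.168.10.20,Port Scan
2009-02-03 09:17:05,not-an-ip,192.168.10.20,MSRPC Server Service BO
2009-02-03 09:20:44,192.168.10.57,192.168.10.20,MSRPC Server Service BO
"""


def suspect_hosts(log_text, signature=SIGNATURE):
    """Group IPS detections for one signature by attacking address.

    Returns a list of dicts sorted by hit count (highest first), so the
    noisiest sources are verified and cleaned first.
    """
    hosts = {}
    for row in csv.DictReader(io.StringIO(log_text)):
        if (row.get("signature") or "").strip() != signature:
            continue
        try:
            src = ipaddress.ip_address((row.get("remote_ip") or "").strip())
            seen = datetime.strptime(row["time"].strip(), "%Y-%m-%d %H:%M:%S")
        except (ValueError, KeyError, AttributeError):
            continue  # skip malformed rows instead of aborting the triage
        h = hosts.setdefault(str(src), {
            "ip": str(src), "internal": src.is_private, "hits": 0,
            "first_seen": seen, "last_seen": seen, "targets": set(),
        })
        h["hits"] += 1
        h["first_seen"] = min(h["first_seen"], seen)
        h["last_seen"] = max(h["last_seen"], seen)
        h["targets"].add((row.get("local_ip") or "").strip())
    return sorted(hosts.values(), key=lambda h: (-h["hits"], h["ip"]))


if __name__ == "__main__":
    for h in suspect_hosts(SAMPLE_LOG):
        where = "internal" if h["internal"] else "external"
        print(f'{h["ip"]:15} {where:8} hits={h["hits"]} '
              f'{h["first_seen"]} .. {h["last_seen"]} targets={sorted(h["targets"])}')
```

Sources flagged as internal are the workstations on the LAN to check and disinfect; an external source points to exposure at the network perimeter instead.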

MSRPC Server Service BO

I believe that every system administrator should seriously consider installing an IPS module on every workstation. Of course, before deploying an IPS module en masse on all the workstations of a company, you should always perform an analysis. Nevertheless, I believe that although there is a risk of causing some minor inconvenience to a company's personnel, the gain in security is worth far more.

Categories: Antivirus, Security