The Importance of the IPS Module of Symantec Endpoint Protection
Recently I came to appreciate the importance of the IPS (Intrusion Prevention System) module of Symantec Endpoint Protection (SEP). In the past I have had to remove the Conficker worm from several corporate LANs. The main problem I faced was identifying the infected workstations. Much of that effort could have been avoided had I used the IPS module of SEP.
I installed the IPS module on a workstation that was under attack by Conficker; the IPS module immediately reported the attack, pointing out the attacker's IP address and the threat it was trying to exploit: MSRPC Server Service BO detected.
Reading the MSRPC Server Service BO page on the Symantec web site, I noticed at the bottom a reference to Microsoft Security Bulletin MS08-067, the bulletin for the vulnerability exploited by Conficker. I then took note of the attackers' IP addresses and, using nmap, verified that the workstations attacking my computer did indeed carry the Conficker worm. I confess I felt euphoric: for the first time I saw a viral attack stopped and identified. The best!
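The triage loop described above (IPS alert names the attacker and the signature, the signature maps to a Microsoft bulletin, nmap confirms the attacker is unpatched) can be scripted so that a flood of alerts collapses into a short list of hosts to check. The following is an added example, not code from the original post or from Symantec. The alert line layout, the sample lines and the IP addresses are constructed for the example and are not SEP's real log format; the signature-to-bulletin mapping is the one the post describes, and `smb-vuln-ms08-067` is the real Nmap NSE script for that bulletin.

```python
import re
from collections import defaultdict

# Constructed sample alert lines in a hypothetical layout invented for this
# example. SEP's actual IPS log format is different; only the triage logic matters here.
SAMPLE_ALERTS = """\
2009-02-03 10:15:02 [Blocked] MSRPC Server Service BO attacker=192.0.2.17 port=445
2009-02-03 10:15:09 [Blocked] MSRPC Server Service BO attacker=192.0.2.17 port=445
2009-02-03 10:16:44 [Blocked] MSRPC Server Service BO attacker=192.0.2.88 port=445
2009-02-03 10:17:01 [Blocked] HTTP Generic Probe attacker=192.0.2.5 port=80
"""

# IPS signature name -> Microsoft bulletin that fixes the exploited flaw
# (the MSRPC Server Service BO / MS08-067 link is the one the post found on Symantec's page).
SIGNATURE_BULLETINS = {
    "MSRPC Server Service BO": "MS08-067",
}

# Bulletin -> Nmap NSE script that reports whether a host is still unpatched.
# smb-vuln-ms08-067 ships with Nmap; this table is our own assumption.
BULLETIN_NSE_SCRIPTS = {
    "MS08-067": "smb-vuln-ms08-067",
}

# Matches the hypothetical layout above: date, time, [action], signature, attacker IP, local port.
ALERT_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) \[(?P<action>[^\]]+)\] (?P<sig>.+?) "
    r"attacker=(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port=(?P<port>\d+)$"
)


def parse_alerts(text):
    """Parse alert lines into dicts; lines that do not match the layout are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if m:
            alerts.append(m.groupdict())
    return alerts


def attackers_by_signature(alerts):
    """Group unique attacker IPs under the signature they triggered (repeats collapse)."""
    grouped = defaultdict(set)
    for a in alerts:
        grouped[a["sig"]].add(a["ip"])
    return {sig: sorted(ips) for sig, ips in grouped.items()}


def triage(alerts):
    """Return sorted (ip, signature, bulletin) tuples for attackers whose signature maps to a bulletin."""
    out = []
    for sig, ips in attackers_by_signature(alerts).items():
        bulletin = SIGNATURE_BULLETINS.get(sig)
        if bulletin:
            for ip in ips:
                out.append((ip, sig, bulletin))
    return sorted(out)


def verification_commands(alerts):
    """Build the Nmap check that confirms each attacking workstation on the LAN is unpatched."""
    cmds = []
    for ip, _sig, bulletin in triage(alerts):
        script = BULLETIN_NSE_SCRIPTS.get(bulletin)
        if script:
            cmds.append(f"nmap -p445 --script {script} {ip}")
    return cmds


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    for ip, sig, bulletin in triage(parsed):
        print(f"{ip}  {sig}  -> {bulletin}")
    print("\nVerification commands:")
    for cmd in verification_commands(parsed):
        print("  " + cmd)
```

The script only prints the nmap commands rather than running them, so it works offline and the administrator decides when to run the checks; the four sample lines reduce to two candidate hosts, since the repeated alert from 192.0.2.17 is collapsed and the unrelated HTTP signature has no bulletin mapping.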
I believe every system administrator should seriously consider installing an IPS module on every workstation. Of course, before deploying an IPS module massively on all the workstations of a company, you should always perform an analysis first. Nevertheless, I believe that although there is a risk of causing some minor discomfort to the company's personnel, the gain in security is far more profitable.