
SEP IPS blocking outbound traffic from vulnerability scanner

Yes, I need a solution

We are running SEP 12.1.4013.4013 on management servers and all clients.  I have been experiencing problems getting a vulnerability scanner (Nessus) to run on a server with a SEP IPS policy applied, even though I have added the scanner IP to the "excluded hosts" list.

I have seen a similar issue reported in this article (https://www-secure.symantec.com/connect/forums/ips-blocking-traffic-internal-vulnerability-check-server) and read the associated documentation (http://www.symantec.com/docs/HOWTO81159).  I have also read the Installation and Administration Guide PDF included with the SEP software.  The documentation clearly states: "The client allows all inbound traffic and outbound traffic from these hosts, regardless of the firewall rules and settings or IPS signatures." (emphasis added)

I have followed the steps in HOWTO81159 to set up the vulnerability scanner IP as an excluded host, but the IPS signatures still block the outbound traffic.  The location-specific settings are set to "server control" and I have verified the SEP policy version has had enough time to sync with the client.  But it's not until I totally remove the IPS policy from the group that the scanner is in, that the scanner works successfully.

Has anyone else been able to successfully exclude a host IP (especially a Nessus scanner) from an IPS policy and actually prove that it works?

Many thanks!
Scott

PS. I currently have an open ticket with Symantec Support on this issue (who have so far said that I can't exclude a host from the IPS rules - contrary to the documentation and HOWTO article above?!?), so I'm seeking practical experience from the community.

