Hi all, we have installed Server Sensors on our Windows boxes, with the options blocking and auditing enabled. Currently we are using one policy for all our servers. It's the default network attacks policy that ISS provides. As I can recall from the manuals blocking is by default diasbled when using default policies. (Just checked the Manual and there are only a few signatures that will block by default).
However, last wednesday I ran an XPU update to the Sensors and reapplied the policy. Since then the Sensor is blocking connections that contain suspicous exeutabled and filenames in email attachments. That was not what it was supposed to do, right? I checked the policy and it does say blocking, but as far as the manuals go, it should not have done this. The response rules are default, nobody has changed them just yet. What bothers me now, is the blocking. All the literature says it should not, so why does it, even though I use strict basic settings at this moment? Got me confused, but it also aids me in my quest to convince management that I need more time for IDS/IPS then I currently have. Especially when we start using Proventia's inline... Anyway, anyone any idea? TIA Richard _______________________________________________ ISSForum mailing list [email protected] TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to https://atla-mm1.iss.net/mailman/listinfo/issforum To contact the ISSForum Moderator, send email to [EMAIL PROTECTED] The ISSForum mailing list is hosted and managed by Internet Security Systems, 6303 Barfield Road, Atlanta, Georgia, USA 30328.
