Skip to content

Deal with IPS alerts

Intrusion Prevention System (IPS) monitors network traffic and responds to detected threats.

This prevents an attacker from using an exploit to take over a local device. We monitor inbound and outbound traffic.

You can exclude specific applications or network traffic from inspection. For example, you may want to allow specifc protocols (such as HTTP) or prevent a false IPS alert for an application.

To do this, do as follows:

  • Exclude a file or folder on a device. This excludes an application from outbound IPS inspections.
  • Exclude network traffic using a Malicious Network Traffic Prevention (IPS) (Windows) exclusion.

For more help on exclusions, see Global Exclusions.

Exclude an application on a local device

To exclude an application from IPS alerts (outbound detections), do as follows:

  1. Go to Global Settings > Global Exclusions.
  2. Click Add Exclusion.

    The Add Exclusion dialog is displayed.

  3. In Exclusion Type, select File or folder (Windows).

  4. In Value, enter the path to the executable or folder that you want to exclude.
  5. In Active for, specify that the exclusion should be valid for real-time scanning.
  6. Click Add.

For more help, see Stop detecting an application.

Exclude network traffic

Note

These exclusions mean that IPS doesn't monitor traffic that matches the exclusion. You need to configure your firewall separately.

To exclude network traffic, do as follows:

  1. Go to Global Settings > Global Exclusions.
  2. Click Add Exclusion.

    The Add Exclusion dialog is displayed.

  3. In Exclusion Type, select Malicious Network Traffic Prevention (IPS) (Windows).

  4. Use the following settings to specify which traffic to exclude:

    • Direction: Inbound or outbound connections.
    • Remote address: The address of another computer that traffic goes to or from.
    • Remote port: The port that traffic goes to or from on other computers.
    • Local port: The port that traffic goes to or from on the local computer. You must set at least one of the address or port options.
  5. Click Add.

Most TCP connections have a random port number as their origin port. We recommend that you use a local port and add specific protocols (such as RDP (3389) or HTTP (80) traffic) to your allow list.

For example, to allow RDP connections from the administrator’s computer of 10.10.10.15 to other computers, use the following settings:

  • Direction: Inbound Connection
  • Local port: 3389
  • Remote port: leave blank
  • Remote address: 10.10.10.15
Back to top