We are currently observing an issue where Qualys is getting blocked by the ENS Exploit Prevention rule (Rule ID 3700, TCP port scan).
We created an exclusion for the Qualys scanner in the Exploit Prevention policy: Endpoint Security Threat Prevention : Policy Category > Exploit Prevention >
However, we are still receiving Network Intrusion Prevention System events, as per the threat details below:
Threat Name: ExP:NIPS Violation
Threat Type: Network Intrusion Prevention System
Action Taken: Blocked
Threat Handled: True
Analyzer Detection Method: Exploit Prevention
Analyzer Rule ID: 3700
Analyzer Rule Name: TCP Port Scan
First Action Status: Not available
Second Action Status: Not available
Description: ExP:NIPS Violation Blocked a Network exploit attempt.
Attack Vector Type: Network
Do you have a solution regarding why the exclusion is not working as expected?
Hi @Olu, per your screenshot, did you specify the signature number and the remote IP address of your Qualys scanner (verify it's the same IP address as in the ENS event) as the exclusion? Your screenshot is blank, so I assume you just posted which type of exclusion rule is used.
If so, verify that the same exclusion exists on the ENS client side as well, to rule out any policy enforcement issues. If you don't see the exclusion on the client side, then you're likely having a different problem, as that is the correct NIPS exclusion rule to use for Signature 3700 (or 3701) events.
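The two checks the answer asks for (does an exclusion list this signature ID, and does its remote address actually match the address in the blocked event) can be scripted against exported event text so that a mismatch is reported explicitly instead of inferred from a blank screenshot. The following is an added example, not code from the thread or from the ENS product. The event text is constructed from the fields quoted above; the "Source IP Address" field name, the scanner address 10.20.30.40, and the CIDR support in the exclusion are all assumptions for the sake of the example.

```python
import ipaddress

# Constructed event text, modelled on the fields quoted in the thread above.
# "Source IP Address" is an assumed field name for the remote endpoint.
EVENT_TEXT = """Threat Name: ExP:NIPS Violation
Threat Type: Network Intrusion Prevention System
Action Taken: Blocked
Analyzer Detection Method: Exploit Prevention
Analyzer Rule ID: 3700
Analyzer Rule Name: TCP Port Scan
Source IP Address: 10.20.30.41
Attack Vector Type: Network"""

# Assumed exclusion as it would be entered in the Exploit Prevention policy:
# one or more signature IDs plus the remote address of the scanner.
EXCLUSIONS = [
    {"name": "Qualys scanner", "signatures": {3700, 3701}, "remote": "10.20.30.40"},
]


def parse_event(text):
    """Turn 'Key: Value' lines into a dict; keys are normalised to lowercase."""
    event = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        event[key.strip().lower()] = value.strip()
    return event


def diagnose(event, exclusions):
    """Return (covered, reason): does any exclusion match both the event's
    signature ID and its remote address? Both must match for it to apply."""
    try:
        sig = int(event.get("analyzer rule id", ""))
    except ValueError:
        return False, "event has no Analyzer Rule ID"
    src = event.get("source ip address")
    if not src:
        return False, "event has no remote address; cannot match an IP-scoped exclusion"
    src_ip = ipaddress.ip_address(src)

    sig_matches = [x for x in exclusions if sig in x["signatures"]]
    if not sig_matches:
        return False, f"no exclusion lists signature {sig}"
    for x in sig_matches:
        # Assumption: the remote field may hold a single address or a CIDR block.
        if src_ip in ipaddress.ip_network(x["remote"], strict=False):
            return True, f"covered by '{x['name']}' (signature {sig}, remote {x['remote']})"
    wanted = ", ".join(x["remote"] for x in sig_matches)
    return False, (f"signature {sig} is excluded, but event remote {src} "
                   f"does not match exclusion address(es) {wanted}")


if __name__ == "__main__":
    print(diagnose(parse_event(EVENT_TEXT), EXCLUSIONS))
```

With the constructed data the script reports that signature 3700 is excluded but the event's remote address (10.20.30.41) is not the scanner address in the exclusion (10.20.30.40), which is exactly the kind of off-by-one-host mismatch (scanner appliance with several interfaces, NAT, or a second scanner) that makes an otherwise correct NIPS exclusion look broken. If the script reports the exclusion as covered and the events continue, the answer's second step applies: check whether the policy actually reached the client.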