Intrusion prevention system (IPS): Your first line of defense against malware

What is IPS?

Intrusion Prevention System (IPS) is a proactive protection technology that provides security at the network level. It is the first line of defense against malware.

There is sometimes confusion between an IPS and a firewall. Personal firewalls are more basic, making allow/deny decisions to ensure that only “selected” programs are allowed to interact over the internet. Firewalls also block network communication on non-standard ports, which are generally not used by legitimate programs and services. On the other hand, an IPS goes one step further, and examines all network traffic that is allowed through the firewall.

We can demonstrate the difference between firewalls and IPS by using the real world example of airport security. Airline officials and security officers confirm the identity of people traveling. They only allow people with proper identification and tickets to pass the checkpoint and proceed towards the gates. On your PC, the personal firewall provides the same function – either allowing “unscreened” traffic or blocking it. Back at the airport, baggage screeners and X-Ray machines make sure that authorized travelers do not carry dangerous items to the gate or onto an airplane. Similarly, the IPS engine’s role in the Norton security suite is to carefully examine the traffic that the firewall has already allowed.

In the past, Intrusion Prevention Systems simply protected against operating system (OS) threats, or denial of service (DOS) and distributed denial of service (DDOS) attacks. These threats exploited vulnerabilities that were mostly in the OS network stack and services. Over the past few years, these OS components have become more robust. So has the threat decreased?

Why is the IPS engine in Norton products so important?

Each year, PC use becomes increasingly centered on online activity, and that means more reliance on web browsers and their plug-ins to interact with sites and services. This has created a golden opportunity for the “bad guys” to move their attacks from the OS to exploiting vulnerabilities in applications. Now they are more likely to target your web browser, document viewers, media players, etc.

With the state of website security across the globe being so poor, the “bad guys” have had an easy time compromising websites and waiting for users to visit. As a result, users are being served malware by visiting not just “dodgy” sites, but very legitimate sites. A recent report from Symantec’s MessageLabs, a leading SaaS email and web-security provider, showed that in March of 2009, 85% of malware detected was hosted by a site that had been operational for at least a year.

In some cases, users are getting infected after being lured into visiting “bad” sites through means of social engineering scams. Fake e-mail from friends, the bank, messages on social networking sites and “malvertisements” are all examples of how unsuspecting users can be driven to these dangerous compromised sites.

To combat these changing threats, the IPS Engine in Norton products has the smarts to protect the vulnerabilities that the bad guys target. In addition to scanning all network traffic, the IPS engine has specific browser protection for today’s most popular browsers.

Won’t I be safe with updated signatures alone?

Stopping a threat “in flight”, at the network level, is extremely effective because it blocks the threat before it ever lands on the system. It is much more expensive to clean a threat once it hits the disk or application memory. Core technologies like Antivirus engines (AV), only get a chance to clean these threats when they hit the disk. Sometimes clean removal or quarantine is difficult as these threats try to rapidly increase their footprint on the system by morphing or injecting into other legitimate processes. Some web applications stream data from external web servers and directly deliver it to users. In these cases, technologies like AV aren’t the right tool, which is why additional protection via IPS is so important.

How does the Norton IPS engine work?

Applications that interact over the Internet can have vulnerabilities. Generally, vendors release patches to address these vulnerabilities as they are discovered. Unfortunately, for various reasons, millions of users don’t run fully patched system, and when they download or stream a document, media file or simple HTML page on an un-patched system, they can be compromised. These exploits, when successful, can also cause (even more) malware to be downloaded, making the problem worse.

The Norton IPS engine patches holes in these vulnerable systems by scanning network traffic for patterns that exploit vulnerabilities. One IPS signature for a particular vulnerability can protect against many variants of exploits and so they are very scalable in their defense.

Norton users running IPS get definition updates with new signature content on a regular basis.

If I run a fully patched system, do I need IPS?

Yes. Vendors typically take anywhere from a few days to a few weeks to release patches for new vulnerabilities in their products. Not all products have an auto-update feature to download new patches as soon as they are available. In some cases, updating to a new patch/version causes incompatibility with other software on the system and prevents users from updating. Practically speaking, there is almost always a window of time when even the most advanced or savvy users are running a system without fully patched software.

The IPS engine from Norton can protect users during these “windows of opportunity” for the bad guys. Symantec’s Technology and Response team works 24/7 and can quickly release updates to Norton products to “virtually patch” critical vulnerabilities.

What is new for IPS in Norton 2010?

When updating the Norton 2009 family of products, the IPS engine was completely redesigned and we made tremendous improvements in performance and protection. Since the IPS engine has to monitor ALL network activity, it can be resource intensive. For the upcoming Norton 2010 products, we are continuing to make improvements based on the changing threat landscape while maintaining our parallel focus on performance:

- Browser protection has been beefed up to protect against a larger range of threats.
- The IPS engine now collaborates more with other protection technologies in the Norton products which means that we are now more effective in neutralizing threats based on IPS detections, as compared to just blocking their network activity.


When it comes to providing the best protection possible, you can’t rely on a single technology because there isn’t a single threat. Norton’s Intrusion Prevention System is a critical component that is able to detect and block malicious attacks before they ever reach the hard drive or memory of your PC.

Editorial note: Our articles provide educational information for you. Norton LifeLock offerings may not cover or protect against every type of crime, fraud, or threat we write about. Our goal is to increase awareness about cyber safety. Please review complete Terms during enrollment or setup. Remember that no one can prevent all identity theft or cybercrime, and that LifeLock does not monitor all transactions at all businesses.

Norton by Symantec is now Norton LifeLock. LifeLock™ identity theft protection is not available in all countries.

Copyright © 2019 Symantec Corporation. All rights reserved. Symantec, the Symantec logo, the Checkmark logo, Norton, Norton by Symantec, LifeLock and the LockMan logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the United States and other countries. Firefox is a trademark of Mozilla Foundation. Android, Google Chrome, Google Play and the Google Play logo are trademarks of Google, LLC. Mac, iPhone, iPad, Apple and the Apple logo are trademarks of Apple Inc., registered in the United States and other countries. App Store is a service mark of Apple Inc. Microsoft and the Windows logo are trademarks of Microsoft Corporation in the United States and/or other countries. The Android robot is reproduced or modified from work created and shared by Google and used according to terms described in the Creative Commons 3.0 Attribution Licence. Other names may be trademarks of their respective owners.