IPS False positives caused by Vuln scanner

I need a solution

Is there a way to whitelist or suppress alarms for “Network and Host Exploit Mitigation and Compliance Events” based on the source AND destination IP address. We have whitelisted our Vulnerability scanner IP addresses in SEPM, however there are some servers running JAVA services that “reflect” the request to thier loopback IP address. When the scan occurs, we receive alerts where the scan appears to originate from the scanned IP and is destined to the loopback “”. 

We could suppress the alarms by whitlisting the specific IP addresses, however if they become compromised and start attacking other hosts we will not see it. If we could whitelist the specific source and destination pair, the specific activity would be omitted without blinding us to everything that originate from that host. 



Leave a Reply