If your environment runs Symantec ATP 3.x together with Symantec Endpoint Protection Manager (SEPM 14), you have probably faced this situation before, where ATP reports an intrusion prevention detection.
So this blog post is about an "attack" that ATP detected as an intrusion and did indeed block instantly: an unexpected overwrite of a SEPM file. However, some endpoints may then find that their SEPM is disabled unexpectedly.
Hence, you may see around 5% of endpoints affected by this "attack". Yea, funny, right? Another thing is that these endpoints are probably the ones that are only turned on once in a while, or are not often within the premises/environment. Yes, you may have guessed it!
It was the SEPM update. What causes SEPM to be disabled unexpectedly is a failed IPS update, possibly combined with the workstation not being restarted often or properly.
You can run SymDiag on the endpoint device to get more details about the problem the endpoint is facing, and then find a resolution for it. In this case, just reinstall SEPM, run a scan, and run SymDiag again to make sure it is working well.