The intrusion prevention system (IPS) is the Symantec Endpoint Protection client's second layer of defense after the firewall. The IPS is a network-based system that operates on every computer on which the client is installed and the intrusion prevention system is enabled. If a known attack is detected, one or more intrusion prevention technologies can automatically block it.
The intrusion prevention system scans each packet that enters and exits computers in the network for attack signatures. Attack signatures are the packet sequences that identify an attacker's attempt to exploit a known operating system or program vulnerability.
If the information matches a known attack, the IPS automatically discards the packet. The IPS can also sever the connection with the computer that sent the data for a specified amount of time. This feature is called active response, and it protects computers on your network from being affected in any way.
The client includes the following types of IPS engines that identify attack signatures.
Symantec IPS signatures - The Symantec IPS signatures use a stream-based engine that scans multiple packets. Symantec IPS signatures intercept network data at the session layer and capture segments of the messages that are passed back and forth between an application and the network stack.
Custom IPS signatures - The custom IPS signatures use a packet-based engine that scans each packet individually.
Find the attached articles:
Best practices regarding Intrusion Prevention System technology
http://www.symantec.com/business/support/index?page=content&id=TECH95347
Symantec Endpoint Protection Manager - Intrusion Prevention - Policies explained
http://www.symantec.com/business/support/index?page=content&id=TECH104434
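The difference between the stream-based and packet-based engines described above, as an added example that is not Symantec code and does not use Symantec's signature format. The pattern, the sample payloads and the function names are constructed for illustration; the point is that a packet-based custom signature only matches content that arrives inside a single packet, while a stream-based engine also sees content that spans a packet boundary.

```python
# Added illustration: toy matchers, not Symantec's engine or signature syntax.
SIGNATURE = b"EXAMPLE-ATTACK-PATTERN"  # constructed placeholder pattern

# Constructed sample session: the pattern is split across packets 0 and 1,
# and appears whole in packet 2.
PACKETS = [
    b"GET /index HTTP/1.1\r\nX: EXAMPLE-ATT",
    b"ACK-PATTERN\r\n\r\n",
    b"EXAMPLE-ATTACK-PATTERN in one packet",
]


def packet_scan(packets, signature=SIGNATURE):
    """Packet-based: inspect each payload individually.
    Returns the indexes of packets that contain the signature."""
    return [i for i, payload in enumerate(packets) if signature in payload]


class StreamScanner:
    """Stream-based: carry the last len(signature)-1 bytes forward so a
    pattern that straddles a packet boundary is still matched."""

    def __init__(self, signature=SIGNATURE):
        self.signature = signature
        self.tail = b""
        self.offset = 0  # stream offset of the first byte in self.tail

    def feed(self, payload):
        """Returns stream offsets of matches completed by this payload."""
        window = self.tail + payload
        hits, start = [], 0
        while (pos := window.find(self.signature, start)) != -1:
            hits.append(self.offset + pos)
            start = pos + 1
        # The kept tail is shorter than the signature, so no match is
        # reported twice on the next call.
        cut = max(0, len(window) - (len(self.signature) - 1))
        self.tail, self.offset = window[cut:], self.offset + cut
        return hits


def stream_scan(packets, signature=SIGNATURE):
    scanner = StreamScanner(signature)
    return [off for payload in packets for off in scanner.feed(payload)]


if __name__ == "__main__":
    print("packet-based hits (packet index):", packet_scan(PACKETS))
    print("stream-based hits (stream offset):", stream_scan(PACKETS))
```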