SEP and Norton Network Threat Protection/IPS Signature Naming Improvements

Article:TECH152794  |  Created: 2011-02-07  |  Updated: 2011-02-07  |  Article URL http://www.symantec.com/docs/TECH152794
Article Type
Technical Solution


Issue



What is happening?

SEP Network Threat Protection/IPS is one of the main proactive protection technologies in use today in Symantec Enterprise and Consumer products, keeping malware, web-based attacks, social engineering attacks and the latest threats off users' systems.
To ensure that IT managers quickly understand the category or type of attack and what next steps are required, we are changing all IPS signature names to include a keyword prefix shared by attacks of the same category. The prefixes will also allow customers to quickly and clearly prioritize events.
 
The following prefixes will be used to more clearly identify the type of protection:
  • System Infected:
  • OS Attack:
  • Web Attack:
  • Fake App Attack:
  • Malicious Site:
  • Attack:
 
System Infected:  Threat events with the “System Infected” prefix should be the highest priority events being investigated for breach and malware removal.  These events clearly indicate an active infection (malware, a Trojan or a bot) that is trying to communicate outbound.
Example:  “System Infected: Tidserv Activity”.  This message means that a variant of Tidserv has been detected by IPS attempting to “phone home” or infect other systems.
 
OS Attack:  Threat events with the “OS Attack” prefix should be investigated with the 2nd highest priority.  These events occurring within an enterprise indicate that, while the individual system has been protected, there is still an active infection elsewhere attacking in the server-bound (inbound) direction.  In other words, an inbound attack was prevented.  Correlating these events can also easily help you pinpoint where the attack is originating.
Example:  “OS Attack:  MS RPCSS (3)”.  This signature means that IPS blocked an attempt to exploit the MS RPC vulnerability and install malware on the system.  You should investigate the originating IP address to determine where infections are coming from.
 
Web Attack:  Threat events with the “Web Attack” prefix should be investigated with the 3rd highest priority.  These systems were protected from a web-based attack, such as a drive-by download that attempts to exploit vulnerabilities in the browser or in browser plug-ins such as reader, multimedia and ActiveX controls.  Exploitation of application vulnerabilities in Java, Adobe Flash, Adobe Acrobat or Apple QuickTime is also included in this category.  No further investigation should be required.
Example:  “Web Attack: HTTP Malicious Javascript Heap Spray”.  This means that IPS protected your system against a web attack toolkit attempting to exploit a vulnerability via a drive-by download.
 
Fake App Attack:  Threat events with the “Fake App Attack” prefix should be investigated with the 4th highest priority.  These systems were protected by IPS from a social engineering Fake AV or Fake Codec attack.  No further investigation is required.  Since user interaction is required, and these attacks commonly result from simple actions like Google searches and clicking on links in Facebook, they are slightly lower in priority for analysis than Web Attacks.
Example:  “FakeApp Attack: FakeAV Installer Download”.  This means that IPS protected your system from a social engineering attack; in this case, a fake antivirus product attempted to install itself on an end user's system.
 
Malicious Site:  Threat events with the “Malicious Site” prefix should be investigated with the lowest priority.  These systems were protected from visiting a domain, web site or IP address known to be malicious.  No malicious activity can come from this site, because the Malicious Site event blocked all further communication with it.
Example:  “Malicious Site:  Malicious Web Site, Domain, or URL 1”.  This means that navigation to a known malicious web site was prevented.  Various malicious content, including web attack toolkits or social engineering attacks, may originate from these URLs, IPs or domains.
 
Attack:  Threat events with the “Attack” prefix cover other targeted vectors such as file formats or additional application vulnerabilities.  Signatures in this category may include third-party applications that are not browser-based.
Example:  “Attack:  Microsoft PowerPoint PPT4 RCE”.  This means that an attempt to exploit a Microsoft PowerPoint vulnerability was blocked.
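
As an added worked example (not part of the Symantec article), the following Python triages constructed IPS event lines by the prefix order described above and correlates the OS Attack events by originating address, as the article suggests. The event line layout, the sample events and the rank given to the plain “Attack” prefix (which the article does not rank) are assumptions.

```python
import re
from collections import Counter

# Prefix -> triage priority as ranked in the article (1 = investigate first);
# the article gives no rank for the plain "Attack" prefix, so placing it last is an assumption.
PRIORITY = {"System Infected": 1, "OS Attack": 2, "Web Attack": 3,
            "Fake App Attack": 4, "Malicious Site": 5, "Attack": 6}

# Constructed sample events (not real SEP output); assumed layout:
# "<time> <host> <remote_ip> <signature name>"
SAMPLE_EVENTS = """\
10:01 ws-12 10.0.0.5 OS Attack: MS RPCSS (3)
10:02 ws-07 203.0.113.9 Web Attack: HTTP Malicious Javascript Heap Spray
10:03 ws-12 10.0.0.5 OS Attack: MS RPCSS NetApi BO (2)
10:04 ws-03 198.51.100.4 System Infected: Tidserv Activity
10:05 ws-09 203.0.113.20 FakeApp Attack: FakeAV Installer Download
10:06 ws-11 10.0.0.5 OS Attack: MS RPCSS BO
10:07 ws-02 203.0.113.7 Malicious Site: Malicious Domain or IP Blocked
10:08 ws-05 203.0.113.8 Attack: Microsoft PowerPoint PPT4 RCE
10:09 ws-04 203.0.113.3 HTTP Tidserv Request
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")

def parse_signature(name):
    """Split 'Prefix: detail' into (prefix, detail). Both spellings used in the
    article, 'Fake App Attack' and 'FakeApp Attack', map to one key; a name
    without a known prefix (old-style name) yields prefix None."""
    prefix, sep, detail = name.partition(":")
    prefix = prefix.strip().replace("FakeApp", "Fake App")
    if not sep or prefix not in PRIORITY:
        return None, name.strip()
    return prefix, detail.strip()

def triage(text):
    """Parse event lines and order them by prefix priority; names still in the old
    convention carry no prefix and sort to the end of the queue."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            _ts, host, ip, sig = m.groups()
            prefix, detail = parse_signature(sig)
            events.append((PRIORITY.get(prefix, 99), host, ip, prefix, detail))
    return sorted(events, key=lambda e: e[0])

def os_attack_sources(events):
    """Count remote IPs behind 'OS Attack' events: the correlation the article
    suggests for locating the machine the inbound attacks originate from."""
    return Counter(e[2] for e in events if e[3] == "OS Attack")
```

Running triage(SAMPLE_EVENTS) puts the single System Infected event first, the three OS Attack events next, and the un-prefixed old-style name last; os_attack_sources then shows all three inbound attacks coming from one address.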
 
When is it happening?
We are currently targeting early March 2011.  The naming conventions may change slightly before definitions are shipped.
 

Cause



Why are you making these changes?

The previous naming convention was confusing and inconsistent.  The goal is to give IT managers and users a better understanding of what is occurring just by looking at the signature name.  IPS/Network Threat Protection is a very powerful technology that blocks tens of millions of variants of malware and social engineering attacks that antivirus alone is unable to detect; this new naming convention will help IT managers better understand the true types of protection being delivered and how to use it to protect their environments.

 

Solution



 

Will it affect me?

The IPS Signature ID will stay the same; only the name is changing.  Client and server operations use only the Signature ID for reporting IPS events, so no action is required from a user perspective.  This change will affect all Symantec and Norton products that use IPS/Network Threat Protection, including Symantec Endpoint Protection, Symantec Client Security and all Norton products.

Proposed Final IPS Signature Naming Conventions Examples:

Current IPS Signature Naming                          | Revised Final Proposed IPS Signature Naming
------------------------------------------------------+---------------------------------------------------
Post Infection:                                       |
HTTP Tidserv Request                                  | System Infected: Tidserv Activity
HTTP Tidserv Download Request 2                       | System Infected: Tidserv Download 2 Activity
Fake AV:                                              |
HTTP Fake AV Redirect Request                         | FakeApp Attack: Fake AV Redirect
HTTP Fake AV Executable Download                      | FakeApp Attack: Fake AV Download
HTTP FakeAV Installer Download Request                | FakeApp Attack: FakeAV Installer Download
HTTP Fake Codec Request Generic                       | FakeApp Attack: Fake Codec Generic
Drive-by download and Malicious Web Attack Toolkits:  |
HTTP Neosploit Toolkit Activity 1                     | Web Attack: Neosploit Toolkit Attack
HTTP Malicious Javascript Heap Spray BO               | Web Attack: HTTP Malicious Javascript Heap Spray
HTTP Malicious Toolkit Variant Activity 16            | Web Attack: Malicious Toolkit (16)
HTTP Phoenix ToolKit Java Applet Activity             | Web Attack: Phoenix ToolKit Java Applet
HTTP Suspicious Executable Image Download             | Web Attack: Suspicious Executable Image Download
HTTP Acrobat Suspicious Executable File Download      | Web Attack: Acrobat Executable File Download
Base OS Attack:                                       |
MSRPC Server Service BO                               | OS Attack: MS RPCSS BO
MS RPCSS Attack (3)                                   | OS Attack: MS RPCSS (3)
MSRPC SrvSvc NetApi Buffer Overflow (2)               | OS Attack: MS RPCSS NetApi BO (2)
Malicious Domain Blocked:                             |
                                                      | Malicious Site: Malicious Domain or IP Blocked
Other malicious sites, domains, IPs or websites       | Malicious Site: Signature Name
that may serve up drive-by downloads or FakeAV        |
Attack:                                               |
MSIE Yahoo! Messenger GetFile Method File Upload      | Attack: Yahoo! Messenger GetFile Method File Upload
HTTP Microsoft PowerPoint PPT4 RCE                    | Attack: Microsoft PowerPoint PPT4 RCE

 



