Why am I getting IDS alerts on vulnerability scans from Symantec? 

May 29, 2013 01:28 PM

Occasionally we receive inquiries from concerned customers claiming that Symantec was scanning their forward-facing IPs for vulnerabilities. As we have many different products and services, it's sometimes not readily apparent whether this is part of our Global Intelligence Network or one of the services we offer, but our experience has been that it is always an opt-in service a customer has requested or purchased, and perhaps the web team had forgotten to let the Infosec/SOC team know what was going on. Sound familiar?

One such service is called Vulnerability Assessment Service and allows the customer to add the Norton Secured seal to their website.

This is now owned by DigiCert and is not a Symantec product. PTR records and such are still being transferred over, but feel free to contact them or look at the following articles on their site for more information:

Vulnerability Scan FAQ
Which IP addresses does Vulnerability Assessment Service scan from?

Vulnerability Assessment Service can create multiple entries in the customer's website's logs and could cause alerts from their perimeter IDS/IPS. It's recommended to create rules or filters for these entries to avoid false positives.
Vulnerability Assessment Service uses the following IP addresses and server names:

  • VBLADEAF001  46.4.95.23  (scan1.ws.symantec.com)
  • VBLADEAF002  46.4.85.9  (scan2.ws.symantec.com)
  • VBLADEAF003  46.4.85.14  (scan3.ws.symantec.com)
  • VBLADEAF004  46.4.94.227  (scan4.ws.symantec.com)
  • VBLADEAF005  46.4.94.230  (scan5.ws.symantec.com)
  • VBLADEAF006  46.4.94.239  (scan6.ws.symantec.com)
  • VBLADEAF007  67.192.122.132  (scan7.ws.symantec.com)
  • VBLADEAF008  204.232.241.139  (scan8.ws.symantec.com)
  • VBLADEAF009  46.4.94.143  (scan9.ws.symantec.com)
  • VBLADEAF010 5.9.77.176  (scan10.ws.symantec.com)

Another such service is called Web Security Services.
It uses the following IPs to perform scans:
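
One way to apply the filtering recommended above, as an added example (not Symantec's or DigiCert's code): it parses a scanner list in the two formats this page uses (named entries and bare IP/CIDR entries) and tags alerts from listed sources rather than discarding them. The addresses, hostnames, alert lines and the `ENROLLED` destination scope are constructed assumptions; replace them with the vendor's current published list and your own enrolled sites.

```python
import ipaddress
import re

# Constructed list in the page's two formats; RFC 5737 documentation ranges
# stand in for the vendor-published scanner addresses.
SCANNER_LIST = """
  • SCANNER001  192.0.2.23  (scan1.example.com)
  • 198.51.100.0/24
  • 203.0.113.192
"""
# Assumption: only these web endpoints are enrolled in the scanning service.
ENROLLED = {("10.0.0.5", 443)}
# Constructed IDS alert lines: timestamp, signature, src -> dst:port.
ALERTS = [
    "2013-05-29T13:01:07Z WEB-MISC directory traversal 192.0.2.23 -> 10.0.0.5:443",
    "2013-05-29T13:01:09Z SQL injection attempt 198.51.100.77 -> 10.0.0.5:443",
    "2013-05-29T13:02:44Z SQL injection attempt 203.0.113.50 -> 10.0.0.5:443",
    "2013-05-29T13:03:10Z WEB-MISC directory traversal 192.0.2.23 -> 10.0.0.9:22",
]
ENTRY = re.compile(r"(?:(?P<name>[A-Za-z]\S*)\s+)?"
                   r"(?P<net>\d+(?:\.\d+){3}(?:/\d+)?)(?:\s+\((?P<host>[^)]+)\))?")
ALERT = re.compile(r"(?P<src>\d+(?:\.\d+){3}) -> (?P<dst>\d+(?:\.\d+){3}):(?P<port>\d+)")

def load_scanners(text):
    """Parse list entries into (network, label) pairs; a bare IP becomes a /32."""
    scanners = []
    for line in text.splitlines():
        m = ENTRY.fullmatch(line.strip(" \t•"))
        if m:
            net = ipaddress.ip_network(m["net"], strict=False)
            scanners.append((net, m["host"] or m["name"] or str(net)))
    return scanners

def triage(alert, scanners, enrolled):
    """Return ('tag', label) for expected scanner traffic, else ('review', reason)."""
    m = ALERT.search(alert)
    if not m:
        return ("review", "unparsed alert")
    src = ipaddress.ip_address(m["src"])
    label = next((lbl for net, lbl in scanners if src in net), None)
    if label is None:
        return ("review", "source not on scanner list")
    if (m["dst"], int(m["port"])) not in enrolled:
        # A listed source touching anything but the enrolled site is not expected.
        return ("review", f"{label} reached a host outside the enrolled sites")
    return ("tag", label)

if __name__ == "__main__":
    scanners = load_scanners(SCANNER_LIST)
    for line in ALERTS:
        print(triage(line, scanners, ENROLLED), "|", line)
```

Tagging keeps the scanner's alerts searchable, and a listed source that reaches a non-enrolled host or port still goes to an analyst.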
