Video Screencast Help
Symantec Appoints Michael A. Brown CEO. Learn more.
Security Community Blog

Why am I getting IDS alerts on vulnerability scans from Symantec?

Created: 29 May 2013 • Updated: 22 Jul 2013
Brandon Noble's picture
+2 2 Votes
Login to vote

Over the past several months we have had inquiries from concerned customers claiming Symantec was scanning their forward facing IPs for vulnerabilities. After some research and some extremely tense meetings it was determined that this was actually part of a service the customer had purchased and opt'ed in for and that perhaps the Web team had forgotten to let the SOC know what was going on. Sound familiar?

The service is part of Trusted Services and allows the customer to add the Norton Secured seal to their website.

Vulnerability Assessment Service can create multiple entries in the customer’s website's logs and could cause alerts from their perimeter IDS/IPS. Its recommended to create rules or filters for these entries to avoid an false positives.
Vulnerability Assessment Service uses the following IP addresses and server names:

•    VBLADEAF001  46.4.95.23  (scan1.ws.symantec.com)
•    VBLADEAF002  46.4.85.9  (scan2.ws.symantec.com)
•    VBLADEAF003  46.4.85.14  (scan3.ws.symantec.com)
•    VBLADEAF004  46.4.94.227  (scan4.ws.symantec.com)
•    VBLADEAF005  46.4.94.230  (scan5.ws.symantec.com)
•    VBLADEAF006  46.4.94.239  (scan6.ws.symantec.com)
•    VBLADEAF007  67.192.122.132  (scan7.ws.symantec.com)
•    VBLADEAF008  204.232.241.139  (scan8.ws.symantec.com)
•    VBLADEAF009  46.4.94.143  (scan9.ws.symantec.com)
•    VBLADEAF010 5.9.77.176  (scan10.ws.symantec.com)

 
For more support on this feature please see:
https://knowledge.verisign.com/support/ssl-certificates-support/index.html?tid=symc_vrsn_kb