Endpoint Protection

  • 1.  About Security Log or IPS Log on SEP11

    Posted Jul 30, 2009 04:42 PM
    Dear Sir

    I've tested the IPS feature of SEP11.

    - I've distributed the net worm "Kido" (also called "Conficker" or "Downadup") on a test PC.
    - It is certain that SEP11 can detect and block the worm.
    Everyone should know the short description of this worm:
    - injects into svchost
    - attacks ports 139 and 445 TCP
    - attacks computers that do not have the MS patch installed

    If I compare the log with other AV products such as Kaspersky Antivirus and most competitors,
    the IPS log of Kaspersky contains information like this (short info):
    attack name: Intrusion.Win.NETAPI.buffer-overflow.exploit (other AV products may call it networm.exploit or something similar)
    source: x.x.x.x
    port: 139 or 445
    attack description: C:\WINDOWS\system32\svchost.exe

    but the Security Log of SEP11 contains information like this (short info):
    attack name: MSRPC Server Service BO detected.
    source: x.x.x.x
    port: no information
    attack description: C:\WINDOWS\system32\ntoskrnl.exe

    *********************************************************************************

    1. How can I get the "port" information from the Security Log and from SEPM reports? I have not found any port information in the Security Log or in SEPM reports.
    2. MSRPC Server Service BO detected <<< Who can describe the meaning of this attack name?
    3. C:\WINDOWS\system32\ntoskrnl.exe <<< Why does SEP11 detect it like this? Who can tell me the difference between ntoskrnl.exe and svchost.exe?

    In my opinion,
    the information in Symantec's Security Log is not good and not enough.
    Symantec detects Kido or Conficker with a different description from other AV products. It is hard to trace the attack and identify the attack risk. Do you agree with me?

    Thank you for all comments.

  • 2.  RE: About Security Log or IPS Log on SEP11

    Posted Jul 30, 2009 06:09 PM
    Svchost.exe
    The file svchost.exe is the Generic Host Process for Win32 Services, used for administering 16-bit-based dynamically linked library files (DLL files) including other supplementary support applications.

    As operating systems became more complex, Microsoft decided to run more software functionality from a dynamic link library (DLL) interface. However, DLLs are unable to launch themselves, and at least one executable program, i.e. svchost.exe, is needed to bridge between the library process and the operating system.

    Through the solitary file svchost.exe, the DLLs efficiently contain and dispense Win32 services as well as neatly facilitate the execution of svchost.exe's own operations. Acting as a host, the file svchost.exe creates multiple instances of itself. The multiple executions of the file svchost.exe contribute to the stability and security of the operating system by reducing the possibility of a crashing process causing a domino effect on its neighbouring processes, thereby creating a system-wide crash on the machine.

    ntoskrnl.exe is a critical process in the boot-up cycle of your computer, although it should never appear in WinTasks under normal circumstances. Note: ntoskrnl.exe can be altered by W32.Bolzano and variants. If this process appears in WinTasks, you need to update your virus definitions immediately.


    MSRPC Server Service BO

    It is a Symantec Intrusion Protection signature that protects the system from Conficker/Downadup.

    This signature detects an attempt to exploit a buffer overflow vulnerability in the Server Service on Windows systems which may result in remote code execution.

    A remote code execution vulnerability exists in the Server service on Windows systems. The vulnerability is due to the service not properly handling specially crafted RPC requests. An attacker who successfully exploited this vulnerability could take complete control of an affected system.

    To view this vulnerability as a standard entry in the Common Vulnerabilities and Exposures list, see CVE-2008-4250.
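
The post above describes svchost.exe as a host for service DLLs, and the thread's worm targets the Server service running inside one of those svchost instances. The following is an added example, not code from the original post or from Symantec: it parses the output of `tasklist /svc` to show which services each svchost.exe instance hosts. The sample output is constructed to match the `tasklist /svc` layout (image name, PID, comma-separated services, with long service lists wrapped onto indented continuation lines) and is not taken from the poster's machine; "lanmanserver" being the short name of the Windows Server service is general Windows knowledge, not something stated on this page.

```python
"""Map each svchost.exe instance to the services it hosts, from `tasklist /svc`.

Added example: SAMPLE_TASKLIST_SVC is constructed to match the layout of
`tasklist /svc` output; it is not captured from the poster's machine.
"""
import re

SAMPLE_TASKLIST_SVC = """\
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
System                           4 N/A
smss.exe                       560 N/A
svchost.exe                    936 DcomLaunch, PlugPlay
svchost.exe                   1020 RpcSs
svchost.exe                   1100 AudioSrv, BITS, Browser, CryptSvc, Dhcp,
                                   dmserver, ERSvc, EventSystem, helpsvc,
                                   lanmanserver, lanmanworkstation, Netman
svchost.exe                   1188 Dnscache
svchost.exe                   2316 N/A
"""

# image name (may contain spaces), then the PID, then the services column
ENTRY_RE = re.compile(r"^(\S.*?)\s+(\d+)\s+(\S.*)$")


def _split_services(text):
    """Split 'A, B, C,' into ['A', 'B', 'C']; 'N/A' means no services."""
    return [s for s in (p.strip() for p in text.split(",")) if s and s != "N/A"]


def parse_tasklist_svc(text):
    """Return a list of {'image', 'pid', 'services'} dicts, one per process."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("Image Name") or line.startswith("="):
            continue  # header / separator
        if line[0].isspace():
            # wrapped continuation of the previous entry's service list
            entries[-1]["services"].extend(_split_services(line))
            continue
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised tasklist line: {line!r}")
        image, pid, services = m.groups()
        entries.append({"image": image, "pid": int(pid),
                        "services": _split_services(services)})
    return entries


def host_of(entries, service):
    """PID of the process hosting `service` (case-insensitive), or None."""
    wanted = service.lower()
    for e in entries:
        if wanted in (s.lower() for s in e["services"]):
            return e["pid"]
    return None


def unhosted_svchosts(entries):
    """svchost.exe instances hosting no service at all. svchost exists only to
    host service DLLs, so an instance with none deserves a closer look
    (triage heuristic; short-lived legitimate instances can also appear this way)."""
    return [e["pid"] for e in entries
            if e["image"].lower() == "svchost.exe" and not e["services"]]


if __name__ == "__main__":
    procs = parse_tasklist_svc(SAMPLE_TASKLIST_SVC)
    # lanmanserver is the Windows Server service; an exploit of it runs inside this svchost
    print("Server service (lanmanserver) is hosted by svchost PID", host_of(procs, "lanmanserver"))
    print("svchost instances hosting nothing:", unhosted_svchosts(procs))
```

On a live machine, replace the constructed sample with `subprocess.run(["tasklist", "/svc"], capture_output=True, text=True).stdout`; the parser is unchanged. ntoskrnl.exe never appears in this listing because it is the kernel image, not a user-mode process.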



  • 3.  RE: About Security Log or IPS Log on SEP11

    Posted Jul 31, 2009 09:19 AM
    1. Who can tell me how to see the "Attacking Port" information? Or does the SEP log not contain this value?

    2. Why does Symantec detect Kido or Conficker or Downadup under a different name from competitors, as MSRPC Server Service BO? I'm seeing most AV products detect it under the same name.

    3. I've tested the IPS feature of SEP11 with an exploitation tool such as a mail-slot attack. I've seen SEP11 detect it like this:
    attack name: MSRPC Server Service BO detected.
    source: x.x.x.x
    port: no information
    attack description: C:\WINDOWS\system32\ntoskrnl.exe

    From all the information above, you can see that it is detected under the same name as "Kido, Conficker, Downadup". Why?



  • 4.  RE: About Security Log or IPS Log on SEP11
    Best Answer

    Posted Jul 31, 2009 11:02 AM
    IPS detects the activity. Antivirus detects the files.

    The activity is exploiting the MSRPC Server service vulnerability, so this activity is detected as MSRPC Server Service BO Detected.

    When the malware file xxxx.dll/exe/sys/xxx is detected, it is detected as W32.Downadup.x.
    By the way, Downadup is the name given by Symantec. Microsoft calls it Conficker; every AV company has its own naming convention.
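
The answer above separates two kinds of evidence: the IPS event records the exploit activity on the wire (signature name, source address) and the AV event records the file on disk (risk name, path). The following is an added example, not code from the original thread or from Symantec: it normalises the two vendor signature names quoted in the thread to the CVE the thread names, then joins each IPS event to any AV detection on the same host within a short window, so one incident record carries both. The record layouts, field names, host names, addresses and file paths are constructed assumptions, not SEP's Security Log or Risk Log export schema; as in the thread, the IPS records carry no destination port.

```python
"""Correlate IPS events (exploit activity) with AV events (files) per host.

Added example: the record layouts and field names below are constructed and
are NOT Symantec's Security Log / Risk Log export schema.
"""
from collections import Counter
from datetime import datetime, timedelta

# Two vendors' IPS signature names for the same activity, both quoted in the
# thread, normalised to the public identifier the thread names.
SIGNATURE_TO_CVE = {
    "MSRPC Server Service BO detected": "CVE-2008-4250",
    "Intrusion.Win.NETAPI.buffer-overflow.exploit": "CVE-2008-4250",
}

# Constructed IPS events: network activity seen on the target, no port field.
IPS_EVENTS = [
    {"time": "2009-07-30 14:02:11", "host": "LAB-PC1", "source_ip": "10.0.0.23",
     "signature": "MSRPC Server Service BO detected",
     "application": r"C:\WINDOWS\system32\ntoskrnl.exe"},
    {"time": "2009-07-30 14:03:05", "host": "LAB-PC2", "source_ip": "10.0.0.23",
     "signature": "MSRPC Server Service BO detected",
     "application": r"C:\WINDOWS\system32\ntoskrnl.exe"},
    {"time": "2009-07-30 14:04:00", "host": "LAB-PC3", "source_ip": "10.0.0.23",
     "signature": "Intrusion.Win.NETAPI.buffer-overflow.exploit",
     "application": r"C:\WINDOWS\system32\svchost.exe"},
]

# Constructed AV events: a file on disk and the vendor's risk name for it.
AV_EVENTS = [
    {"time": "2009-07-30 14:02:40", "host": "LAB-PC1", "risk": "W32.Downadup",
     "path": r"C:\WINDOWS\system32\sample.dll"},   # constructed path
    {"time": "2009-07-30 17:45:00", "host": "LAB-PC2", "risk": "W32.Downadup",
     "path": r"C:\WINDOWS\system32\sample.dll"},   # hours later: outside the window
]


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")


def correlate(ips_events, av_events, window=timedelta(minutes=10)):
    """One incident per IPS event, with AV detections on the same host that
    occur within `window` after the exploit attempt attached as follow-ups."""
    incidents = []
    for ips in ips_events:
        t0 = parse_ts(ips["time"])
        followups = [
            av for av in av_events
            if av["host"] == ips["host"]
            and t0 <= parse_ts(av["time"]) <= t0 + window
        ]
        incidents.append({
            "host": ips["host"],
            "time": ips["time"],
            "source_ip": ips["source_ip"],
            "signature": ips["signature"],
            "cve": SIGNATURE_TO_CVE.get(ips["signature"], "unmapped"),
            "file_detections": followups,
        })
    return incidents


def sources_by_attempts(incidents):
    """Exploit attempts per source address: the machines doing the attacking
    are the already-infected ones, and the first to isolate."""
    return dict(Counter(i["source_ip"] for i in incidents))


def describe(incident):
    """One analyst-readable line per incident."""
    if incident["file_detections"]:
        verdict = "exploit attempt followed by file detection: " + ", ".join(
            f"{d['risk']} ({d['path']})" for d in incident["file_detections"])
    else:
        verdict = "exploit attempt, no file detection on the target afterwards"
    return (f"{incident['time']} {incident['host']}: {incident['cve']} via "
            f"'{incident['signature']}' from {incident['source_ip']}; {verdict}")


if __name__ == "__main__":
    incidents = correlate(IPS_EVENTS, AV_EVENTS)
    for inc in incidents:
        print(describe(inc))
    print("attempts per source:", sources_by_attempts(incidents))
```

The window is deliberately short: an exploit attempt that the IPS blocked should have no file detection after it, and a detection hours later (LAB-PC2 here) is more likely a separate infection path than the payload of that attempt. Extending SIGNATURE_TO_CVE is how the vendor-specific naming the thread complains about gets reconciled across sensors.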


  • 5.  RE: About Security Log or IPS Log on SEP11

    Posted Aug 02, 2009 01:13 PM
    How can I see the attacking port?