Dear Sir,
I've tested the IPS feature of SEP11.
- I've distributed the net worm "Kido" or "Conficker" or "Downadup" on a testing PC.
- It is very certain that SEP11 can detect and block the worm.
And everyone would know the short description of this worm:
- injecting into svchost
- attacking ports 139 and 445 TCP
- attacking computers that are not updated with the MS patch
If I compare the log with other AV such as Kaspersky Antivirus and most competitors,
the IPS log of Kaspersky contains information like this (short info):
attack name: Intrusion.Win.NETAPI.buffer-overflow.exploit (other AV may call it networm.exploit or something)
source: x.x.x.x
port: 139 or 445
attack description: C:\WINDOWS\system32\svchost.exe
but the Security Log of SEP11 contains information like this (short info):
attack name: MSRPC Server Service BO detected.
source: x.x.x.x
port: no information
attack description: C:\WINDOWS\system32\ntoskrnl.exe
*********************************************************************************
1. How can I get the "port" information from the Security Log and on the report of SEPM? I've not found any port information in the Security Log or the report of SEPM.
2. MSRPC Server Service BO detected <<< Who can describe the meaning of this attack name?
3. C:\WINDOWS\system32\ntoskrnl.exe <<< Why did SEP11 detect it like this? Who can tell me the difference between ntoskrnl.exe and svchost.exe?
In my opinion,
I think the information in the Security Log of Symantec is not good and not enough information.
Symantec detected Kido or Conficker with a different description from other AV. It is hard to trace the attack and identify the attack risk. Do you agree with me?
Thank you for all comments.
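The comparison above is easier to do when both vendors' entries are mapped onto one record, so that a missing field (the port in the SEP11 entry) shows up explicitly instead of being noticed by eye. The following Python script is an added example and is not the poster's code nor anything from Symantec or Kaspersky; the two sample entries are constructed from the values quoted in the post (with a documentation IP address in place of x.x.x.x), and the "key: value" shape is assumed from how the post quotes them, not from any real export format.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample entries in the "key: value" shape quoted in the post.
# 192.0.2.10 is a documentation address standing in for the post's x.x.x.x.
KASPERSKY_SAMPLE = """\
attack name: Intrusion.Win.NETAPI.buffer-overflow.exploit
source: 192.0.2.10
port: 445
attack description: C:\\WINDOWS\\system32\\svchost.exe
"""

SEP11_SAMPLE = """\
attack name: MSRPC Server Service BO detected.
source: 192.0.2.10
port: not have any information
attack description: C:\\WINDOWS\\system32\\ntoskrnl.exe
"""

# Strings that mean "no value" in the post's wording and in common exports.
EMPTY_MARKERS = {"", "not have any information", "no information", "n/a", "-"}


@dataclass
class IpsEvent:
    """Vendor-neutral view of one IPS detection."""
    vendor: str
    signature: str
    source: str
    port: Optional[int]
    process: Optional[str]
    missing: list = field(default_factory=list)


def parse_kv_block(text: str) -> dict:
    """Turn 'key: value' lines into a dict with lowercase, stripped keys."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        fields[key.strip().lower()] = value.strip()
    return fields


def normalize(vendor: str, text: str) -> IpsEvent:
    """Map one vendor's block onto IpsEvent and record which fields are absent."""
    f = parse_kv_block(text)
    missing = []

    raw_port = f.get("port", "")
    port_match = re.search(r"\d+", raw_port)
    if raw_port.lower() in EMPTY_MARKERS or not port_match:
        port = None
        missing.append("port")
    else:
        port = int(port_match.group())  # "139 or 445" -> 139 (first listed)

    raw_proc = f.get("attack description", "")
    if raw_proc.lower() in EMPTY_MARKERS:
        process = None
        missing.append("process")
    else:
        # Keep only the image name so paths from different hosts compare equal.
        process = raw_proc.replace("\\", "/").rsplit("/", 1)[-1].lower()

    return IpsEvent(
        vendor=vendor,
        signature=f.get("attack name", "").rstrip("."),
        source=f.get("source", ""),
        port=port,
        process=process,
        missing=missing,
    )


def compare(a: IpsEvent, b: IpsEvent) -> dict:
    """Return the fields on which two normalized events disagree."""
    diffs = {}
    for name in ("signature", "source", "port", "process"):
        va, vb = getattr(a, name), getattr(b, name)
        if va != vb:
            diffs[name] = (va, vb)
    return diffs


if __name__ == "__main__":
    k = normalize("Kaspersky", KASPERSKY_SAMPLE)
    s = normalize("SEP11", SEP11_SAMPLE)
    for ev in (k, s):
        print(f"{ev.vendor}: port={ev.port} process={ev.process} missing={ev.missing}")
    print("differs in:", compare(k, s))
```

Running it lists `missing=['port']` for the SEP11 entry and shows that the two products agree only on the source address, which is exactly the correlation gap the post describes; extending `EMPTY_MARKERS` and the key names is all that is needed to feed real exports from either console into the same record.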