
Active response - The client will block traffic from IP address...

Created: 30 Oct 2012 | 12 comments

Hi,

 

I'm a little bit confused with the policy settings.

In firewall policy -> protection and stealth, "Automatically block an attacker's IP address" is NOT enabled. The current version of the policies is applied on the client. But when I open the website www.osecanka.cz, the following appears in the security log:

[SID: 25887] Web Attack: Malicious Java Download Request 2 attack blocked. Traffic has been blocked for this application: \DEVICE\HARDDISKVOLUME2\PROGRAM FILES (X86)\INTERNET EXPLORER\IEXPLORE.EXE

and

The client will block traffic from IP address "PROXY IP" for the next 600 seconds (from 30.10.2012 15:48:27 to 30.10.2012 15:58:27).

So, why is this happening?

 

Thx


Ashish-Sharma

Hi,

In the SEPM you can create a firewall rule to block an attacker address, or you can increase the default time limit of 10 minutes.

By default attacker IP address is blocked for 10 minutes. You can maximize this time through policies. Set it to maximum.

I don't see any point in creating an exception for a single IP address, because attackers are smart enough that they will start with a new IP address.

If the machine is receiving an attack, it means there must be some loophole in the system.

Patch the system with all the system updates. Use all the SEP features, i.e. AV/AS, PTP & NTP, with the latest definitions.

Check this article:

http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=23179

Check this link for all the updates which need to be installed.

http://www.securityfocus.com/bid/31874/solution

 

You can check these forums:

https://www-secure.symantec.com/connect/forums/constant-traffic-ip-address-xxxxxxxx-blocked-message-popping-out-1

https://www-secure.symantec.com/connect/forums/constant-traffic-ip-address-xxxxxxxx-blocked-message-popping-out

Thanks In Advance

Ashish Sharma

 

 

_Brian

Is the client in a group that may have this option enabled in the policy?

 

Kyli

Hi,

The problem is that the "attacker" is in this case our proxy server :) This is the reason why the "block attacker's IP address" feature is disabled. Even so, the proxy (which means all internet connections) is blocked.

I've created a security ID exception (I hope it is just temporary, I don't have a good feeling about it).

_Brian

This is because SEP is not proxy aware and your proxy is showing as the source as opposed to the true source.

So you excluded the [SID: 25887] Web Attack: Malicious Java Download Request 2 IPS signature? The clients will now run the risk of being infected so I wouldn't recommend that.

Have you patched Java with the latest updates?
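The point _Brian makes above, that SEP records the proxy as the source, is something an administrator can check for in the client security log before reaching for an IPS exclusion. The following is an added example (not code from the thread or from Symantec) that parses the two kinds of log lines quoted in the question and flags active-response blocks whose "attacker" is a known proxy or shared server; the log lines and the address list are constructed.

```python
import re
from datetime import datetime

# Constructed sample lines modelled on the SEP client security log quoted in the thread.
SAMPLE_LOG = """\
[SID: 25887] Web Attack: Malicious Java Download Request 2 attack blocked. Traffic has been blocked for this application: \\DEVICE\\HARDDISKVOLUME2\\PROGRAM FILES (X86)\\INTERNET EXPLORER\\IEXPLORE.EXE
The client will block traffic from IP address "10.0.0.5" for the next 600 seconds (from 30.10.2012 15:48:27 to 30.10.2012 15:58:27).
The client will block traffic from IP address "203.0.113.77" for the next 600 seconds (from 30.10.2012 16:01:00 to 30.10.2012 16:11:00).
"""

# Constructed addresses of shared infrastructure; the thread only says "PROXY IP".
PROTECTED_HOSTS = {"10.0.0.5": "web proxy", "10.0.0.10": "Exchange server"}

SID_RE = re.compile(r'\[SID: (?P<sid>\d+)\] (?P<name>.+?) attack blocked')
BLOCK_RE = re.compile(
    r'block traffic from IP address "(?P<ip>[^"]+)" for the next (?P<secs>\d+) seconds '
    r'\(from (?P<start>[\d.]+ [\d:]+) to (?P<end>[\d.]+ [\d:]+)\)'
)
TS_FMT = "%d.%m.%Y %H:%M:%S"  # SEP writes day.month.year, as in the quoted line


def parse_events(log_text):
    """Return one dict per recognised line: IPS signature hits and active-response blocks."""
    events = []
    for line in log_text.splitlines():
        sig = SID_RE.search(line)
        if sig:
            events.append({"type": "signature", "sid": int(sig["sid"]), "name": sig["name"]})
            continue
        blk = BLOCK_RE.search(line)
        if blk:
            start = datetime.strptime(blk["start"], TS_FMT)
            end = datetime.strptime(blk["end"], TS_FMT)
            events.append({"type": "block", "ip": blk["ip"], "seconds": int(blk["secs"]),
                           # sanity check: the window should match the announced duration
                           "duration_ok": (end - start).total_seconds() == int(blk["secs"])})
    return events


def find_infrastructure_blocks(events, protected=PROTECTED_HOSTS):
    """Flag blocks whose 'attacker' is a proxy or other shared host.

    Because SEP sees the proxy as the source, such a block cuts off every client
    behind it and hides the real origin, so it needs review rather than an exclusion."""
    return [(e["ip"], protected[e["ip"]], e["seconds"])
            for e in events if e["type"] == "block" and e["ip"] in protected]
```

Blocks of addresses not in the protected list (the second block line in the sample) are left alone, since those are the cases the active response is meant for.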

Kyli

Yes, SID 25887 is excluded, so it works for now. I believe this is just a temporary workaround.

 

I have downloaded the latest Java 7 Update 9, all MS patches and the latest SEP version.

_Brian

I would patch immediately.

Hopefully, the antivirus signature can catch the potential infection attempt.

Mithun Sanghavi

Hello,

[SID: 25887] Web Attack: Malicious Java Download Request 2 attack blocked.

http://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=25887

Oracle Java SE is prone to a remote denial-of-service vulnerability in Java Runtime Environment. Specifically, the issue occurs because the application fails to properly check if an array is of an expected Object[] type. An attacker can exploit this issue to cause Java Virtual Machine to crash or bypass Java sandbox restrictions. 

An attacker can exploit this issue to cause the application to crash, denying service to legitimate users. 

This vulnerability affects the following supported versions: 
7 Update 2, 6 Update 30, 5.0 Update 33

Solution: http://www.securityfocus.com/bid/52161/info

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

Kyli

I have created a testing group (just to be sure which policies are applied) -> same result: even though the "block attacker's IP address" feature is disabled, SEP still blocks the proxy.

 

The client log shows:

Intrusion Prevention    Critical    Incoming.....Web Attack: Malicious Java Download Request 2    argoauto.net//logs_ftp/index-bkp.php?action=jv&h=1004096015...

According to the source code of the website, there is:

<script type="text/javascript" src="http://argoauto.net/logs_ftp/index-bkp.php"></script>

 

And if you open it, it just contains:

if(navigator.javaEnabled()) { document.write(' '); }

 

It looks like a check whether Java is functional, so what is wrong or dangerous?

 

Ian_C.

 '); }

That's the part of the line that is missing for me, and Java launches. It then tries to run a Java application from an unknown publisher from the web site http://atoppos.com

so what is wrong or dangerous ?

Maybe nothing for you in a fully patched environment; for millions of others, the Java exploits making the news recently?

 

Please mark the post that best solves your problem as the answer to this thread.

_Brian

You're re-directed to another site which will likely serve you up malicious code.

Ian_C.

there is NOT enabled "Automatically block an attacker's IP address".

I think this thread is going off-topic. The client blocks traffic from a specific IP address even though the policy is configured not to block.

We've previously had this happen between Outlook on a workstation and the Exchange server. Often enough our DCs also block client traffic. We too have the policy set to NOT block any traffic.

And yet, SEP still blocks traffic from IP addresses.

Why is this happening? Please don't tell me to upgrade to the latest version unless you can point out a specific FIX ID that addresses this issue.

Please mark the post that best solves your problem as the answer to this thread.

Kyli

Maybe a solution for that issue :)

I have made the same tests with SEP 12.1.2 beta 2 and it works correctly, so I have to wait until GA.