
Endpoint Protection Blocks Backup Exec Agent on some IPs

Created: 22 Oct 2012 • Updated: 05 Nov 2012 | 13 comments

Hi all, I am receiving the following security alert from Symantec Endpoint Protection on my Backup Exec 2010 R3 server:


[SID: 25721]Web Attack: RTMP Type Confusion CVE-2012-0779 2 detected.

Traffic has been blocked from this application: C:\Program Files\Symantec\Backup Exec\bengine.exe


I have received this for a few of my backed-up machines and was wondering what the best practice is to stop this from happening.


I would assume the way is to create an application rule for "bengine.exe" in the Symantec Endpoint Protection Manager (SEPM) firewall policy as outlined in this article: http://www.symantec.com/docs/TECH104526 Is this correct? Or is there a different/better way?

Thank you in advance

Mike


.Brian:

This is happening because the IPS signature is firing on it. You can create an exception for this signature:


Creating exceptions for IPS signatures

http://www.symantec.com/business/support/index?page=content&id=HOWTO55167

See this for more info on managing IPS as well:


Managing intrusion prevention on your client computers

http://www.symantec.com/business/support/index?page=content&id=HOWTO55156

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

mhartman:

If I allow [SID: 25721]Web Attack: RTMP Type Confusion CVE-2012-0779 in the intrusion prevention policy, won't that put my whole organization at risk of the Adobe Flash Player vulnerability outlined in this article? http://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=25721

.Brian:

You can allow only this machine to be excluded from the IPS policy, not all machines.

Also, is this being flagged during a backup? Backup Exec shouldn't be flagged or creating a vulnerability.

Have you scanned this machine to ensure it's not infected or determined when exactly this signature fires and what's going on?


mhartman:

Yes, this happens during a backup, and then it kills the backup connection.

The signature seems to fire when it gets to the D: volume of this server; the C: volume backs up fine. The D: volume has multiple versions of an in-house software application (maybe this is flagged?).

I have checked the Endpoint logs and have run scans but everything comes up clean.

Backup Exec is also set up to run on a separate IP scheme, if this makes a difference.

mhartman:

That looks like it will do the trick. I will try this out, and since this does not happen on every backup job, I will let the system run a few days and post back if this fixes the problem.

Ashish-Sharma:

Hi Mike,

Is your problem resolved or not?

Thanks In Advance

Ashish Sharma


mhartman:

Ashish, thank you for the suggestion. I have not received any false positives since applying your fix. Marked as solution.

mhartman:

Got the same false positive on Friday. Is there a way to "whitelist" the IP address of the server being backed up for just the backup server?

.Brian:

You can add only this server to the excluded hosts list in the IPS policy. IPS will then not apply to this server. Or you could just remove the component, if that is an option.

Ashish-Sharma:

Hi,

What SEP components do you have installed?

If you have the NTP feature installed, try removing that feature on the server.

mhartman:

I have excluded the IP address of the host being flagged in the IPS policy. I will let this run over the weekend and post back if this corrects the problem.

Ian_C.:

@mhartman

Something that has not yet been covered is the version of SEP you are running.

In SEP 12, you can have different exclusions for continuous, manual or scheduled scans.

In SEP 11, that is not the case. If you apply centralised exclusions, they apply to every type of scan. Thus your manual scan might not pick up an infected file if it is in an excluded directory. It might, however, be picked up when the backup engine is reading the contents of the file. At that time, I guess the infected file is part of the backup engine process and will be scanned, which triggers your alert?

Just a thought. Would be nice to hear from Symantec developers about this.

Please mark the post that best solves your problem as the answer to this thread.