Endpoint Protection

  • 1. High-risk intrusion was detected -- over 100 in the last 2 days

    Posted Jul 27, 2015 09:45 PM

    I run Symantec Endpoint Protection on my VPS and apparently it is doing its job, as I get an occasional email stating that a high-risk intrusion was detected...

    However, in the last 2 days, I've received over 100 of these emails.

    The targeted port in the email is 0.

    Is there a problem I should investigate further?



  • 2. RE: High-risk intrusion was detected -- over 100 in the last 2 days

    Posted Jul 27, 2015 09:47 PM

    Is the traffic going outbound from the VPS? If so, it may have an active infection.

    If you could post a screenshot of the full alert that would be great.



  • 3. RE: High-risk intrusion was detected -- over 100 in the last 2 days

    Posted Jul 28, 2015 07:02 AM

    Hi Brian,

    Here is a screenshot.

    SEP alert.png



  • 4. RE: High-risk intrusion was detected -- over 100 in the last 2 days

    Posted Jul 28, 2015 07:54 AM

    It looks like that remote IP attempted to exploit the system but was blocked by SEP.

    You could drop this traffic at your firewall as well but so far SEP is doing its job.



  • 5. RE: High-risk intrusion was detected -- over 100 in the last 2 days

    Posted Jul 31, 2015 08:32 AM

    Brian, how would I go about "dropping" the traffic at my firewall?

    Also, is there a way to see what IP addresses these attacks are coming from and what port they are attempting to use?

    The email from Symantec regarding the blocked High-Risk Intrusion always says port 0, but I suspect it is really another port?
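    The "drop this traffic at your firewall" suggestion from post 4, as an added example that is not part of this thread: on a Windows VPS the built-in firewall can hold a single inbound block rule listing the remote addresses reported in the SEP alerts. The script path, the address file and the rule name are assumptions; it also refuses to block the VPS's own address (the 'Target IP' in the alert).

```powershell
# Added example (not from the thread): keep one inbound block rule in Windows
# Firewall that lists the remote addresses seen in SEP intrusion alerts.
# Assumptions: Windows VPS with the NetSecurity module, an elevated PowerShell
# session, and a text file with one attacker IP per line copied from the alerts.
param(
    [string]$AddressFile = 'C:\sep\blocked-ips.txt',   # assumed path
    [string]$RuleName    = 'SEP intrusion sources'      # assumed rule name
)

# Accept only literal IPv4/IPv6 addresses so a stray line in the file
# cannot turn into an over-broad rule.
function Get-ValidAddresses {
    param([string[]]$Lines)
    $valid = @()
    foreach ($line in $Lines) {
        $ip = $null
        $text = $line.Trim()
        if ($text -and [System.Net.IPAddress]::TryParse($text, [ref]$ip)) {
            $valid += $ip.ToString()
        } else {
            Write-Warning "Skipping line that is not an IP address: '$line'"
        }
    }
    return $valid | Sort-Object -Unique
}

# Never block the VPS's own addresses (the 'Target IP' shown in the alerts).
$local = (Get-NetIPAddress | Where-Object { $_.AddressState -eq 'Preferred' }).IPAddress
$candidates = Get-ValidAddresses (Get-Content -Path $AddressFile)
$toBlock = @($candidates | Where-Object { $local -notcontains $_ })

if ($toBlock.Count -eq 0) { Write-Host 'No addresses to block.'; exit 0 }

$rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
if ($rule) {
    # Merge with the addresses already on the rule so earlier entries are kept;
    # 'Any' is what an unrestricted rule reports and must not be carried over.
    $existing = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
    $merged = @($existing) + $toBlock | Where-Object { $_ -ne 'Any' } | Sort-Object -Unique
    Set-NetFirewallRule -DisplayName $RuleName -RemoteAddress $merged
} else {
    # New rule: block every inbound connection from the listed addresses,
    # regardless of port, which sidesteps the 'port 0' question in the alerts.
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Block `
        -Profile Any -RemoteAddress $toBlock | Out-Null
}

# Print the resulting list so it can be checked against the alert emails.
(Get-NetFirewallRule -DisplayName $RuleName | Get-NetFirewallAddressFilter).RemoteAddress
```

The rule blocks all protocols and ports from the listed sources, which is why knowing the real target port is not required for it to work.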



  • 6. RE: High-risk intrusion was detected -- over 100 in the last 2 days

    Posted Jul 31, 2015 08:40 AM

    Is the address in the 'Target IP' your external address?



  • 7. RE: High-risk intrusion was detected -- over 100 in the last 2 days

    Posted Jul 31, 2015 08:44 PM

    Yes, the Targeted IP is the address for my VPS.



  • 8. RE: High-risk intrusion was detected -- over 100 in the last 2 days

    Posted Aug 06, 2015 10:20 AM

    Hi Brian,

    Did you see my last response? The Targeted IP is the address for my VPS. I'm still interested in knowing how to find out the IP address of the attackers, and what port they were attacking.

    Thanks



  • 9. RE: High-risk intrusion was detected -- over 100 in the last 2 days

    Posted Aug 06, 2015 11:33 AM

    To me, that alert offers no relevant detail whatsoever.

    May want to contact support to see what they know.