Endpoint Protection

  • 1.  How to identify the port which was used by attacker using SEPM

    Posted May 04, 2010 04:31 AM

    Hi There,


    Has anyone out there overcome this situation, whereby a few of my desktops are showing a Symantec pop-up stating that a public IP address was blocked on a particular date and time?
    These are very frequent. In View Logs >> Client Management >> Security Log, I can view the details of the attacker who attacked the system (details as below)
    so far, but what I want the most is the incoming port that was used by the attacker. Does anyone have any idea? Please help.


    "Denial of Service "Jolt2 Attack" attack detected.
    Description:
    Jolt2 attacker floods illegally fragmented ICMP or UDP packets into your computer and causes your CPU utilization to be 100%"




    Thanking in advance,
    m_k



  • 2.  RE: How to identify the port which was used by attacker using SEPM

    Posted May 04, 2010 05:22 AM
    Hello m_k,
    Create a new firewall rule. The rule is from internal to external. Choose to create a log, and assign it to the user. The firewall will then log everything incoming and outgoing. Then you can see which port was used.

    Best Regards.
    Fatih


  • 3.  RE: How to identify the port which was used by attacker using SEPM

    Posted May 04, 2010 05:26 AM
    I don't think SEPM can give you the information about the ports. You can add this as an idea in the Idea section.


  • 4.  RE: How to identify the port which was used by attacker using SEPM

    Posted May 04, 2010 05:43 AM
    Hello m_k,
    I forgot to write that you can use Wireshark too.
    And there is a picture below for ports.

    Best Regards.
    Fatih



  • 5.  RE: How to identify the port which was used by attacker using SEPM

    Posted May 04, 2010 06:02 AM
    Hi Fatih,

    Thanks for your reply. How do I create the rule? I have never done this before. Could you guide me on this, please? Also, I can't see any log in Network Threat Protection; it's empty and I don't know why. Is there any other way to check the log?

    Thanking in advance.

    m_k


  • 6.  RE: How to identify the port which was used by attacker using SEPM
    Best Answer

    Posted May 04, 2010 06:48 AM
    Hello again,
    In the SEP Manager, choose Policies > Firewall Policy > Create new Rule.
    Choose Blank Rule.
    When you create the rule, move it to the first line and choose Log (you can see the picture below).
    Then assign the policy to the user you want to follow.
    Update the client policy and open the user log file in the SEP client.
    Regards.
    Fatih



  • 7.  RE: How to identify the port which was used by attacker using SEPM

    Posted May 04, 2010 10:33 AM
    Please note you will want to use this logging policy only temporarily. I know from experience that this amount of logging will spike the CPU utilization and disk I/O.
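
An added example, not part of any post in this thread and not Symantec code: when reading a packet capture such as the Wireshark one suggested above, a port is only present in the first fragment of a UDP or TCP datagram, and never for ICMP, which matters for an alert about fragmented ICMP or UDP traffic. The function names and the sample packets (documentation addresses, checksum left at 0) are constructed for illustration, and the input is assumed to start at the IPv4 header.

```python
import ipaddress
import struct

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}

def summarize_ipv4(packet: bytes) -> dict:
    """Report fragmentation state and, when present, the ports of a raw IPv4 packet."""
    if len(packet) < 20:
        raise ValueError("shorter than a minimal IPv4 header")
    ver_ihl, _, _, _, flags_frag, _, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    payload = packet[ihl:]
    offset = (flags_frag & 0x1FFF) * 8  # the header field counts 8-byte units
    info = {
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "protocol": PROTO_NAMES.get(proto, str(proto)),
        "fragment": bool(flags_frag & 0x2000) or offset > 0,
        "offset": offset,
        # A reassembled IPv4 datagram cannot exceed 65535 bytes.
        "oversize": ihl + offset + len(payload) > 65535,
        "src_port": None,
        "dst_port": None,
    }
    # Only the first fragment (offset 0) of TCP/UDP carries the port fields.
    if proto in (6, 17) and offset == 0 and len(payload) >= 4:
        info["src_port"], info["dst_port"] = struct.unpack("!HH", payload[:4])
    return info

def build_sample(proto: int, flags_frag: int, payload: bytes) -> bytes:
    """Constructed test packet: documentation addresses, checksum left at 0."""
    src = ipaddress.IPv4Address("203.0.113.7").packed
    dst = ipaddress.IPv4Address("192.0.2.10").packed
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1,
                         flags_frag, 64, proto, 0, src, dst)
    return header + payload

# Constructed samples: a whole UDP datagram, a later UDP fragment, an ICMP fragment.
UDP_WHOLE = build_sample(17, 0, struct.pack("!HHHH", 40000, 53, 12, 0) + b"test")
UDP_LATER = build_sample(17, 0x2000 | 185, b"\x00" * 16)
ICMP_TAIL = build_sample(1, 0x1FFF, b"\x00" * 9)

if __name__ == "__main__":
    for name, pkt in (("udp", UDP_WHOLE), ("udp-frag", UDP_LATER), ("icmp-frag", ICMP_TAIL)):
        print(name, summarize_ipv4(pkt))
```

For the two fragment samples the port fields come back as `None`, so a log entry or capture row without a port for this kind of traffic is expected rather than a logging fault.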