Endpoint Protection

  • 1.  IPS is blocking Traffic from internal vulnerability Check Server

    Posted Feb 04, 2013 08:11 AM

    Hi All,

    Good Day,

    We are using SEP 12.1 RU 1 MP 1 and are not using the SEP firewall module on the machines. On some of the machines, IPS is blocking an application and logging an event with Severity: Critical while we are trying to run our vulnerability check from the VA application.

    We need to exclude all traffic from the VA server. How can we achieve this?

    A Sample Risk Log has been attached

    -------------------------------------------------------------------

    Event Time: 04/02/2013 13:52:20

    Begin Time: 04/02/2013 13:52:23

    End Time: 04/02/2013 13:52:23

    Occurrence: 1

    Signature Name: OS Attack: MS SMB2 Validate Provider Callback CVE-2009-3103

    Signature ID: 23471

    Signature Sub ID: 72833

    Intrusion URL: N/A

    Intrusion Payload URL: N/A

    Event Description: [SID: 23471] OS Attack: MS SMB2 Validate Provider Callback CVE-2009-3103 attack blocked. Traffic has been blocked for this application: SYSTEM

    Event Type: Intrusion Prevention

    Hack Type: 0

    Severity: Critical

    Application Name: SYSTEM

    Network Protocol: TCP

    Traffic Direction: Inbound

    Remote IP: X.X.X.X

    Remote MAC: N/A

    Remote Host Name: N/A

    Alert: 1

    Local Port: 445

    Remote Port: 3287

    -----------------------------------------------------------

    Thanks in advance

    Ajin

     

     



  • 2.  RE: IPS is blocking Traffic from internal vulnerability Check Server
    Best Answer

    Posted Feb 04, 2013 08:20 AM

    You can add the IP of the VA server in the excluded hosts file in the IPS policy. See here:

    Setting up a list of excluded computers

    Article:HOWTO81159  |  Created: 2012-10-24  |  Updated: 2013-01-30  |  Article URL http://www.symantec.com/docs/HOWTO81159

     



  • 3.  RE: IPS is blocking Traffic from internal vulnerability Check Server

    Posted Feb 04, 2013 08:39 AM

    Hi!

    In my opinion it is applicable in your case. Or you can use application learning, and you should add it to the exclusion list.



  • 4.  RE: IPS is blocking Traffic from internal vulnerability Check Server

    Posted Feb 04, 2013 08:39 AM

    Hi Brian,

    Thanks for your response.

    The provided article is very impressive! But is it applicable to SEP 12.1 RU1 MP 1, as we are not using the SEP firewall on the machines?

    Regards

    Ajin



  • 5.  RE: IPS is blocking Traffic from internal vulnerability Check Server

    Posted Feb 04, 2013 09:15 AM

    Yes, it still applies in your case. Firewall and IPS are a part of Network Threat Protection but are separate components. You can use both or only one.
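
Before and after adding the VA server to the excluded hosts list, it helps to confirm which IPS blocks really come from the scanner and which come from other hosts. The following is an added example, not part of the original thread and not Symantec tooling: it assumes the risk log is exported as text in the "Key: Value" layout quoted in the first post, and the function names, the dashed record separator and the sample addresses are assumptions.

```python
import ipaddress
from collections import Counter

# Constructed sample in the thread's "Key: Value" layout; addresses are placeholders.
SAMPLE_LOG = """\
Signature Name: OS Attack: MS SMB2 Validate Provider Callback CVE-2009-3103
Signature ID: 23471
Event Type: Intrusion Prevention
Remote IP: 192.0.2.10
-----------------------------------------------------------
Signature ID: 23471
Event Type: Intrusion Prevention
Remote IP: 198.51.100.77
-----------------------------------------------------------
Signature ID: 23471
Event Type: Intrusion Prevention
Remote IP: X.X.X.X
"""

def parse_events(text):
    """Split the export on dashed separator lines; parse each record into a dict."""
    events, current = [], {}
    for line in text.splitlines():
        line = line.strip()
        if line and set(line) == {"-"}:
            if current:
                events.append(current)
            current = {}
        elif ": " in line:
            key, value = line.split(": ", 1)  # split once: values may contain ": "
            current[key] = value
    if current:
        events.append(current)
    return events

def triage(events, scanner_nets):
    """Count IPS events per (remote IP, signature ID), split by scanner membership."""
    nets = [ipaddress.ip_network(n) for n in scanner_nets]
    expected, unexpected = Counter(), Counter()
    for ev in events:
        if ev.get("Event Type") != "Intrusion Prevention":
            continue
        raw = ev.get("Remote IP", "N/A")
        try:
            is_scanner = any(ipaddress.ip_address(raw) in n for n in nets)
        except ValueError:  # masked or missing address such as "X.X.X.X"
            is_scanner = False
        bucket = expected if is_scanner else unexpected
        bucket[(raw, ev.get("Signature ID"))] += 1
    return expected, unexpected
```

Anything left in the `unexpected` counter is a block that the exclusion would not explain and should be investigated as a real detection.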