Endpoint Protection

  • 1.  NEED HELP with SID: 23179 OS Attack

    Posted Jun 07, 2011 03:38 AM

    HELLO

    Today I received this message many times

    Traffic from IP address ............ is blocked from 7/7/2011 8:35:50AM to 7/7/2011 8:45:50AM 

    SID:23179 OS Attack: MS Windows Server  Service RPC Handling CVE-2008-4250 detected

    I downloaded the patch but this message is still coming, so if somebody can help me with this, and what immediate action I should take to stop any damage or prevent further damage from happening



  • 3.  RE: NEED HELP with SID: 23179 OS Attack

    Posted Jun 07, 2011 04:19 AM

    Try these two things:

    1) Open the IPS policy; if the From address / To address is your internal IP, then add it under the exclude host option

    2) Edit the IPS policy, look for the SID and set it to allow

    http://www.symantec.com/business/support/index?page=content&id=TECH97176&key=55357&actp=LIST



  • 4.  RE: NEED HELP with SID: 23179 OS Attack

    Broadcom Employee
    Posted Jun 07, 2011 06:59 AM

    Hi,

    It clearly states that this is the OS Attack: MS Windows Server Service RPC Handling. To know more about it, check the link below:

    http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=23179

    It is important that you have these Microsoft updates installed on all machines.

    Check this link for all the updates which need to be installed.

    http://www.securityfocus.com/bid/31874/solution



  • 5.  RE: NEED HELP with SID: 23179 OS Attack

    Posted Jun 07, 2011 08:07 AM

    Is the traffic inbound or outbound?

    I would make sure you get more details before you start excluding hosts.



  • 6.  RE: NEED HELP with SID: 23179 OS Attack

    Posted Jun 07, 2011 11:22 AM

    I wouldn't recommend excluding the host or allowing the traffic for this signature without determining whether or not it's malicious.

    sandra



  • 7.  RE: NEED HELP with SID: 23179 OS Attack

    Posted Jun 08, 2011 04:55 AM

    Hi all, above are my logs from SEP. I have the same problem and need advice from all of you. I think this is a worm.


  • 8.  RE: NEED HELP with SID: 23179 OS Attack

    Posted Jun 08, 2011 02:08 PM

    You need to disconnect those 7 hosts from the network and run scans on them with the latest definition set.

    You should also make sure these machines are fully patched.



  • 9.  RE: NEED HELP with SID: 23179 OS Attack