Endpoint Protection

  • 1.  Network Threat Protection attack logged with no signature.

    Posted Apr 30, 2015 11:01 AM

    Hi,

    I am seeing events logged by Network Threat Protection that contain no Signature Name or ID. I would really like to know what exploit is being used to trigger NTP. Is there some other way I can find this information?

     

    Here is a sample from the SEPM logs.

    Client Affected Computer Name  
    Current: SERVER03
    When event occurred: SERVER03
    IP Address  
    Current: xxx.xxx.200.10
    When event occurred: 0.0.0.0
    Local MAC: ABCDEF2313A
    User Name: CtxSAM
    Operating system: Windows Server 2008 R2 Standard Edition
    Location Name: N/A
    Domain Name: Default
    Group Name: My Company\Default Group
    Server Name: SEP716
    Site Name: ALL_SERVERS
     

    Risk Detected
    Event Time: 04/30/2015 01:54:10
    Begin Time: 04/30/2015 01:53:09
    End Time: 04/30/2015 01:53:09
    Occurrence: 3
    Signature Name: N/A
    Signature ID: 0
    Signature Sub ID: 0
    Intrusion URL: N/A
    Intrusion Payload URL: N/A
    Event Description: Auto-Block Event
    Event Type: Intrusion Prevention
    Hack Type: 0
    Severity: Major
    Application Name: Symantec Endpoint Protection
    Network Protocol: Unknown
    Traffic Direction: Inbound
    Remote IP: XXX.XXX.163.91
    Remote MAC: 000000000000
    Remote Host Name: N/A
    Alert: 1
    Local Port: 0
    Remote Port: 0

     

    Any help would be appreciated.

     



  • 2.  RE: Network Threat Protection attack logged with no signature.

    Posted Apr 30, 2015 11:51 AM

    What version of SEPM/SEP is this happening on?

    Did you check the NTP >> Attack log as well?



  • 3.  RE: Network Threat Protection attack logged with no signature.

    Posted Apr 30, 2015 01:51 PM

    Ah, sorry. Should have included this information. This is a SEP 12.1.2 client, 12.1.5 SEPM.

    The event I posted is from the NTP Log. It's the only indication I have that something happened.



  • 4.  RE: Network Threat Protection attack logged with no signature.

    Posted Apr 30, 2015 07:00 PM

    How many of these have you received?



  • 5.  RE: Network Threat Protection attack logged with no signature.

    Posted May 01, 2015 10:14 AM

    Just a few like this (with no signature information). These just happen to be of intense interest, since they originated from outside of our environment. All from the same source.

    We regularly run pen tests against our servers, and in these cases, SEP has logged the signature information. So I know it typically works.

    Thanks for your response. Any insight you could provide is welcome and appreciated.

     

    Clark



  • 6.  RE: Network Threat Protection attack logged with no signature.

    Posted Jul 16, 2015 07:07 AM

    Hi

    Any input on this? I have similar entries on a customer's SEP solution. I would like to know if this is a known bug, or any other advice.

     

    Thank you



  • 7.  RE: Network Threat Protection attack logged with no signature.

    Posted Jul 16, 2015 07:43 AM

    No further response from OP. I would call support.
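The situation in posts 1 and 5 (auto-block records with Signature ID 0, all from one remote address) is easier to make sense of across a whole export than one record at a time. The Python below is an added example, not part of this thread and not Symantec's tooling: it parses console-style "Key: Value" records like the one in post 1, and for every Auto-Block Event that carries no signature it lists the signature names of any detection logged for the same Remote IP shortly before it. It assumes (the thread does not confirm this) that an auto-block record is the block action taken against a remote address rather than a detection in its own right, so the exploit name, if SEP saw one, would sit on an earlier signature-bearing record for that address. The sample records, IPs, signature name and ID are constructed placeholders.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample export (not real data): three Network Threat Protection
# records in the same "Key: Value" layout as the record in post 1. The first is a
# placeholder signature-bearing detection; the other two are auto-block records
# with no signature, one of which has no preceding detection at all.
SAMPLE_LOG = """\
Event Time: 04/30/2015 01:52:40
Signature Name: Example Signature A (placeholder)
Signature ID: 12345
Event Description: Intrusion detected
Event Type: Intrusion Prevention
Traffic Direction: Inbound
Remote IP: 203.0.113.91
Local Port: 80
Remote Port: 41022

Event Time: 04/30/2015 01:53:09
Signature Name: N/A
Signature ID: 0
Event Description: Auto-Block Event
Event Type: Intrusion Prevention
Traffic Direction: Inbound
Remote IP: 203.0.113.91
Local Port: 0
Remote Port: 0

Event Time: 04/30/2015 02:10:00
Signature Name: N/A
Signature ID: 0
Event Description: Auto-Block Event
Event Type: Intrusion Prevention
Traffic Direction: Inbound
Remote IP: 198.51.100.7
Local Port: 0
Remote Port: 0
"""


def parse_records(text: str) -> List[Dict[str, str]]:
    """Split a blank-line-separated export into records of 'Key: Value' fields.

    Only the first colon separates key from value, so signature names that
    themselves contain a colon survive intact.
    """
    records: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if current:
                records.append(current)
                current = {}
            continue
        key, sep, value = line.partition(":")
        if sep:
            current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return records


def event_time(rec: Dict[str, str]) -> datetime:
    """Parse the console's MM/DD/YYYY HH:MM:SS timestamp."""
    return datetime.strptime(rec["Event Time"], "%m/%d/%Y %H:%M:%S")


def correlate_auto_blocks(records: List[Dict[str, str]],
                          window_seconds: int = 600) -> Dict[str, dict]:
    """Group unsigned Auto-Block Events by Remote IP and attach the signature
    names of any detections for that IP within the preceding window.

    An empty 'prior_signatures' list means the export holds no detection that
    explains the block, which is exactly the case the thread asks about.
    """
    detections = [r for r in records if r.get("Signature ID", "0") != "0"]
    window = timedelta(seconds=window_seconds)
    summary: Dict[str, dict] = defaultdict(
        lambda: {"auto_block_count": 0, "prior_signatures": []})
    for rec in records:
        if (rec.get("Event Description") != "Auto-Block Event"
                or rec.get("Signature ID") != "0"):
            continue
        ip = rec.get("Remote IP", "unknown")
        entry = summary[ip]
        entry["auto_block_count"] += 1
        blocked_at = event_time(rec)
        for det in detections:
            if (det.get("Remote IP") == ip
                    and blocked_at - window <= event_time(det) <= blocked_at):
                name = det.get("Signature Name", "N/A")
                if name not in entry["prior_signatures"]:
                    entry["prior_signatures"].append(name)
    return dict(summary)


if __name__ == "__main__":
    for ip, info in correlate_auto_blocks(parse_records(SAMPLE_LOG)).items():
        print(f"{ip}: {info['auto_block_count']} auto-block(s), "
              f"prior detections: {info['prior_signatures'] or 'none in export'}")
```

Run it against a real export by replacing SAMPLE_LOG with the file contents; any Remote IP that comes back with an empty prior_signatures list is one where the export alone cannot tell you which signature fired, and the client-side Attack log (as post 2 suggests) or support is the next place to look.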