Endpoint Protection Small Business Edition

  • 1.  PHP CGI CVE-2012-1823 2 Web Attack

    Posted Oct 27, 2014 04:07 PM

    We are using Symantec Endpoint Protection - Small Business Edition (unmanaged client) on our Windows Small Business 2003 server.  We received the following warning message from SEP:  "[SID: 27798] Web Attack: PHP CGI CVE-2012-1823 2 attack blocked. Traffic has been blocked for this application: SYSTEM"

    I have run two full SEP scans (with latest updates applied) on all server drives.  No problems were found.  There are no signs of any problems with the server from an operational standpoint.  Do we still need to be concerned about this warning?  If so, what else should I do?

    Also, could you please tell me what the SEP SBE equivalent is to the Norton Power Eraser?   Perhaps I should run that program on the server.

    Thanks very much for your assistance with this.


    John



  • 2.  RE: PHP CGI CVE-2012-1823 2 Web Attack
    Best Answer

    Posted Oct 27, 2014 04:11 PM

    This is the IPS doing its job. It blocked the attack before it made it to the hard disk. The attack attempt likely came from the user (unknowingly) visiting a malicious website or a malicious ad on a legit site.

    Again, I wouldn't worry about it and you shouldn't need to run the power eraser at this point.

    Full writeup on it can be found here:

    http://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=27798



  • 3.  RE: PHP CGI CVE-2012-1823 2 Web Attack

    Posted Oct 28, 2014 12:35 PM

    Thanks for your helpful reply, Brian.  There is one point I would like to make, though.  The SEP unmanaged client is a server, so no one uses it as a workstation.  Did you mean to say that someone probably visited a malicious website directly from the server, or could the "outbound" nature of the SEP warning message be due to a workstation on the network (not the server) doing this?


    John




  • 4.  RE: PHP CGI CVE-2012-1823 2 Web Attack

    Posted Oct 28, 2014 12:42 PM

    Is it an external-facing server? If so, this could've been an attacker trying to compromise it. The security log on the client should show a remote IP.



  • 5.  RE: PHP CGI CVE-2012-1823 2 Web Attack

    Posted Oct 28, 2014 01:41 PM

    This is the only server on a small (ten station) network.  The OS is Windows Small Business Server 2003.  The server provides shared applications and file service internally to the workstations.  It does offer DNS service as well, so there does seem to be an "external facing" element.

    To answer your question, yes, there is a remote IP address (located in Puerto Rico) in the server's SEP client security log with this PHP-CGI attack warning.

    Given these circumstances, do you recommend that I check the security software (NIS) on the workstations as well, or is that not necessary?

    Thanks again for your assistance.


    John



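An added example (not from the thread or from Symantec) of the triage Brian describes: pull the signature ID and remote address out of each blocked-attack entry in the client security log and sort the sources by whether they sit inside the NAT boundary. The line layout and the sample entries are constructed; only the alert message text is the one John quoted.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# RFC 1918 ranges; anything else is treated as coming from outside the NAT boundary.
PRIVATE_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample entries in an assumed "time | direction | remote ip | message" layout.
# This is not the real SEP log export format; the addresses are documentation/test values.
SAMPLE_LOG = """\
2014-10-27 15:58:02 | Inbound | 203.0.113.45 | [SID: 27798] Web Attack: PHP CGI CVE-2012-1823 2 attack blocked. Traffic has been blocked for this application: SYSTEM
2014-10-27 16:01:11 | Inbound | 203.0.113.45 | [SID: 27798] Web Attack: PHP CGI CVE-2012-1823 2 attack blocked. Traffic has been blocked for this application: SYSTEM
2014-10-27 16:04:40 | Inbound | 198.51.100.7 | [SID: 27798] Web Attack: PHP CGI CVE-2012-1823 2 attack blocked. Traffic has been blocked for this application: SYSTEM
2014-10-27 16:10:05 | Outbound | 192.168.1.23 | [SID: 27798] Web Attack: PHP CGI CVE-2012-1823 2 attack blocked. Traffic has been blocked for this application: SYSTEM
"""

LINE_RE = re.compile(
    r"^(?P<time>\S+ \S+) \| (?P<direction>\w+) \| (?P<ip>[\d.]+) \| "
    r"\[SID: (?P<sid>\d+)\] (?P<name>.+?) attack blocked"
)

def parse_events(text):
    """Return one dict per line that carries an IPS signature hit."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["sid"] = int(ev["sid"])
            ev["internal"] = any(ip_address(ev["ip"]) in n for n in PRIVATE_NETS)
            events.append(ev)
    return events

def triage(events, sid=27798, host_runs_php_cgi=False):
    """Count hits for one signature per source and say what they mean for this host."""
    external = Counter(e["ip"] for e in events if e["sid"] == sid and not e["internal"])
    internal = Counter(e["ip"] for e in events if e["sid"] == sid and e["internal"])
    findings = []
    if external:
        if host_runs_php_cgi:
            findings.append("host runs PHP CGI: verify patch level rather than relying on the block")
        else:
            findings.append("host does not run PHP CGI: blocked probe, not exploitable here, "
                            "but it confirms the host is reachable from the internet on that port")
    if internal:
        findings.append("hit from a LAN address: check that workstation, not just the server")
    return {"external": dict(external), "internal": dict(internal), "findings": findings}
```

A Windows SBS 2003 host with no PHP installed is not affected by this CVE, so an inbound hit is evidence of exposure rather than of compromise; an internal source is the case worth following up on a workstation.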


  • 6.  RE: PHP CGI CVE-2012-1823 2 Web Attack

    Posted Oct 28, 2014 01:47 PM

    As long as the workstations are only internal facing, they should be fine. May not hurt to do a quick check on one or two machines.



  • 7.  RE: PHP CGI CVE-2012-1823 2 Web Attack

    Posted Oct 28, 2014 02:03 PM

    The workstations do share a broadband Internet connection with the server.  I'm not sure if that qualifies them as "external facing" or not (sorry, I'm not really familiar with exactly what that term means).




  • 8.  RE: PHP CGI CVE-2012-1823 2 Web Attack

    Posted Oct 28, 2014 02:35 PM

    It just means they're reachable from the unfiltered internet: can anyone get to them? I'm guessing they're sitting behind a NAT'd firewall and not reachable, except for the server, which is serving up a website.



  • 9.  RE: PHP CGI CVE-2012-1823 2 Web Attack

    Posted Oct 28, 2014 03:56 PM

    I understand.  The workstations are behind a NAT firewall, and the server does not host a web site.  It handles DNS duties on the network and is also used for the SBS Remote Web Workplace (authenticated access to the server and workstations via a web browser).  The server and workstations also share a broadband Internet connection (through an Ethernet switch that is connected to the Internet router, which has NAT).  Other than that, all functions are internal to the network (application hosting, file sharing, etc.).