Endpoint Protection

  • 1.  SCCM - Web Attack: Suspicious Executable Image Download

    Posted Jul 15, 2015 05:22 PM

    Has anyone else experienced any issues with the IDS flagging SCCM content as malicious? We're seeing the following alert on one of our packages (a video file) being sent from our SCCM environment out to our clients.

    The clients are running 12.1 RU5, full suite protection.

    I'd rather not exclude that IDS signature, and I'm not sure I want to go add a few hundred SCCM endpoints as trusted in the IDS excluded hosts.

    Intrusion URL & IP address altered to remove our specifics.

    Risk Detected
    Event Time: 07/15/2015 08:53:33
    Begin Time: 07/15/2015 08:52:33
    End Time: 07/15/2015 08:52:33
    Occurrence: 1
    Signature Name: Web Attack: Suspicious Executable Image Download
    Signature ID: 22819
    Signature Sub ID: 72149
    Intrusion URL: <PC NAME>/SMS_DP_SMSPKG$/Content_572b8b7f-fe2d-4d09-b570-632e85b70abc.1/sccm?/<FILE NAME>.mp4
    Intrusion Payload URL: N/A
    Event Description: [SID: 22819] Web Attack: Suspicious Executable Image Download attack blocked. Traffic has been blocked for this application: C:\WINDOWS\SYSTEM32\SVCHOST.EXE
    Event Type: Intrusion Prevention
    Hack Type: 0
    Severity: Critical
    Application Name: C:/WINDOWS/SYSTEM32/SVCHOST.EXE
    Network Protocol: TCP
    Traffic Direction: Inbound
    Remote IP: 10.xx.xx.xx
    Remote MAC: N/A
    Remote Host Name: N/A
    Alert: 1
    Local Port: 61515
    Remote Port: 80



  • 2.  RE: SCCM - Web Attack: Suspicious Executable Image Download

    Posted Jul 16, 2015 01:37 PM

    If you are sure that this is a false positive, you just need to add the IP address of the SCCM server(s) to the excluded hosts. You need not add the IP addresses of the clients (endpoints) to the excluded hosts.

     

    You may follow the article at the link below and add the IP address of SCCM server(s) to the excluded hosts.

    http://www.symantec.com/docs/HOWTO55407



  • 3.  RE: SCCM - Web Attack: Suspicious Executable Image Download

    Posted Jul 16, 2015 01:46 PM
    Haven't seen it yet but looks like a false positive. I would add as an excluded host.


  • 4.  RE: SCCM - Web Attack: Suspicious Executable Image Download

    Posted Jul 16, 2015 01:49 PM

    Understood, but maybe I wasn't clear. We have a few hundred SCCM servers (distribution points) across our environment. It would not be a quick exercise to set those all up, and I normally am not notified when that team changes servers/IP addresses.

    Another of my main concerns is how/why a video file is being categorized as an executable.


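Before treating the alert as a false positive, the check a practitioner would want is to confirm that the flagged content really is a video and not a PE image being served under an .mp4 name. The script below is an added example and is not part of this thread or of any Symantec or Microsoft tooling: it reads the first bytes of a downloaded object (for instance the file fetched from the distribution point URL in the alert), tests for a DOS/PE header and for an ISO base media 'ftyp' box, and compares the result with the extension in the URL. The sample URL, hostname and byte strings are constructed for the example; only the content-path layout is taken from the alert above.

```python
import struct

# Extensions that legitimately carry a PE image (assumption for this example).
EXECUTABLE_EXTS = {"exe", "dll", "sys", "scr", "ocx", "cpl", "drv", "efi"}
# Extensions that legitimately carry an ISO base media (MP4-family) file.
VIDEO_EXTS = {"mp4", "m4v", "mov", "3gp"}


def is_pe_image(data: bytes) -> bool:
    """True if data starts with a DOS 'MZ' stub whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def is_iso_bmff(data: bytes) -> bool:
    """True if data starts with an ISO base media 'ftyp' box (MP4, MOV, 3GP...)."""
    if len(data) < 12 or data[4:8] != b"ftyp":
        return False
    box_size = struct.unpack_from(">I", data, 0)[0]
    return box_size >= 8


def _extension(url: str) -> str:
    """Extension of the last path component; works with SCCM's 'sccm?/<file>' form."""
    last = url.rsplit("/", 1)[-1]
    return last.rsplit(".", 1)[-1].lower() if "." in last else ""


def classify_download(url: str, body: bytes) -> str:
    """Compare what the URL claims with what the bytes actually are.

    'executable-disguised' is the case the IPS signature name suggests:
    a PE image delivered under a non-executable name.
    """
    ext = _extension(url)
    if is_pe_image(body):
        return "executable" if ext in EXECUTABLE_EXTS else "executable-disguised"
    if is_iso_bmff(body):
        return "video" if ext in VIDEO_EXTS else "video-misnamed"
    return "unknown"


# Constructed sample inputs (not captured from the poster's environment).
SAMPLE_URL_MP4 = (
    "http://dp01.example.internal/SMS_DP_SMSPKG$/"
    "Content_572b8b7f-fe2d-4d09-b570-632e85b70abc.1/sccm?/training.mp4"
)
# Minimal PE: 'MZ', zero padding, e_lfanew = 0x40, then 'PE\0\0' and some header bytes.
PE_HEADER = (
    b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", 0x40)
    + b"PE\x00\x00" + b"\x00" * 20
)
# Minimal MP4: a 28-byte 'ftyp' box with major brand 'isom'.
MP4_HEADER = (
    struct.pack(">I", 28) + b"ftyp" + b"isom"
    + struct.pack(">I", 0x200) + b"isomiso2mp41"
)

if __name__ == "__main__":
    # With a real file: open(path, "rb").read(4096) as the body.
    for label, body in (("mp4 bytes", MP4_HEADER), ("pe bytes", PE_HEADER)):
        print(f"{label:<10} -> {classify_download(SAMPLE_URL_MP4, body)}")
```

If the verdict is "video", the content itself is not an executable and the excluded-host or custom-signature route discussed in the thread is reasonable; if it is "executable-disguised", the alert should be handled as a real finding, not suppressed.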

  • 5.  RE: SCCM - Web Attack: Suspicious Executable Image Download

    Posted Jul 16, 2015 01:55 PM
    IPS flags the process/URL as the intrusion. Unfortunately setting up an excluded host or excluding the signature are the only options.


  • 6.  RE: SCCM - Web Attack: Suspicious Executable Image Download

    Posted Jul 16, 2015 06:18 PM

    As a workaround, you may create a custom IPS signature to allow this download. As the "Custom IPS signatures" are processed before the "IPS signatures that are downloaded through LiveUpdate", the download will be allowed by the "Custom IPS signatures", thus avoiding inspection of this traffic by the "IPS signatures that are downloaded through LiveUpdate". Please check the following links.

    About the firewall rule, firewall setting, and intrusion prevention processing order

    http://www.symantec.com/docs/HOWTO81187

    Creating custom IPS signatures

    http://www.symantec.com/docs/TECH102676

    Note: Creating a custom IPS signature may involve a lot of testing. You may need to enable logging on the custom IPS signature to check if the required traffic is being allowed.