
SEP MR4 - Cain Alerts

Updated: 21 May 2010 | 8 comments
IuliusAugustus

Hello!

In the last 4 days, that's the 2nd time I get an alert with a Cain detection that looks like this:


Details

Ack. | Report | Date                | Created By | Subject        | Message
     |        | 06/03/2009 09:59:48 | Caesar     | New Risk Found | New risk found: JohntheRipper.
     |        | 06/03/2009 09:59:48 | Caesar     | New Risk Found | New risk found: HTTPBruteForcer.
     |        | 06/03/2009 09:59:48 | Caesar     | New Risk Found | New risk found: AngryIPScanner.
     |        | 06/03/2009 08:59:48 | Caesar     | New Risk Found | New risk found: Hacktool.PWSteal.
     |        | 06/03/2009 08:59:48 | Caesar     | New Risk Found | New risk found: Backdoor.Formador.
     |        | 06/03/2009 08:59:48 | Caesar     | New Risk Found | New risk found: CainAbel.

The problem is that when I click the report link to see the full report I get nothing, and it looks like this:

"Risk Distribution Over Time

Event Time Number

Top

New Risks Detected in the Network

0 entries (no new risks found)

Risk name
Category / Type
Discovered First Occurrence
Detected By Domain
Server
Group Computer
User name

Top

Risk Distribution by Risk Name

0 entries"

So, 1. do you have any idea how I can find where the problem (Cain) is?

2. Why is the report not showing the computer / username that triggered that alert? (Only this group of alerts is not showing full reports; any other alert is okay.)

The problem arises from the point of security, as I have SEP installed on 12 DCs and over 350 WSs and it's pretty damn hard to manually check each of them to see where that Cain appears, and the biggest problem is that whoever used it could have done this from a stick, so ... the search might be useless ...

Any ideas?

Comments

Abhishek Pradhan, 04 Jun 2009

Check for the Risk Distribution By Source graph.

That'll have the Computer Name / IP Address documented for the threat source.

Abhishek Pradhan, PMP, MCT
Consultant | Microsoft Corp.
Blog: http://blog.abhishekpradhan.net | SIG Lead - Pune IT Pro (Microsoft Pune User Group) | http://www.puneusergroup.org

mon_raralio, 04 Jun 2009

Check your logs and filter the list using the threat name as Symantec reports it. Something like %hack%

I'm guessing that this could be from a single user, so maybe you can also filter out the alert using the user name and hope it's not SYSTEM.
Symantec could also have a Pending analysis for that.

“Your most unhappy customers are your greatest source of learning.”
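The filtering step suggested above, as an added example that is not part of the thread: a small Python script that parses notification rows in the format pasted in the question (the sample below is constructed to mirror them), applies a SQL LIKE-style pattern such as %hack% or %cain% to the risk name, and groups hits by timestamp so that a burst from one scan stands out. The row layout and the mm/dd/yyyy date order are assumptions taken from the pasted table.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample modelled on the notification rows pasted in the question
# (date column assumed to be mm/dd/yyyy; the thread dates from June 2009).
ALERTS = """\
06/03/2009 09:59:48 Caesar New Risk Found New risk found: JohntheRipper.
06/03/2009 09:59:48 Caesar New Risk Found New risk found: HTTPBruteForcer.
06/03/2009 09:59:48 Caesar New Risk Found New risk found: AngryIPScanner.
06/03/2009 08:59:48 Caesar New Risk Found New risk found: Hacktool.PWSteal.
06/03/2009 08:59:48 Caesar New Risk Found New risk found: Backdoor.Formador.
06/03/2009 08:59:48 Caesar New Risk Found New risk found: CainAbel.
"""

# <date> <time> <created by> <subject> New risk found: <risk name>.
LINE_RE = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) (\S+) (.*?) New risk found: (.+?)\.?$")

def like_to_regex(pattern):
    """Translate a SQL LIKE pattern (% = any run, _ = one char) into a case-insensitive regex."""
    body = "".join({"%": ".*", "_": "."}.get(ch, re.escape(ch)) for ch in pattern)
    return re.compile(f"^{body}$", re.IGNORECASE)

def parse_alerts(text):
    """Turn pasted notification rows into dicts; lines that do not fit the layout are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header rows, buttons and other residue from a pasted list
        ts, created_by, subject, risk = m.groups()
        rows.append({"time": datetime.strptime(ts, "%m/%d/%Y %H:%M:%S"),
                     "created_by": created_by, "subject": subject, "risk": risk})
    return rows

def filter_risks(rows, like_pattern):
    """Return the risk names whose name matches the LIKE pattern, e.g. '%hack%' or '%cain%'."""
    rx = like_to_regex(like_pattern)
    return [r["risk"] for r in rows if rx.match(r["risk"])]

def group_by_time(rows):
    """Group risk names by timestamp: identical stamps usually mean one scan on one host."""
    groups = defaultdict(list)
    for r in rows:
        groups[r["time"]].append(r["risk"])
    return dict(groups)

if __name__ == "__main__":
    rows = parse_alerts(ALERTS)
    print(filter_risks(rows, "%hack%"), group_by_time(rows))
```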

IuliusAugustus, 04 Jun 2009

"Check for the Risk Distribution By Source graph.

That'll have the Computer Name / IP Address documented for the threat source." - it's not shown there :(

"Check your logs and filter the list using the threat name as how Symantec reports it. Something like %hack%" - it gives a results page with 2 empty spaces (just as in the screenshot report attached to this thread)

It does not appear in the first screen under cleaned / infected / etc ...

It only appears because of a custom notification set by me with condition "new risk found" / group ... and it is the default big group :( . Now I've made a change and set 10 notifications, one for each possible group.

I've checked all DC servers to see if there is anything in the logs that might be suspicious; nothing ...

More ideas?

IuliusAugustus, 04 Jun 2009

To see more closely where that error goes, I've prepared 12 more notification alerts, now based on group membership instead of new risk over the network (all groups).

Still, I'm pretty disappointed with those empty logs ...

Maybe there is a solution, or a cause that can be prevented.

Jobert, 05 Jun 2009

Are Cain alerts like a brute force crack that bypasses the security..
Good tool but not legit?
Any thoughts?
Thanks...

mon_raralio, 05 Jun 2009

Right,
Cain is a bruteforce password cracking tool. I'm not sure of its legitimacy. Admins might need some password cracking software especially if they replaced another admin on the job and did not tell the passwords.

“Your most unhappy customers are your greatest source of learning.”

IuliusAugustus, 10 Jun 2009

No other opinion?

I don't like that program in my network, and even if it is a legit program, here it is not welcome, and I've warned all workstation admins not to use it.

So, I want to detect whoever tries to take passwords (already switched all enterprise passwords 2 times); so far only 2 encounters, ... but for the 3rd I want to be more prepared.

No Symantec employee around?

mon_raralio, 10 Jun 2009

Check this thread I started:
https://www-secure.symantec.com/connect/forums/how...

It could help. :D

“Your most unhappy customers are your greatest source of learning.”