Endpoint Protection


[SID: 24454] Attack: Apache and IIS Range Denial Of Service Vulnerability detected

Migration User, Sep 20, 2011 12:52 PM

Migration User, Sep 20, 2011 01:03 PM

Migration User, Sep 20, 2011 02:13 PM

Migration User, Sep 20, 2011 03:45 PM

Gary_C, Sep 20, 2011 04:11 PM

Migration User, Sep 20, 2011 06:06 PM

SkgCntySysAdmin, Sep 20, 2011 07:12 PM

Migration User, Sep 20, 2011 07:13 PM
  • 1.  [SID: 24454] Attack: Apache and IIS Range Denial Of Service Vulnerability detected

    Posted Sep 20, 2011 12:26 PM

    Beginning today, I'm receiving quite a few of these alerts, which I haven't seen in the past.  Remote IPs are random and multiple clients are triggering this alert.  I Googled the alert, but didn't find anything.

    Anyone know if this is a new detection, if it's likely a false-positive, or any other information?

    Thanks much.



  • 2.  RE: [SID: 24454] Attack: Apache and IIS Range Denial Of Service Vulnerability detected

    Posted Sep 20, 2011 12:39 PM

    Nothing has been reported as far as I know. Can you provide a sampling of some of the IPs that are triggering the alerts?



  • 3.  RE: [SID: 24454] Attack: Apache and IIS Range Denial Of Service Vulnerability detected

    Posted Sep 20, 2011 12:48 PM

    I am seeing the exact same error starting yesterday at 4:00 PM. This is impacting my public facing webserver. All of the traffic is being reported as coming from my internal firewall.



  • 4.  RE: [SID: 24454] Attack: Apache and IIS Range Denial Of Service Vulnerability detected

    Posted Sep 20, 2011 12:51 PM

    We are also seeing this today with over 11,000 events in our console which started around 4:45am EST.  I will monitor this thread to see if a new signature was pushed and these are false positives.



  • 5.  RE: [SID: 24454] Attack: Apache and IIS Range Denial Of Service Vulnerability detected

    Posted Sep 20, 2011 12:52 PM

    Same here...



  • 6.  RE: [SID: 24454] Attack: Apache and IIS Range Denial Of Service Vulnerability detected

    Posted Sep 20, 2011 12:56 PM

    We are getting this as well. IP is 170.225.15.45 - IBM.



  • 7.  RE: [SID: 24454] Attack: Apache and IIS Range Denial Of Service Vulnerability detected

    Posted Sep 20, 2011 01:01 PM

    Same here, getting hammered with these alerts. The remote IP is our proxy server but I can go thru the logs to find the similarities.

    Was just about to post but glad to see I'm not the only one...



  • 8.  RE: [SID: 24454] Attack: Apache and IIS Range Denial Of Service Vulnerability detected

    Posted Sep 20, 2011 01:03 PM

    Our activity is also mostly from the proxies.



  • 9.  RE: [SID: 24454] Attack: Apache and IIS Range Denial Of Service Vulnerability detected

    Posted Sep 20, 2011 01:08 PM

    So far we've gotten almost 100 alerts on this. Is it a false positive?



  • 10.  RE: [SID: 24454] Attack: Apache and IIS Range Denial Of Service Vulnerability detected

    Posted Sep 20, 2011 01:09 PM

    We have seen a lot of these attacks today as well. They are showing as outbound.



  • 11.  RE: [SID: 24454] Attack: Apache and IIS Range Denial Of Service Vulnerability detected

    Posted Sep 20, 2011 01:09 PM

    It is the same in my organization.

    Can any engineer give us the solution?



  • 12.  RE: [SID: 24454] Attack: Apache and IIS Range Denial Of Service Vulnerability detected

    Posted Sep 20, 2011 01:11 PM

    The IPs are all over the board; .gov, .com, etc.  Here are a few: 

    209-18-42-72.dca20.tbone.rr.com [209.18.41.72]

    a184-26-118-211.deploy.akamaitechnologies.com [184.26.118.211]

    comsci.gov [129.6.13.45]  



  • 13.  RE: [SID: 24454] Attack: Apache and IIS Range Denial Of Service Vulnerability detected

    Posted Sep 20, 2011 01:12 PM

    How can we, since most of us use proxy servers in our corporate environment? Wouldn't it be a lot more useful if the alert would also include the original destination address plus full URL instead of just the proxy server address?



  • 14.  RE: [SID: 24454] Attack: Apache and IIS Range Denial Of Service Vulnerability detected

    Posted Sep 20, 2011 01:20 PM

    We are seeing this in our organization starting at around 8:35am MDT this morning.  For us, it is when a user tries to view a hosted PDF using Adobe Reader 9.  Downloading the PDF or viewing it with Adobe Reader 10 does not result in the same signature detection.



  • 15.  RE: [SID: 24454] Attack: Apache and IIS Range Denial Of Service Vulnerability detected

    Posted Sep 20, 2011 01:21 PM

    I'm seeing only 4 systems so far that are triggering these alerts.  This started happening at 6:17am this morning.  No other occurrences except for today.

    Wondering why these are getting triggered.



  • 16.  RE: [SID: 24454] Attack: Apache and IIS Range Denial Of Service Vulnerability detected

    Posted Sep 20, 2011 01:22 PM

    Does anyone have any of the captured data attempting to leave these systems (HTTP Header) so we can see why the rule may be triggering?  I am looking to see if we can capture some, but I was not sure if someone has already got this.  Maybe someone who has this in log-only and not blocking.



  • 17.  RE: [SID: 24454] Attack: Apache and IIS Range Denial Of Service Vulnerability detected

    Posted Sep 20, 2011 01:22 PM

    Just noticed this too.  What's interesting is that it is preventing Microsoft Updates from being installed on a Dell e6420 running Windows 7 Ultimate 32-bit and SEP 11.0.605.562 that we just recloned.  I made sure it has the latest AV definitions, which it does.  It's not every MS Update, but these two fail consistently when I try to download and install them.  As soon as I try, Symantec notifies me of the attack with a popup:

    [SID: 24454] Attack: Apache and IIS Range Denial Of Service Vulnerability detected.
    Traffic has been blocked from this application: C:\Windows\System32\svchost.exe

    The two MS Updates that fail are: (Important Updates) KB982018 (7/12/11) and KB2567680 (8/9/11).  Offending IPs are 72.246.30.144, 64.208.186.74, 65.54.81.207, 204.245.63.83, 72.246.30.137, 65.54.81.219, 65.54.81.145.  I suspect these are all MS Update server IPs, since that's all we were trying to do.

    Help.



  • 18.  RE: [SID: 24454] Attack: Apache and IIS Range Denial Of Service Vulnerability detected

    Posted Sep 20, 2011 01:23 PM

    Except I'm only seeing it while trying to run Windows Updates - and it won't let me complete.   I can go to Microsoft and download the update - and can update then.  Just can't use Windows Update.  I don't know if this information helps.



  • 19.  RE: [SID: 24454] Attack: Apache and IIS Range Denial Of Service Vulnerability detected

    Posted Sep 20, 2011 01:23 PM

    Security response is aware of the issue and is working to confirm the FP.

    This signature was published yesterday, in the following def sets:

    ·  SEP 12.1: Security Update 423 20110917.001

    ·  SEP 11: Security Update 147 20110917.033

    Please note to first assume that the detection is NOT a FP until it has been confirmed. If you do open a support case please collect PCAPS of the traffic being detected, both with and without the IPS component enabled.

    Thank you.



  • 20.  RE: [SID: 24454] Attack: Apache and IIS Range Denial Of Service Vulnerability detected

    Posted Sep 20, 2011 01:32 PM

    I highly doubt that the MS Updates I am trying to download and install are anything but a False Positive.



  • 21.  RE: [SID: 24454] Attack: Apache and IIS Range Denial Of Service Vulnerability detected

    Posted Sep 20, 2011 01:52 PM

    I would agree with you but until confirmed our stance has to be to assume that it is not a FP.



  • 22.  RE: [SID: 24454] Attack: Apache and IIS Range Denial Of Service Vulnerability detected

    Posted Sep 20, 2011 02:03 PM

    We are seeing similar traffic here as well, SEP version 11.0.6005.562



  • 23.  RE: [SID: 24454] Attack: Apache and IIS Range Denial Of Service Vulnerability detected

    Posted Sep 20, 2011 02:06 PM

    Same here, brand new freshly imaged computer with ONLY Symantec and trying to install MS updates and keep getting blocked. Multiple computers do the same thing.

    Endpoint 11.0.6200.754 has this problem

    Endpoint 11.0.502.333 does not have the problem

    Both have the same definitions.



  • 24.  RE: [SID: 24454] Attack: Apache and IIS Range Denial Of Service Vulnerability detected

    Posted Sep 20, 2011 02:10 PM

    Anyone with version 11.0.7000.975 or 12.x able to comment on this?



  • 25.  RE: [SID: 24454] Attack: Apache and IIS Range Denial Of Service Vulnerability detected

    Posted Sep 20, 2011 02:11 PM

    We started seeing this message early this morning as well. Our users tried to view hosted PDFs (using Adobe Reader 9 and 10). The problem would only occur with Microsoft IE 8 & 9. We don't have any issues when using Firefox.



  • 26.  RE: [SID: 24454] Attack: Apache and IIS Range Denial Of Service Vulnerability detected

    Posted Sep 20, 2011 02:13 PM

    Version 11.0.6300.803 has the issue as well.



  • 27.  RE: [SID: 24454] Attack: Apache and IIS Range Denial Of Service Vulnerability detected

    Posted Sep 20, 2011 02:20 PM

    We have been seeing the same thing with multiple users. We have SEP 11.0.6* installed and the IP addresses being blocked are everything from web pages (youtube etc.) and even our network drives.



  • 28.  RE: [SID: 24454] Attack: Apache and IIS Range Denial Of Service Vulnerability detected

    Posted Sep 20, 2011 02:32 PM

    Same issue as OP and others.  We are getting the SID 24454 alert from several different clients from several different offices.  Our offices all have different ISP's.

    Some of the IPs triggering the alert are: 209.18.41.72, 184.30.87.224, 64.9.196.43.  One of the users claimed he was on whitehouse.gov when Symantec alerted him.



  • 29.  RE: [SID: 24454] Attack: Apache and IIS Range Denial Of Service Vulnerability detected

    Posted Sep 20, 2011 02:32 PM

    Seeing this now on Win XP with newly installed SEP 12.1.671.4971.  Spooky and annoying.



  • 30.  RE: [SID: 24454] Attack: Apache and IIS Range Denial Of Service Vulnerability detected

    Posted Sep 20, 2011 02:45 PM

    Ok,

    I just duplicated the error message by going to a WA state website to open up a .PDF using IE7 and the Adobe Reader 9 plug-in {Opened the .PDF within IE7 browser}.

    1st the error message window popped up from Adobe Reader 9 with the IE7 browser:

    "A network error occurred while accessing this document on the Internet.  Would you like to close the document or reload it?" Button in same window to CLOSE or RELOAD

    2nd the SEP11 RU6 MP3 client on my Windows XP SP3 virtual machine popped up with the Network Threat Detection event:

    [SID: 24454] Attack: Apache and IIS Range Denial Of Service Vulnerability detected. Traffic has been blocked from this application: C:\Program Files\Internet Explorer\iexplore.exe

    3rd I clicked on the RELOAD option and the SEP11 RU6 MP3 client on my Windows XP SP3 virtual machine popped up with another Network Threat Detection event that was the same as the 1st.

    Anytime I try to RELOAD the SEP11 RU6 MP3 client on my Windows XP SP3 virtual machine pops up with another Network Threat Detection event.



  • 31.  RE: [SID: 24454] Attack: Apache and IIS Range Denial Of Service Vulnerability detected

    Posted Sep 20, 2011 02:46 PM

    I have been seeing the same message but no Remote IP is listed, just 0.0.0.0



  • 32.  RE: [SID: 24454] Attack: Apache and IIS Range Denial Of Service Vulnerability detected

    Posted Sep 20, 2011 02:52 PM

    Same at my org. Multiple users connecting to one of our internal webservers are experiencing this.



  • 33.  RE: [SID: 24454] Attack: Apache and IIS Range Denial Of Service Vulnerability detected

    Posted Sep 20, 2011 03:00 PM

    Is there a way to set Symantec not to include the proxy server in its report? I would rather see it reporting on the external address that the client was trying to connect to.



  • 34.  RE: [SID: 24454] Attack: Apache and IIS Range Denial Of Service Vulnerability detected

    Posted Sep 20, 2011 03:07 PM

    We have experienced these notifications on two computers within our organization today.  The offending IP address was: 65.54.95.58.

    One of the workstations attacked was downloading and installing both Windows Updates and Adobe Updates.

    The workstation was running Windows 7 64-bit



  • 35.  RE: [SID: 24454] Attack: Apache and IIS Range Denial Of Service Vulnerability detected

    Posted Sep 20, 2011 03:09 PM

    So far only happening on one Windows XP SP3 machine.  First message appeared when running Windows Updates.



  • 36.  RE: [SID: 24454] Attack: Apache and IIS Range Denial Of Service Vulnerability detected

    Posted Sep 20, 2011 03:26 PM

    Same issue on our external WEB servers.. We are getting the SID 24454 alert from several different clients on the DMZ..  Not good..

    Any answers or ETA?



  • 37.  RE: [SID: 24454] Attack: Apache and IIS Range Denial Of Service Vulnerability detected

    Posted Sep 20, 2011 03:34 PM

    We were getting this error, while attempting to open a PDF file, from one of our internally hosted servers.  A second user experienced this issue when going out on the internet to view a PDF brochure.



  • 38.  RE: [SID: 24454] Attack: Apache and IIS Range Denial Of Service Vulnerability detected

    Posted Sep 20, 2011 03:45 PM

    Started yesterday at 12:12:05pm Central time. 



  • 39.  RE: [SID: 24454] Attack: Apache and IIS Range Denial Of Service Vulnerability detected

    Posted Sep 20, 2011 03:45 PM

    Is it possible that the .PDF files were already infected with a new virus, and when launched from within a web browser, are attempting to launch a DOS attack on the very sites that the files came from, except SEP11 is blocking the DOS attack?

    I hope that we don't have up to 10 systems infected with viruses now...



  • 40.  RE: [SID: 24454] Attack: Apache and IIS Range Denial Of Service Vulnerability detected

    Posted Sep 20, 2011 04:00 PM

    Any further updates? We're still getting tons of alerts from SEPM.



  • 41.  RE: [SID: 24454] Attack: Apache and IIS Range Denial Of Service Vulnerability detected

    Posted Sep 20, 2011 04:10 PM

    Same issue at my company....started yesterday,

    all computers running xp SP3

    Endpoint Version 11.0.6300.803 --- Up to Date Definitions....seems similar to an issue McAfee was having recently....



  • 42.  RE: [SID: 24454] Attack: Apache and IIS Range Denial Of Service Vulnerability detected

    Posted Sep 20, 2011 04:11 PM

    Epic Fail



  • 43.  RE: [SID: 24454] Attack: Apache and IIS Range Denial Of Service Vulnerability detected

    Posted Sep 20, 2011 04:19 PM

    I was able to walk someone through right-mouse clicking on a PDF and saving locally and then opening up on that local machine. All was done without getting an IPS alert. We are waiting to get confirmation from Security Response to see what the outcome is.



  • 44.  RE: [SID: 24454] Attack: Apache and IIS Range Denial Of Service Vulnerability detected

    Posted Sep 20, 2011 04:22 PM

    We too are seeing this against many different websites. Internal, external, large corp and small biz websites.

    It's not limited to PDF download, but is the prevalent initiator.

    Is there a way to back out the 9/17 NTP definitions? At this point, we are already at 98% deployment of these definitions, so too late to stop it going out.



  • 45.  RE: [SID: 24454] Attack: Apache and IIS Range Denial Of Service Vulnerability detected

    Posted Sep 20, 2011 04:26 PM

    I am having the same issue with XP SP3 running SEP 11.0.6* and IE 7. It is occurring when the client is trying to open any .PDF files from the browser. It gives an Adobe error like stated above and then when the client clicks "Refresh" it gives the SEP error. [SID: 24454] Attack: Apache etc etc . . . .

    I too, can have the client right click and "Save target as . ." Need to have a fix though. We run 1200+ PCs on our network, I'm sure it's just a matter of time before it's occurring everywhere.



  • 46.  RE: [SID: 24454] Attack: Apache and IIS Range Denial Of Service Vulnerability detected

    Posted Sep 20, 2011 04:29 PM

    We are having the problem in Canada, but not our US locations...can't put my finger on it...



  • 47.  RE: [SID: 24454] Attack: Apache and IIS Range Denial Of Service Vulnerability detected

    Posted Sep 20, 2011 04:35 PM

    Started having the same events in our logs today but from trusted IP addresses.  Need to know if this is a legit attack or not.  Don't want to go hunting for ghosts.  Any updates would be greatly appreciated!



  • 48.  RE: [SID: 24454] Attack: Apache and IIS Range Denial Of Service Vulnerability detected

    Posted Sep 20, 2011 04:35 PM

    Hang tight folks. Security Response is working on this with the highest priority.



  • 49.  RE: [SID: 24454] Attack: Apache and IIS Range Denial Of Service Vulnerability detected

    Posted Sep 20, 2011 04:54 PM

    I updated the definitions and Adobe Reader itself to Adobe Reader X 10.0.0.1 on a single machine.....works now

    I would wait until Symantec gives the word though.....



  • 50.  RE: [SID: 24454] Attack: Apache and IIS Range Denial Of Service Vulnerability detected

    Posted Sep 20, 2011 05:18 PM

    To everyone that can't wait for Symantec to fix the issue, here is a workaround.

    It is possible to exclude the specific IPS detection rule.

    1. Go to Policies -> Intrusion Prevention

    2. Select your IPS policy.

    3. Within the IPS policy -> Click Exceptions

    4. Click Add

    5. Select the IPS rule with SID 2445 and click Next

    6. Click Action: Allow

    7. Save


    Smile and wait for Symantec Fix.

    When the fix is in place, set the action to block again.


    Torb



  • 51.  RE: [SID: 24454] Attack: Apache and IIS Range Denial Of Service Vulnerability detected

    Posted Sep 20, 2011 05:36 PM

    I'm not so sure that I would exclude that IPS rule if it's actually working to block a new DOS attack from a new virus-infected .pdf file. I'm waiting to hear back from Symantec before doing that...

    So far all of the sites I've seen affecting users have been external, until the most recent one, which I duplicated on the user's machine.  It's a .PDF file on our internal web server that triggered the SEP11 intrusion event once we attempted to open with Adobe Reader 9 through the web browser.



  • 52.  RE: [SID: 24454] Attack: Apache and IIS Range Denial Of Service Vulnerability detected

    Posted Sep 20, 2011 06:06 PM

    My company is also seeing a lot of these errors



  • 53.  RE: [SID: 24454] Attack: Apache and IIS Range Denial Of Service Vulnerability detected

    Posted Sep 20, 2011 06:12 PM

    One of our employees in AZ is experiencing this when trying to access some specific websites on our web server in DC.  However, I'm in Virginia and am not experiencing the issue when accessing the same sites.  She initially received the network connection error and a while later received the Symantec Threat Detection error.  So far no other users are having any problems.



  • 54.  RE: [SID: 24454] Attack: Apache and IIS Range Denial Of Service Vulnerability detected

    Posted Sep 20, 2011 06:14 PM

    Actually, it happens when she is trying to download PDF files from those sites.  Accessing the sites is fine.



  • 55.  RE: [SID: 24454] Attack: Apache and IIS Range Denial Of Service Vulnerability detected
    Best Answer

    Posted Sep 20, 2011 07:04 PM

    Security Response has released LiveUpdate definitions which no longer contain “[SID: 24454] Attack: Apache and IIS Range Denial Of Service Vulnerability detected”.

    For SEP 11

    Security Update 424, NTP September 20, 2011 rev 1

    For SEP 12

    Security update 148, NTP September 20, 2011 rev 30

     

    These sets are now replicating to the LiveUpdate servers.

    Thank you.



  • 56.  RE: [SID: 24454] Attack: Apache and IIS Range Denial Of Service Vulnerability detected

    Posted Sep 20, 2011 07:12 PM

    Thanks for letting us know...



  • 57.  RE: [SID: 24454] Attack: Apache and IIS Range Denial Of Service Vulnerability detected

    Posted Sep 20, 2011 07:13 PM

    Latest release is now working for us.  Thanks!



  • 58.  RE: [SID: 24454] Attack: Apache and IIS Range Denial Of Service Vulnerability detected

    Posted Sep 20, 2011 07:26 PM

    Cameron,

    I notice you state that the SID 24454 is no longer contained in the latest definitions, which I do see updated on the SEP server right now.  However, do you mean that the SID was removed as a threat completely, or that it was corrected in that it will only truly prompt when the SID 24454 actually is a threat?  I am asking because I fear that this SID will be treated as a threat in the future when/if it is re-released in a later definition(s) file.  Please clarify.

    Thanks for your time.



  • 59.  RE: [SID: 24454] Attack: Apache and IIS Range Denial Of Service Vulnerability detected

    Posted Sep 21, 2011 07:06 AM

    Will there be an official statement released by Symantec Security Response on this? I'm probably going to need to explain this particular detrimental event during the next budget renewal meeting.

      



  • 60.  RE: [SID: 24454] Attack: Apache and IIS Range Denial Of Service Vulnerability detected

    Posted Sep 21, 2011 08:50 AM

    Could have been worse, it could have deleted important Windows system files :D



  • 61.  RE: [SID: 24454] Attack: Apache and IIS Range Denial Of Service Vulnerability detected

    Posted Sep 21, 2011 09:08 AM

    Doubt it. It's a false positive, it happens...



  • 62.  RE: [SID: 24454] Attack: Apache and IIS Range Denial Of Service Vulnerability detected

    Posted Sep 23, 2011 05:24 AM

    Hi,

    I recommend contacting your local Symantec support. It has been confirmed that there is a possible weakness that can be used for DoS and they're sending out workarounds for this one. It affects SEPM 12.1. Released last Aug 24.

    No workaround on the 11.x clients as they're not affected.

    Cheers