SSIM 4.6.1.24 and Symantec Endpoint Protection
Updated: 23 May 2010 | 5 comments
SSIM Version: 4.6.1.24
SEP Version: 11
Symptom: Many "Trojan Connections" incidents appear every day.
Most common target resources:
1) C:/WINNT/system32/LSASS.EXE
2) C:/WINDOWS/system32/lsass.exe
3) C:/WINNT/system32/dns.exe
4) C:/WINDOWS/system32/dns.exe
Destination Port Range: 1024 to 65432
Most of the incidents look like normal traffic and just match the known port list, so the incident pops up.
How can I customize the original rule set to reduce this, or is there any other suggestion?
Comments
You can not change default
You cannot change the default rule set. But you can copy it as a template and then customize the rule as you need. And don't forget to disable the old one.
Aggregation
You can think about using aggregation on the SSIM collector, or configure SEP to aggregate these events as well.
http://service1.symantec.com/support/ent-gate.nsf/...
What is the benefit to having
What is the benefit to having this rule trigger on Internal -> Internal traffic? Especially since firewalls always get directions mixed up? Can't the default rule add "Connection = Outbound" via Live Update to tune the rule to more accurate traffic?
What I do is edit that rule
What I do is edit that rule to reflect external traffic just like you mentioned. Also take a look at the trojan list of ports, and remove things that have been validated as false positives within your environment.
Before any of this works, you
Before any of this works, you need to make sure you define your networks. If you only have the 3 default networks set up, a lot of rules will trigger when they should not. Right after installing SSIM, one of the first tasks should be to set up all the subnets.
Laurent
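The suggestions in this thread (define your networks first, only fire on outbound connections, drop ports already validated as false positives, aggregate repeated hits) are shown together below as an added Python example. It is not SSIM rule syntax and not the product's own trojan port list; the internal network ranges, the trojan ports, the validated false-positive port and the sample connection events are all constructed for illustration.

```python
"""Default port-list rule vs. a tuned version, over constructed connection events.

Added example; not SSIM code. Network ranges, port lists and events are constructed.
"""
import ipaddress
from collections import Counter

# Assumption: the internal address space an administrator has defined in the
# SIEM's network configuration (the "define your networks" step). Constructed.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in
                     ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Hypothetical "known trojan port" list standing in for the product's list.
TROJAN_PORTS = {1243, 12345, 27374, 31337}

# Ports an analyst has validated as benign in this environment (constructed).
VALIDATED_FALSE_POSITIVE_PORTS = {1243}

# Constructed sample events: one dict per connection seen by the collector.
SAMPLE_EVENTS = [
    # Internal -> internal reply traffic that happens to land on a listed port.
    {"src_ip": "10.1.2.3", "dst_ip": "10.1.2.10", "dst_port": 27374,
     "process": r"C:\WINDOWS\system32\lsass.exe"},
    {"src_ip": "10.1.2.3", "dst_ip": "10.1.2.10", "dst_port": 27374,
     "process": r"C:\WINDOWS\system32\lsass.exe"},
    # Outbound to an external host on a listed port, repeated twice.
    {"src_ip": "10.1.2.4", "dst_ip": "203.0.113.7", "dst_port": 31337,
     "process": r"C:\WINDOWS\system32\svchost.exe"},
    {"src_ip": "10.1.2.4", "dst_ip": "203.0.113.7", "dst_port": 31337,
     "process": r"C:\WINDOWS\system32\svchost.exe"},
    # Outbound on a port already validated as a false positive here.
    {"src_ip": "10.1.2.5", "dst_ip": "198.51.100.9", "dst_port": 1243,
     "process": r"C:\WINDOWS\system32\dns.exe"},
    # Ordinary internal file-sharing traffic, not on the list at all.
    {"src_ip": "10.1.2.6", "dst_ip": "10.1.2.10", "dst_port": 445,
     "process": r"C:\WINDOWS\system32\svchost.exe"},
    # Inbound from outside to a listed port: not "outbound", so the tuned rule skips it.
    {"src_ip": "198.51.100.20", "dst_ip": "10.1.2.10", "dst_port": 27374,
     "process": r"C:\WINDOWS\system32\lsass.exe"},
]


def is_internal(ip):
    """True if the address falls inside one of the defined internal networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETWORKS)


def default_rule(event):
    """The behaviour complained about in the thread: a bare port-list match."""
    return event["dst_port"] in TROJAN_PORTS


def tuned_rule(event):
    """Port-list match minus validated ports, and only for outbound connections.

    Outbound here means: source inside a defined internal network, destination
    outside all of them. This depends on the collector reporting src/dst in the
    right direction, which the thread notes firewalls often get wrong.
    """
    if event["dst_port"] not in TROJAN_PORTS - VALIDATED_FALSE_POSITIVE_PORTS:
        return False
    return is_internal(event["src_ip"]) and not is_internal(event["dst_ip"])


def aggregate(events):
    """Collapse repeated (src, dst, port) hits into one incident carrying a count."""
    return Counter((e["src_ip"], e["dst_ip"], e["dst_port"]) for e in events)


def evaluate(events=SAMPLE_EVENTS):
    """Run both rules over the events and report how many incidents each produces."""
    default_hits = [e for e in events if default_rule(e)]
    tuned_hits = [e for e in events if tuned_rule(e)]
    return {
        "default_incidents": len(default_hits),
        "tuned_incidents": len(tuned_hits),
        "tuned_aggregated": dict(aggregate(tuned_hits)),
    }


if __name__ == "__main__":
    result = evaluate()
    print("default rule incidents:", result["default_incidents"])
    print("tuned rule incidents:  ", result["tuned_incidents"])
    for (src, dst, port), n in result["tuned_aggregated"].items():
        print(f"  {src} -> {dst}:{port}  x{n}")
```

On the constructed events the bare port match raises six incidents, including the internal-to-internal lsass.exe reply traffic the original poster describes; the tuned rule raises two, and aggregation folds them into a single incident with a count of 2. The order of the steps matters: without the network definitions, `is_internal` cannot distinguish outbound from internal traffic and the direction check does nothing.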