Symantec Endpoint Clients being attacked
When logging into our SEPM console, I'm noticing that we are experiencing what appear to be attacks on our clients. I've contacted Symantec support about this issue and they proved that it was our VNC clients that were scanning each other's ports. So then obviously it appears in our protection manager as an attack. I'm not particularly bothered by it, but was curious how to possibly stop these logs being reported or somehow configure the protection manager to allow the VNC scans. If anyone has encountered a similar issue, I would be most appreciative of your knowledge on the subject.
Symantec Endpoint Clients Logs
Hi,
Thanks & Regards
Sandip C Sali
Hello Brannel
had a few issues related to SEP blocking VNC
the first thing you might need to do is a centralized exception, if you don't want VNC to be monitored.
https://www-secure.symantec.com/connect/forums/application-errors-vnc-command-status-etc
check this link and create an exception for your VNC
Making exceptions using centralized exception policies in Symantec Endpoint Protection Manager.
http://service1.symantec.com/support/ent-security.nsf/docid/2008030423280248
you can do the same by following the below steps too.
monitors
logs
click on risk (do the same procedure for scan and system until you find your VNC)
once you find your VNC at the top you can add it to centralized exceptions
once these are added, the monitoring will be stopped.
let me know if you have any questions.
Rafeeq
Hi Rafeeq
I've just run a report log using the Network Threat Protection Logs and specified attacks. It has brought me up a list of machines that have been attacked. These logs include active responses and port scans. Unlike in risk there isn't an option to add anything to the centralized exceptions policy. Do you have any idea?
Thanks
Regards
Chris Kellow
it might be false
it might be false positive...
We are also using VNCs in some of our clients and they are detected as threats...
just need exemptions if you would want VNC as official apps... else you need to disable or uninstall them...
thanks...
Nel Ramos
VNC detected as threat
That basically is what's happening, our protection manager is detecting the VNC port scan as a threat and I'm unsure of how to disable these logs, because to be honest it is not necessary. I've added a centralized exception specifying the "WinVNC.exe" file in program files as a security risk file and set it to ignore but it's still logging it. I don't want to uninstall the VNC client from the users' workstations or the VNC server. Do you know how to disable those particular logs?
Thanks
Regards
Chris Kellow
Re
Are you using VNC for your servers?
Only for client workstations
Only for client workstations we have VNC installed. We have the VNC server utility installed but only on mine and another colleague's workstation.
Regards
Chris Kellow
Still having issues with VNC clients attacking each other
Still having issues with attacks being logged on our SEPM. Created a centralized exceptions policy and it's still being even though the policy is set to ignore. Any ideas?
Regards
Chris Kellow
Hi
can you create a report and paste the screenshot here?
monitors - logs - network threat protection - attacks.
let's see what exe is generating those attacks..
Rafeeq
Hi
I know the exe that's causing the logs. It's WinVNC.exe, which exists in program files. For some reason I can't get the reports working at the moment. But when it was working, it was showing problems VNC as the culprit for attacks.
Regards
Chris Kellow
Security Log
I'm still having an issue with port scans on some of our clients and users receiving pop-ups in the notification area. Message reads traffic blocked from IP address... If anyone can help that would be great.
Regards
Chris Kellow