Endpoint Protection

  • 1.  Symantec Using Weak Ciphers for Communication

    Posted Jul 18, 2016 08:45 AM

    I noticed a rather large number of informational notifications in my IPS product for "Weak SSL RC4 Cipher Suites" from client machines to gw03entry01.dis.symantec.com (216.10.195.252).  Based on a quick search, this appears to be part of the back-end submission service.  My question is:  Why is Symantec using a cipher suite that has known weaknesses?  I'm assuming it is so that network overhead is reduced, but I'd prefer that information I share with Symantec be properly encrypted/protected.  Here is the pertinent information from an example log entry:

    Event Name:        Weak SSL RC4 Cipher Suites
    Start Time:        08:03:22 18 Jul 2016
    End Time:        08:05:21 18 Jul 2016
    Detection Time:        08:03:22 18 Jul 2016
    Last Update Time:    08:10:24 18 Jul 2016
    Source:            INTERNAL HOST REDACTED
    Destination:        gw03entry01.dis.symantec.com (216.10.195.252)
    Service:        N/A/443  tcp/443
    Direction:        Outgoing
    Accepted connections:    2
    Blocked connections:    0
    Time Interval:        300
    Peak connections:    2
    Total connections:    2
    Attack Name:        SSL Enforcement Violation
    Job Name:        All online jobs
    Event Definition Name:    Generic IPS Event
    Confidence Level:    Medium
    Attack Information:    Weak SSL RC4 Cipher Suites
    Protection Name:    Weak SSL RC4 Cipher Suites
    CVE List:        CVE-2015-2808
    Action:            Detect
    Source Port:        63072
    Performance Impact:    Medium
    Protection Type:    Signature
    Destination Country:    United States



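The IPS event in the opening post fires on the RC4 cipher suites it sees in the TLS handshake between the client and the Symantec endpoint. The script below is an added example, not code from the original thread, from Symantec or from Check Point: it parses a TLS ClientHello and ServerHello the way a signature such as "Weak SSL RC4 Cipher Suites" has to, lists which RC4 suites the client offered, and reports whether the server actually selected one. The handshake records are constructed inline (there is no capture of the submission service here), and the cipher-suite table is a subset of the IANA-assigned identifiers for RC4 suites.

```python
import struct

# Subset of the IANA TLS cipher-suite registry: identifiers whose bulk cipher is RC4.
# Table constructed here for the example; values are the standard registry numbers.
RC4_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x0018: "TLS_DH_anon_WITH_RC4_128_MD5",
    0x008A: "TLS_PSK_WITH_RC4_128_SHA",
    0xC002: "TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
    0xC007: "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
    0xC00C: "TLS_ECDH_RSA_WITH_RC4_128_SHA",
    0xC011: "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
    0xC016: "TLS_ECDH_anon_WITH_RC4_128_SHA",
}

CLIENT_HELLO, SERVER_HELLO = 1, 2


def _handshake_body(record):
    """Return (handshake_type, body) for a TLS record that carries one handshake message."""
    if len(record) < 5 or record[0] != 0x16:          # content type 22 = handshake
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4:
        raise ValueError("truncated handshake header")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated handshake body")
    return hs[0], body


def client_hello_suites(record):
    """Cipher suites offered by the client, in the order they appear in the ClientHello."""
    hs_type, body = _handshake_body(record)
    if hs_type != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    pos = 2 + 32                                       # client_version + random
    sid_len = body[pos]
    pos += 1 + sid_len                                 # skip session_id
    suites_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    raw = body[pos:pos + suites_len]
    if len(raw) != suites_len or suites_len % 2:
        raise ValueError("malformed cipher_suites vector")
    return [struct.unpack("!H", raw[i:i + 2])[0] for i in range(0, suites_len, 2)]


def server_hello_suite(record):
    """The single cipher suite the server selected in its ServerHello."""
    hs_type, body = _handshake_body(record)
    if hs_type != SERVER_HELLO:
        raise ValueError("not a ServerHello")
    pos = 2 + 32                                       # server_version + random
    sid_len = body[pos]
    pos += 1 + sid_len
    return struct.unpack("!H", body[pos:pos + 2])[0]


def assess(client_record, server_record=None):
    """Distinguish 'client offered RC4' from 'session is actually using RC4'."""
    offered = client_hello_suites(client_record)
    result = {
        "offered_rc4": [RC4_SUITES[s] for s in offered if s in RC4_SUITES],
        "negotiated": None,
        "negotiated_rc4": False,
    }
    if server_record is not None:
        chosen = server_hello_suite(server_record)
        result["negotiated"] = RC4_SUITES.get(chosen, "0x%04X" % chosen)
        result["negotiated_rc4"] = chosen in RC4_SUITES
    return result


# --- constructed handshake records for a stand-alone run (not captured traffic) ---
def build_client_hello(suites, version=(3, 3)):
    body = bytes(version) + bytes(32) + b"\x00"        # version, all-zero random, empty session id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                # compression_methods: null only
    hs = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


def build_server_hello(suite, version=(3, 3)):
    body = bytes(version) + bytes(32) + b"\x00" + struct.pack("!H", suite) + b"\x00"
    hs = bytes([SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    ch = build_client_hello([0xC02F, 0x002F, 0x0005, 0x0004])   # AES-GCM, AES-CBC, then two RC4 suites
    print(assess(ch, build_server_hello(0x0005)))                # server picks RC4: session is weak
    print(assess(ch, build_server_hello(0xC02F)))                # server picks AES-GCM: only the offer was weak
```

When triaging an event like the one above, the split between `offered_rc4` and `negotiated_rc4` is the useful part: a client whose ClientHello still lists RC4 suites will trip a signature that keys on the offer even when the server ends up on AES, and only the ServerHello tells you whether the data to the submission service was in fact protected with RC4.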

  • 2.  RE: Symantec Using Weak Ciphers for Communication

    Posted Jul 18, 2016 08:49 AM

    What IPS? I've not seen this on mine.



  • 3.  RE: Symantec Using Weak Ciphers for Communication

    Posted Jul 18, 2016 11:44 AM

    I think you'll need Symantec to respond as to why they're using RC4.  As you say, this should really be changed.

    Regarding what it is however, the URL seems to suggest it's related to Quarantine submissions and Symantec's Digital Immune System, as indicated by its use in the Quarantine Server:

    http://www.symantec.com/docs/TECH100449

    Perhaps someone on the internal host tried to submit a file to Symantec Security Response?



  • 4.  RE: Symantec Using Weak Ciphers for Communication

    Posted Jul 18, 2016 01:09 PM

    What product is causing the detection and what version?



  • 5.  RE: Symantec Using Weak Ciphers for Communication

    Posted Jul 18, 2016 02:58 PM

    Check Point IPS Blade (R77.30).  Signatures/database update version 634164764 (Created 7/17/2016)




  • 6.  RE: Symantec Using Weak Ciphers for Communication

    Posted Jul 18, 2016 04:12 PM

    There is information on the checkpoint website regarding this issue.

    https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk106478

    You may need to contact them.



  • 7.  RE: Symantec Using Weak Ciphers for Communication

    Posted Jul 20, 2016 10:33 AM

    I don't have an issue with Check Point using RC4.  My issue is that my IPS is showing that my clients are connecting to Symantec back-end services with RC4.