Hello friends,
As a security administrator in my organization I can see a rising trend of JSCoinminer events.
These events are users surfing to a web page which is infected with a malicious script.
Unfortunately you will not know about this at all, as the default configuration in the SEPM is to ALLOW and NO LOG.
This is the event:
15/02/2018 12:42:20
Browser Protection Major and above 1
DOM AVMAIN My Company\Workstations\Domain Computers
CEO 10.0.0.10 Windows 10 Enterprise Edition
CEO Default
Other Inbound
Not applicable Not applicable
[SID: 30358] Web Attack: JSCoinminer Download 8 attack blocked. Traffic has been blocked for this application: C:\Program Files\Internet Explorer\iexplore.exe
You need to go to your IPS policy --> Windows Settings --> Exceptions --> ADD
If you filter for action Allow you will see many interesting signatures. I really recommend checking them out by enabling LOGGING to see
if you have such traffic. You can see 3 JSCoinminer options.
Plus, you can detect TOR, IRC, P2P, PSExec traffic and many more, which I block inside my network using these options.
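As an added example (not part of the original post or of Symantec's tooling), here is a small Python parser for SEPM IPS event messages in the form quoted above. It counts JSCoinminer detections per signature and host and lists the signatures that are still in log-only mode, which is the shortlist an admin would review after enabling logging. The "detected but not blocked" wording for Allow+Log signatures, and the SID 99999 sample signature, are assumptions.

```python
import re
from collections import Counter

# Constructed sample SEPM IPS events as (hostname, message); not real log data.
# The "blocked" form mirrors the message quoted in the post. The "detected but
# not blocked" form and SID 99999 are placeholders for a log-only signature.
SAMPLE_EVENTS = [
    ("CEO", "[SID: 30358] Web Attack: JSCoinminer Download 8 attack blocked. "
            "Traffic has been blocked for this application: "
            "C:\\Program Files\\Internet Explorer\\iexplore.exe"),
    ("CFO", "[SID: 30358] Web Attack: JSCoinminer Download 8 attack blocked. "
            "Traffic has been blocked for this application: "
            "C:\\Program Files\\Internet Explorer\\iexplore.exe"),
    ("HR01", "[SID: 99999] Audit: JSCoinminer Download (placeholder) attack "
             "detected but not blocked. Application path: "
             "C:\\Program Files\\Mozilla Firefox\\firefox.exe"),
]

# Captures the numeric SID, the signature name, whether the attack was blocked,
# and the application path. " attack " is matched case-sensitively so that
# "Web Attack:" inside the signature name is not mistaken for the delimiter.
EVENT_RE = re.compile(
    r"^\[SID: (?P<sid>\d+)\] (?P<name>.+?) attack "
    r"(?P<action>blocked|detected but not blocked)\. "
    r".*?(?:application: |Application path: )(?P<app>.+)$"
)


def parse_event(message):
    """Return sid, signature name, blocked flag and app path, or None if unparsable."""
    m = EVENT_RE.match(message)
    if not m:
        return None
    return {"sid": int(m["sid"]), "name": m["name"],
            "blocked": m["action"] == "blocked", "app": m["app"]}


def summarize(events, keyword="JSCoinminer"):
    """Count matching events per (sid, name, blocked) and collect affected hosts."""
    counts, hosts = Counter(), {}
    for host, message in events:
        ev = parse_event(message)
        if ev is None or keyword.lower() not in ev["name"].lower():
            continue
        key = (ev["sid"], ev["name"], ev["blocked"])
        counts[key] += 1
        hosts.setdefault(key, set()).add(host)
    return counts, hosts


def unblocked_signatures(events, keyword="JSCoinminer"):
    """Signatures seen only in log mode: candidates to switch to Block+Log."""
    counts, _ = summarize(events, keyword)
    return sorted({name for (_, name, blocked) in counts if not blocked})
```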
Good advice, above!
Just adding a link to this article, which contains additional recommendations:
Coinminer protection and removal with Symantec Endpoint Protection http://www.symantec.com/docs/TECH249302
Hi,
One thing to comment here is that your initial detection for [SID: 30358] Web Attack: JSCoinminer Download 8 was likely already set to Block+Log because it isn't an audit signature like the ones you highlighted. Audit signatures are usually not set to block and log as they can be noisy, thus it is up to the admin to determine if there is a need to create an exception for them. Below is the current list of signatures for JSCoinminer that are set to block (Web Attack). Hope it helps.