Hi Team,
We are using 14.0.3929 verion in our environment along with ATP version 3.1.0-678 . From the last couple of days we are getting this alert in ATP:
| 2018-07-18 14:21:59 UTC |
4124: Endpoint (IP/URL/Domain) Detection
|
|
|
| app_name |
|
C:/PROGRAM FILES/INTERNET EXPLORER/IEXPLORE.EXE
|
| categories |
|
Attack
|
| data_source_url_domain |
|
|
| deepsight_domain |
|
notavailable
|
| description |
|
|
| device_ip |
|
172.*>*>*
|
| device_name |
|
hostname |
| device_time |
|
2018-07-18 14:21:59 UTC
|
| device_uid |
|
39c4147
|
| domain_name |
|
abc |
| event_desc |
|
[SID: 30529] Web Attack: Fake TechSupport Domains 2 attack blocked. Traffic has been blocked for this application: C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
|
| event_id |
|
206: Intrusion detected
|
| external_ip |
|
172*>*>*
|
| host_name |
|
hostname |
| infected |
|
false
|
| intrusion_url |
|
www.bing.comwww.bing.com:443
|
| local_host_mac |
|
000000000000
|
| log_time |
|
2018-07-18 14:25:06 UTC
|
| network_protocol |
|
2: TCP
|
| remote_host_mac |
|
000000000000
|
| severity |
|
3: Critical
|
| sid |
|
30529
|
| signature_id |
|
30529
|
| signature_name |
|
Web Attack: Fake TechSupport Domains 2
|
| symc_device_action |
|
1: Blocked
|
| time |
|
2018-07-18 14:21:59 UTC
|
| timezone |
|
UTC
|
| traffic_direction |
|
1: Inbound
|
| type_id |
|
4124: Endpoint (IP/URL/Domain) Detection
|
| user_name |
|
60891
|
|
Could you please explain what this attack actually means? Bing.com is blocked already in this environment .
Regards,
Jagadeesh