Endpoint Protection


Endpoint Protection Blocks Backup Exec Agent on some IPs


  • 1.  Endpoint Protection Blocks Backup Exec Agent on some IPs

    Posted Oct 22, 2012 03:24 PM

    Hi all, I am receiving the following security alert from Symantec Endpoint Protection on my Backup Exec 2010 R3 server:

    [SID: 25721]Web Attack: RTMP Type Confusion CVE-2012-0779 2 detected.
    Traffic has been blocked from this application: C:\Program Files\Symantec\Backup Exec\bengine.exe

    I have received this for a few of my backed-up machines and was wondering what the best practice is to stop this from happening.

    I would assume the way is to create an application rule for "bengine.exe" in the Symantec Endpoint Protection Manager (SEPM) firewall policy, as outlined in this article: http://www.symantec.com/docs/TECH104526 Is this correct? Or is there a different/better way?

    Thank you in advance

    Mike



  • 2.  RE: Endpoint Protection Blocks Backup Exec Agent on some IPs

    Posted Oct 22, 2012 06:33 PM

    This is happening because the IPS signature is firing on it. You can create an exception for this signature:


    Creating exceptions for IPS signatures

    http://www.symantec.com/business/support/index?page=content&id=HOWTO55167

    See this for more info on managing IPS as well:


    Managing intrusion prevention on your client computers

    http://www.symantec.com/business/support/index?page=content&id=HOWTO55156



  • 3.  RE: Endpoint Protection Blocks Backup Exec Agent on some IPs

    Posted Oct 22, 2012 08:54 PM

    If I allow [SID: 25721]Web Attack: RTMP Type Confusion CVE-2012-0779 in the intrusion prevention policy, won't that put my whole organization at risk of the Adobe Flash Player vulnerability outlined in this article? http://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=25721



  • 4.  RE: Endpoint Protection Blocks Backup Exec Agent on some IPs

    Posted Oct 22, 2012 10:16 PM

    You can allow only this machine to be excluded from the IPS policy, not all machines.

    Also, is this being flagged during a backup? Backup Exec shouldn't be flagged or creating a vulnerability.

    Have you scanned this machine to ensure it's not infected or determined when exactly this signature fires and what's going on?



  • 5.  RE: Endpoint Protection Blocks Backup Exec Agent on some IPs

    Posted Oct 23, 2012 10:53 AM

    Yes, this happens during a backup, and then it kills the backup connection.

    The signature seems to fire when it gets to the D: volume of this server; the C: volume backs up fine. The D: volume has multiple versions of an in-house software application (maybe this is flagged?).

    I have checked the Endpoint logs and have run scans, but everything comes up clean.

    Backup Exec is also set up to run on a separate IP scheme, if this makes a difference.
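The triage step suggested in reply 4 (work out when the signature fires, from which application and against which host, before adding any exclusion), as an added Python example that is not part of this thread or of any Symantec tooling. The alert lines are constructed for the example and modelled on the alert quoted in the first post; the timestamp and "Remote host" fields, the one-line layout and the 01:00-05:00 backup window are assumptions, not SEP's real log format.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines, not real SEP log output: the alert text is modelled on the one
# quoted in the first post; the timestamp and "Remote host" fields are assumptions.
SAMPLE_ALERTS = [
    "2012-10-22 02:14:09 [SID: 25721]Web Attack: RTMP Type Confusion CVE-2012-0779 2 detected. "
    "Traffic has been blocked from this application: C:\\Program Files\\Symantec\\Backup Exec\\bengine.exe "
    "Remote host: 10.10.5.21",
    "2012-10-23 02:31:44 [SID: 25721]Web Attack: RTMP Type Confusion CVE-2012-0779 2 detected. "
    "Traffic has been blocked from this application: C:\\Program Files\\Symantec\\Backup Exec\\bengine.exe "
    "Remote host: 10.10.5.21",
    "2012-10-23 14:05:02 [SID: 25721]Web Attack: RTMP Type Confusion CVE-2012-0779 2 detected. "
    "Traffic has been blocked from this application: C:\\Program Files\\Mozilla Firefox\\firefox.exe "
    "Remote host: 203.0.113.7",
]

ALERT_RE = re.compile(  # matches the one-line layout assumed above
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \[SID: (?P<sid>\d+)\](?P<name>.+?) \d+ detected\. "
    r"Traffic has been blocked from this application: (?P<app>.+?) Remote host: (?P<host>\S+)$"
)

def parse_alert(line):
    """Split one alert line into its fields; return None for lines that do not match."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["ts"] = datetime.strptime(fields["ts"], "%Y-%m-%d %H:%M:%S")
    fields["sid"] = int(fields["sid"])
    return fields

def triage(lines, backup_window=(1, 5)):
    """Group hits by (SID, blocked application, remote host) and check whether every hit
    fell inside the nightly backup window (hours, start inclusive, end exclusive)."""
    groups = defaultdict(list)
    for line in lines:
        alert = parse_alert(line)
        if alert:
            groups[(alert["sid"], alert["app"], alert["host"])].append(alert["ts"])
    start, end = backup_window
    report = {}
    for (sid, app, host), times in groups.items():
        in_window = all(start <= t.hour < end for t in times)
        # Only backup-engine hits that line up with the job window justify a narrow per-host
        from_backup_engine = app.lower().endswith("bengine.exe")  # exclusion; the rest: investigate
        verdict = "per-host exclusion candidate" if in_window and from_backup_engine else "investigate"
        report[(sid, app, host)] = {"hits": len(times), "all_in_window": in_window, "verdict": verdict}
    return report
```

The Firefox hit in the sample shows why the check matters: the same SID outside the backup window and from a browser is exactly the case a signature-wide exception would have hidden.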



  • 6.  RE: Endpoint Protection Blocks Backup Exec Agent on some IPs

    Posted Oct 23, 2012 11:04 AM


  • 7.  RE: Endpoint Protection Blocks Backup Exec Agent on some IPs

    Posted Oct 23, 2012 04:43 PM

    That looks like it will do the trick. I will try this out and since this does not happen on every backup job I will let the system run a few days and post back if this fixes the problem.



  • 8.  RE: Endpoint Protection Blocks Backup Exec Agent on some IPs

    Posted Oct 27, 2012 12:02 AM

    Hi Mike,

    Is your problem resolved or not?



  • 9.  RE: Endpoint Protection Blocks Backup Exec Agent on some IPs

    Posted Nov 01, 2012 12:29 PM

    Ashish, thank you for the suggestion I have not received any false positives since applying your fix. Marked as solution.



  • 10.  RE: Endpoint Protection Blocks Backup Exec Agent on some IPs

    Posted Nov 05, 2012 09:46 AM

    Got the same false positive on Friday. Is there a way to "whitelist" the IP address of the server being backed up for just the backup server?



  • 11.  RE: Endpoint Protection Blocks Backup Exec Agent on some IPs

    Posted Nov 05, 2012 09:53 AM

    You can add only this server to the excluded hosts list in the IPS policy. IPS will not apply for this server then. Or you could just remove the component if that is an option.



  • 12.  RE: Endpoint Protection Blocks Backup Exec Agent on some IPs

    Posted Nov 05, 2012 09:56 AM

    Hi,

    What SEP components do you have installed?

    If you have installed the NTP feature, try removing that feature on the server.



  • 13.  RE: Endpoint Protection Blocks Backup Exec Agent on some IPs

    Posted Nov 06, 2012 10:37 AM

    I have excluded the IP address of the host being flagged in the IPS policy. I will let this run over the weekend and post back if this corrects the problem.



  • 14.  RE: Endpoint Protection Blocks Backup Exec Agent on some IPs

    Posted Nov 06, 2012 02:56 PM

    @mhartman

    Something that has not yet been covered is the version of SEP you are running.

    In SEP 12, you can have different exclusions for continuous, manual or scheduled scans.

    In SEP 11, that is not the case. If you apply centralised exclusions, they apply to every type of scan. Thus your manual scan might not pick up an infected file if it is in an excluded directory. It might, however, be picked up when the backup engine is reading the contents of the file. At that time, I guess the infected file is part of the backup engine process and will be scanned, which triggers your alert?

    Just a thought. Would be nice to hear from Symantec developers about this.