Endpoint Protection

  • 1.  Intrusion prevention - System is clear

    Posted Oct 30, 2018 01:51 PM

    Hello,

    For a few days now, one of our servers has been attacked on port 443, or at least that is what SEP says:

    Name of IPS:
    Attack: an intrusion attempt was blocked.

    Status:
    Blocked

    Signature:
    System Infected: Trojan.Naid Activity 2

    Attacked:
    System

    Attacked Port:
    443

    We already checked the registry for the files and the services as described there, but we can't find anything on the system. The services AppMgmt and BITS do exist, but they are disabled/set to manual. A full scan isn't able to find anything suspicious on the machine either.

    Any suggestions or ideas on how to fix this?



  • 2.  RE: Intrusion prevention - System is clear

    Posted Oct 30, 2018 03:55 PM

    In the past, there were a few signatures that were incorrectly being triggered. If your analysis is not turning up anything, then it may be best to contact support to let them know. If this is an external-facing server, then the traffic could actually be inbound as opposed to outbound and the signature needs to be adjusted in some way.



  • 3.  RE: Intrusion prevention - System is clear

    Posted Oct 31, 2018 03:30 AM

    I just checked my mailbox again. Seems a few more servers are affected by that issue. All of those servers are reachable from the internet. Always the same signature and the same port. Nothing in the files or registry though. Guess I'm going to contact support here.



  • 4.  RE: Intrusion prevention - System is clear

    Posted Oct 31, 2018 05:27 AM

    Same here. Only one external remote IP seen. Direction Outbound which doesn't seem accurate. Intrusion URL: 127.0.0.1/10
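
    To make the triage described in this thread repeatable, here is an added example (Python, written for this page; it is not Symantec's, SEP's or any poster's code). It parses the alert block quoted in post 1, applies the direction-versus-loopback check from post 4 and the "exposed port, clean host" reasoning from posts 2 and 3, and then groups reports across servers to spot the "same signature, same port, every internet-facing host, every scan clean" pattern that argues for a signature problem rather than a compromise. The sample alert text, the host names, the `EXPOSED_SERVICE_PORTS` set and the `scan_clean` / `internet_facing` inputs are constructed assumptions; the verdict strings are this example's wording, not vendor guidance.

```python
"""Added example (not Symantec's code): triage a SEP IPS alert like the one
quoted in this thread. Parses the 'Field:' / 'Value' text layout, checks the
Outbound-direction-with-loopback-URL inconsistency, and looks for the
'same signature, same port, many internet-facing hosts, clean scans' pattern."""
import ipaddress

# Constructed sample: the field/value lines from post 1 plus the Direction
# and Intrusion URL fields mentioned in post 4. The blank lines the SEP
# display inserts between name and value are optional for the parser.
SAMPLE_ALERT = """\
Name of IPS:
Attack: an intrusion attempt was blocked.
Status:
Blocked
Signature:
System Infected: Trojan.Naid Activity 2
Attacked:
System
Attacked Port:
443
Direction:
Outbound
Intrusion URL:
127.0.0.1/10
"""

# Ports the servers are known to expose to the internet (assumption for this
# example; take the real list from the server inventory).
EXPOSED_SERVICE_PORTS = {"443"}


def parse_alert(text):
    """Return {field: value}. A line ending in ':' names a field; the next
    non-blank line is its value (values may themselves contain ':')."""
    fields, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if key is None:
            if not line.endswith(":"):
                raise ValueError(f"expected a field name, got {line!r}")
            key = line[:-1]
        else:
            fields[key], key = line, None
    if key is not None:
        raise ValueError(f"field {key!r} has no value")
    return fields


def is_loopback_url(url):
    """True if the host part of an 'Intrusion URL' is 127.0.0.0/8, ::1 or localhost."""
    host = url.split("/")[0]
    if host.count(":") == 1:          # strip an IPv4 'host:port' suffix
        host = host.split(":")[0]
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host.lower() == "localhost"


def triage_one(fields, internet_facing, scan_clean):
    """Return the observations that argue against a real infection on one host."""
    notes = []
    direction = fields.get("Direction", "").lower()
    url = fields.get("Intrusion URL", "")
    if direction == "outbound" and url and is_loopback_url(url):
        notes.append("direction is Outbound but the intrusion URL is a loopback "
                     "address, so the recorded direction is not trustworthy")
    port = fields.get("Attacked Port")
    if internet_facing and port in EXPOSED_SERVICE_PORTS:
        notes.append(f"port {port} is an exposed listener: traffic is likely "
                     "inbound to the service rather than outbound from malware")
    if scan_clean:
        notes.append("full scan and registry/service review found nothing, so "
                     "host evidence does not corroborate 'System Infected'")
    return notes


def fleet_verdict(reports):
    """Group reports by (signature, port); flag a false-positive candidate when
    several distinct hosts, all internet-facing and all scanned clean, match."""
    groups = {}
    for r in reports:
        key = (r["fields"].get("Signature"), r["fields"].get("Attacked Port"))
        groups.setdefault(key, []).append(r)
    verdicts = {}
    for key, group in groups.items():
        hosts = sorted({r["host"] for r in group})
        candidate = (len(hosts) >= 2
                     and all(r["internet_facing"] for r in group)
                     and all(r["scan_clean"] for r in group))
        verdicts[key] = {
            "hosts": hosts,
            "candidate_false_positive": candidate,
            "next_step": ("collect a .pcap of the flagged traffic and submit it "
                          "through the vendor's false-positive process" if candidate
                          else "treat as a real detection until host evidence is gathered"),
        }
    return verdicts


# Constructed fleet: three internet-facing servers raising the same alert,
# all with clean scans, as described in post 3.
SAMPLE_REPORTS = [
    {"host": h, "fields": parse_alert(SAMPLE_ALERT),
     "internet_facing": True, "scan_clean": True}
    for h in ("web-01", "web-02", "web-03")
]

if __name__ == "__main__":
    for key, verdict in fleet_verdict(SAMPLE_REPORTS).items():
        print(key, verdict)
```

    The per-host notes are evidence for the support case, not a verdict on their own; the fleet-level check is what turns "one odd alert" into "a signature that misfires on every exposed host", which is the situation the thread describes.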



  • 5.  RE: Intrusion prevention - System is clear

    Posted Oct 31, 2018 05:51 AM

    Hello all,

    If you feel this may be an IPS False Positive, please do collect a .pcap and submit it to our False Positive team. Full details can be found in:

    Responding to Suspected IPS False Positives in Symantec Endpoint Protection
    http://www.symantec.com/docs/TECH233625



  • 6.  RE: Intrusion prevention - System is clear

    Posted Nov 06, 2018 09:20 AM

    Just a ping to see if anyone is still seeing these?



  • 7.  RE: Intrusion prevention - System is clear

    Posted Nov 06, 2018 02:49 PM

    @Mick2009 So far nothing popped up yet. Still waiting for a reply from the SEP Support.



  • 8.  RE: Intrusion prevention - System is clear

    Posted Nov 07, 2018 06:14 AM

    Hi Eduard,

    Feel free to PM me the case number and I will have a look from this side.



  • 9.  RE: Intrusion prevention - System is clear

    Posted Nov 22, 2018 11:59 AM

    Hey Mick2009,

    Sorry for the late reply. We are using SEP Cloud via a third-party provider. They had to open the ticket for us. Just got an e-mail from the provider (no case number provided): there is no reply from Symantec yet.