Endpoint Protection


Jolt2 Attack? Thought this was fixed long ago

  • 1.  Jolt2 Attack? Thought this was fixed long ago

    Posted Feb 02, 2011 08:30 AM

    Hi Everyone, Running Symantec 11.0.2 on primary AV server as well as on my exchange server. Exchange server traffic is being blocked by Symantec on the AV Server, stating that a Jolt2 Attack (Denial of Service) is in progress.

    I have looked up this vulnerability on the web, since SARC doesn't show any details, and the attack has been patched for many years...

    Why would this be coming up now, and how do I stop it from causing problems (AV server is also one of 3 DNS servers in domain)?

    Thanks in advance,

    Ken



  • 2.  RE: Jolt2 Attack? Thought this was fixed long ago

    Posted Feb 02, 2011 08:32 AM

    Is your AV server patched?



  • 3.  RE: Jolt2 Attack? Thought this was fixed long ago

    Posted Feb 02, 2011 08:33 AM

    Even though a vulnerability has been patched, that doesn't mean the attack can't still be attempted. Yes, it will not work but it can still be attempted.

    I see Conficker attempts on our network, even though we are fully patched against it.

    Also, the latest version is RU6 MP2 (11.0.6200). I would suggest upgrading, as you are pretty far behind in versions.



  • 4.  RE: Jolt2 Attack? Thought this was fixed long ago

    Posted Feb 02, 2011 08:53 AM

    AV Server is running version 11.0.5.333 I think, might have the last 3 digits wrong. Anyway, yes, both servers are fully up to date on Microsoft updates, and I have updated the AV on the Exchange server now to match the AV Server, thought this would do it automatically, guess I missed something.

    Anyway, running full system scan now to see if anything turns up.



  • 5.  RE: Jolt2 Attack? Thought this was fixed long ago

    Posted Feb 02, 2011 08:55 AM

    If Exchange server traffic is being blocked by Symantec on the AV Server, stating that a Jolt2 Attack (Denial of Service) is in progress, there is no point in scanning the AV server... if anything, you must scan your exchange server... since that's the one that is showing as the attack source...



  • 6.  RE: Jolt2 Attack? Thought this was fixed long ago

    Posted Feb 02, 2011 09:03 AM

    Do you only have the Antivirus/Antispyware component installed or Network Threat Protection as well?

    It sounds like the IPS is blocking this (assuming you have Network Threat Protection installed) since it is a DoS attack.

    You can check the logs on the client under View Logs >> Client Management >> Security Log

    This should give more info as to what is happening but it sounds like it is being blocked in which case SEP is doing its job and no further action is needed other than to try and determine where the attack is coming from and stop it.



  • 7.  RE: Jolt2 Attack? Thought this was fixed long ago

    Posted Feb 02, 2011 09:22 AM

    Upgrading is the given solution as the Jolt2 Attack detection is a bug which was fixed with the release of RU5. There is no workaround to prevent this. It is always a best practice to ensure SEP - all software - is kept patched, and up to date.



  • 8.  RE: Jolt2 Attack? Thought this was fixed long ago

    Posted Feb 02, 2011 09:23 AM

    Is your exchange server also your Altiris server?



  • 9.  RE: Jolt2 Attack? Thought this was fixed long ago

    Posted Feb 02, 2011 10:22 AM

    @vasu - of course I'm scanning the exchange server.

     

    @Brian, yes, trying to stop the source.  That was the point of the post.

     

    @vasu, no we do not use an altiris server. 



  • 10.  RE: Jolt2 Attack? Thought this was fixed long ago

    Posted Feb 02, 2011 10:25 AM

    Then in the logs it will show the IP the attack is coming from



  • 11.  RE: Jolt2 Attack? Thought this was fixed long ago

    Posted Feb 02, 2011 11:15 AM

    By the way, the scan with newest definitions shows nothing.  I haven't seen the pop-up on the AV server again either, will maintain watching and update if I do.



  • 12.  RE: Jolt2 Attack? Thought this was fixed long ago

    Posted Feb 02, 2011 11:15 AM

    Yes, it does.

     

    The attack is coming from the exchange server.

     

    Was that not clear in the original message?



  • 13.  RE: Jolt2 Attack? Thought this was fixed long ago

    Posted Feb 02, 2011 11:21 AM

    Upgrading client on AV server might have fixed it (if it did)