Endpoint Protection


NTP: OS Attack: Microsoft SMB MS17-010 Disclosure Attempt

  • 1.  NTP: OS Attack: Microsoft SMB MS17-010 Disclosure Attempt

    Posted Jun 20, 2017 04:37 AM

    Hi experts,

    The information below was found while I was checking the NTP attack.

    It looks like Microsoft SMB MS17-010 is not patched on the machine.

    But what makes me more interested is that the application for which the traffic was blocked is Avast antivirus, so was the attack actually blocked by Symantec, or by Avast?

    I believe this computer may have Avast installed, which I have not verified yet, as the machine is located in a different time zone from me.

    (Attached screenshot: 2017-06-20 16_29_43-C__Users_loh.chee_.siong_Documents_Symantec NTP_eln057 OS attack SMB ms17-010.png)

    I'm sorry for my broken English.

    best regards,

    Loh



  • 2.  RE: NTP: OS Attack: Microsoft SMB MS17-010 Disclosure Attempt

    Posted Jun 20, 2017 05:30 AM

    Hi,

    It was blocked by SEP. This is a detection for attacks against the SMB protocol. It is the same vulnerability used by WannaCry.

    You should investigate the remote IP address.

    My guess is that Avast works as a proxy for SMB traffic, so SEP logs the traffic with Avast as the application instead of the OS.



  • 3.  RE: NTP: OS Attack: Microsoft SMB MS17-010 Disclosure Attempt

    Posted Jun 20, 2017 05:48 AM

    Hi TORB,

    Thanks for your reply.

    I quickly checked the remote IP address, and actually it is the same as the machine itself, based on the logs.

    Probably a full scan, applying the MS patch, removing Avast and blocking port 445 are the next actions I should take?



  • 4.  RE: NTP: OS Attack: Microsoft SMB MS17-010 Disclosure Attempt

    Posted Jun 20, 2017 06:40 AM

    If you've confirmed the machine is patched then it is not vulnerable. Also, what is that remote IP? It's an internal machine on your network, so what is it doing?



  • 5.  RE: NTP: OS Attack: Microsoft SMB MS17-010 Disclosure Attempt

    Posted Jun 20, 2017 06:54 AM

    Hi Brian,

    I think the machine is not patched, from what I can see in the missing-patch list for MS17-010.

    From the detection info above, the machine IP and the remote IP are shown as the same, which is strange.

    The machine is a notebook, so it is used by a user for sure.
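One way to triage IPS events like the ones in this thread (a remote IP equal to the local IP, and a third-party AV process named as the application), written as an added Python example that is not part of the original thread; the CSV layout, column names, internal address range and file paths are constructed assumptions, not Symantec's export format:

```python
import csv
import io
import ipaddress

# Constructed sample in a simplified CSV layout; the column names and the
# file paths are assumptions for this example, not Symantec's export format.
SAMPLE_LOG = """event_time,signature,severity,local_ip,remote_ip,application,action
2017-06-20 16:29:43,OS Attack: Microsoft SMB MS17-010 Disclosure Attempt,Critical,10.1.5.23,10.1.5.23,C:\\Program Files\\Avast Software\\Avast\\AvastSvc.exe,Blocked
2017-06-20 16:31:02,OS Attack: Microsoft SMB MS17-010 Disclosure Attempt,Critical,10.1.5.23,10.1.5.77,System,Blocked
2017-06-20 16:40:10,OS Attack: Microsoft SMB MS17-010 Disclosure Attempt,Critical,10.1.5.23,203.0.113.9,System,Blocked
"""

# Address space the organisation treats as internal (assumed for the example).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
# Processes that normally own SMB traffic on Windows; anything else named in
# the application column deserves a look (as with the AV scanner in the thread).
OS_SMB_HANDLERS = {"system", "ntoskrnl.exe"}


def triage_event(ev):
    """Classify one IPS event and suggest the defender's next step."""
    local = ipaddress.ip_address(ev["local_ip"])
    remote = ipaddress.ip_address(ev["remote_ip"])
    app = ev["application"].rsplit("\\", 1)[-1].lower()
    third_party = app not in OS_SMB_HANDLERS
    if remote == local or remote.is_loopback:
        # Remote equals local: the traffic is sourced on the endpoint itself,
        # so the process in the application column is what to examine.
        category, step = "self-originated", f"inspect local process {app}"
    elif any(remote in net for net in INTERNAL_NETS):
        category, step = "internal-source", f"isolate and patch {remote} for MS17-010"
    else:
        category, step = "external-source", f"verify perimeter blocks TCP/445 from {remote}"
    return {"remote_ip": str(remote), "category": category,
            "third_party_app": third_party, "next_step": step}


def triage_log(text):
    """Run triage_event over every row of a CSV export."""
    return [triage_event(ev) for ev in csv.DictReader(io.StringIO(text))]


if __name__ == "__main__":
    for finding in triage_log(SAMPLE_LOG):
        print(finding)
```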



  • 6.  RE: NTP: OS Attack: Microsoft SMB MS17-010 Disclosure Attempt

    Posted Jun 20, 2017 07:03 AM

    Then I'd get a hold of it and get it patched or have it removed from the network until it can be.



  • 7.  RE: NTP: OS Attack: Microsoft SMB MS17-010 Disclosure Attempt

    Posted Jun 20, 2017 08:56 AM

    Hi Loh,

    Definitely get that computer patched and secured! Just adding some information about WannaCry, which exploits that vulnerability:

    WannaCry Ransomware
    https://www.symantec.com/outbreak/?id=wannacry

    Please do keep this thread up to date with your progress!




  • 8.  RE: NTP: OS Attack: Microsoft SMB MS17-010 Disclosure Attempt

    Posted Jun 21, 2017 12:37 AM

    Thanks for your suggestion. I will make sure to get it patched.



  • 9.  RE: NTP: OS Attack: Microsoft SMB MS17-010 Disclosure Attempt

    Posted Jun 21, 2017 12:37 AM

    Hi Mick,

    Thanks for more great info sharing.



  • 10.  RE: NTP: OS Attack: Microsoft SMB MS17-010 Disclosure Attempt

    Posted Jun 27, 2017 08:57 PM

    Hi Expert,

    I'm sorry for the late reply, I was away for a few days.

    Status update:

    MS17-010 was patched, but it still shows some outbound TCP. And Avast is confirmed to be installed on this machine.

    I have requested to uninstall it, since all the outbound TCP means the attack is from this machine, by Avast. But this depends on how the local admin contacts that user, as his feedback is that he uses Avast to scan industrial machine computers.

    I'm interested in why Symantec can't do the same job; hopefully we will get feedback from the users.

    By the way, do you guys think this is very critical? Because from the severity level, it is marked critical.

    What else should I do if this user refuses to uninstall Avast? Please advise if there is something I can do.

    I'm sorry for the bad English.

    Best regards,

    Loh



  • 11.  RE: NTP: OS Attack: Microsoft SMB MS17-010 Disclosure Attempt

    Posted Jun 27, 2017 09:03 PM

    Hi Mick,

    I just read the info you shared.

    It looks like Endpoint Protection alone is not enough to protect the corporate network from cyber security attacks?



  • 12.  RE: NTP: OS Attack: Microsoft SMB MS17-010 Disclosure Attempt

    Posted Jun 27, 2017 09:42 PM

    So is SEP blocking this? I can't see from the screenshot.



  • 13.  RE: NTP: OS Attack: Microsoft SMB MS17-010 Disclosure Attempt

    Posted Jun 28, 2017 05:56 AM

    Hi Brian,

    Yes, from the main post attachment. It shows it was blocked by SEP.



  • 14.  RE: NTP: OS Attack: Microsoft SMB MS17-010 Disclosure Attempt

    Posted Jun 28, 2017 06:44 AM

    I'm confused on what the issue is? SEP is doing its job.



  • 15.  RE: NTP: OS Attack: Microsoft SMB MS17-010 Disclosure Attempt

    Posted Jun 28, 2017 08:14 PM

    Yes, SEP is doing a good job.

    But this attack keeps getting flagged every day. So I wish to solve it and avoid giving this client a chance to affect the network.



  • 16.  RE: NTP: OS Attack: Microsoft SMB MS17-010 Disclosure Attempt

    Posted Jun 28, 2017 08:18 PM

    Has the offending machine been removed from the network and addressed or re-imaged? That's the problem.



  • 17.  RE: NTP: OS Attack: Microsoft SMB MS17-010 Disclosure Attempt

    Posted Jun 30, 2017 12:33 AM

    Hi Brian,

    The computer has not been removed from the network or re-imaged, because I think removing Avast may fix the problem.

    So I have requested to remove Avast, and my colleague is working with the user on it.

    Do you think this is very critical? So I should report it to my IT Manager for fast action, like what you say, at least removing it from the network?



  • 18.  RE: NTP: OS Attack: Microsoft SMB MS17-010 Disclosure Attempt
    Best Answer

    Posted Jun 30, 2017 07:31 AM

    SEP is doing its job by blocking the attack, so you're good here. But you need to get the malicious machine off the network.



  • 19.  RE: NTP: OS Attack: Microsoft SMB MS17-010 Disclosure Attempt

    Posted Jun 30, 2017 08:15 AM

    Hi Brian,

    Thanks for your advice. I will quickly write to check on the progress.



  • 20.  RE: NTP: OS Attack: Microsoft SMB MS17-010 Disclosure Attempt

    Posted Jun 30, 2017 08:18 AM

    By the way, may I know how to mark the problem as solved?

    I'm sorry I can't find any.



  • 21.  RE: NTP: OS Attack: Microsoft SMB MS17-010 Disclosure Attempt

    Posted Jun 30, 2017 08:20 AM

    You're welcome. Let me know if you have additional questions.

    You can click the 'Mark as Solution' link on the post you want to mark as the solution.



  • 22.  RE: NTP: OS Attack: Microsoft SMB MS17-010 Disclosure Attempt

    Posted Jul 02, 2017 09:37 PM

    Hi Brian,

    Thanks, I can see the mark as Solution button now.