Endpoint Protection

  • 1.  Popup

    Posted Jul 23, 2010 01:27 PM
    Client receiving a popup in SEP 11.0.6a:

    traffic from ip address 91.212.226.7 is blocked from 7/23/2010 11:49:02 AM to 7/23/2010 11:59:02 am [SID: 23615] HTTPS Tidserver reqeust 2 detected.

    I would like to know how to correct this on the client machine, which is running XP Pro SP3.


  • 2.  RE: Popup

    Posted Jul 23, 2010 01:44 PM

    If that is inbound traffic then it's IPS doing its job. Do you mean you want to hide the alerts?

    Any outbound connections would be more concerning, as it would mean the machine was probably infected.

    sandra


  • 3.  RE: Popup

    Posted Jul 23, 2010 02:30 PM
    It also might be a good idea to see if anything is sending out a request to that IP address. It's possible you have a downloader on the machine that is reaching out.

    You could also add that IP range to your firewall block list just in case.


    John Prince


  • 4.  RE: Popup

    Posted Jul 23, 2010 02:56 PM
    This is a client PC that just started to get these popups. I don't know if it is outbound or inbound??
    What should it do??

    Thank you!


  • 5.  RE: Popup

    Posted Jul 23, 2010 03:15 PM

    The logs should tell you in which direction the traffic is moving.

    sandra


  • 6.  RE: Popup

    Posted Jul 23, 2010 03:29 PM
    Appears this machine is infected.

    It is currently physically residing in Australia according to a trace, when really it is on a Russian network.
    More information here: http://www.ip-adress.com/whois/91.212.226.7

    The message is traffic INBOUND is being blocked.

    The system is running an e-mail or proxy server over a secure HTTP connection (HTTPS).

    NGINX 0.8.36

    Also, this IP address has been flagged many times as a Zombie, SPAM BOT, Virus host and distributor.

    Likely on many blacklists and RBLs.

    Thank Symantec for heeding the potential infection into your network...


  • 7.  RE: Popup

    Posted Jul 24, 2010 11:35 AM
    Okay?? So I'll run some AV and spyware scans in safe mode, and check proxy and registry settings. How could this get through Symantec AV?????????????

    Thank you Jason!!


  • 8.  RE: Popup

    Posted Jul 25, 2010 02:46 AM

    Make sure you have updated all the patches available.



  • 9.  RE: Popup

    Posted Jul 26, 2010 10:45 AM
    Updated patches on what, SEPM? How do I do this on SEPM?


  • 10.  RE: Popup

    Posted Jul 26, 2010 12:00 PM

    I think Acretian means patches for OS, third-party (such as Adobe), etc.

    sandra


  • 11.  RE: Popup

    Posted Jul 26, 2010 12:45 PM
    The infected machine is the one located at the address 91.x.x.x, not the one on your network.

    Symantec actually prevented your machine from being infected. Should have clarified that one.

    Sorry about the confusion.
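An added example, not from the thread or from Symantec: a small Python parser for the popup text quoted in the first post, which pulls out the remote IP, the block window, the SID and the signature name, and then checks the IP against a local CIDR block list of the kind reply 3 suggests. The alert string and the block list are constructed for the example; the popup itself does not state direction, so that still has to come from the client's Network Threat Protection log, as reply 5 says.

```python
import re
import ipaddress
from datetime import datetime

# Constructed sample: the popup text from the first post, whitespace-normalised.
ALERT = ("traffic from ip address 91.212.226.7 is blocked from 7/23/2010 11:49:02 AM "
         "to 7/23/2010 11:59:02 AM [SID: 23615] HTTPS Tidserver request 2 detected.")

# Hypothetical local block list (CIDR ranges) an admin maintains on the firewall.
BLOCK_LIST = [ipaddress.ip_network("91.212.226.0/24")]

# Field layout of the popup: source IP, block window, SID, signature name.
ALERT_RE = re.compile(
    r"traffic from ip address (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) is blocked "
    r"from (?P<start>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AaPp][Mm]) "
    r"to (?P<end>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AaPp][Mm]) "
    r"\[SID: (?P<sid>\d+)\] (?P<sig>.+?) detected\.?$")
TS_FMT = "%m/%d/%Y %I:%M:%S %p"


def parse_alert(text):
    """Return the popup's fields as a dict, or None if the text does not match."""
    m = ALERT_RE.match(" ".join(text.split()))
    if not m:
        return None
    start = datetime.strptime(m["start"].upper(), TS_FMT)
    end = datetime.strptime(m["end"].upper(), TS_FMT)
    return {
        "ip": ipaddress.ip_address(m["ip"]),
        "start": start,
        "end": end,
        "block_seconds": int((end - start).total_seconds()),
        "sid": int(m["sid"]),
        "signature": m["sig"],
    }


def in_block_list(ip, networks=BLOCK_LIST):
    """True if the address falls inside any listed CIDR range."""
    return any(ip in net for net in networks)


def triage(text):
    """Parse the popup and annotate it with the checks an admin would make first."""
    fields = parse_alert(text)
    if fields is None:
        return {"status": "unparsed"}
    fields["in_block_list"] = in_block_list(fields["ip"])
    fields["is_public"] = fields["ip"].is_global     # private ranges point at a LAN host
    fields["direction"] = None                        # not in the popup; read the NTP log
    return fields
```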