Endpoint Protection

  • 1.  Repeated notifications- Backdoor.adwind activity.

    Posted Sep 19, 2016 08:26 AM

    Hi,

    I am receiving repeated alerts about the 'Backdoor.Adwind detection- SID: 28846' and a traffic block message for traffic from 185.17.1.241 (alert attached).

    Referring to the below article, I have tried running the Symantec Power Eraser-SymDiag Tool and Norton Power Eraser. However, I am still receiving the alerts twice in one minute. I understand that Symantec is able to detect the malware, but I am trying to find out what the source of the malware is and how to stop the alerts permanently.

    https://www.symantec.com/security_response/writeup.jsp?docid=2013-070113-1904-99&tabid=3

    Thank you.

    Regards,

    Apurba




  • 2.  RE: Repeated notifications- Backdoor.adwind activity.

    Posted Sep 19, 2016 12:21 PM
    Is the traffic incoming or outgoing? If incoming then SEP is blocking attack attempts and doing its job.


  • 3.  RE: Repeated notifications- Backdoor.adwind activity.

    Posted Sep 20, 2016 12:57 AM

    Hi Brian,

    It is the Incoming Traffic that is being blocked. Yes, SEP is working and blocking the attack, however I wanted to know if the attack can be blocked permanently as the alerts are too frequent now.

    Thank you.

    Regards,

    Apurba




  • 4.  RE: Repeated notifications- Backdoor.adwind activity.

    Posted Sep 20, 2016 07:25 AM

    Yes, you can block at your external firewall if you wish.



  • 5.  RE: Repeated notifications- Backdoor.adwind activity.

    Posted Sep 20, 2016 07:37 AM

    Hi Apurba,


    This IP seems to be from Russia, and a Google search suggests it belongs to hackers. Though SEP is fully blocking it, I would suggest you block the IP at the perimeter level.




  • 6.  RE: Repeated notifications- Backdoor.adwind activity.

    Posted Sep 21, 2016 07:43 AM

    Thanks guys, I have been trying to block the IP, but it seems the IPs are changing every time. The good news is, I have not received any alert since this morning. I might have to keep track of the IPs and block them on the external firewall.


    Regards,

    Apurba



  • 7.  RE: Repeated notifications- Backdoor.adwind activity.

    Posted Sep 21, 2016 07:51 AM

    If the IPs are coming from a specific country then you can blacklist that country's IP range, that is of course if your company does not have a business need with said country.
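The two suggestions above (reply 6: keep track of the changing source IPs and block them on the external firewall; reply 7: block a whole range when the sources cluster in one region without a business need) can be automated from the IPS alerts themselves. The script below is an added example, not code from the thread or from Symantec. It parses a constructed alert format (the field layout, `direction=`, `src=`, `dst=`, `action=`, is an assumption for illustration and is not SEP's own export format), counts inbound blocked hits per external source, and emits a perimeter blocklist only for sources that exceed a hit threshold and do not fall into networks the business needs to keep reachable. It goes slightly beyond the thread by also reporting which individual addresses a coarser range-based block (such as a country allocation, supplied by the operator) would already cover, so the two approaches are not maintained twice.

```python
"""Aggregate repeated IPS alerts by source IP and build a perimeter blocklist.

Added example for the thread above. The alert lines and the field layout are
constructed for illustration; only the signature name, SID and the first
source IP are taken from the original post.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample alert export (not real SEP output). 203.0.113.0/24,
# 198.51.100.0/24 and 192.0.2.0/24 are documentation ranges used as stand-ins
# for the "changing IPs" the poster mentions.
SAMPLE_ALERTS = """\
2016-09-19 08:20:11 [SID: 28846] Backdoor.Adwind detection direction=Inbound src=185.17.1.241 dst=10.0.0.25 action=Blocked
2016-09-19 08:20:41 [SID: 28846] Backdoor.Adwind detection direction=Inbound src=185.17.1.241 dst=10.0.0.25 action=Blocked
2016-09-19 08:21:12 [SID: 28846] Backdoor.Adwind detection direction=Inbound src=185.17.1.241 dst=10.0.0.25 action=Blocked
2016-09-20 09:02:03 [SID: 28846] Backdoor.Adwind detection direction=Inbound src=203.0.113.77 dst=10.0.0.25 action=Blocked
2016-09-20 09:02:30 [SID: 28846] Backdoor.Adwind detection direction=Inbound src=203.0.113.77 dst=10.0.0.25 action=Blocked
2016-09-20 09:03:00 [SID: 28846] Backdoor.Adwind detection direction=Outbound src=10.0.0.25 dst=198.51.100.9 action=Blocked
2016-09-21 07:00:00 [SID: 28846] Backdoor.Adwind detection direction=Inbound src=192.0.2.15 dst=10.0.0.25 action=Blocked
"""

# Assumed line layout: "<date> <time> [SID: n] <signature> direction=.. src=.. dst=.. action=.."
ALERT_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[SID: (?P<sid>\d+)\] (?P<sig>.+?) "
    r"direction=(?P<direction>\w+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"action=(?P<action>\w+)$"
)


def parse_alerts(text):
    """Turn the raw export into a list of field dicts; unparseable lines are skipped."""
    alerts = []
    for line in text.splitlines():
        match = ALERT_RE.match(line.strip())
        if match:
            alerts.append(match.groupdict())
    return alerts


def inbound_sources(alerts, sid=None):
    """Count blocked *inbound* alerts per external source IP.

    Outbound blocks are excluded on purpose: an outbound hit would point at an
    infected internal host, which is a different problem than a noisy scanner.
    """
    counts = Counter()
    for alert in alerts:
        if alert["direction"] != "Inbound" or alert["action"] != "Blocked":
            continue
        if sid is not None and alert["sid"] != sid:
            continue
        counts[alert["src"]] += 1
    return counts


def build_blocklist(counts, min_hits=2, exempt_networks=()):
    """Select sources seen at least `min_hits` times, skipping business-critical networks."""
    exempt = [ipaddress.ip_network(net) for net in exempt_networks]
    selected = []
    for ip, hits in counts.items():
        addr = ipaddress.ip_address(ip)
        if hits < min_hits or any(addr in net for net in exempt):
            continue
        selected.append(ip)
    return sorted(selected, key=ipaddress.ip_address)


def covered_by_ranges(ips, ranges):
    """Return the IPs that a coarser range block (e.g. a country allocation) already covers."""
    nets = [ipaddress.ip_network(r) for r in ranges]
    return sorted(
        (ip for ip in ips if any(ipaddress.ip_address(ip) in net for net in nets)),
        key=ipaddress.ip_address,
    )


def firewall_rules(ips):
    """Render one generic iptables DROP rule per address (adapt to your perimeter device)."""
    return [f"iptables -A INPUT -s {ip} -j DROP" for ip in ips]


if __name__ == "__main__":
    hits = inbound_sources(parse_alerts(SAMPLE_ALERTS), sid="28846")
    blocklist = build_blocklist(hits, min_hits=2, exempt_networks=["203.0.113.0/24"])
    for rule in firewall_rules(blocklist):
        print(rule)
    # 185.17.0.0/22 is a constructed stand-in for an operator-supplied country range.
    print("already covered by range block:", covered_by_ranges(blocklist, ["185.17.0.0/22"]))
```

The threshold keeps a single stray hit from earning a permanent rule, and the exemption list is where "business need with said country" is encoded so a range block never silently cuts off a customer or partner network. Re-run the script against each day's export rather than hand-editing the firewall, since the poster observed the source addresses changing.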