Endpoint Protection

  • 1.  SEPM HIPS detected OS Attack: Microsoft SMB MS17-010 Disclosure Attempt

    Posted Nov 02, 2017 01:42 AM

    Hi Team,

    I get an alert on SEPM IPS with the below signature:

    OS Attack: Microsoft SMB MS17-010 Disclosure Attempt

    The interesting thing about this alert is that the remote host shows an internet IP range.

    But none of the internal IPs belong to our org.

     

    How do I go ahead with this? Any suggestions are welcome.

     

    Thanks

     



  • 2.  RE: SEPM HIPS detected OS Attack: Microsoft SMB MS17-010 Disclosure Attempt

    Posted Nov 02, 2017 01:36 PM

    SEP is blocking the attack but I would suggest blocking the external IP at your gateway firewall.



  • 3.  RE: SEPM HIPS detected OS Attack: Microsoft SMB MS17-010 Disclosure Attempt

    Posted Nov 03, 2017 01:23 AM

    Hi Brian,

     

    As mentioned earlier, the remote IPs in the logs are all internal IPs. Not sure how to go ahead with this; if there were any external IP, I would have gone ahead and blocked it.

     

     



  • 4.  RE: SEPM HIPS detected OS Attack: Microsoft SMB MS17-010 Disclosure Attempt

    Posted Nov 03, 2017 06:55 AM

    Regardless, what is the internal IP doing? Did you investigate it? It should still be in your DNS or have a hostname. At the very least attached to a switch port which can be shut down.