Endpoint Protection


[SID: 23737] Attack: Shellcode Download Activity Detected

  • 1.  [SID: 23737] Attack: Shellcode Download Activity Detected

    Posted Jun 01, 2017 12:51 PM

    Good afternoon,

     

    First time poster here. If this is the wrong forum, then I apologize. Please let me know where to post this and I certainly will.

    Starting on or around May 3rd, several of our end-users (5-10) have received a pop-up in the bottom right of the screen that says, [SID: 23737] Attack: Shellcode Download Activity Detected. For some it happens once in a while, others it's every hour. I saw that Symantec released an article on this (https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=23737) but the problem has persisted for every user that I have tried those steps on (disable System Restore, update definitions and run a full system scan). There is another article about that message (https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=27086), that says nearly the same thing but it lacks a solution.

    I have even tried running Malwarebytes on these machines and I have not found anything there either. The version of Symantec is Version 14 build 1904 (for all users).

    I have screenshots of the traffic at the time. It just looks like that machine is trying to ping one of our internal servers and Symantec is shutting it down, I'm guessing because it fears that it's a DDoS attack.

    The users are not reporting any other issues with their machines. Symantec finds nothing, Malware Bytes finds nothing.

    I am a bit stuck and not sure what to do or what to check from this point on, any advice would be welcomed.

     

     

    Thank you,



  • 2.  RE: [SID: 23737] Attack: Shellcode Download Activity Detected

    Posted Jun 01, 2017 01:07 PM

    What's the remote IP address of this attack? Have you blocked it at your external firewall? Did you verify the SEP IPS is blocking this via the Security log? If so, nothing was downloaded so there is nothing malicious on the file system. SEP is doing its job by blocking the attack.



  • 3.  RE: [SID: 23737] Attack: Shellcode Download Activity Detected

    Posted Jun 08, 2017 01:00 AM

    I have a similar issue. I was able to pinpoint the cause to Veeam Endpoint Backup. SEP identifies the backup process as an attack. It always blocks the traffic at the same time during the backup. It's a serious problem, because my backups are failing. The interesting thing is that there are no logs of this "attack" in the SEP client. I tried adding Veeam itself and the backup target to every exception possible, but I still receive the Shellcode Download Activity popup, and the backup fails. In the backup logs we can clearly see that it fails because the machine lost connection to the backup target, which is a CIFS share.



  • 4.  RE: [SID: 23737] Attack: Shellcode Download Activity Detected

    Posted Jun 13, 2017 08:21 AM

    Just came across this in my research because I am having the same issue, albeit only on one workstation (for the moment).

    I'm also running VEB, backing up to a CIFS share on a NAS. Looks like the nightly backup triggered the SEP alert, which then recurs roughly every half an hour. Thing is, neither SEP nor VEB are new; they've been getting along for six months with no problems.

    Wondering if either a recent SEP or VEB update triggered this new problem. I do have VEB set to update automatically. The current version on the affected system is 1.5.0.306, but the same version is on many/most/all of my other PCs too (have only checked a few).

    Anybody know of a fix?

     

     

     



  • 5.  RE: [SID: 23737] Attack: Shellcode Download Activity Detected

    Posted Jun 16, 2017 08:52 AM

    The same for me, using AOMEI Backupper.

    SEP identifies the backup process as an attack. It always blocks the traffic at the same time during the backup, after ~18 GB transferred.

    It's a serious problem, because my backups are failing.

    What can we do? For all of us, the backup application is running fine without SEP, so... do we need to change antivirus provider?



  • 6.  RE: [SID: 23737] Attack: Shellcode Download Activity Detected

    Posted Jun 16, 2017 08:53 AM

    Has anyone put in an IPS exclusion for your backup server?



  • 7.  RE: [SID: 23737] Attack: Shellcode Download Activity Detected

    Posted Jun 20, 2017 07:33 AM

    Thank you, Brian, after adding the IP to the IPS exclusion list the backup process was OK.

    Have a nice day!



  • 8.  RE: [SID: 23737] Attack: Shellcode Download Activity Detected

    Posted Jun 20, 2017 09:10 AM

    Update:

    First had this issue last Tuesday, 6/12. Disabled IPS on the affected client for the day to allow Veeam backups to complete. On a lark, re-enabled IPS on the client the next day and all was well again without any further action on my part, so I figured it was a transient problem that had somehow resolved itself.

    Everything was fine up until today, Tuesday, 6/19, when the issue suddenly recurred. Don't know if it's merely a coincidence that this problem popped up on consecutive Tuesdays, but somehow I doubt it.

    Re: adding an exclusion to IPS, how exactly do you do that? It's not an option in my Endpoint Protection policy, nor do I have a discrete IPS policy that I can edit.

    Just out of curiosity, are IPS signatures updated daily? I'm trying to understand how IPS and a backup app would coexist peacefully for six months, then IPS would suddenly object to a backup operation, then be OK with it, then suddenly not again, all on an otherwise stable client.
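A small triage helper for the questions raised in replies 2 and 8 (which remote address is involved, whether the IPS actually blocked it, and how regularly the alert recurs). This is an added example, not code from the thread or from Symantec; the CSV layout, the 10.0.0.0/8 internal range and the 10.0.5.20 backup share are constructed assumptions, not SEP's real log export format.

```python
"""Triage helper for the recurring SEP IPS alert in this thread (SID 23737): group
alerts by remote address, check for a known internal backup target, measure recurrence."""
import csv
import io
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import median

# Constructed sample in a simplified CSV layout; NOT SEP's real log export.
SAMPLE_LOG = """timestamp,sid,remote_ip,action
2017-06-19 23:00:12,23737,10.0.5.20,Blocked
2017-06-19 23:31:45,23737,10.0.5.20,Blocked
2017-06-20 00:01:55,23737,10.0.5.20,Blocked
2017-06-20 00:32:07,23737,10.0.5.20,Blocked
2017-06-20 08:14:03,23737,203.0.113.9,Blocked
"""
INTERNAL_NETS = [ip_network("10.0.0.0/8")]   # hypothetical site address range
BACKUP_TARGETS = {"10.0.5.20"}               # hypothetical CIFS backup share


def parse_events(text):
    """Parse the CSV text into dicts, converting the timestamp column."""
    events = list(csv.DictReader(io.StringIO(text)))
    for ev in events:
        ev["timestamp"] = datetime.strptime(ev["timestamp"], "%Y-%m-%d %H:%M:%S")
    return events


def summarize_by_remote(events, backup_targets, internal_nets):
    """Return {remote_ip: summary}; the verdict is a triage hint, not a decision."""
    by_ip = {}
    for ev in sorted(events, key=lambda e: e["timestamp"]):
        by_ip.setdefault(ev["remote_ip"], []).append(ev)
    summary = {}
    for ip, evs in by_ip.items():
        times = [e["timestamp"] for e in evs]
        gaps = [(b - a).total_seconds() / 60 for a, b in zip(times, times[1:])]
        internal = any(ip_address(ip) in net for net in internal_nets)
        known = ip in backup_targets
        summary[ip] = {
            "count": len(evs),
            "all_blocked": all(e["action"] == "Blocked" for e in evs),
            "median_gap_min": round(median(gaps), 1) if gaps else None,
            "internal": internal,
            "known_backup_target": known,
            # Periodic, blocked alerts against a known internal backup target match
            # the posters' pattern; anything else needs a closer look before exclusion.
            "verdict": "likely backup false positive" if known and internal
                       else "investigate",
        }
    return summary
```

Run it against a real export of the client's Security log (after mapping the columns) and review the "investigate" entries first; an exclusion should only ever cover the specific backup target, not the signature globally.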



  • 9.  RE: [SID: 23737] Attack: Shellcode Download Activity Detected

    Posted Jun 20, 2017 09:34 AM

    Hi WellsM and other stakeholders,

    (That sounds like a SEP IPS event - the best forum for those questions is https://www.symantec.com/connect/security/forums/endpoint-protection-antivirus rather than the Advanced Threat Protection forum.)

    If this is a suspected False Positive, I recommend following the advice in this article:

    Best Practice for Responding to Suspected IPS False Positives in Symantec Endpoint Protection
    http://www.symantec.com/docs/TECH233625

    Please do keep this thread up-to-date with your progress!

     

     



  • 10.  RE: [SID: 23737] Attack: Shellcode Download Activity Detected

    Posted Jun 20, 2017 09:37 AM

    SEP IPS definitions are updated almost every day: new signatures are added, old signatures removed, other signatures tweaked. For a list of recent SUs, see https://www.symantec.com/security_response/securityupdates/list.jsp?fid=sep



  • 11.  RE: [SID: 23737] Attack: Shellcode Download Activity Detected

    Posted Jun 21, 2017 02:16 AM

    Hi Joe, please have a look at the attached screenshot.

    I hope it is useful.



  • 12.  RE: [SID: 23737] Attack: Shellcode Download Activity Detected

    Posted Aug 20, 2017 09:49 PM

    Hi,
    I have the same issue and I am using self-managed SEP. Can I get any IPS exclusion within the self-managed SEP? My Symantec Backup Exec job keeps failing after upgrading from 12.1 to 14.