Endpoint Protection

  • 1.  Unimplemented Trans2 Subcommand

    Posted Nov 13, 2018 12:00 AM

    These warnings have been popping up on the task bar for a few days now. I've looked through the local logs but I'm not seeing any useful info on the local machine.

    Can someone offer some advice on where to look in the logs (or how to configure the logs so I can get more info) so I can sort this out?

    The machine is up to date patch wise. I don't know if this is originating on the local network or is external.



  • 2.  RE: Unimplemented Trans2 Subcommand

    Posted Nov 13, 2018 10:31 AM

    It's the Double Pulsar attack:

    https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=30239

    You'll want to block the traffic.



  • 3.  RE: Unimplemented Trans2 Subcommand

    Posted Nov 14, 2018 12:10 AM

    Thank you, that's what I thought. I'm unsure where to look in the logs to see where it's coming from. If it's on my network I'd like to sort that out before I block the traffic. I've looked at every log on the Endpoint client that is producing the messages, there doesn't appear to be anything that relates to the pop up messages I see in the task bar.

    Every Windows machine on the network is patched with MS17-010.

    Any suggestion on where to look up that log info would be greatly appreciated.



  • 4.  RE: Unimplemented Trans2 Subcommand

    Posted Nov 14, 2018 06:28 AM

    Hi JMcDowell,

    The SEPM IPS logs are where I would start looking.  What's the "Remote Host" listed for those "Unimplemented Trans2 Subcommand" events?

    Two Reasons why IPS is a "Must Have" for your Network
    https://www-secure.symantec.com/connect/articles/two-reasons-why-ips-must-have-your-network

    "Unimplemented Trans2 Subcommand" can be an indication of attempted Double Pulsar-like traffic.  It is also possible to see these from poorly-designed software, I suppose.  I recommend switching this signature from Audit/Log only to "Blocking" unless your investigation reveals that this is in fact some sort of valid SMB traffic for your particular network.
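    The advice above comes down to one triage step: pull the "Remote Host" for every "Unimplemented Trans2 Subcommand" event and decide whether it sits on your own network (a machine to investigate and clean before blocking) or outside it (block at the signature and the perimeter). The script below is an added example, not code from this thread or from Symantec; it assumes an IPS log exported to CSV with columns named `time`, `event`, `remote_host`, `local_host` and `action` (real SEPM exports use different and far more numerous columns, so adjust the field names), and the sample rows are constructed for illustration.

```python
import csv
import io
import ipaddress
from collections import Counter

# Constructed sample export (not real SEP log output). The column layout is an
# assumption; map the names to whatever your SEPM CSV export actually contains.
SAMPLE_IPS_LOG = """\
time,event,remote_host,local_host,action
2018-11-13 09:12:01,Unimplemented Trans2 Subcommand,192.168.1.57,192.168.1.20,Logged
2018-11-13 09:12:04,Unimplemented Trans2 Subcommand,192.168.1.57,192.168.1.20,Logged
2018-11-13 10:40:22,Unimplemented Trans2 Subcommand,203.0.113.9,192.168.1.20,Logged
2018-11-13 11:01:10,Some Other Signature,192.168.1.3,192.168.1.20,Blocked
2018-11-13 11:05:00,Unimplemented Trans2 Subcommand,not-an-ip,192.168.1.20,Logged
"""

SIGNATURE = "Unimplemented Trans2 Subcommand"

# RFC 1918 ranges only. Add any public ranges you own. ipaddress.is_private is
# deliberately not used: it also flags documentation ranges such as 203.0.113.0/24.
INTERNAL_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def classify_host(host):
    """Return 'internal', 'external' or 'unknown' for a remote-host string."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # Hostnames or malformed fields: report them rather than guess.
        return "unknown"
    return "internal" if any(ip in net for net in INTERNAL_NETWORKS) else "external"


def summarize_remote_hosts(log_text, signature=SIGNATURE):
    """Count events per remote host for one signature and tag each host's scope."""
    counts = Counter()
    for row in csv.DictReader(io.StringIO(log_text)):
        if row.get("event") != signature:
            continue
        counts[row["remote_host"]] += 1
    return {
        host: {"count": n, "scope": classify_host(host)}
        for host, n in counts.most_common()
    }


def needs_internal_cleanup(summary):
    """True when at least one source of the signature is on the local network."""
    return any(info["scope"] == "internal" for info in summary.values())


if __name__ == "__main__":
    summary = summarize_remote_hosts(SAMPLE_IPS_LOG)
    for host, info in summary.items():
        print(f"{host:16} {info['scope']:9} {info['count']} event(s)")
    if needs_internal_cleanup(summary):
        print("Internal source present: investigate that host before relying on blocking.")
```

An internal remote host with repeated hits is the case the original poster cared about: it points at a machine on the LAN generating SMB Trans2 requests, which is worth examining before the signature is switched to blocking, since blocking alone would hide the symptom without removing the cause.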



  • 5.  RE: Unimplemented Trans2 Subcommand

    Posted Nov 14, 2018 07:45 AM

    Client security log is generally where these entries are found.