Endpoint Protection


Unimplemented Trans2 Subcommand attack detected but not blocked. Application path: SYSTEM

  • 1.  Unimplemented Trans2 Subcommand attack detected but not blocked. Application path: SYSTEM

    Posted Apr 26, 2018 02:02 AM

    Dear All,

     

    Today we have received the IPS signature traffic [SID: 30239] Audit: Unimplemented Trans2 Subcommand attack detected but not blocked. Application path: SYSTEM. This traffic is outbound traffic initiated from the workstation towards the Windows Server 2003.

    The same alert was triggered two days back. We isolated the machine from the network and installed the MS17-010 patch on that workstation. We checked the SymDiag logs; no threat detections were found. But again the same traffic was detected in our environment for the same machine.

    I am quite sure that the mentioned signature is, by default, allowed in our SEPM IPS policy.

     

    As per the Symantec link below, the severity level for the mentioned signature is low. But we need to investigate why that workstation triggered this traffic. Totally confused. Can anyone help on the same?

     

    https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=30239

     

    Thanks in advance



  • 2.  RE: Unimplemented Trans2 Subcommand attack detected but not blocked. Application path: SYSTEM

    Posted Apr 26, 2018 06:58 AM

    Hi S.R.V.Ramanan,

    Thanks for the post.  That is an Audit signature, designed to let admins know that questionable traffic is in the network.  I recommend changing that from the default "Log Only" to "Blocking," as this one is often seen when threats or intruders are trying to make use of the EternalBlue exploit. 

    IPS responds to traffic that meets its criteria.  SEP does not stop, consider whether the computer is vulnerable to an attempted exploit, and then let the attempt through because of an OK patch level. It sounds like other machines in your network might be infected and unpatched, and that they're trying to spread. IPS will keep protecting you, but find the root of the suspicious traffic and fix it.

    Hope this helps!  Please keep this thread up-to-date with your progress.

     



  • 3.  RE: Unimplemented Trans2 Subcommand attack detected but not blocked. Application path: SYSTEM

    Posted Apr 26, 2018 10:31 AM

    Good Day Mick,

     

    Thank you for your valuable post, Mick. I have opened a case with Symantec and got the confirmation that the signature won't impact the environment.

    But I really need to dig into why this alert has been triggered.

     

    Please correct me if my understanding is wrong.

    1)  That is an Audit signature, designed to let admins know that questionable traffic is in the network. 

    It means that Symantec Endpoint Protection has the capability to check traffic inside the network and find out which machines are vulnerable in the environment.




  • 4.  RE: Unimplemented Trans2 Subcommand attack detected but not blocked. Application path: SYSTEM

    Posted Apr 26, 2018 10:40 AM

    SEP IPS is host based, meaning it only sees traffic to/from the host where it's installed. It can't see traffic network-wide.



  • 5.  RE: Unimplemented Trans2 Subcommand attack detected but not blocked. Application path: SYSTEM
    Best Answer

    Posted Apr 27, 2018 06:04 AM

    A lot of network management is knowing what is normal and what is not in an environment.  Audit signatures are helpful, raising attention about traffic that is not necessarily malicious, but may be abnormal and unwanted. 

    For example: Tor is a legitimate tool; its traffic is not inherently dangerous.  However, admins might not want it used in their networks.  Audit signatures for Tor will let them know that someone has installed and is using it.  They can then go block that if they wish, or ignore it.

    "Unimplemented Trans2 Subcommand" indicates that there is either poorly-designed software communicating in the network or something malicious is going on.  Admins should take action if they do not recognize where this traffic is coming from.

     



  • 6.  RE: Unimplemented Trans2 Subcommand attack detected but not blocked. Application path: SYSTEM

    Posted Apr 27, 2018 06:21 AM

    Hi S.R.V.Ramanan,

    Just a ping to see if you had any additional questions?  The thread is still marked "needs solution."



  • 7.  RE: Unimplemented Trans2 Subcommand attack detected but not blocked. Application path: SYSTEM

    Posted Apr 27, 2018 10:44 AM

    Hi Mick,

     

    Again, traffic has been generated from another workstation to one more server. As suggested by Symantec, I have checked the NTP and PTP logs; nothing was found. But that workstation is not patched with MS17-010. We have installed the patch, and after that no detections were found.

    Since many machines are not properly patched, we are getting this kind of detection.

     

    Thank you so much for giving me clarity about this signature.

    So if this signature is triggered again:

    1) Check that both machines are patched with MS17-010.

    2) Check whether any poorly designed software is being used on the affected workstation.

    3) Maybe it is a false alarm.
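A triage script for the plan of action above, added here as an example (it is not from the thread, from Symantec, or part of SEP): it groups SID 30239 audit hits by the reporting host, joins them to a patch inventory, and decides the follow-up per host. The SEPM export column layout, the host names, the second SID 11111 and the inventory are all constructed for illustration.

```python
import csv
import io
from collections import defaultdict

SID_TRANS2_AUDIT = "30239"  # the audit signature discussed in the thread

# Constructed SEPM IPS export (hypothetical column layout, not the real SEPM schema).
SAMPLE_EVENTS = """\
time,sid,local_host,remote_host,direction,action
2018-04-26 01:55:12,30239,WS-0142,FILESRV-2003,outbound,logged
2018-04-26 01:55:13,30239,WS-0142,FILESRV-2003,outbound,logged
2018-04-27 09:40:02,30239,WS-0207,APPSRV-01,outbound,logged
2018-04-27 09:41:30,11111,WS-0207,APPSRV-01,outbound,blocked
"""

# Constructed patch inventory: host -> MS17-010 installed?
SAMPLE_INVENTORY = {
    "WS-0142": False, "WS-0207": True, "FILESRV-2003": False, "APPSRV-01": True,
}

def triage(events_csv, inventory):
    """Group SID 30239 hits by the host that reported them and pick a follow-up.

    Returns {source_host: {"hits", "targets", "patched", "unpatched_targets", "action"}}.
    Hosts missing from the inventory are treated as unpatched (unknown counts as risk).
    """
    by_source = defaultdict(lambda: {"hits": 0, "targets": set()})
    for row in csv.DictReader(io.StringIO(events_csv)):
        if row["sid"] != SID_TRANS2_AUDIT:
            continue  # other signatures are out of scope for this triage
        entry = by_source[row["local_host"]]
        entry["hits"] += 1
        entry["targets"].add(row["remote_host"])

    report = {}
    for src, entry in by_source.items():
        patched = inventory.get(src, False)
        unpatched_targets = sorted(t for t in entry["targets"] if not inventory.get(t, False))
        if not patched:
            action = "isolate, apply MS17-010, run a full scan"  # source may be infected
        elif entry["hits"] > 1:
            action = "patched source keeps sending Trans2: identify the process/software"
        else:
            action = "single hit on patched host: verify and monitor"
        report[src] = {"hits": entry["hits"], "targets": sorted(entry["targets"]),
                       "patched": patched, "unpatched_targets": unpatched_targets,
                       "action": action}
    return report

if __name__ == "__main__":
    for host, info in triage(SAMPLE_EVENTS, SAMPLE_INVENTORY).items():
        print(host, info)
```

Because SEP IPS is host based (post 4), the reporting host is the source of the outbound SMB traffic, so the unpatched-target list is only a hint for where to patch next, not evidence of compromise there.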



  • 8.  RE: Unimplemented Trans2 Subcommand attack detected but not blocked. Application path: SYSTEM

    Posted Apr 27, 2018 11:07 AM

    That sounds like a good plan of action.  Definitely do not dismiss these as a false alarm: take action to ensure all patches are applied and any unusual network traffic is investigated.



  • 9.  RE: Unimplemented Trans2 Subcommand attack detected but not blocked. Application path: SYSTEM

    Posted May 01, 2018 09:07 AM

    Hi again S.R.V.Ramanan,

    Just a ping to see if you had any additional questions?  The thread is still marked "needs solution."



  • 10.  RE: Unimplemented Trans2 Subcommand attack detected but not blocked. Application path: SYSTEM

    Posted May 03, 2018 03:36 AM

    Hi Mick,

     

    I need one more clarification. In your previous comments you mentioned: "That is an Audit signature, designed to let admins know that questionable traffic

     

    Does admin mean SEPM or SEP?