Endpoint Protection

  • 1.  Web Attack: Exploit Kit Variant Activity 2

    Posted Jun 23, 2011 11:00 PM

    Hello,

    We have Symantec Endpoint Protection 11.0.6100.645 installed on our staff's computers; "Network Threat Protection" is enabled.

    We have a Mantis (http://www.mantisbt.org/) setup on our web server in the US for task tracking purposes; I believe Mantis uses PHP as its scripting language.

    Recently, when we browse to this Mantis site, Endpoint shows a warning "Traffic from IP [web server IP] is blocked from [current time] to [5 mins later]. [SID: 24141] Web Attack: Exploit Kit Variant Activity 2 detected", so the user isn't able to use the site.

    If "Network Threat Protection" is disabled, then there is no problem at all.

    Please note that this only started happening recently; no changes were made to our web host server. I wonder if the recent network threat definitions may have created this false alarm.

    Please help.

    Thanks so much



  • 2.  RE: Web Attack: Exploit Kit Variant Activity 2

    Posted Jun 23, 2011 11:52 PM

    Hi 

    Check whether you can create a centralized exception for the program or application. It is a temporary solution.

    Go to this website: https://submit.symantec.com/false_positive/

    Select the appropriate option on the website and fill in the web submission form.

    They will clear the issue for you. The Symantec Security Response team will analyze and clear it.



  • 3.  RE: Web Attack: Exploit Kit Variant Activity 2

    Posted Jun 23, 2011 11:53 PM

    Check this KB article: http://www.symantec.com/docs/TECH132220 .



  • 4.  RE: Web Attack: Exploit Kit Variant Activity 2

    Posted Jun 24, 2011 12:05 AM


  • 5.  RE: Web Attack: Exploit Kit Variant Activity 2

    Posted Jun 24, 2011 10:00 AM

    Hi Jhuang,

    If this is a suspected False Positive that you would like Symantec to investigate, please do perform a network capture (generate a .pcap file) of the traffic which is triggering the detection. Please capture one with the firewall turned on and one with the firewall turned off. These will be crucial to confirming whether or not this is a legitimate detection or a False Positive.

    Thanks and best regards,

    Mick



  • 6.  RE: Web Attack: Exploit Kit Variant Activity 2
    Best Answer

    Posted Jun 25, 2011 08:59 AM

    Hi,

    there are three possible explanations:

    1) the web server is running a potential risk not related to Mantis

    2) Mantis is doing potential malicious activities (without your awareness)

    3) Mantis is doing potential malicious activities (with your awareness)

    4) SEP is getting a false positive

    Exceptions cannot be suggested without identifying your case.

    To narrow down your issue to one of the above cases:

    1) analyze risk logs and network traffic (as per Mick's suggestion) to identify the source port of the attack and the process behind it; if it is not Mantis, submit the potential threat to Symantec Security Response for analysis and definitions

    2) if Mantis is recognized to be the source of the attack, review its documentation or contact its support to verify whether it is expected behavior or not; if it is not expected, Mantis's vendor has to fix it

    3) if Mantis is the source of the attack and it is a known and accepted behavior, you need to create the related IPS exception

    4) if Mantis is the source of the attack but it is suspected that SEP is misunderstanding its behavior, you can create a temporary exception and engage Symantec for a potential false positive.
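The two captures Mick asks for (firewall on, firewall off) and step 1 of the best answer (read the source port and host out of the traffic, then map the port to a process on the server) can be worked offline before anything is submitted. The script below is an added example written for this thread, not code from Symantec, Mantis or any poster. It reads a libpcap file as written by tcpdump or Wireshark (`tcpdump -i eth0 -w firewall_on.pcap host <web server IP>` on the client, then the same with Network Threat Protection disabled), keeps only the TCP segments the web server sent to the client, and groups them by server port and client socket. The IP addresses, port numbers and the HTTP payloads in `SAMPLE_PCAP` are constructed for the demonstration; nothing in it is taken from the SID 24141 signature, whose match criteria are not in the thread.

```python
"""Offline triage of a packet capture around a SEP IPS hit.

Added example (not from the thread, Symantec or Mantis): parse a libpcap
file, keep TCP segments sent by the web server, and group them so the
server port behind the block can be read off and then matched to a
listening process on that server (netstat -tlnp / lsof -i on Linux).
"""
import struct
from collections import defaultdict

PCAP_MAGIC_LE = 0xA1B2C3D4
PCAP_MAGIC_BE = 0xD4C3B2A1
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def _ip(dotted):
    return bytes(int(o) for o in dotted.split("."))


def build_frame(src_ip, sport, dst_ip, dport, payload):
    """Constructed Ethernet/IPv4/TCP frame for the sample capture below.
    Checksums are left zero: this data is only parsed, never transmitted."""
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18,
                      65535, 0, 0) + payload            # PSH+ACK, no options
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64,
                     IPPROTO_TCP, 0, _ip(src_ip), _ip(dst_ip))
    return eth + ip + tcp


def build_pcap(frames):
    """Wrap frames in a little-endian libpcap 2.4 file (constructed data)."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535,
                      LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1308880000 + i, 0, len(frame), len(frame))
        out += frame
    return out


def decode_frame(frame):
    """(src_ip, sport, dst_ip, dport, payload) for TCP over IPv4 over
    Ethernet; None for anything else (ARP, UDP, IPv6, truncated)."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != IPPROTO_TCP or len(ip) < ihl + 20:
        return None
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:]
    sport, dport = struct.unpack_from("!HH", tcp, 0)
    data_off = (tcp[12] >> 4) * 4
    return src, sport, dst, dport, tcp[data_off:]


def read_pcap(data):
    """Yield decoded TCP packets from libpcap bytes (either byte order)."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == PCAP_MAGIC_BE:
        endian = ">"
    else:
        raise ValueError("not a libpcap file (pcapng is not handled here)")
    if struct.unpack_from(endian + "I", data, 20)[0] != LINKTYPE_ETHERNET:
        raise ValueError("only the Ethernet link type is handled")
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        pkt = decode_frame(data[off:off + incl_len])
        off += incl_len
        if pkt:
            yield pkt


def server_flows(data, server_ip):
    """Segments sent *by* server_ip, keyed (server_port, client_ip,
    client_port) -> {'packets', 'bytes', 'first_payload'}. Run it on the
    firewall-on and firewall-off captures and diff the keys: the server
    port whose flow is cut short is the one SEP is blocking."""
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0, "first_payload": b""})
    for src, sport, dst, dport, payload in read_pcap(data):
        if src != server_ip:
            continue
        f = flows[(sport, dst, dport)]
        if f["packets"] == 0:
            f["first_payload"] = payload[:48]
        f["packets"] += 1
        f["bytes"] += len(payload)
    return dict(flows)


# Constructed sample: one Mantis page fetch plus unrelated TLS traffic.
SERVER, CLIENT, OTHER = "203.0.113.10", "192.0.2.25", "198.51.100.7"
SAMPLE_PCAP = build_pcap([
    build_frame(CLIENT, 51514, SERVER, 80,
                b"GET /mantis/view_all_bug_page.php HTTP/1.1\r\nHost: mantis.example\r\n\r\n"),
    build_frame(SERVER, 80, CLIENT, 51514,
                b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html><head>"),
    build_frame(SERVER, 80, CLIENT, 51514,
                b"<script src=\"/mantis/javascript/common.js\"></script></head>"),
    build_frame(OTHER, 443, CLIENT, 51530, b"\x16\x03\x01\x00\x05hello"),
])

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PCAP
    server = sys.argv[2] if len(sys.argv) > 2 else SERVER
    for key, f in sorted(server_flows(data, server).items()):
        print(key, f["packets"], "segments", f["bytes"], "bytes", f["first_payload"][:24])
```

Usage: `python triage.py firewall_off.pcap 203.0.113.10`, then the same on the firewall-on file. With the server port in hand, `netstat -tlnp` or `lsof -i :<port>` on the web server names the process, which is what decides between the best answer's four cases (a non-Mantis process on the box versus Mantis itself). Only classic libpcap is parsed; save from Wireshark as "pcap", not pcapng.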