Channel: Symantec Connect - Security

NTP: OS Attack: Microsoft SMB MS17-010 Disclosure Attempt

I do not need a solution (just sharing information)

Hi experts,

The information below was found while I was checking the NTP attack.

It looks like Microsoft SMB MS17-010 is not patched on the machine.

But something that makes me more interested is that the traffic blocked for this application is Avast antivirus, so was the attack actually blocked by Symantec or by Avast?

I believe that this computer may have Avast installed, which I have not verified yet as the machine is located in a different timezone from me.

[Attached screenshot: 2017-06-20 16_29_43-C__Users_loh.chee_.siong_Documents_Symantec NTP_eln057 OS attack SMB ms17-010.png]

I'm sorry for my broken English.

best regards,

Loh


Full IP blocks listed?

I need a solution

Dear Symantec,

It seems that almost our whole AS-number is listed.
The AS-number is as47869.

In particular 94.228.208.0/20, 109.235.48.0/21, 178.239.48.0/20, 31.171.128.0/22, 37.46.192.0/22.
Is it possible to get these delisted, or let us know the exact reason so we can take actions to make sure it gets delisted again?

Thank you in advance.
Kind regards. 


SQL DB migration

I need a solution

How do I change the Symantec SQL Server database from one server to another server?


Webinar June 29, 2017: Advanced Threat Protection for Messaging Gateway

Location: https://www.symantec.com/about/webcasts?commid=259917
Time: Thu, 29 June, 2017 - 10:00 PDT

Symantec has just released new advanced threat protection capabilities for Messaging Gateway 10.6 based on integration with Symantec's Content & Malware Analysis platform. This new advanced threat defense option for Messaging Gateway provides offloading of messages to Content & Malware Analysis for further inspection and comprehensive malware detonation. 

Join Symantec product managers from Messaging Gateway and Content & Malware Analysis to see demos of this integration in action, and learn more about how this solution addresses today's latest advanced threats through:

  • Advanced scanning and sandboxing to detect and block malicious files and URLs.
  • In-depth threat analysis and summary dashboard-level visibility. 
  • Threat correlation analysis across Symantec Endpoint Protection, Proxy SG and Messaging Gateway.

Register Now »

Don't miss this great opportunity to speak with the product experts of this combined solution and get your questions answered!


VIP Access client stopped opening on Windows 10

I need a solution

I have the latest version of VIP Access installed on Windows 10. It ran fine for a while. Now when I launch the app, the GUI never opens.

The same problem happens to another person on this forum using Windows 7 Pro (see the link below):

https://www.symantec.com/connect/forums/vip-access...

He solved the problem by stopping the "Intel(R) Dynamic Application Loader Host Interface" service, but it does not work for me.

Any suggestion or advice? Thank you


On demand symantec DLP scanning on Windows Desktop

I need a solution

Is there any way, either a tool or a Symantec DLP API, that can be used to scan a single file or multiple files on demand? I already have the Symantec DLP client deployed on all machines (Windows 7). Something like:

  1. User selects a file
  2. Right click on the file and click "DLP Scan"
  3. The file is scanned against active DLP policies
  4. Output is either Pass or list of failed policies

It doesn't have to be a context menu option; it could be a client application installed on the machine that can then be launched and allow the user to scan the file. Thanks


GUP Wannacry infection - corrupt virus definitions

I need a solution

Hello,

We have a total of 6 branches; every branch has a local server (W2008R2) configured as a GUP in SEPM (12.1.5 RU5) to provide virus definition updates locally.

We noticed one of our sites wasn't receiving updates anymore; the event viewer on the clients showed this log:

Content download to the client failed

Product: SEPC Iron Revocation List 12.1 RU5
Version: MicroDefsB.CurDefs
Language: SymAllLanguages
Moniker: {810D5A61-809F-49c2-BD75-177F0647D2BA}
Sequence: 170618019
Publish Date: zondag 18 juni 2017
Revision: 019
Source: Group Update Provider
Size: 802897 bytes

Running the Symantec diagnostic tool on this client shows Definitions are corrupt.

When connecting to the GUP we noticed this server was affected by the WannaCry ransomware.

We immediately shut down this host (not a critical server) and made another server GUP.

Unfortunately the clients are not able to download new virus definitions; running the diagnostic tool on the clients results in the critical error "SEP 14.0 SDS Definitions are corrupt".

Please advise on how we can proceed in updating these clients.

Thanks.


Difference between Endpoint Protection and Endpoint protection Cloud

I need a solution

hi, 

Sorry if this is a basic question, but it's getting hard to understand from the website and it's difficult to interact with sales reps directly without having a decent understanding.

As the title says, I am a bit unclear about the difference between the two. We had a license for Endpoint Protection (not the cloud) and it is about to expire. Our requirement is simple:

- We have a mix of Windows Professional (not server), Mac and Ubuntu 14.04 laptops.

- We need an antivirus to be running on all of them

- We need ways to disable USB ports, CD drives etc.

I glanced at https://www.symantec.com/content/dam/symantec/docs/data-sheets/endpoint-protection-14-en.pdf and https://www.symantec.com/content/dam/symantec/docs/data-sheets/endpoint-protection-cloud-en.pdf and, sorry to say, got more confused. The cloud version does not include Ubuntu in its supported OS list whereas the non-cloud version has Ubuntu. I was assuming cloud is the later version and will have everything.

Could you please advise on what to go with if the above is the need? I also assume there will be some central console running on a server through which we can manage individual endpoints. Again, someone told me the central console is possible only in the cloud version (could be wrong).

Thanks,

Vikram


messagelabs.com "Connection timed out" from my mail server

I need a solution

Hi,

I'm trying to send an email to a messagelabs.com address but unfortunately it's being rejected. This is from the logs:

Jun 20 12:00:34 melkor postfix/qmgr[780]: 106FF1D4: from=<XXX>, size=1266, nrcpt=1 (queue active)
Jun 20 12:01:04 melkor postfix/smtp[3072]: connect to cluster3.eu.messagelabs.com[85.158.136.35]:25: Connection timed out
Jun 20 12:01:34 melkor postfix/smtp[3072]: connect to cluster3.eu.messagelabs.com[194.106.220.51]:25: Connection timed out
Jun 20 12:02:04 melkor postfix/smtp[3072]: connect to cluster3.eu.messagelabs.com[85.158.139.3]:25: Connection timed out
Jun 20 12:02:34 melkor postfix/smtp[3072]: connect to cluster3.eu.messagelabs.com[85.158.137.35]:25: Connection timed out
Jun 20 12:03:04 melkor postfix/smtp[3072]: connect to cluster3.eu.messagelabs.com[85.158.136.3]:25: Connection timed out
Jun 20 12:03:04 melkor postfix/smtp[3072]: 106FF1D4: to=<XXX>, relay=none, delay=150, delays=0.09/0.01/150/0, dsn=4.4.1, status=deferred (connect to cluster3.eu.messagelabs.com[85.158.136.3]:25: Connection timed out)

The server I am using is a VPS which I know has had spam sent from it in the past (judging by the number of blocklists I had to be removed from), but it should be clean now. Could someone have a look?

This is my server:
melkor.jcowgill.uk.   2209  IN  A     185.145.46.63
melkor.jcowgill.uk.   3156  IN  AAAA  2a07:4580:b0d:7b9::1

Thanks,
James


DLP Agent 14.6.1 Windows IS.ead file not being updated

I need a solution

Hi Everyone,

I noticed on my machine that the IS.ead file is not updating. This file is supposed to update whenever an incident is generated. CG.ead and ps.ead are all up to date and working. I am not able to generate an incident in DLP. What may be causing this?

The logs do not say much and it is working on 32bit VDI Windows machine, but not my 64bit Windows 7 machine...

Any ideas?


Cannot upgrade SEPM 14 MP1 to MP2

I need a solution

I tried to upgrade SEPM 14 MP1 to MP2 but it rolled back. Then I backed up all settings and uninstalled all products with the CleanWipe tool; after that I tried to reinstall but it kept rolling back, so I tried to install other versions like SEPM 14 or MP1 but the result is the same. I have attached SEPM_INST.log. Please help.

My system is Windows 2008 R2 Standard x64.


SMTP monitoring

I need a solution

Hi Guys,

I am configuring new DLP policies to block sharing of confidential information via mail using endpoint monitoring of Outlook. The environment already has existing policies that are monitoring and regulating movement of data via mail in Outlook through the endpoint. The new policies, however, are not detecting any incidents via mail in Outlook even though we have tried to simulate the incidents. Plus, I am using the same response rules and agent configurations that the current functional policies are riding on. What other features could I consider to solve this issue?


Support Perspective: TheShadowBrokers and Equation Tools


IMPORTANT: As of June 20th this page is still being updated with additional coverage information. It should be considered a "Work in Progress".

In April 2017, an attack group calling itself TheShadowBrokers released a trove of data it claims to have stolen from the Equation cyberespionage group. The data contains a range of exploits and tools the attack group states were used by Equation. TheShadowBrokers said that the data dump was a sample of what had been stolen by hacking Equation and that the “best” files would be auctioned off to the highest bidder.

The Equation group has been known for some time and uses highly advanced malware tools to target organizations in a range of countries. The group is technically competent and well resourced, using highly developed malware tools that go to great lengths to evade detection.
TheShadowBrokers has released this data in a series of dumps.

Symantec Security Response often has coverage for these vulnerabilities and tools well in advance of disclosure, but in an effort to make the coverage more readable these signatures are renamed to reflect the events they are associated with.

Lost In Translation
On April 14, 2017 TheShadowBrokers released a collection of files containing exploits and hacking tools targeting Microsoft Windows.
Later that week Microsoft published a blog post stating that most of the exploits disclosed in this dump correspond to vulnerabilities that are already patched in its supported products.

Exploit Name | CVE | Targeted Service | IPS Signature Name | AV Signature Name | AV Signature Date
ETERNALROMANCE-1.3.0 | CVE-2017-0144 | Microsoft Windows SMBv1 Service | Sig ID: 30010 (OS Attack: Microsoft Windows SMB RCE CVE-2017-0144); Sig ID: 21179 (OS Attack: Microsoft Windows SMB Remote Code Execution 3); Sig ID: 23737 (Attack: Shellcode Download Activity); Sig ID: 22534 (System Infected: Malicious Payload Activity 9); Sig ID: 23862 (OS Attack: Microsoft Windows SMB Remote Code Execution); Sig ID: 23875 (OS Attack: Microsoft SMB MS17-010 Disclosure Attempt) | Hacktool | 20170414.021
ETERNALROMANCE-1.4.0 | CVE-2017-0145 | Microsoft Windows SMBv1 Service | Sig ID: 21179 (OS Attack: Microsoft Windows SMB Remote Code Execution 3); Sig ID: 23737 (Attack: Shellcode Download Activity); Sig ID: 22534 (System Infected: Malicious Payload Activity 9); Sig ID: 23862 (OS Attack: Microsoft Windows SMB Remote Code Execution); Sig ID: 23875 (OS Attack: Microsoft SMB MS17-010 Disclosure Attempt) | Hacktool | 20170414.021
ETERNALSYNERGY | CVE-2017-0714 | Microsoft Windows SMBv3 Service | Sig ID: 30018 (OS Attack: MSRPC Remote Management Interface Bind) | Hacktool | 20170414.021
ETERNALBLUE | CVE-2017-0143 | Microsoft Windows SMBv1 Service | Sig ID: 21179 (OS Attack: Microsoft Windows SMB Remote Code Execution 3); Sig ID: 22534 (System Infected: Malicious Payload Activity 9); Sig ID: 23737 (Attack: Shellcode Download Activity); Sig ID: 23862 (OS Attack: Microsoft Windows SMB Remote Code Execution); Sig ID: 23875 (OS Attack: Microsoft SMB MS17-010 Disclosure Attempt) | Hacktool | 20170414.021
ETERNALCHAMPION | CVE-2017-0146, CVE-2017-0147, CVE-2017-0148 | Microsoft Windows SMBv1 Service | Sig ID: 23624 (OS Attack: Microsoft Windows SMB Remote Code Execution 2); Sig ID: 21179 (OS Attack: Microsoft Windows SMB Remote Code Execution 3); Sig ID: 22534 (System Infected: Malicious Payload Activity 9); Sig ID: 23737 (Attack: Shellcode Download Activity); Sig ID: 23862 (OS Attack: Microsoft Windows SMB Remote Code Execution); Sig ID: 23875 (OS Attack: Microsoft SMB MS17-010 Disclosure Attempt) | Hacktool | 20170414.021
ECLIPSEDWING | CVE-2008-4250 | Microsoft Windows Server Service | Sig ID: 23179 (OS Attack: MSRPC Server Service RPC CVE-2008-4250); Sig ID: 23180 (OS Attack: MSRPC Server Service RPC CVE-2008-4250 2) | Hacktool | 20170414.020
EDUCATEDSCHOLAR | CVE-2009-2526 | Microsoft Windows SMBv2 Service | Sig ID: 23497 (OS Attack: MS SMB2 Validate Provider Callback CVE-2009-3103) | Hacktool | 20170414.020
EMERALDTHREAD | CVE-2010-2729 | Microsoft Windows Print Service | Sig ID: 23897 (Attack: Windows Spooler Service CVE-2010-2729) | Hacktool | 20170414.020
ESKIMOROLL | CVE-2014-6324 | Microsoft Windows Kerberos KDC | No Signature Available | Hacktool | 20170414.021
EASYBEE | CVE-2007-1675 | MDaemon | Sig ID: 30015 (Attack: MDaemon WorldClient Attack) | Hacktool | 20170414.020
ENGLISHMANDENTIST | CVE-2009-0099 (based on SID) | Microsoft Outlook Exchange Web Access | Sig ID: 30014 (Attack: MS Exchange Server RCE) | Hacktool | 20170414.020
EXPLODINGCAN | CVE-2017-7269 | Microsoft Windows Server WebDav Service | Sig ID: 29071 (Web Attack: IIS Server CVE-2017-7269) | Hacktool | 20170414.021
EMPHASISMINE-3.4.0 | CVE-2017-1274 | IBM Domino | No Signature Available | Hacktool | 20170414.020
EWOKFRENZY-2.0.0 | CVE-2007-1675 | IBM Domino | Sig ID: 21710 (HTTP MDaemon IMAP Server Auth BO; not available in SEP, only DCS) | Hacktool | 20170414.021

Don't Forget Your Base
On April 8th another missive from TheShadowBrokers contained a further large batch of files. These are mostly characterised as tools and scripts, as opposed to the vulnerabilities seen in the Lost in Translation dump. Additionally, items like scripts are easily customized and altered to impact different targets and to avoid static detection.

All coverage information is based on the virus definitions available as of June 20, 2017.

Tool | Summary | AV coverage
CHARMHAMMER | application/x-executable | Hacktool.Equation
CHARMPENGUIN | application/x-executable | Hacktool.Equation
CHARMRAZOR | application/x-executable | Hacktool.Equation
CONSTANTMOVE | text/plain, not malicious | n/a
CRYPTTOOL | Under Investigation | Under Investigation
CURSEBINGO | application/x-executable | Hacktool.Equation
CURSEBONGO | application/x-executable | Hacktool.Equation
CURSECHICKEN | application/x-executable | Hacktool.Equation
CURSECLASH | application/x-executable | Hacktool.Equation
CURSEDEVO | application/x-executable | Hacktool.Equation
CURSEFIRE | application/x-executable | Hacktool.Equation
CURSEFLOWER | application/x-dosexec | Hacktool.Equation
CURSEGISMO | application/x-executable | Hacktool.Equation
CURSEHAPPY | application/x-dosexec | Hacktool.Equation
CURSEHELPER | application/x-dosexec | Hacktool.Equation
CURSEHOLE | application/octet-stream | Hacktool.Equation
CURSEHUMMER | application/octet-stream | Hacktool.Equation
CURSEHYDRANT | application/octet-stream | Hacktool.Equation
CURSEJOKER | application/octet-stream | Hacktool.Equation
CURSEKETTLE | application/x-executable | Hacktool.Equation
CURSEKILN | application/x-executable | Hacktool.Equation
CURSELION | application/octet-stream | Hacktool.Equation
CURSEMAGIC | application/octet-stream | Hacktool.Equation
CURSENAG | application/x-executable | Hacktool.Equation
CURSEQUAKE | application/x-executable | Hacktool.Equation
CURSERAZOR | application/x-dosexec | Hacktool.Equation
CURSEROOT | application/octet-stream | Hacktool.Equation
CURSESALSA | application/octet-stream | Hacktool.Equation
CURSESLEEPY | application/x-dosexec | Hacktool
CURSETAILS | application/octet-stream | Hacktool.Equation
CURSETINGLE | application/octet-stream | Hacktool.Equation
CURSEWHAM | application/x-executable | Hacktool.Equation
CURSEYO | application/x-dosexec | Backdoor.Equation
CURSEZINGER | application/x-dosexec | Hacktool.Equation
DAIRYFARM | text/plain, not malicious | n/a
DEWDROP | mixed | Under Investigation
DITTOCLASS | text/plain, not malicious | n/a
DRAFTBAGGER | text/plain, not malicious | n/a
DUBMOAT | mixed | Under Investigation
EARLYSHOVEL | mixed | Under Investigation
EBBISLAND | application/x-executable | Hacktool
EBBSSHAVE | application/x-executable | Hacktool
ECHODOLPHIN | text/plain, not malicious | n/a
EGGBARON | text/plain, not malicious | n/a
ELATEDMONKEY | text/x-shellscript | Trojan.Malscript
ELECTRICSLIDE | application/x-executable, text/x-perl | Trojan.Malscript, Linux.Trojan
ELEGANTEAGLE | Malicious Python scripts, implants | Trojan.Malscript, Linux.Trojan
ELGINGAMBLE | application/x-executable | Hacktool
ELIDESKEW | text/plain - No samples | Not malicious
ENDLESSDONUT | text/x-python | Hacktool
ENEMYRUN | application/x-executable | Hacktool
ENGLANDBOGY | text/plain - No samples | Not malicious
ENSA | text/plain - No samples | Not malicious
ENTERSEED | text/x-python | Hacktool
ENTRYMANOR | text/plain - No samples | Not malicious
ENVISIONCOLLISION | text/x-perl | Trojan.Malscript
EPICHERO | application/x-executable | Linux.Cheepori
EXCELBERWICK | text/plain - No samples | Not malicious
EXPITATEZEKE | text/plain - No samples | Not malicious
EXTREMEPARR | text/plain - No samples | Not malicious
JACKPOP | text/x-perl | Trojan.Malscript
MAGICJACK | text/x-python | Linux.Magicjack
MYSTICTUNNELS | Under Investigation | Under Investigation
ORLEANSTRIDE | application/x-executable | Hacktool.Equation
POPTOP | text/plain - No samples | Not malicious
PORK | application/x-executable | Hacktool
SECONDDATE | application/x-executable | Hacktool
SHENTYSDELIGHT | application/x-executable | Hacktool
SICKLESTAR | text/plain - No samples | Not malicious
SKIMCOUNTRY | application/x-executable | Hacktool.Equation
SLYHERETIC | Under Investigation | Under Investigation
STOICSURGEON | application/x-executable | Hacktool.Equation
STRIFEWORLD | application/x-executable | Hacktool.Equation
SUAVEEYFUL | application/x-bzip2 | Under Investigation
SUCTIONCHAR | application/x-executable | Hacktool.Equation
VIOLETSPIRIT | application/x-executable | Under Investigation
WATCHER | application/x-executable | Hacktool.Equation
YELLOWSPIRIT | text/plain - No samples | Not malicious

How to block McAfee Security Scan Plus from Installing

I need a solution

I am running Symantec Endpoint Protection Enterprise Version 14 and would like to know how I can block McAfee Security Scan Plus from installing when someone tries to download and run it, or when it comes bundled with Adobe Flash Player updates.

How do I set up the rule?

Tim


SEP SBE Cloud exclusion support for environment variables


Request: Add support for environment variables in exclusions.

Use case: Resources with variable pathing based on environmental variables are difficult to exclude.  As an example resources stored under "%USERPROFILE%\Application\Extensions" would require a static exception for every user in the environment which needs their Extensions folder excluded.


SEP SBE Cloud Custom Exclusions Path Macro support for %USERPROFILE% environment variable


Request: Add support for %USERPROFILE% environment variable to Custom Exclusions Path Macro.

Use Case: Current Path Macros focus on all user pathing but do not provide coverage for per user pathing.  It is difficult to exclude common resources used by many users which are stored under per user pathing.

Ability to Select Multiple Selection for Computer Mode/ User Mode Conversion


Currently, you cannot select multiple workstations if you convert it from Computer Mode to User Mode or vice versa.

CCS license for trialware

I need a solution

Hello,

I am trying to install Symantec CCS with trialware. How can I get a license for a trialware installation?

Thanks

Zaw


In case of Email Outbreak for same subject or same attachment name; block emails going to internet

Method to block emails going outside the organization in case of an email outbreak. Organizations want to block outgoing emails to avoid the domain being blacklisted by the ISP as a result of the outbreak.

Problem Statement:

Organizations want to block outbound emails leaving the organization when an outbreak is triggered while still allowing inbound email. This is required to avoid the email domain being blacklisted by the ISP due to an email outbreak with the same subject or attachment.

As SMSMSE has no way to split a message's recipients into external and internal and block only the outgoing copies, we can resolve this by leveraging the Exchange transport rule capability in combination with SMSMSE outbreak management and a Content Filter (CF) rule.

Steps to apply the solution:

When an outbreak is triggered, for example on the same attachment name, the attachment name is added to the match list “Outbreak Triggered Attachment Names”.

  1. Here we have enabled the Outbreak rule to update the match list. [Screenshot: 1.png]
  2. Enable the CF rule “Quarantine Triggered Attachment Names” for outbound emails only. [Screenshot: 2.png]
  3. Select the action “Log Only” with “Add X-header(s)” as shown. [Screenshot: 3.png]

Now we have to create the Exchange transport rule to block outbound emails (emails going out to the internet) using the X-header value above.

4. Open Exchange Management Shell and run the following command.

New-TransportRule -Name SMSMSEOutbreakManagement -SentToScope:NotInOrganization -HeaderContainsMessageHeader "X-SymOutbreak" -HeaderContainsWords "Outbreak" -RejectMessageReasonText "Rejected as a result of outbreak"

In the Exchange Control Panel the rule looks like the image below.

[Screenshot: 4.png]

Now the entire system is ready to handle the outbreak and in turn block emails carrying the outbreak terms from going outside the organization.

An NDR is sent to the sending user when an outgoing email is sent with an outbreak-triggered term.

[Screenshot: 6.png]

Here there is no limitation on having both internal and external recipients in the To field: Exchange takes care of blocking only the external recipients using the transport rule we created in step 4.

Work Flow:

For example, an outbreak is configured for Same Attachment Name.

  1. An outbreak is triggered for the same attachment name.
  2. As configured, Outbreak Manager updates the match list “Outbreak Triggered Attachment Names”.
  3. For further emails sent to outside recipients with the same attachment name, the CF rule “Quarantine Triggered Attachment Names” adds the X-header “X-SymOutbreak: Outbreak”.
  4. The Exchange transport rule “SMSMSEOutbreakManagement” blocks the emails going to the outside world.

For subjects, use the “Quarantine Triggered Subjects” CF rule with a configuration similar to “Quarantine Triggered Attachment Names”.

Example: [Screenshot: 5.png]
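The transport rule in step 4 is the control that actually stops the outbreak mail, so it is worth creating it in a repeatable way and checking that what exists on the server matches the design (external recipients only, keyed on the SMSMSE header, with a reject action rather than a log). The PowerShell below is an added example and is not part of the original article or of SMSMSE or Exchange documentation. It assumes it is run inside the Exchange Management Shell on Exchange 2013 or later (the -Mode and -RejectMessageEnhancedStatusCode parameters), and that the SMSMSE CF rule stamps "X-SymOutbreak: Outbreak" exactly as described above; the rule name, header name, header value and reject text are the article's own.

```powershell
# Added example, not from the original article: create the step-4 transport rule
# idempotently, verify the settings that matter for the outbreak flow, and start
# in audit mode so the rule can be watched before it rejects real mail.
# Assumptions: Exchange Management Shell session; Exchange 2013 or later
# (for -Mode and -RejectMessageEnhancedStatusCode); the SMSMSE Content Filter
# rule adds the header "X-SymOutbreak: Outbreak" to outbreak messages.

$RuleName    = 'SMSMSEOutbreakManagement'
$HeaderName  = 'X-SymOutbreak'
$HeaderValue = 'Outbreak'
$RejectText  = 'Rejected as a result of outbreak'

# Create the rule only if it does not already exist, so the script can be re-run safely.
$rule = Get-TransportRule -Identity $RuleName -ErrorAction SilentlyContinue
if (-not $rule) {
    $rule = New-TransportRule -Name $RuleName `
        -SentToScope NotInOrganization `
        -HeaderContainsMessageHeader $HeaderName `
        -HeaderContainsWords $HeaderValue `
        -RejectMessageReasonText $RejectText `
        -RejectMessageEnhancedStatusCode '5.7.1' `
        -Mode Audit `
        -Comments 'Blocks outbound mail stamped by the SMSMSE outbreak Content Filter rule'
}

# Verify the rule as it exists on the server, not as we think we created it:
# scope must be external recipients only, the condition must key on the SMSMSE
# header, and the action must be a reject (an NDR back to the internal sender).
$words  = @($rule.HeaderContainsWords | ForEach-Object { "$_" })
$checks = [ordered]@{
    'Scope limited to recipients outside the organization' = ($rule.SentToScope -eq 'NotInOrganization')
    'Condition keyed on the SMSMSE header name'            = ($rule.HeaderContainsMessageHeader -eq $HeaderName)
    'Condition keyed on the outbreak marker value'         = ($words -contains $HeaderValue)
    'Reject reason text set'                               = ($rule.RejectMessageReasonText -eq $RejectText)
    'Rule is enabled'                                      = ($rule.State -eq 'Enabled')
}
foreach ($check in $checks.GetEnumerator()) {
    $status = if ($check.Value) { 'OK  ' } else { 'FAIL' }
    Write-Output ("[{0}] {1}" -f $status, $check.Key)
}
Write-Output ("Rule mode: {0} (switch to Enforce once audit results look right)" -f $rule.Mode)

# Once a simulated outbreak message has been seen to match in audit mode,
# turn on enforcement so external copies are rejected:
# Set-TransportRule -Identity $RuleName -Mode Enforce
```

Starting in Audit mode is a deliberate difference from the one-line command in step 4: it lets you confirm that the header-based condition matches only the outbreak traffic before any outbound mail is rejected, and the enforcement switch at the end is a single cmdlet.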

troubles with IPS updates

I need a solution

After upgrading from 14 MP1 to 14 MP2, both of my SEPM servers can't download/update IPS signatures automatically. There are warnings with ID 7201 in the event log with "Size(in bytes):-1" in the event text. All other definitions are updated correctly.

If I download the JDB file for IPS manually, the update works OK.

What do you think I could do about it?

Thanks.
