Endpoint Protection

  • 1.  Multiple attacks showing in SEPM

    Posted Apr 05, 2011 04:11 PM

    We are using SEPM 11.0.6. We have a server that is continually being attacked. We understand that Symantec is doing its job and blocking the attack, but is there any way to get it to stop happening?

    We're going on 5 straight days of attacks. It would've been more, but we shut the server down over the weekend.

    It seems to be the same 4 attacks over and over with different IP addresses: OS Attack: MS Windows Server Service RPC Handling CVE-2008-4250, OS Attack: MS Windows Server Service NetAPI CVE-2006-3439, OS Attack: MS RPCSS Attack CVE-2004-0116 2, and SMB Guest Login.

    We tried to install all the Microsoft patches listed in the various articles, but it didn't seem to help. Is there anything else we can do to stop the attacks?



  • 2.  RE: Multiple attacks showing in SEPM

    Posted Apr 05, 2011 04:35 PM

    The key thing to realize here is that the IPS detections are usually on the machines being attacked, not on the machines that are doing the attacking... so installing the patches is a good thing because it means your servers won't be vulnerable, but the patches do nothing to stop the attacks from happening.

    In an example, when a burglar (attacker) has the keys to your door, you can change the locks (patches) to keep him out. The house (attacked computer) is safe but the alarm system (SEP) will still sound when the burglar puts the old key in the new lock. The important thing is to find the burglar's hideout (attacking computer) and get it shut down so it can no longer launch burglars.

    The Network Threat Protection logs will tell you just about everything you need to know (which machines are attacking, for example). Export them and view in your favorite spreadsheet program. Make sure to run full system scans with SEP and the latest defs.

    You can use the Microsoft Baseline Security Analyzer (http://technet.microsoft.com/en-us/security/cc184923) to scan all of the machines involved. 

    Details on the individual threats that are being detected can easily be Googled for more details.



  • 3.  RE: Multiple attacks showing in SEPM

    Posted Apr 05, 2011 10:22 PM

    Is it possible to post the logs?

    Other than patching the sources as suggested by Ryan and yourself, check the logs of these attackers. They may have a persistent malware executable stored on them. You could separate them into a group with stricter policies and limited services allowed in the firewall.



  • 4.  RE: Multiple attacks showing in SEPM

    Trusted Advisor
    Posted Apr 06, 2011 10:11 AM

    Hello,

    Please check this:

    1) OS Attack: MS Windows Server Service RPC Handling CVE-2008-4250

    MS Windows Server Service RPC Handling CVE-2008-4250 is used by Threat -

    W32.Downadup

    http://www.symantec.com/security_response/writeup.jsp?docid=2008-112203-2408-99

    To know more about the Patches, visit the link below:

    2) OS Attack: MS Windows Server Service NetAPI CVE-2006-3439

    To know more about the Patches, visit the link above.

    OS Attack: MS Windows Server Service NetAPI CVE-2006-3439 is used by Threat -

    W32.Rinbot.E

    http://www.symantec.com/security_response/writeup.jsp?docid=2006-022315-3727-99

    3) OS Attack: MS RPCSS Attack CVE-2004-0116 2

    http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=20386

    4) SMB Guest Login

    http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=21545

    All the attacks which you described happen when you have vulnerabilities on the machines from where the attack happens.

    As Ryan described above, "The Network Threat Protection logs will tell you just about everything you need to know (which machines are attacking, for example). Export them and view in your favorite spreadsheet program."

    I would suggest the following plan of action:

    1) Make sure ALL computers are installed with Symantec EP with the latest / updated virus definitions and

    2) Install ALL latest Microsoft security patches / service packs on ALL machines

    3) Follow the links provided above and update all the patches as required.

    4) Disable Autoplay with GPO

    http://support.microsoft.com/kb/953252

    5) Disable Scheduled Tasks with GPO

    http://support.microsoft.com/kb/310208

    6) Enable Security Auditing with GPO

    http://support.microsoft.com/kb/300549

    7) Scan ALL the machines...

    You could also enable "Risk Tracer" - to understand what it is and how it could help you, I would recommend you to read the articles below:

    What is Risk Tracer?

    http://www.symantec.com/business/support/index?page=content&id=TECH102539

    How to use Risk Tracer to locate the source of a threat in Symantec Endpoint Protection

    http://www.symantec.com/business/support/index?page=content&id=TECH94526

    Hope this may help you.
     


  • 5.  RE: Multiple attacks showing in SEPM

    Posted Apr 06, 2011 02:19 PM

    Take a close look at the logs you're reviewing where you see these alerts...if the IP address(es) are external, there's not much you can do...the nature of the internet is to allow unsolicited attempts for communication.

    If the communications are coming from external sources, you can certainly block those IP addresses at the perimeter firewall, and other things such as leveraging intrusion prevention (assuming you've got that, or it's part of the perimeter firewall).

    If the attacks are coming from WITHIN your network, you'll need to do some sleuthing to get to the bottom of what's actually attacking and deal with it.  My gut, however, leads me to believe that your logs show external IP addresses.

    Script kiddies out there are constantly running programs that will try to use exploits on machines...odds are low that you're specifically being targeted.

    If the IP addresses in the logs are external to your network, the only way you can completely block the alerts is to configure your perimeter firewall to not allow incoming external traffic to this machine...which, I suspect, would completely negate the usefulness of the server itself.
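    As an added example, not from any of the posters above, here is the triage that replies 2 and 5 describe (export the Network Threat Protection log, count which sources are attacking, and sort them into internal hosts that need cleaning versus external ones to handle at the perimeter) done in Python over a constructed log export; the CSV column names are assumed, since the thread does not show the real export format.

```python
import csv
import io
import ipaddress
from collections import Counter

# Constructed sample of an exported Network Threat Protection log (CSV).
# Column names are an assumption for this example; a real SEPM export may differ.
SAMPLE_EXPORT = """Time,Event Type,Signature,Remote Host IP,Local Port,Action
04/05/2011 09:12:03,Intrusion Prevention,OS Attack: MS Windows Server Service RPC Handling CVE-2008-4250,203.0.113.45,445,Blocked
04/05/2011 09:12:09,Intrusion Prevention,OS Attack: MS Windows Server Service NetAPI CVE-2006-3439,203.0.113.45,445,Blocked
04/05/2011 09:40:51,Intrusion Prevention,SMB Guest Login,198.51.100.7,445,Blocked
04/05/2011 10:02:17,Intrusion Prevention,OS Attack: MS RPCSS Attack CVE-2004-0116 2,192.168.10.22,135,Blocked
04/05/2011 10:02:20,Intrusion Prevention,OS Attack: MS Windows Server Service RPC Handling CVE-2008-4250,192.168.10.22,445,Blocked
04/05/2011 10:30:00,Firewall Rule,Block all other traffic,192.168.10.22,139,Blocked
04/05/2011 11:15:44,Intrusion Prevention,SMB Guest Login,203.0.113.45,445,Blocked
"""

# RFC 1918 ranges; anything else is treated as outside the network.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    """True when the source address is an RFC 1918 (inside-the-LAN) address."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def triage(export_text: str) -> dict:
    """Aggregate IPS events from an exported NTP log: events per source, per
    signature, and which sources are internal (a host to clean, not just block)."""
    per_source = Counter()
    per_signature = Counter()
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["Event Type"] != "Intrusion Prevention":
            continue  # firewall-rule rows are not attack signatures
        src = row["Remote Host IP"].strip()
        per_source[src] += 1
        per_signature[row["Signature"]] += 1
    internal = sorted(s for s in per_source if is_internal(s))
    external = sorted(s for s in per_source if not is_internal(s))
    return {"per_source": per_source, "per_signature": per_signature,
            "internal_sources": internal, "external_sources": external}


if __name__ == "__main__":
    result = triage(SAMPLE_EXPORT)
    for src, n in result["per_source"].most_common():
        where = "INTERNAL: clean this host" if src in result["internal_sources"] else "external: perimeter firewall"
        print(f"{src:<16} {n:>3} IPS events  {where}")
    for sig, n in result["per_signature"].most_common():
        print(f"{n:>3}  {sig}")
```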



  • 6.  RE: Multiple attacks showing in SEPM

    Posted Apr 07, 2011 11:35 AM

    Thanks for all the suggestions. We did install the patches and we've been checking the logs. This is a web server so we have to allow incoming external traffic to the machine. The IP addresses are external, so there's not much else we can do. At least Symantec is blocking the attacks.