Endpoint Protection


SEPM Security Breach

ℬrίαη, Oct 13, 2014 03:33 PM

PraveenAyappan, Mar 06, 2015 05:54 AM

ℬrίαη, Mar 06, 2015 06:05 AM

  • 1.  SEPM Security Breach

    Posted Oct 13, 2014 03:31 PM

    We received alerts today that there was a "Security Breach Detected" on our SEPM servers.

    Here is the alert:

    Message from:

            Server name: sepm

            Server IP: x.x.x.x

    Security breach: suspicious activity from SEPM was detected on Symantec Endpoint Protection Manager x.x.x.x. Check the log files for details.

    I am wondering what logs it is referring to?

    Thank you!



  • 2.  RE: SEPM Security Breach

    Posted Oct 13, 2014 03:33 PM
    Check the security log


  • 3.  RE: SEPM Security Breach

    Posted Oct 13, 2014 03:45 PM

    I am not seeing anything abnormal in there, just logon and logoffs.  It appears to have something to do with logging in with the Java console.  The alert we received specified the IP address of a machine that was connecting to the SEPM via the Java console.



  • 4.  RE: SEPM Security Breach

    Posted Oct 13, 2014 03:59 PM
    I meant security log on SEP client. Do you run IPS on the SEPM? If so some older versions had a known vulnerability so perhaps this is the problem.


  • 5.  RE: SEPM Security Breach

    Posted Nov 19, 2014 05:50 PM

    Same issue here for us, and we are not running IPS on SEPM.



  • 6.  RE: SEPM Security Breach

    Posted Nov 19, 2014 11:14 PM

    I have received the same email alert when I logged into the SEPM console via the Java console on my desktop (both my desktop and server SEP clients are 12.1.5).



  • 7.  RE: SEPM Security Breach

    Posted Nov 20, 2014 10:12 AM

    That's strange. Did you find any information in the log? If not, run symhelp. It should give you an idea.



  • 8.  RE: SEPM Security Breach

    Posted Nov 20, 2014 10:16 AM

    Funny thing with this alert is there is no information in any log anywhere on the SEPM or SEP client. I had it come up a few weeks ago and couldn't find a single entry for it. It dropped off my radar since but a support call may be the best option at this point.



  • 9.  RE: SEPM Security Breach

    Posted Nov 25, 2014 08:10 AM

    I just had this exact same error. I thought it might be a new notification as I upgraded to RU5 yesterday, but the only log I can find is this in the system log:

    [attached screenshot: Untitled.png]



  • 10.  RE: SEPM Security Breach

    Posted Nov 25, 2014 08:27 AM

    Personally, I open a case and send this to them. It has to be something new in RU5. I've seen it once since we upgraded but couldn't find a single log. Although I never checked under the Admin tab. There has to be something on this somewhere or a meaning.



  • 11.  RE: SEPM Security Breach

    Posted Nov 26, 2014 10:49 AM

    I have more info and the answer to this question.

    This is new for 12.1 RU5, is not a configurable alert as it is built-in, and cannot be disabled.

    It encompasses two checks:

    1. Request Authorization failed - Beginning with SEPM 12.1 RU5, the SEPM performs a server-side authorization check on each incoming request to ensure that the privileges needed for the operation in the request are assigned to the administrator in the session.
    2. Request Tampering detection - A request signature is included with each incoming request and the server validates this signature.


  • 12.  RE: SEPM Security Breach

    Posted Mar 06, 2015 05:54 AM

    Guys, any update on this?



  • 13.  RE: SEPM Security Breach

    Posted Mar 06, 2015 06:05 AM

    The answer is what I posted right above.



  • 14.  RE: SEPM Security Breach

    Posted Mar 19, 2015 08:30 PM

    Check in scm-server-0.log for any exceptions:
    2015-03-19 11:28:25.705 THREAD 355 SEVERE: AuthorizationProcessException encountered

    Additional data may appear in stdout-0.log. You can also query the webservice audit view in SQL (V_AUDIT_LOG) for more details. Please log a support case if you require further assistance.

    -Shawn
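To make the log check in reply 14 repeatable, here is a small added example (not code from any poster or from Symantec) that parses scm-server-0.log entries of the shape quoted above, keeps the SEVERE ones that mention the RU5 authorization check from reply 11, and optionally narrows them to a window around the time the "Security breach" alert fired. It assumes every entry starts with a timestamp, a THREAD id and a level, as in the single line shown; the sample lines are constructed.

```python
import re
from datetime import datetime, timedelta

# Line shape taken from the one scm-server-0.log entry quoted in the thread
# (assumption: all entries share this prefix; stack-trace continuation lines do not).
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"THREAD (?P<thread>\d+) (?P<level>[A-Z]+): (?P<msg>.*)$"
)
TS_FMT = "%Y-%m-%d %H:%M:%S.%f"
# Marker named in reply 14; the RU5 authorization check surfaces as this exception.
BREACH_MARKERS = ("AuthorizationProcessException",)


def parse_line(line):
    """Return a dict for a well-formed log entry, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], TS_FMT)
    entry["thread"] = int(entry["thread"])
    return entry


def find_breach_events(lines, alert_time=None, window=timedelta(minutes=5)):
    """SEVERE entries carrying a breach marker, optionally within +/- window
    of the alert timestamp (given as datetime or 'YYYY-mm-dd HH:MM:SS.fff')."""
    if isinstance(alert_time, str):
        alert_time = datetime.strptime(alert_time, TS_FMT)
    hits = []
    for line in lines:
        e = parse_line(line)
        if e is None or e["level"] != "SEVERE":
            continue
        if not any(marker in e["msg"] for marker in BREACH_MARKERS):
            continue
        if alert_time is not None and abs(e["ts"] - alert_time) > window:
            continue
        hits.append(e)
    return hits


# Constructed sample: the quoted line, plus noise and a stack-trace continuation line.
SAMPLE_LOG = [
    "2015-03-19 11:20:01.100 THREAD 12 INFO: Scheduled task started",
    "2015-03-19 11:28:25.705 THREAD 355 SEVERE: AuthorizationProcessException encountered",
    "    at com.example.Handler.process(Handler.java:10)",
    "2015-03-19 13:00:00.000 THREAD 9 SEVERE: AuthorizationProcessException encountered",
]
```

Feed it the real file with `find_breach_events(open(path), alert_time=...)`, then use the thread id and timestamp to look up the matching request in stdout-0.log or V_AUDIT_LOG.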