After installing Symantec Endpoint Protection 11.0, you see a pop-up saying '[SID: 21631] Alexa User Info Tracking detected.'

Symptoms

1. A pop-up above system the tray saying 'SID 21631 Alexa User Info Tracking detected.'
2. On SEP Client > View Logs > Client Management > Security Log, you see Intrusion Prevention events regarding Alexa.

Users receive these pop-ups and events when they install Alexa Toolbar on their Internet Explorer or Alexa Sparky (or SearchStatus, etc.) plug-in to Mozilla Firefox. Alexa toolbars are recognized Trackwares (named as Trackware.Alexa) by Symantec Security Response. They gather Internet browsing and search information and submit this information to Alexa.

· Log in to the Symantec Endpoint Protection Manager (SEPM) console.
· Click on the Policies tab.
Click on Centralized Exceptions under View Policies.
Click on Add Centralized Exceptions Policy under Tasks.
Click on Centralized Exceptions > Click on the Add button > Security Risk Exceptions > Known Risks.
Check the box next to 'Trackware.Alexa'.
Check the box next to 'Log when the security risk is detected'.
Click on OK to save the policy.
· Click on the Policies tab.
Click on Intrusion Prevention under View Policies.
Click on Add an Intrusion Prevention Policy under Tasks.
Click on Exceptions > Click on the Add button > Hold down the Ctrl key and click on 21631 and 21632 > Click on the Next button.
Change the Action drop-down selection to 'Allow' and the Log drop-down selection to 'Log the traffic.'
Click on OK and then OK again to save the policy.
· Update the policies on any affected clients.

Technical Information

http://www.symantec.com/security_response/writeup.jsp?docid=2004-062410-3624-99