You are receiving email alerts for "High-risk Intrusion Detections" with a Targeted Port Number of 0, a blank Targeted Application and a blank Targeted Host Name. You also see intrusion events on the Hosted Endpoint Portal with blank "Attacker URLs", Targeted Port of 0 and "No Data Available" in the Application column.
This issue only affects server operating systems running the Endpoint Protection Small Business Edition (Hosted) product (SEP SBE (Hosted) or SEP SBE.Cloud).
A high-risk intrusion was detected on ComputerName within group Default Group on 9/1/2015 5:26:54 PM.
Intrusion Name Attack: an intrusion attempt was blocked.
Targeted Application
Targeted IP 192.168.0.2
Targeted Port Number 0
Targeted Host Name
Status Blocked
Symantec is aware of this issue and will update this document when a solution becomes available. Please subscribe to this article to be notified of any updates.
To work around this issue, review the agent logs to find information about the event.
1. Open C:\ProgramData\Symantec.cloud\Logs\6000\SEPAgent.log (you may need to show hidden directories first: http://windows.microsoft.com/en-us/windows/show-hidden-files#show-hidden-files=windows-7)
2. Search for the following: "an intrusion attempt was blocked"
Things to look for:
localIP="<number>" * (IP of the computer being attacked)
remoteIP="<number>" * (IP address of the origin of the attack)
signature="<signature>" ** (This is the name of the IPS detection)
* The IP addresses are in decimal notation. There are various calculators available online that will convert these values to IPv4 and IPv6 addresses.
** More details on attack signatures can be found with our Security Response information: http://www.symantec.com/security_response/attacksignatures/
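The log review above can be scripted. The following is an added example, not Symantec code: it picks out lines containing the search string, extracts the three fields, and converts the decimal addresses. The sample log lines, the signature value and the surrounding line layout are constructed, and network (big-endian) byte order for the decimal values is an assumption.

```python
import ipaddress
import re
import sys

MARKER = "an intrusion attempt was blocked"  # search string from step 2
FIELD_RE = re.compile(r'\b(localIP|remoteIP|signature)="([^"]*)"')

# Constructed sample lines; the real SEPAgent.log layout may differ.
SAMPLE_LINES = [
    '2015-09-01 17:26:54 info: service heartbeat ok',
    '2015-09-01 17:26:54 an intrusion attempt was blocked '
    'localIP="3232235522" remoteIP="3405803786" '
    'signature="EXAMPLE-SIGNATURE-NAME"',
]


def decimal_to_ip(value, byte_order="big"):
    """Convert a decimal-notation address to its usual text form.

    Assumptions: network (big-endian) byte order, and values below 2**32
    are IPv4. Pass byte_order="little" if the octets come out reversed.
    """
    number = int(value)
    if number < 2**32:
        return str(ipaddress.IPv4Address(number.to_bytes(4, byte_order)))
    return str(ipaddress.IPv6Address(number.to_bytes(16, byte_order)))


def blocked_intrusions(lines, byte_order="big"):
    """Return the fields of interest from each blocked-intrusion line."""
    events = []
    for line in lines:
        if MARKER not in line:
            continue
        fields = dict(FIELD_RE.findall(line))
        for key in ("localIP", "remoteIP"):
            if fields.get(key, "").isdigit():
                fields[key] = decimal_to_ip(fields[key], byte_order)
        events.append(fields)
    return events


if __name__ == "__main__":
    # Pass the path to SEPAgent.log as the first argument; without one,
    # the constructed sample above is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as handle:
            source = handle.readlines()
    else:
        source = SAMPLE_LINES
    for event in blocked_intrusions(source):
        print(event)
```

If the converted localIP does not match the Targeted IP shown in the alert for the same event, rerun with byte_order="little".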