High-risk intrusion detections for Port 0 with blank Targeted Application and Host Name fields

Article ID: 162338


Products

Symantec Products

Issue/Introduction

You are receiving email alerts for "High-risk Intrusion Detections" with a Targeted Port Number of 0, a blank Targeted Application and a blank Targeted Host Name.  You also see intrusion events on the Hosted Endpoint Portal with blank "Attacker URLs", Targeted Port of 0 and "No Data Available" in the Application column.

This only affects Server Operating Systems with the Endpoint Protection Small Business Edition (Hosted) product (SEP SBE(Hosted) -or- SEP SBE.Cloud).

A high-risk intrusion was detected on ComputerName within group Default Group on 9/1/2015 5:26:54 PM.

Intrusion Name
Attack: an intrusion attempt was blocked.

Targeted Application

Targeted IP
192.168.0.2

Targeted Port Number
0

Targeted Host Name

Status
Blocked

Resolution

Symantec is aware of this issue and will update this document when a solution becomes available.  Please subscribe to this article to be notified of any updates.

To work around this issue, review the agent logs to find information about the event.

1. Open C:\ProgramData\Symantec.cloud\Logs\6000\SEPAgent.log (You may need to un-hide hidden directories first: http://windows.microsoft.com/en-us/windows/show-hidden-files#show-hidden-files=windows-7)

2. Search for the following string: "an intrusion attempt was blocked"

Things to look for:

localIP="<number>"  * (IP of the computer being attacked)
remoteIP="<number>" * (IP address of the origin of the attack)
signature="<signature>" ** (This is the name of the IPS detection)

* The IP addresses are written as decimal integers, not in dotted notation. There are various calculators available online that will convert these values to IPv4 and IPv6 addresses. Check the converted localIP against the Targeted IP shown in the alert email to confirm you are reading the bytes in the correct order before relying on the converted remoteIP.
** More details on attack signatures can be found with our Security Response information: http://www.symantec.com/security_response/attacksignatures/
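As an added example (not part of the original article, and not Symantec code), the script below does the steps above without an online calculator: it scans log text for lines containing "an intrusion attempt was blocked", pulls out the localIP, remoteIP and signature fields, and renders each decimal IP as an address. The layout of the sample log lines is constructed for illustration; only the three field names listed above are taken from the article. Because the article does not state which byte order the agent uses when it writes the decimal value, the converter returns both readings, and match_alert picks the one whose localIP equals the Targeted IP from the alert email, then reads remoteIP the same way.

```python
import ipaddress
import re

# Constructed sample of SEPAgent.log content (assumption: the real file's
# surrounding layout may differ). Only the localIP/remoteIP/signature
# attributes named in the article are relied upon.
SAMPLE_LOG = """\
2015-09-01 17:26:54 [6000] heartbeat ok
2015-09-01 17:26:54 [6000] Attack: an intrusion attempt was blocked localIP="3232235522" remoteIP="3405803781" signature="Attack: Example Signature Name" localPort="0"
2015-09-01 17:27:10 [6000] policy refresh complete
"""

NEEDLE = "an intrusion attempt was blocked"
# key="value" attribute pairs as they appear on the event line
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def decimal_to_addresses(value):
    """Render a decimal IP from the log as dotted-quad (or IPv6) text.

    Returns (as_is, byte_swapped): the integer read in network byte order,
    and the same bytes read in reversed order. Values that fit in 32 bits
    are treated as IPv4, anything larger as IPv6.
    """
    n = int(value)
    width = 4 if n < 2 ** 32 else 16
    cls = ipaddress.IPv4Address if width == 4 else ipaddress.IPv6Address
    swapped = int.from_bytes(n.to_bytes(width, "little"), "big")
    return str(cls(n)), str(cls(swapped))


def parse_blocked_intrusions(log_text):
    """Return one dict per line that records a blocked intrusion attempt."""
    events = []
    for line in log_text.splitlines():
        if NEEDLE not in line:
            continue
        fields = dict(FIELD_RE.findall(line))
        events.append({
            "raw": line,
            "signature": fields.get("signature", ""),
            "localIP": decimal_to_addresses(fields["localIP"]) if "localIP" in fields else None,
            "remoteIP": decimal_to_addresses(fields["remoteIP"]) if "remoteIP" in fields else None,
        })
    return events


def match_alert(events, targeted_ip):
    """Select events whose localIP equals the alert's Targeted IP in either
    byte order, and report which order matched so remoteIP is read the same way."""
    hits = []
    for ev in events:
        if ev["localIP"] is None:
            continue
        for index, order in enumerate(("network", "swapped")):
            if ev["localIP"][index] == targeted_ip:
                remote = ev["remoteIP"][index] if ev["remoteIP"] else None
                hits.append({"signature": ev["signature"],
                             "byte_order": order,
                             "remoteIP": remote})
    return hits


if __name__ == "__main__":
    # Replace SAMPLE_LOG with the contents of
    # C:\ProgramData\Symantec.cloud\Logs\6000\SEPAgent.log and the Targeted IP
    # with the value from your alert email.
    for hit in match_alert(parse_blocked_intrusions(SAMPLE_LOG), "192.168.0.2"):
        print(hit)
```

The two-candidate output is the safeguard: if the alert says 192.168.0.2 but the network-order reading gives 2.0.168.192, the agent is writing the integer byte-swapped, and remoteIP must be decoded the same way before you look the attacker address up or block it.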