
Endpoint Protection and Norton Network Threat Protection/Intrusion Prevention System signature naming improvements


Article ID: 153836


Products

Endpoint Protection

Issue/Introduction

What is happening?

An Intrusion Prevention System (IPS) is one of the chief proactive protection technologies in use today to keep malware, web-based attacks, social engineering attacks and the latest threats off users' systems. IPS is important for both Symantec's Consumer (Norton) and Enterprise products. Please see the Connect article Two Reasons why IPS is a "Must Have" for your Network to learn how IPS complements the AntiVirus and other components of Symantec Endpoint Protection (SEP).

To ensure that IT managers quickly understand the category and type of attack and what next steps are required, Symantec has changed all IPS signatures to include a keyword prefix for attacks of a similar category. The use of keywords will also allow customers to quickly prioritize events.

The following prefixes will be used to identify the type of protection:
  • System Infected:
  • OS Attack:
  • Web Attack:
  • Fake App Attack:
  • Malicious Site:
  • Attack:
 
System Infected: Threat events with the “System Infected” prefix should be the highest priority events to investigate for breach and malware removal. These events indicate communication we would expect from an active infection.

Example: "System Infected: Tidserv Activity". This message indicates that the observed communication could be an indicator of a Tidserv variant attempting to "phone home" or infect other systems.

OS Attack: Threat events with the “OS Attack” prefix should be investigated with the second highest priority. These events occurring within an enterprise indicate that, while the individual system was protected, there is still an active infection coming from the server-bound direction; in other words, an inbound attack was prevented. Correlating these events can also easily help you pinpoint where the attack originated.
Example: “OS Attack: MS RPCSS (3)”. This IPS trigger means that IPS blocked an attempt to exploit the MS RPC vulnerability and install malware on the system. You should investigate the originating IP address to determine where infections are coming from.

Web Attack: Threat events with the “Web Attack” prefix should be investigated with the third highest priority. These systems were protected from a web-based attack such as a drive-by download that attempts to exploit vulnerabilities in the browser or in browser plug-ins such as readers, multimedia players and ActiveX controls. Exploited application vulnerabilities, such as those in Java, Adobe Flash, Adobe Acrobat and Apple QuickTime, are also included in this category. No further investigation should be required.
Example: “Web Attack: HTTP Malicious JavaScript Heap Spray”. This means that IPS protected your system against a web attack toolkit attempting to exploit a vulnerability through a drive-by download.

Fake App Attack: Threat events with the “Fake App Attack” prefix should be investigated with the fourth highest priority. These systems were protected by IPS from a social engineering attack such as a fake antivirus or fake codec. No further investigation is required. Since user interaction is required, and such interaction is quite common from simple actions like Google searches and clicking links on Facebook, these are slightly lower in priority for analysis than Web Attacks.
Example: “FakeApp Attack: FakeAV Installer Download”. This means that IPS protected your system from a social engineering attack; in this case, a fake antivirus program that attempted to install itself on an end user's system.

Malicious Site: Threat events with the “Malicious Site” prefix should be investigated with the lowest priority. These systems were protected from visiting a domain, website or IP address known to be malicious. No malicious activity can come from this site, as the Malicious Site event blocked all further communication.
Example: “Malicious Site: Malicious Website, Domain, or URL 1”. This means that navigation to a known malicious website was prevented. Various malicious content, including web attack toolkits or social engineering attacks, may originate from these URLs, IPs or domains.

Attack: Threat events with the “Attack” prefix cover other targeted vectors, such as file formats or additional application vulnerabilities. Such signatures may include other third-party applications that are not browser-based.
Example: “Attack: Microsoft PowerPoint PPT4 RCE”. This means that an attempt to exploit a Microsoft PowerPoint vulnerability was blocked.
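To show how the prefixes above translate into triage order in practice, here is an added example (not Symantec's code and not part of this article) that classifies constructed SEP-style IPS event names by prefix, orders them by the priority the article assigns, and correlates OS Attack events by originating IP. The "Attack:" prefix has no stated priority, so ranking it last is an assumption, and old-style names without a prefix are flagged rather than guessed.

```python
from collections import Counter
# Priority as the article defines it (1 = investigate first). "Attack:" has
# no explicit rank in the article; ranking it last is an assumption here.
PREFIX_PRIORITY = {
    "System Infected": 1, "OS Attack": 2, "Web Attack": 3,
    "Fake App Attack": 4, "FakeApp Attack": 4,  # both spellings occur
    "Malicious Site": 5, "Attack": 6,
}
NEXT_STEP = {
    1: "investigate host for breach and malware removal",
    2: "investigate originating IP to find the infection source",
    3: "blocked; no further investigation required",
    4: "blocked; no further investigation required",
    5: "blocked; lowest priority",
    6: "blocked; review the targeted application",
}

def classify(signature_name):
    """Return (prefix, priority, remainder); legacy names get (None, None, name)."""
    prefix, sep, rest = signature_name.partition(":")
    prefix = prefix.strip()
    if sep and prefix in PREFIX_PRIORITY:
        return prefix, PREFIX_PRIORITY[prefix], rest.strip()
    return None, None, signature_name.strip()

def triage(events):
    """Rows (priority, ip, name, next_step) for (ip, name) events, highest
    priority first; unranked legacy names sort last under priority 99."""
    rows = []
    for ip, name in events:
        prio = classify(name)[1]
        step = NEXT_STEP.get(prio, "legacy name: look up the Signature ID")
        rows.append((99 if prio is None else prio, ip, name, step))
    return sorted(rows)

def os_attack_sources(events):
    """Count 'OS Attack' events per originating IP, the correlation the
    article recommends for pinpointing where inbound attacks come from."""
    return Counter(ip for ip, name in events
                   if classify(name)[0] == "OS Attack")
# Constructed sample events (originating IP, signature name); not real logs.
SAMPLE_EVENTS = [
    ("10.0.0.23", "System Infected: Tidserv Activity"),
    ("10.0.0.5", "OS Attack:  MS RPCSS (3)"),
    ("10.0.0.5", "OS Attack: MS RPCSS NetApi BO (2)"),
    ("10.0.0.9", "Web Attack: HTTP Malicious JavaScript Heap Spray"),
    ("10.0.0.9", "FakeApp Attack: FakeAV Installer Download"),
    ("10.0.0.12", "Malicious Site: Malicious Domain or IP Blocked"),
    ("10.0.0.12", "HTTP Tidserv Request"),  # old-style name, no prefix
]
```

Calling triage(SAMPLE_EVENTS) yields the System Infected event first and the unprefixed legacy name last; os_attack_sources(SAMPLE_EVENTS) shows both OS Attack events coming from the same originating IP.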
 
When did the change happen?
The naming format went into effect in March 2011.

Cause

Why were these changes made?

The previous naming convention was confusing and inconsistent. The goal is to give IT managers and users a better understanding of what occurred just by looking at the signature name. IPS/Network Threat Protection is a very powerful technology that blocks tens of millions of variants of malware and social engineering attacks that Antivirus alone is unable to detect – this new naming convention helps IT managers better understand the true types of protection being delivered and how to use it to protect their environments.


Resolution

Will it affect me?

The IPS Signature ID stays the same – only the name changes. The client and server operations use only the Signature ID for reporting IPS events, so no action is required from a user perspective. This change affects all Symantec and Norton products that use IPS/Network Threat Protection. This includes Symantec Endpoint Protection and all Norton products.

Proposed Final IPS Signature Naming Conventions Examples:

Original IPS Signature Naming                                | Revised Final Proposed IPS Signature Naming
-------------------------------------------------------------+-----------------------------------------------
Post Infection:                                              |
HTTP Tidserv Request                                         | System Infected: Tidserv Activity
HTTP Tidserv Download Request 2                              | System Infected: Tidserv Download 2 Activity
Fake antivirus:                                              |
HTTP Fake antivirus Redirect Request                         | FakeApp Attack: Fake antivirus Redirect
HTTP Fake antivirus Executable Download                      | FakeApp Attack: Fake Antivirus Download
HTTP FakeAV Installer Download Request                       | FakeApp Attack: FakeAV Installer Download
HTTP Fake Codec Request Generic                              | FakeApp Attack: Fake Codec Generic
Drive-by download and Malicious Web Attack Toolkits:         |
HTTP Neosploit Toolkit Activity 1                            | Web Attack: Neosploit Toolkit Attack
HTTP Malicious JavaScript Heap Spray BO                      | Web Attack: HTTP Malicious JavaScript Heap Spray
HTTP Malicious Toolkit Variant Activity 16                   | Web Attack: Malicious Toolkit (16)
HTTP Phoenix ToolKit Java Applet Activity                    | Web Attack: Phoenix ToolKit Java Applet
HTTP Suspicious Executable Image Download                    | Web Attack: Suspicious Executable Image Download
HTTP Acrobat Suspicious Executable File Download             | Web Attack: Acrobat Executable File Download
Base OS Attack:                                              |
MSRPC Server Service BO                                      | OS Attack: MS RPCSS BO
MS RPCSS Attack (3)                                          | OS Attack: MS RPCSS (3)
MSRPC SrvSvc NetApi Buffer Overflow (2)                      | OS Attack: MS RPCSS NetApi BO (2)
Malicious Domain Blocked:                                    |
                                                             | Malicious Site: Malicious Domain or IP Blocked
Other Malicious Sites or domains, IPs, or websites that may  | Malicious Site: Signature Name
serve up drive-by downloads or fakeAV                        |
Attack:                                                      |
MSIE Yahoo! Messenger GetFile Method File Upload             | Attack: Yahoo! Messenger GetFile Method File Upload
HTTP Microsoft PowerPoint PPT4 RCE                           | Attack: Microsoft PowerPoint PPT4 RCE


A list of all IPS signatures can be found on the Security Response Attack Signatures site.