topic Re: Spyware Infect Host report from P.A. in General Topics

Spyware Infect Host report from P.A.

wrainwater — Mon, 20 Nov 2017 13:45:20 GMT

I just got a spyware infected host report that says something like

Destination address | Destination Host Name | Count

X.X.X.X hostname.domain.com 2.94k

X.X.X.X hostname2.domain.com 1.44k

X.X.X.X hostname3.domain.com 681

Some of the hostnames are pretty important servers, so this has me worried about. Can anyone tell me what the report is telling me? Are these servers infect with spyware and the spyware is sending that much data out?

Re: Spyware Infect Host report from P.A.

BPry — Mon, 20 Nov 2017 15:46:45 GMT

@wrainwater,

Additional information would be helpful. Are these servers actually your internal servers, or external servers that your users are accessing.

If you access your Threat logs and filter on ( subtype eq spyware) you'll be able to see the logs for what is triggering this report. What exactly is being picked up on this report?

Re: Spyware Infect Host report from P.A.

wrainwater — Tue, 21 Nov 2017 13:46:39 GMT

they are internal servers. a few domain controllers, one front end exchange server, and a few others.

Re: Spyware Infect Host report from P.A.

BPry — Tue, 21 Nov 2017 13:49:28 GMT

@wrainwater,

At that point you'd have to look at what the Threat database actually has listed for these servers. If you can post what the common threats are we can actually take a look at it with you.

Re: Spyware Infect Host report from P.A.

wrainwater — Tue, 21 Nov 2017 13:53:35 GMT

Im assuming you are referring to monitor - logs - threat and use the servers ip address to see what it is telling me right?

Re: Spyware Infect Host report from P.A.

wrainwater — Tue, 21 Nov 2017 14:00:13 GMT

Nevermind, I figured out what you meant. here is a screenshot

Re: Spyware Infect Host report from P.A.

Brandon_Wertz — Tue, 21 Nov 2017 14:50:32 GMT

Looks like noise... Varied and non-associated dest URLs. Given the vuln name looks like a "caution" kinda alert.

Re: Spyware Infect Host report from P.A.

BPry — Tue, 21 Nov 2017 14:57:12 GMT

@wrainwater,

I'm going to agree with @Brandon_Wertz on this one, unless you suspect that this was abnormal and hasn't always been present it's likely nothing to worry about. That being said if this is the first time that you've encountered these alerts, it would be something that I would look into further.

More information from PA can be found HERE, which does a fairly good job explaining relevant threats and why it might be present. You can also search threatvault for 14978. I really wouldn't be too worried about it, unless it has only just started to show up recently and you haven't been getting the alerts prior.

Re: Spyware Infect Host report from P.A.

Brandon_Wertz — Tue, 21 Nov 2017 15:10:22 GMT

Further if you look at the alert details:

Severity	informational
Action	allow

It's either a "false positive" or the flag is legitimate and the firewall is highlighting a vulnerability of TLS likely flagging on a lower version of TLS. Merely attempting to point out something COULD be exploited, not necessarily something which is ACTIVELY being exploited.

Re: Spyware Infect Host report from P.A.

dannon — Tue, 21 Nov 2017 15:50:27 GMT

Just to add to the conversation-

we do SSL decryption and always have hundreds to thousands of these alerts a day. We've always had them, and I just ignore them because they are never an active threat, more informantive in nature.

In spite of all of this, I still get a twinge of concern when I see them populate my logs. I want to react to them because I see so many listed.

Security-minded brain and all. LOL

Dannon

Re: Spyware Infect Host report from P.A.

wrainwater — Tue, 21 Nov 2017 16:00:17 GMT

thanks to all of you. Im actually in the process of setting up SSL decryption right now. I have a rule set up on my computer to decrypt all the outbound traffic. Once that is set up, it'll give me better info on what the SSL traffic really is.