Has anyone seen a lot of activity around the MacDefender Command and Control Traffic (event ID 13104 and 13108) spyware threat since the introduction of these signatures? I believe first add of these signatures was 248-993 and then updated in 249-1005. I am trying to get a handle on the numerous daily "blocked" events we are seeing for these connections. According to what I know of this malicious behavior - the payload is against the Mac OS only. However, we have no Macs. All these events are happening to PCs. Is it perhaps because a drive-by or web link is bringing our users to the known bad external IPs? Also want to validate that this is indeed a real event and not a false positive - for we are seeing about a dozen of these events a day - never to same internal user. Curious if anyone is seeing any of this activity and thoughts before I open a case.
A couple of cases came into Support regarding the MAC Defender but both are waiting on the customer to provide a pcap of the traffic so nothing conclusive yet. If you can provide a pcap, please go ahead and open a case so that engineering can determine if it is a false positive or not. Thanks.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!