SMB: User Password Brute-force Attempt 40004

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

SMB: User Password Brute-force Attempt 40004

Not applicable

Hello all.  I have a PA-5020 operating as our Layer 3 router between all of our VLAN's.  For the past month or so the ACC on the Palo shows SMB: User Password Brute-force Attempt (ID:40004) as the #1 entry in Threat Prevention section.  The attacker is our Antivirus (Kaspersky) Administration Server on VLAN 199 and the victim is a kiosk PC that isn't on our domain, just our network VLAN 202.  There are about 10 other kiosks and they don't get any threats from the AV server.  These kiosks are managed by another company and locked down pretty well.  I've tried using netstat /oan and keep running it but never see the traffic (maybe the firewall on the kiosk terminates the traffic too quickly for me to see any SYN_WAIT, etc.).  I do see a LOT of 445 connections off and on to other devices on our network, just none to that IP address.

I've scanned the server with the latest Kaspersky sigs and no malware is found.  I'm stumped as to what this may be, should I start a packet capture and see if that yields any clues?

3 REPLIES 3

L4 Transporter

Well, if you feel this could be a false positive, and the FW is incorrectly recognizing traffic as Brute Force, you can create an IP exception rule in  your vulnerability profile. You can to the profile, then go to Exceptions, find the vulnerability number, and edit it, to ignore the signature when it sees traffic destined for that PC in VLAN 202.

L5 Sessionator

Suggest updating the AV DB and App and Threat DB  to the latest version  ,if the issue continues .

Open a support case providing following explained in the following document:

https://live.paloaltonetworks.com/docs/DOC-2769

Not applicable

Thanks for the advise.  Just wanted to follow up on this, it looked like Kaspersky server was still trying to run some job against this IP address thinking it was a domain computer holding the IP address.  We made a dummy reservation in DHCP and forced the kiosk (non-domain) computer to get a new IP address and the threat stopped, it didn't follow the IP address.

  • 17092 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!