Spyware Infect Host report from P.A.

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Spyware Infect Host report from P.A.

L2 Linker

I just got a spyware infected host report that says something like

 

 

Destination address    |    Destination Host Name         |   Count

X.X.X.X                                hostname.domain.com              2.94k 

X.X.X.X                                hostname2.domain.com            1.44k 

X.X.X.X                                hostname3.domain.com              681

 

 

Some of the hostnames are pretty important servers, so this has me worried about. Can anyone tell me what the report is telling me? Are these servers infect with spyware and the spyware is sending that much data out? 

 

 

 

1 accepted solution

Accepted Solutions

@wrainwater,

I'm going to agree with @Brandon_Wertz on this one, unless you suspect that this was abnormal and hasn't always been present it's likely nothing to worry about. That being said if this is the first time that you've encountered these alerts, it would be something that I would look into further. 

More information from PA can be found HERE, which does a fairly good job explaining relevant threats and why it might be present. You can also search threatvault for 14978. I really wouldn't be too worried about it, unless it has only just started to show up recently and you haven't been getting the alerts prior. 

View solution in original post

10 REPLIES 10

Cyber Elite
Cyber Elite

@wrainwater,

Additional information would be helpful. Are these servers actually your internal servers, or external servers that your users are accessing. 

If you access your Threat logs and filter on ( subtype eq spyware) you'll be able to see the logs for what is triggering this report. What exactly is being picked up on this report? 

they are internal servers. a few domain controllers, one front end exchange server, and a few others.

@wrainwater,

At that point you'd have to look at what the Threat database actually has listed for these servers. If you can post what the common threats are we can actually take a look at it with you. 

Im assuming you are referring to monitor - logs - threat and use the servers ip address to see what it is telling me right?

Nevermind, I figured out what you meant. here is a screenshotspyware.JPG

Looks like noise...  Varied and non-associated dest URLs.  Given the vuln name looks like a "caution" kinda alert.

@wrainwater,

I'm going to agree with @Brandon_Wertz on this one, unless you suspect that this was abnormal and hasn't always been present it's likely nothing to worry about. That being said if this is the first time that you've encountered these alerts, it would be something that I would look into further. 

More information from PA can be found HERE, which does a fairly good job explaining relevant threats and why it might be present. You can also search threatvault for 14978. I really wouldn't be too worried about it, unless it has only just started to show up recently and you haven't been getting the alerts prior. 

Further if you look at the alert details:

 

Severityinformational
Actionallow

 

 

It's either a "false positive" or the flag is legitimate and the firewall is highlighting a vulnerability of TLS likely flagging on a lower version of TLS.  Merely attempting to point out something COULD be exploited, not necessarily something which is ACTIVELY being exploited.

Just to add to the conversation-

 

we do SSL decryption and always have hundreds to thousands of these alerts a day.  We've always had them, and I just ignore them because they are never an active threat, more informantive in nature.

 

In spite of all of this, I still get a twinge of concern when I see them populate my logs.  I want to react to them because I see so many listed.

 

Security-minded brain and all.  LOL

 

Dannon

 

thanks to all of you. Im actually in the process of setting up SSL decryption right now. I have a rule set up on my computer to decrypt all the outbound traffic. Once that is set up, it'll give me better info on what the SSL traffic really is.

  • 1 accepted solution
  • 5657 Views
  • 10 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!