Spyware Infect Host report from P.A.

L2 Linker

I just got a spyware infected host report that says something like

Destination address | Destination Host Name | Count
X.X.X.X             | hostname.domain.com   | 2.94k
X.X.X.X             | hostname2.domain.com  | 1.44k
X.X.X.X             | hostname3.domain.com  | 681

Some of the hostnames are pretty important servers, so this has me worried. Can anyone tell me what the report is telling me? Are these servers infected with spyware, and is the spyware sending that much data out?


Accepted Solutions
Cyber Elite

@wrainwater,

I'm going to agree with @Brandon_Wertz on this one: unless you suspect that this was abnormal and hasn't always been present, it's likely nothing to worry about. That being said, if this is the first time that you've encountered these alerts, it would be something that I would look into further.

More information from PA can be found HERE, which does a fairly good job explaining relevant threats and why it might be present. You can also search threatvault for 14978. I really wouldn't be too worried about it, unless it has only just started to show up recently and you haven't been getting the alerts prior. 

All Replies
Cyber Elite

@wrainwater,

Additional information would be helpful. Are these servers actually your internal servers, or external servers that your users are accessing?

If you access your Threat logs and filter on ( subtype eq spyware) you'll be able to see the logs for what is triggering this report. What exactly is being picked up on this report? 

L2 Linker

They are internal servers: a few domain controllers, one front-end Exchange server, and a few others.

Cyber Elite

@wrainwater,

At that point you'd have to look at what the Threat database actually has listed for these servers. If you can post what the common threats are we can actually take a look at it with you. 

L2 Linker

I'm assuming you are referring to Monitor > Logs > Threat and using the server's IP address to see what it is telling me, right?

L2 Linker

Never mind, I figured out what you meant. Here is a screenshot: spyware.JPG

Cyber Elite

Looks like noise...  Varied and non-associated dest URLs.  Given the vuln name looks like a "caution" kinda alert.


Cyber Elite

Further if you look at the alert details:

Severity: informational
Action: allow

It's either a "false positive" or the flag is legitimate and the firewall is highlighting a vulnerability of TLS likely flagging on a lower version of TLS.  Merely attempting to point out something COULD be exploited, not necessarily something which is ACTIVELY being exploited.
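Added example (not code from this thread or from Palo Alto Networks): a small Python triage pass that applies the two heuristics given above, the `( subtype eq spyware )` filter from the earlier reply and the "severity informational / action allow, varied unrelated URLs" pattern from this one, to a constructed and heavily simplified threat-log export. The column names and CSV layout are assumptions for illustration, not the real PAN-OS log format, and threat ID 99999 is a placeholder.

```python
import csv
import io
from collections import defaultdict

# Constructed sample data. The column set is an assumption made for this
# example; a real PAN-OS threat-log export has many more fields.
# Threat ID 14978 is the one mentioned in the thread; 99999 is a placeholder.
SAMPLE_THREAT_LOG = """\
receive_time,subtype,threat_id,severity,action,src,dst,dst_host,url
2020/11/06 09:01:02,spyware,14978,informational,allow,10.0.0.5,X.X.X.X,hostname.domain.com,a.example.net/
2020/11/06 09:01:09,spyware,14978,informational,allow,10.0.0.5,X.X.X.X,hostname.domain.com,b.example.org/
2020/11/06 09:02:30,spyware,14978,informational,allow,10.0.0.7,X.X.X.X,hostname2.domain.com,c.example.com/
2020/11/06 09:03:11,spyware,99999,high,drop,10.0.0.9,X.X.X.X,hostname3.domain.com,bad.example/beacon
2020/11/06 09:03:12,spyware,99999,high,drop,10.0.0.9,X.X.X.X,hostname3.domain.com,bad.example/beacon
"""

# Severities that, combined with an "allow" action, the thread treats as advisory.
NOISY_SEVERITIES = {"informational", "low"}

def triage(csv_text):
    """Group spyware-subtype rows per destination host and label each host."""
    per_host = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["subtype"] == "spyware":      # same filter as ( subtype eq spyware )
            per_host[row["dst_host"]].append(row)
    verdicts = {}
    for host, rows in per_host.items():
        severities = {r["severity"] for r in rows}
        actions = {r["action"] for r in rows}
        threat_ids = {r["threat_id"] for r in rows}
        urls = {r["url"] for r in rows}
        # "Noise" pattern from the thread: only advisory severities, nothing was
        # blocked, a single signature, and every hit points at a different URL.
        # A blocked hit, a higher severity, or repeated hits on one URL gets a
        # human look instead.
        looks_like_noise = (severities <= NOISY_SEVERITIES
                            and actions == {"allow"}
                            and len(threat_ids) == 1
                            and len(urls) == len(rows))
        verdicts[host] = {
            "count": len(rows),
            "threat_ids": sorted(threat_ids),
            "severities": sorted(severities),
            "actions": sorted(actions),
            "verdict": "likely noise" if looks_like_noise else "investigate",
        }
    return verdicts
```

Running `triage(SAMPLE_THREAT_LOG)` labels hostname.domain.com and hostname2.domain.com as likely noise and hostname3.domain.com as worth investigating, which is the distinction the replies above draw between informational/allow entries and real detections.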

L3 Networker

Just to add to the conversation-

We do SSL decryption and always have hundreds to thousands of these alerts a day. We've always had them, and I just ignore them because they are never an active threat, more informative in nature.

In spite of all of this, I still get a twinge of concern when I see them populate my logs.  I want to react to them because I see so many listed.

Security-minded brain and all.  LOL

Dannon
