11-20-2017 05:45 AM
I just got a spyware infected host report that says something like
Destination address | Destination Host Name | Count
X.X.X.X | hostname.domain.com | 2.94k
X.X.X.X | hostname2.domain.com | 1.44k
X.X.X.X | hostname3.domain.com | 681
Some of the hostnames are pretty important servers, so this has me worried. Can anyone tell me what the report is telling me? Are these servers infected with spyware, and is the spyware sending that much data out?
11-20-2017 07:46 AM
Additional information would be helpful. Are these servers actually your internal servers, or external servers that your users are accessing?
If you access your Threat logs and filter on ( subtype eq spyware) you'll be able to see the logs for what is triggering this report. What exactly is being picked up on this report?
11-21-2017 05:46 AM
They are internal servers: a few domain controllers, one front-end Exchange server, and a few others.
11-21-2017 05:49 AM
At that point you'd have to look at what the Threat database actually has listed for these servers. If you can post what the common threats are we can actually take a look at it with you.
11-21-2017 05:53 AM
I'm assuming you are referring to Monitor - Logs - Threat and using the server's IP address to see what it is telling me, right?
11-21-2017 05:58 AM - edited 11-21-2017 06:00 AM
Never mind, I figured out what you meant. Here is a screenshot:
11-21-2017 06:50 AM
Looks like noise... varied and non-associated destination URLs. Given the vulnerability name, it looks like a "caution" kind of alert.
11-21-2017 06:57 AM
I'm going to agree with @Brandon_Wertz on this one: unless you suspect that this is abnormal and hasn't always been present, it's likely nothing to worry about. That being said, if this is the first time that you've encountered these alerts, it would be something that I would look into further.
More information from PA can be found HERE, which does a fairly good job of explaining the relevant threats and why they might be present. You can also search Threat Vault for 14978. I really wouldn't be too worried about it, unless it has only just started to show up recently and you haven't been getting the alerts prior.
11-21-2017 07:10 AM
Further if you look at the alert details:
Severity | informational |
Action | allow |
It's either a "false positive" or the flag is legitimate and the firewall is highlighting a TLS vulnerability, likely flagging on a lower version of TLS. It is merely attempting to point out something that COULD be exploited, not necessarily something which is ACTIVELY being exploited.
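The triage the replies above describe (filter the Threat log on the spyware subtype, look at each hit's severity and action, and treat a signature you have always seen as noise while a new or non-informational one gets a closer look) can be scripted against an exported log. The following is an added example, not code from the thread or from Palo Alto Networks: the CSV layout, the hostnames, the peer addresses, the `KNOWN_NOISY_IDS` baseline and every threat ID other than 14978 are constructed for illustration, and a real PAN-OS export has many more columns. It also makes explicit a point the original poster was unsure about: the report's Count column is assumed to be a number of threat-log entries, not a volume of data.

```python
"""Triage helper for spyware-subtype threat log entries.

Added example, not from the thread or from Palo Alto Networks. The log
format below is a constructed, simplified CSV; real PAN-OS exports carry
many more fields. Hostnames, peer addresses and all threat IDs except
14978 are made up.
"""
import csv
import io
from collections import Counter, defaultdict

# Constructed sample export. "host" is the internal server named in the
# report, "peer" is the other end of the connection; which log column the
# report keys on (source or destination) depends on the report definition.
SAMPLE_LOG = """\
receive_time,host,host_name,peer,threat_id,severity,action,subtype
2017/11/21 05:30:01,10.1.1.10,dc1.corp.example,203.0.113.5,14978,informational,allow,spyware
2017/11/21 05:30:07,10.1.1.10,dc1.corp.example,203.0.113.9,14978,informational,allow,spyware
2017/11/21 05:31:12,10.1.1.11,exch1.corp.example,198.51.100.7,14978,informational,allow,spyware
2017/11/21 05:32:45,10.1.1.12,fs1.corp.example,192.0.2.44,99999,high,drop,spyware
2017/11/21 05:33:00,10.1.1.11,exch1.corp.example,198.51.100.8,14978,informational,allow,spyware
2017/11/21 05:33:30,10.1.1.13,web1.corp.example,192.0.2.80,42424,medium,allow,spyware
2017/11/21 05:34:00,10.1.1.10,dc1.corp.example,203.0.113.5,31337,informational,allow,vulnerability
"""

# Hypothetical baseline: threat IDs that have always been present and were
# reviewed before. Anything outside this set is "new" for triage purposes.
KNOWN_NOISY_IDS = {"14978"}
LOW_CONCERN = {"informational", "low"}


def parse_threat_log(text):
    """Parse the CSV export and keep only subtype == spyware, which mirrors
    the GUI filter ( subtype eq spyware )."""
    rows = csv.DictReader(io.StringIO(text))
    return [r for r in rows if r["subtype"] == "spyware"]


def summarize_by_host(entries):
    """Per host: number of log entries, the distinct (threat_id, severity,
    action) tuples with their counts, and the set of peers involved.
    The hit count is a number of log lines, not bytes transferred."""
    out = defaultdict(lambda: {"hits": 0, "signatures": Counter(), "peers": set()})
    for e in entries:
        h = out[e["host_name"]]
        h["hits"] += 1
        h["signatures"][(e["threat_id"], e["severity"], e["action"])] += 1
        h["peers"].add(e["peer"])
    return dict(out)


def triage(entries, known_ids=KNOWN_NOISY_IDS):
    """Return {host_name: sorted reasons} for hosts worth a closer look.

    A host is flagged when any of its spyware entries has a severity above
    low/informational, was not simply allowed (the firewall acted on it), or
    carries a threat ID outside the reviewed baseline. Informational/allow
    hits on a known ID are left out, matching the advice in the thread.
    """
    findings = defaultdict(set)
    for e in entries:
        reasons = []
        if e["severity"] not in LOW_CONCERN:
            reasons.append(f"severity {e['severity']}")
        if e["action"] != "allow":
            reasons.append(f"action {e['action']}")
        if e["threat_id"] not in known_ids:
            reasons.append(f"new threat id {e['threat_id']}")
        if reasons:
            findings[e["host_name"]].update(reasons)
    return {host: sorted(r) for host, r in sorted(findings.items())}


if __name__ == "__main__":
    spyware = parse_threat_log(SAMPLE_LOG)
    for host, info in sorted(summarize_by_host(spyware).items()):
        print(host, info["hits"], "hits", dict(info["signatures"]))
    for host, reasons in triage(spyware).items():
        print("LOOK AT:", host, "->", ", ".join(reasons))
```

On the constructed sample, the two domain controllers and the Exchange server that only ever log 14978 at informational/allow drop out of the triage list, while a host with a dropped high-severity hit and a host with a previously unseen medium-severity ID are flagged. Replace `KNOWN_NOISY_IDS` with the IDs you have actually reviewed and the function reduces to exactly the "has this always been here?" question the replies ask.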
11-21-2017 07:50 AM
Just to add to the conversation-
We do SSL decryption and always have hundreds to thousands of these alerts a day. We've always had them, and I just ignore them because they are never an active threat, more informative in nature.
In spite of all of this, I still get a twinge of concern when I see them populate my logs. I want to react to them because I see so many listed.
Security-minded brain and all. LOL
Dannon
11-21-2017 08:00 AM
Thanks to all of you. I'm actually in the process of setting up SSL decryption right now. I have a rule set up on my computer to decrypt all the outbound traffic. Once that is set up, it'll give me better info on what the SSL traffic really is.