The Symantec Security Information Manager (SSIM) correlation engine creates incidents for the IP Watchlist rule when a multicast address appears in events as a source or destination.
This happens from time to time. It is the result of an automated mechanism on the DeepSight side, whose algorithm has to do with X number of clients reporting an address in Y timespan.
The IP 18.104.22.168 was reported on the BotNet list a number of times.
The workaround is to use the whitelist feature in the SSIM lookup tables. See the "IP Whitelist Table" table.
This happens when using static content (LiveUpdate) from the Global Intelligence Network, sequence 2011120601.
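To decide which addresses belong in the whitelist, it helps to pick out the event addresses that cannot identify a single remote host, such as multicast. The following is an added example, not Symantec code: it assumes the addresses from the affected incidents have been collected one per line in plain text (not an SSIM export format), and all sample values are constructed.

```python
import ipaddress

# Address classes that never identify one remote host, checked in order.
NON_HOST_CLASSES = (
    ("multicast", lambda ip: ip.is_multicast),      # 224.0.0.0/4, ff00::/8
    ("unspecified", lambda ip: ip.is_unspecified),  # 0.0.0.0, ::
    ("loopback", lambda ip: ip.is_loopback),
    ("link-local", lambda ip: ip.is_link_local),    # 169.254.0.0/16, fe80::/10
    ("broadcast", lambda ip: str(ip) == "255.255.255.255"),
)


def classify(entry):
    """Return the non-host class of an address, 'invalid', or None if ordinary."""
    try:
        ip = ipaddress.ip_address(entry)
    except ValueError:
        return "invalid"
    for name, test in NON_HOST_CLASSES:
        if test(ip):
            return name
    return None


def whitelist_candidates(lines):
    """Split input lines into (candidates, invalid), dropping blanks and repeats."""
    candidates, invalid, seen = [], [], set()
    for raw in lines:
        entry = raw.strip()
        if not entry or entry.startswith("#") or entry in seen:
            continue
        seen.add(entry)
        reason = classify(entry)
        if reason == "invalid":
            invalid.append(entry)
        elif reason is not None:
            candidates.append((entry, reason))
    return candidates, invalid


# Constructed sample: addresses as they might be copied out of incident events.
SAMPLE = ["224.0.0.251", "239.255.255.250", "ff02::1", "192.0.2.10",
          "255.255.255.255", "224.0.0.251", "not-an-ip", "169.254.10.20", ""]

if __name__ == "__main__":
    found, bad = whitelist_candidates(SAMPLE)
    for address, reason in found:
        print(f"{address}\t{reason}")
    print("unparsed:", bad)
```

Ordinary unicast addresses are deliberately left out of the result, since whitelisting them would hide genuine watchlist matches.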