You are receiving email alerts for "High-risk Intrusion Detections" with a Targeted Port Number of 0, a blank Targeted Application and a blank Targeted Host Name. You also see intrusion events on the Hosted Endpoint Portal with blank "Attacker URLs", Targeted Port of 0 and "No Data Available" in the Application column.
This only affects server operating systems with the Endpoint Protection Small Business Edition (Hosted) product (SEP SBE (Hosted) or SEP SBE.Cloud).
A high-risk intrusion was detected on ComputerName within group Default Group on 9/1/2015 5:26:54 PM.

Intrusion Name: Attack: an intrusion attempt was blocked.
Targeted Application:
Targeted IP: 192.168.0.2
Targeted Port Number: 0
Targeted Host Name:
Status: Blocked
Symantec is aware of this issue and will update this document when a solution becomes available. Please subscribe to this article to be notified of any updates.
To work around this issue, review the agent logs to find information about the event.
2. Search for the following: "an intrusion attempt was blocked"
Things to look for:
localIP="<number>" * (IP of the computer being attacked)
remoteIP="<number>" * (IP address of the origin of the attack)
signature="<signature>" ** (This is the name of the IPS detection)
* The IP addresses are in decimal notation. There are various calculators available online that will convert these values to IPv4 and IPv6 addresses.
** More details on attack signatures can be found with our Security Response information: http://www.symantec.com/security_response/attacksignatures/
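The decimal-to-address conversion from the first footnote can also be done offline. The following is an added example, not Symantec code: it pulls localIP, remoteIP and signature out of the matching log lines and decodes the addresses. Assumptions: the line layout beyond those three attributes, the function names, the sample values, and that the integer stores the first octet as most significant (the Targeted IP from the alert email is used to check that order).

```python
import ipaddress
import re

MARKER = "an intrusion attempt was blocked"
# Attribute names are from the article; the surrounding line layout is assumed.
ATTR_RE = re.compile(r'\b(localIP|remoteIP|signature)="([^"]*)"')


def decimal_to_ip(value, swap_bytes=False):
    """Decimal-notation address to text (IPv4 below 2**32, otherwise IPv6)."""
    n = int(value)
    if swap_bytes and n < 2**32:
        n = int.from_bytes(n.to_bytes(4, "little"), "big")
    return str(ipaddress.ip_address(n))


def parse_events(lines, targeted_ip=None):
    """Return one dict per blocked-intrusion line, with addresses decoded.
    Assumption: the integer holds the address with the first octet most
    significant. If targeted_ip (the Targeted IP from the alert email) is
    given and only the byte-swapped localIP matches it, the swapped order
    is used for that line.
    """
    events = []
    for line in lines:
        if MARKER not in line:
            continue
        attrs = dict(ATTR_RE.findall(line))
        try:
            local = decimal_to_ip(attrs["localIP"])
            swap = (targeted_ip is not None and local != targeted_ip
                    and decimal_to_ip(attrs["localIP"], True) == targeted_ip)
            events.append({
                "local_ip": decimal_to_ip(attrs["localIP"], swap),
                "remote_ip": decimal_to_ip(attrs["remoteIP"], swap),
                "signature": attrs.get("signature", ""),
            })
        except (KeyError, ValueError, OverflowError):
            continue  # attribute missing or value not a decodable number
    return events


# Constructed sample lines (not real agent output).
SAMPLE_LOG = [
    'event msg="an intrusion attempt was blocked" localIP="3232235522" '
    'remoteIP="3405803783" signature="Example Signature Name"',
    'event msg="definitions updated" localIP="3232235522"',
]
print(parse_events(SAMPLE_LOG, targeted_ip="192.168.0.2"))
```

If the decoded localIP does not match the Targeted IP shown in the alert under either byte order, treat the decoded remoteIP as unverified.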