You would have to look up those IPs to see what they are. Maybe from your ISP?
In any case, SEP is doing its job of blocking these attempted attacks.
Original Message:
Sent: May 06, 2024 04:39 PM
From: nambi_
Subject: Help I can't removed this Coinminer Activity 2 attack blocked
No, these IPs, which are constantly changing, I have no idea where they come from, as we are on a 192.168.1 network here.
152.32.205.193
101.36.108.175
101.36.97.74
Incoming from WAN?
Original Message:
Sent: May 06, 2024 04:26 PM
From: nambi_
Subject: Help I can't removed this Coinminer Activity 2 attack blocked
Here is a snapshot. I don't see incoming or outgoing, but I'm assuming it's outgoing from my 192.168.1.4.

Original Message:
Sent: May 06, 2024 01:02 PM
From: John Owens
Subject: Help I can't removed this Coinminer Activity 2 attack blocked
The Intrusion Prevention technology detects network traffic to or from this device that matches the attack signature ID [SID: 30482].
If you look at the full log you should be able to tell if it is Inbound or Outbound traffic.
------------------------------
John Owens
Strategic Support Engineer | Enterprise Security Group
Broadcom Software
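A triage script for the question John raises here, added as an example and not taken from the thread or from Broadcom: run on the server that raised SID 30482, it reports which service(s) inside each svchost.exe instance own a live TCP connection to the remote addresses nambi_ listed, and whether each address is RFC 1918 private space (the site's 192.168.1 LAN) or public. The three addresses come from the thread; the cmdlets are standard Windows PowerShell.

```powershell
# Added example, not code from the thread or from Broadcom. Run in an elevated
# PowerShell on the server that raised SID 30482. The remote addresses are the
# three quoted in the thread; replace them with whatever the current log shows.
$RemoteAddresses = @('152.32.205.193', '101.36.108.175', '101.36.97.74')

function Test-PrivateIPv4 {
    # True for RFC 1918 space (10/8, 172.16/12, 192.168/16), i.e. the site LAN.
    param([string]$Address)
    $o = $Address.Split('.') | ForEach-Object { [int]$_ }
    ($o[0] -eq 10) -or
    ($o[0] -eq 172 -and $o[1] -ge 16 -and $o[1] -le 31) -or
    ($o[0] -eq 192 -and $o[1] -eq 168)
}

function Get-FlaggedConnectionReport {
    param([string[]]$Addresses)
    # Services keyed by hosting PID, so a connection owned by svchost.exe can be
    # attributed to the service(s) running inside that particular instance.
    $svcByPid = Get-CimInstance Win32_Service |
        Where-Object { $_.ProcessId -ne 0 } |
        Group-Object -Property ProcessId -AsHashTable -AsString

    foreach ($addr in $Addresses) {
        $scope = if (Test-PrivateIPv4 $addr) { 'private/LAN' } else { 'public/WAN' }
        $conns = @(Get-NetTCPConnection -RemoteAddress $addr -ErrorAction SilentlyContinue)
        if ($conns.Count -eq 0) {
            [pscustomobject]@{ Remote = $addr; Scope = $scope; State = 'no live TCP connection'
                               LocalPort = $null; PID = $null; Process = $null; Services = $null }
            continue
        }
        foreach ($c in $conns) {
            $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
            $svcs = @($svcByPid["$($c.OwningProcess)"] | ForEach-Object { $_.Name })
            [pscustomobject]@{
                Remote    = "${addr}:$($c.RemotePort)"
                Scope     = $scope
                State     = $c.State
                # An ephemeral local port (49152 and up) is the usual sign that this
                # server opened the connection itself, i.e. the traffic is outbound.
                LocalPort = $c.LocalPort
                PID       = $c.OwningProcess
                Process   = $proc.ProcessName
                Services  = ($svcs -join ',')
            }
        }
    }
}

Get-FlaggedConnectionReport -Addresses $RemoteAddresses | Format-Table -AutoSize
```

Because IPS blocks the traffic, a connection may already be gone by the time the script runs; rerun it while the popup is fresh, or schedule it, to catch the owning service.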
Original Message:
Sent: May 06, 2024 12:58 PM
From: nambi_
Subject: Help I can't removed this Coinminer Activity 2 attack blocked
OK John, but based on what you mentioned before, is this warning on the machine whose client log / security log is showing this?
Original Message:
Sent: May 06, 2024 10:05 AM
From: John Owens
Subject: Help I can't removed this Coinminer Activity 2 attack blocked
Please open a Support Case to assist you with this one.
------------------------------
John Owens
Strategic Support Engineer | Enterprise Security Group
Broadcom Software
Original Message:
Sent: May 06, 2024 06:54 AM
From: nambi_
Subject: Help I can't removed this Coinminer Activity 2 attack blocked
Can you please elaborate? This is the ONLY server on this same network showing this. Users connected via Citrix are seeing this Symantec popup via their terminal services.
Upon reading about this, I'm led to believe something is on this server causing this, but it's difficult to detect and remove.
No other computers on the network from what I can see are detecting this. I can only see this in the client logs.
Original Message:
Sent: May 05, 2024 07:40 PM
From: John Owens
Subject: Help I can't removed this Coinminer Activity 2 attack blocked
This is a Network traffic detection by Intrusion Prevention. It's not something on the physical server.
------------------------------
John Owens
Strategic Support Engineer | Enterprise Security Group
Broadcom Software
Original Message:
Sent: May 05, 2024 08:41 AM
From: nambi_
Subject: Help I can't removed this Coinminer Activity 2 attack blocked
[SID: 30482] System Infected: Coinminer Activity 2 attack blocked. Traffic has been blocked for this application: C:\WINDOWS\SYSTEM32\SVCHOST.EXE
Intensive Protection level: N/A
I reverted from a backup from 2022, spent almost 20 hours getting this server back online, and today I see this again. I'm so frustrated with this.
We have had Endpoint for over 10 years. My scans will not detect this, but it constantly shows up in the client logs; this is the only way I detect it, and sometimes a pop-up when this is blocked. This does not show up in scans. I highly doubt this was in my 2022 backup.