Endpoint Protection


 SES IPS flagging TeamViewer

MIXIT posted Mar 22, 2021 03:39 PM
Hi all,
Starting I think around Friday or so, just about every one of my customers where I have IPS reports configured is seeing large quantities of IPS alerts, detections on port 5938.  Not sure if TCP or UDP, doesn't matter I guess for the purposes of this post though.  As it's happening to I believe every one of my customers, I imagine it's a false positive, or a worldwide hack of TeamViewer perhaps.  Anyone know what's happening?  I think TeamViewer had some maintenance recently so perhaps it was some kind of thing with that.
Robert Trimble
Hello,

Most likely a false positive that will be corrected before you can submit anything for an IPS false positive (I don't have access to confirm with Security Response.)  We haven't gotten any reports of this yet at TD.  Regardless, here is the process for submitting info on an IPS false positive:

  1. Ensure that the SEP client has the latest available IPS definitions in place.   Run LiveUpdate or confirm that the “Network Threat Protection” definition date on the client matches the latest available listed on Security Updates.
  2. Note if the intrusion is inbound or outbound, note the source and destination IP address (or domain), and note the exact IPS event number and name. (These details must be provided when reporting the suspected False Positive.)
  3. If the IPS event occurs when simply accessing a public website, copy the exact URL and details necessary to reproduce the issue. 
  4. Otherwise, using Wireshark, TCPDump or another packet capture tool, whitelist that domain or disable that IPS signature, then record the traffic which triggers the IPS event.  A video demonstrating how to capture network traffic is available. Be sure to enable that IPS signature once again immediately after the traffic is collected!

Once the data is collected, please submit it to: https://symsubmit.symantec.com/false_positive

Rob
TechData Support Services
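Before submitting, it helps to pull the step 2 details (direction, source/destination, exact event number and name) out of the exported IPS alerts and check how many hosts each signature hits, since a signature firing on most of a fleet on the same remote port points at a false positive rather than a single compromised machine. This is an added example, not code from the original thread or from Symantec; the log line format, the sample alert lines, the host names and the signature IDs/names are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in a simplified, hypothetical format (not real SEP
# log output): timestamp host direction proto src:port -> dst:port ID=n Name="..."
SAMPLE_ALERTS = """\
2021-03-22 09:12:01 PC-ACME-01 Outbound TCP 10.0.0.12:51022 -> 203.0.113.7:5938 ID=31234 Name="Hypothetical Sig A"
2021-03-22 09:13:44 PC-ACME-05 Outbound TCP 10.0.0.31:51800 -> 203.0.113.9:5938 ID=31234 Name="Hypothetical Sig A"
2021-03-22 10:01:10 PC-BETA-02 Outbound TCP 10.1.0.4:50211 -> 203.0.113.7:5938 ID=31234 Name="Hypothetical Sig A"
2021-03-22 11:40:55 PC-BETA-02 Inbound TCP 198.51.100.8:40120 -> 10.1.0.4:445 ID=20001 Name="Hypothetical Sig B"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+ \S+) (?P<host>\S+) (?P<direction>Inbound|Outbound) (?P<proto>TCP|UDP) '
    r'(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) '
    r'ID=(?P<event_id>\d+) Name="(?P<name>[^"]*)"$'
)

def parse_alerts(text):
    """Parse alert lines; lines that do not match are skipped, not fatal."""
    alerts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            alerts.append(m.groupdict())
    return alerts

def remote_endpoint(a):
    """The non-local side: destination for outbound, source for inbound."""
    return (a["dst"], a["dport"]) if a["direction"] == "Outbound" else (a["src"], a["sport"])

def summarize(alerts):
    """Group by signature/direction/protocol/remote port and collect what the
    submission needs: affected hosts, remote addresses, event id and name."""
    groups = defaultdict(lambda: {"hosts": set(), "remotes": set(), "count": 0})
    for a in alerts:
        ip, port = remote_endpoint(a)
        g = groups[(a["event_id"], a["name"], a["direction"], a["proto"], port)]
        g["hosts"].add(a["host"])
        g["remotes"].add(ip)
        g["count"] += 1
    return groups

def fleet_wide(groups, total_hosts, threshold=0.5):
    """Signatures seen on at least `threshold` of all hosts: likely a fleet-wide
    false positive to report, rather than something to triage host by host."""
    return [k for k, g in groups.items() if len(g["hosts"]) / total_hosts >= threshold]

if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    groups = summarize(alerts)
    hosts = {a["host"] for a in alerts}
    for eid, name, direction, proto, port in fleet_wide(groups, len(hosts)):
        g = groups[(eid, name, direction, proto, port)]
        print(f"ID {eid} {name!r} {direction} {proto}/{port}: "
              f"{len(g['hosts'])}/{len(hosts)} hosts, remotes={sorted(g['remotes'])}")
```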
MIXIT
Hey, sorry I didn't reply sooner.  The issue is still happening a month later.  It affects the majority of customer environments I manage, so it's definitely not something that requires troubleshooting on an individual basis, or engagement with frontline tech support, since I would expect by now that engineering is aware of the issue.  The question is, are there any updates? As I don't do anything custom with IPS nor with TeamViewer, it should mean anybody with TV on a Windows 10 computer and with IPS reports scheduled to email daily will see this issue, so it's easily reproduced.

There's some kind of behaviour that TeamViewer engages in that's done frequently, but not daily, as I would estimate about 80-95% of any customer's IPS reports have one or more computers flagging that port 5938 activity, but not every computer every time, type of thing.  Also it never seems to occur on Macs.

Usually the vendor (Symantec) will have already reached out to the other vendor (TeamViewer GmbH or whatever), so I'm just curious if we have any public updates on this.  I'd be shocked to learn Symantec wasn't aware of this issue, TeamViewer being "the most popular remote access software in the world" as they claim :)