I made the error in assuming "SEP" was "SES" in this post. People commonly mistake the two, and in effect they're now the same product but Symantec hasn't really properly separated the naming yet, so often SEP is the name still used. Anyway, so in short, the steps in the article you mentioned seem to not be available to me in the SES cloud console. If I edit the Default Intrusion Prevention policy, there is no option to choose Windows Settings and the like. I'm perhaps missing something but I didn't see this.
Original Message:
Sent: 05-05-2021 04:32 AM
From: Torbjørn Remmen
Subject: False positives with SEP and Teamviewer?
This is just an Audit log to inform that SEP is seeing Teamviewer activity in the network. Often team viewer is unwanted in an enterprise due to unwanted access controls.
You can disable the alert by creating an exception if needed.
https://techdocs.broadcom.com/us/en/symantec-security-software/endpoint-security-and-management/endpoint-protection/all/Using-policies-to-manage-security/managing-intrusion-prevention-v36820771-d53e8657/creating-exceptions-for-ips-signatures-v38528395-d53e9744.html
------------------------------
Syscom AS
Original Message:
Sent: 05-03-2021 10:51 AM
From: Colin McRae
Subject: False positives with SEP and Teamviewer?
Yeah, I've been annoyed by this issue for well over a month, maybe two months. I manage a lot of SES customers and most of them are seeing "attacks" on port 5938 almost every day (seen via IPS reports). So far Symantec has not acknowledged the issue in a separate post I had made a while ago; they're busy with other stuff I suppose. Judging by Teamviewer's general behavior over the years I've been using it, I don't think they have a very solid product design that's impervious to compromise, so I would not be surprised to learn some day in the future that their product had been hacked or something, but having said that, there's currently no reason to think they're any real issue.
The problem lacks the regularity of a heartbeat, but happens often enough that I am very much confused by the pattern.
It's also not OK to just whitelist the exe file; that's lazy secops behavior and rules out real detections later. So on this one I would have to think Symantec needs to talk to TeamViewer and work this out, or just identify the false positive trigger and fix that if applicable.
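Following Torbjørn's note that this signature only produces audit events and Colin's point that whitelisting the exe is too broad, here is an added triage script (my own, not from the thread, Symantec or TeamViewer) that scopes the "expected" case narrowly: only teamviewer_service.exe running from the assumed install directory, outbound to TCP 5938, is treated as expected audit noise, and everything else stays in the escalation queue. The key=value log lines, the install paths and the field names are constructed assumptions, not SEPM's real export format.

```python
import re

# Constructed sample events in an assumed key=value layout (not SEPM's real log format).
SAMPLE_LOG = """\
host=WS01 process=C:\\Program Files\\TeamViewer\\teamviewer_service.exe direction=outbound proto=tcp remote_port=5938 action=logged
host=WS02 process=C:\\Program Files\\TeamViewer\\teamviewer_service.exe direction=outbound proto=tcp remote_port=5938 action=logged
host=WS03 process=C:\\Users\\bob\\AppData\\Local\\Temp\\teamviewer_service.exe direction=outbound proto=tcp remote_port=5938 action=logged
host=WS04 process=C:\\Program Files\\TeamViewer\\teamviewer_service.exe direction=outbound proto=tcp remote_port=4444 action=logged
host=WS05 process=C:\\Windows\\System32\\svchost.exe direction=outbound proto=tcp remote_port=5938 action=blocked
"""

# Assumed install locations; the thread does not state them.
EXPECTED_DIRS = ("c:\\program files\\teamviewer\\", "c:\\program files (x86)\\teamviewer\\")
TEAMVIEWER_PORT = "5938"  # port named in the thread

# key=value pairs; values may contain spaces (paths), so stop only before the next " key=".
KV_RE = re.compile(r"(\w+)=(.+?)(?=\s\w+=|$)")


def parse_event(line):
    """Turn one constructed log line into a dict of fields."""
    return {k: v for k, v in KV_RE.findall(line)}


def triage(event):
    """Return (verdict, reason). Only the narrow expected profile is marked audit-only."""
    proc = event.get("process", "").lower()
    name = proc.rsplit("\\", 1)[-1]
    in_expected_dir = any(proc.startswith(d) for d in EXPECTED_DIRS)
    if (name == "teamviewer_service.exe" and in_expected_dir
            and event.get("direction") == "outbound"
            and event.get("remote_port") == TEAMVIEWER_PORT):
        return "expected", "teamviewer_service.exe from install dir, outbound TCP 5938; audit-only"
    if name == "teamviewer_service.exe":
        return "escalate", "teamviewer_service.exe event outside the expected outbound-5938 profile"
    return "escalate", "port/profile match from a non-TeamViewer process or unrelated signature"


def triage_log(text):
    """Triage every non-empty line; returns a list of (host, verdict, reason)."""
    results = []
    for line in text.splitlines():
        if line.strip():
            ev = parse_event(line)
            verdict, reason = triage(ev)
            results.append((ev.get("host", "?"), verdict, reason))
    return results


if __name__ == "__main__":
    for host, verdict, reason in triage_log(SAMPLE_LOG):
        print(f"{host}: {verdict} ({reason})")
```

Only WS01 and WS02 match the narrow profile; the copy in a user's Temp directory, the odd destination port and the non-TeamViewer process on 5938 are all left for a human to look at.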
Original Message:
Sent: 04-29-2021 01:59 PM
From: r m
Subject: False positives with SEP and Teamviewer?
I've got some machines with Teamviewer installed. I'm seeing a lot of outbound attacks in SEPM logs for network attack on some machines that have Teamviewer, and different versions of Teamviewer. It looks like Symantec is calling teamviewer_service.exe an outbound attack. I'm thinking it's some kind of heartbeat/check-in thing that Teamviewer is doing, that machine reporting itself in with Teamviewer.
Is anyone seeing that? That is a false positive, correct? It's pretty consistent on machines with Teamviewer. I don't believe they all got compromised, and there are no other signs. My network attacks alerts started blowing up yesterday morning.
------------------------------
rmo
------------------------------