Endpoint Protection

  • 1.  IPS and Coinminer related activity

    Posted Oct 14, 2021 10:23 AM
    Hello,

    Does anyone have an idea why there are some Coinminer activities where IPS detects them as "Audit" (and of course they are not blocked by default), but most of them are detected as "System Infected" or "Web Attack", as per the attached screenshot?
    Why are there Coinminers detected as Audit and not as another type of attack, so that they are automatically blocked?
    The screenshot shows some of the Coinminer signatures exported from the IPS policy.


  • 2.  RE: IPS and Coinminer related activity

    Posted Oct 15, 2021 03:23 AM
    Hi,

    An Audit signature is created for scenarios where you would not necessarily want to block the traffic directly. This can be because of the risk of false positives, as an example.

    You're advised to change these signatures to Block if you're not seeing any detections for these signatures on legitimate traffic in your environment.

    Here you have an example for "Audit: JSCoinminer Download 3".

    https://www.broadcom.com/support/security-center/attacksignatures/detail?asid=30352

    Response

    Unless otherwise known, any unintended coin-miner Activity in this network traffic should be treated as Malicious. Actions should be taken to suspend and audit the communication and potentially block this network Activity from further communication.

    It is advised to block this traffic using the process mentioned in the following link:
    https://knowledge.broadcom.com/external/article/176042/about-endpoint-protection-audit-signatur.html
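    As an added illustration of the tuning step described above (this is not code from the thread or from Broadcom), the script below triages IPS events: it separates "Audit:" signature hits from blocking ones and, for each Audit signature, recommends promoting it to Block only when none of its hits came from a host where the activity is sanctioned. The event records, host names and the signature names other than "Audit: JSCoinminer Download 3" are constructed; SEP's real export format differs, so the field order is an assumption.

    ```python
    # Added example, not from the thread or from Broadcom.
    # Constructed IPS event records: (signature, action, host, process).
    # Field order is an assumption; adapt it to your own IPS log export.
    from collections import Counter, defaultdict

    EVENTS = [
        ("Audit: JSCoinminer Download 3", "Allowed", "ws-017", "chrome.exe"),
        ("Audit: JSCoinminer Download 3", "Allowed", "ws-042", "msedge.exe"),
        ("Audit: Trojan.Coinminer Activity", "Allowed", "lab-crypto-01", "xmrig.exe"),
        ("System Infected: Trojan.Coinminer Activity 2", "Blocked", "ws-017", "svchost.exe"),
        ("Web Attack: JSCoinminer Download 1", "Blocked", "ws-099", "firefox.exe"),
    ]

    # Constructed: hosts where coin-mining traffic is expected (e.g. a test lab).
    SANCTIONED_HOSTS = {"lab-crypto-01"}


    def is_audit(signature):
        """Audit signatures are named with an 'Audit:' prefix; they log only."""
        return signature.startswith("Audit:")


    def action_summary(events):
        """Count how many events were merely logged (Audit) versus blocked."""
        return Counter("audit" if is_audit(sig) else "blocked" for sig, *_ in events)


    def audit_review(events, sanctioned_hosts):
        """For each Audit signature, list its hits and recommend a policy change:
        'promote_to_block' when no hit came from a sanctioned host, else
        'review' so an analyst can confirm the remaining hits are legitimate."""
        hits = defaultdict(list)
        for sig, _action, host, proc in events:
            if is_audit(sig):
                hits[sig].append((host, proc))
        report = {}
        for sig, sig_hits in hits.items():
            legit = sorted({host for host, _ in sig_hits if host in sanctioned_hosts})
            report[sig] = {
                "hits": len(sig_hits),
                "sanctioned_hits": legit,
                "recommendation": "promote_to_block" if not legit else "review",
            }
        return report


    if __name__ == "__main__":
        print(dict(action_summary(EVENTS)))
        for sig, row in audit_review(EVENTS, SANCTIONED_HOSTS).items():
            print(f"{sig}: {row}")
    ```
    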




  • 3.  RE: IPS and Coinminer related activity

    Posted Oct 15, 2021 07:28 AM
    I know that I can set these Allow signatures to Block, but it still doesn't make sense why only 4 Coinminer related signatures are set as "Audit" (and by default the traffic is allowed), whereas all others are blocking such traffic and are not Audit signatures (as per my screenshot above).


  • 4.  RE: IPS and Coinminer related activity

    Broadcom Employee
    Posted Oct 15, 2021 11:49 AM
    Audit signatures are never blocked by default. This is to protect against possible FPs.  If you would like to set these to Block you have the option to do so.  This should be tested though for adverse effects.

    ------------------------------
    John Owens
    Strategic Support Engineer | Symantec Endpoint Security Division (SES)
    Broadcom Software
    ------------------------------



  • 5.  RE: IPS and Coinminer related activity

    Posted Oct 15, 2021 12:02 PM
    Hi John, yes, I know this, but still the question is why these 4 Coinminer (JS.Coinminer, Trojan.Coinminer) related signatures are Audit and not like the rest from the screenshot? What is the reason? Does Symantec think that this Coinminer traffic is normal and just logs it, or is there another reason to leave them as Audit?


  • 6.  RE: IPS and Coinminer related activity

    Broadcom Employee
    Posted Oct 15, 2021 12:21 PM

    Hi Stefan,

    We are not able to provide specific reasons as to why we differentiate Audit sigs vs. non-audit sigs.  The most likely reason is due to the possibility of increased FPs with the signatures.



    ------------------------------
    John Owens
    Strategic Support Engineer | Symantec Endpoint Security Division (SES)
    Broadcom Software
    ------------------------------