Audit signatures are never blocked by default. This is to protect against possible FPs. If you would like to set these to Block you have the option to do so. This should be tested though for adverse effects.
------------------------------
John Owens
Strategic Support Engineer | Symantec Endpoint Security Division (SES)
Broadcom Software
------------------------------
Original Message:
Sent: 10-15-2021 07:27 AM
From: Stefan
Subject: IPS and Coinminer related activity
I know that I can set these Allow signatures to Block, but it still doesn't make sense why only 4 Coinminer related signatures are set as "Audit" (and by default traffic is allowed) whereas all others are blocking such traffic and are not Audit signatures (as per my screenshot above).
Original Message:
Sent: 10-15-2021 03:22 AM
From: Andreas Brogren
Subject: IPS and Coinminer related activity
Hi,
An Audit signature is created for scenarios where you would not necessarily want to block the traffic directly. This can be because of the risk of false positives, as an example.
You're advised to change these signatures to Block if you're not seeing any detections for these signatures on legitimate traffic in your environment.
Here you have an example for "Audit: JSCoinminer Download 3".
https://www.broadcom.com/support/security-center/attacksignatures/detail?asid=30352
Response
Unless otherwise known, any unintended coin-miner Activity in this network traffic should be treated as Malicious. Actions should be taken to suspend and audit the communication and potentially block this network Activity from further communication.
It is advised to block this traffic using the process mentioned in the following link:
https://knowledge.broadcom.com/external/article/176042/about-endpoint-protection-audit-signatur.html
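The review step described above (check whether an Audit signature has fired on legitimate traffic before switching it to Block) as an added example, not part of the original post or of any Symantec tooling. The policy export columns and the log line format are assumptions constructed for the example; only signature 30352 is from the thread, the other IDs are made up.

```python
import csv
import io
import re

# Constructed IPS policy export. The column layout is an assumption, not the real
# SEPM export format. Signature 30352 is the one linked in the thread; the other
# signature IDs are made up for the example.
POLICY_CSV = """signature_id,signature_name,category,action
30352,Audit: JSCoinminer Download 3,Audit,Allow
90001,Audit: JSCoinminer Download (example),Audit,Allow
90002,System Infected: Coinminer Activity (example),System Infected,Block
90003,Web Attack: JSCoinminer Download (example),Web Attack,Block
"""

# Constructed IPS detection log lines (format is an assumption).
IPS_LOG = [
    "2021-10-13 11:02:41 host=ws-017 sig=30352 action=Allowed dest=cdn.example.net",
    "2021-10-13 15:40:09 host=ws-017 sig=30352 action=Allowed dest=cdn.example.net",
    "2021-10-14 08:15:33 host=ws-042 sig=90002 action=Blocked dest=pool.example.org",
]

LOG_RE = re.compile(r"host=(?P<host>\S+) sig=(?P<sig>\d+) action=(?P<action>\S+)")


def load_policy(policy_csv):
    """Map signature_id -> policy row."""
    return {row["signature_id"]: row for row in csv.DictReader(io.StringIO(policy_csv))}


def hosts_per_signature(log_lines):
    """Map signature_id -> set of hosts on which it fired in the review window."""
    hits = {}
    for line in log_lines:
        m = LOG_RE.search(line)
        if m:
            hits.setdefault(m["sig"], set()).add(m["host"])
    return hits


def audit_signature_report(policy_csv, log_lines):
    """For each Audit signature still set to Allow: recommend Block when nothing
    matched it in the review window, otherwise flag it for review with the hosts
    involved, since those hits may be legitimate traffic (false positives)."""
    policy, hits = load_policy(policy_csv), hosts_per_signature(log_lines)
    report = {}
    for sig_id, row in policy.items():
        if row["category"] != "Audit" or row["action"].lower() == "block":
            continue
        hosts = sorted(hits.get(sig_id, ()))
        report[sig_id] = {
            "name": row["signature_name"],
            "hosts": hosts,
            "recommendation": "set to Block" if not hosts else "review hosts before blocking",
        }
    return report


if __name__ == "__main__":
    for sig_id, info in audit_signature_report(POLICY_CSV, IPS_LOG).items():
        print(sig_id, info["name"], "->", info["recommendation"], info["hosts"])
```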
Original Message:
Sent: 10-14-2021 10:23 AM
From: Stefan
Subject: IPS and Coinminer related activity
Hello,
Does anyone have an idea why there are some Coinminer activities where IPS detects them as "Audit" (and of course are not blocked by default) but most of them are detected as "System Infected" or "Web Attack" as per the attached screenshot?
Why are there Coinminers detected as Audit and not as another type of attack that is automatically blocked?
The screenshot shows some of the Coinminer signatures exported from the IPS policy.