The signature [SID: 31485] Infected system: Trojan.Backdoor Activity 410 no longer appears on the IPS.
I think it was really a false positive and Broadcom removed that signature on the IPS.
------------------------------
DSR9 Tecnologia da Informacao LTDA
------------------------------
Original Message:
Sent: 09-10-2020 04:30 PM
From: Torbjørn Remmen
Subject: [SID: 31485] System Infected: Trojan.Backdoor Activity 410 attack blocked
We are seeing multiple "[SID: 31485] System Infected: Trojan.Backdoor Activity 410 attack blocked" attacks against multiple Domain Controllers on Kerberos UDP 88 against LSASS.exe, coming from a VMware Host.
They started a minute after the latest IPS signature was applied.
Is anyone else seeing these detections? Looks like a false positive, but would like confirmation.