Endpoint Protection


[SID: 33113] Audit: Group Policy Disable Windows Defender attack detected but not blocked. Application path: SYSTEM

  • 1.  [SID: 33113] Audit: Group Policy Disable Windows Defender attack detected but not blocked. Application path: SYSTEM

    Posted Jun 24, 2021 10:04 AM
    Hello,

    Anyone else seeing these events from IPS? We started getting them since yesterday on all Win 10 computers.
    SEP versions are different (14.3 and 14.3 RU1 MP1); the IPS signatures are dated 23/06/2021, rev 61 (for 14.3) and rev 71 (for 14.3 RU1 MP1).

    Nothing was changed from GPO side. Was there some update in the IPS signatures from Broadcom side that may cause these events?


  • 2.  RE: [SID: 33113] Audit: Group Policy Disable Windows Defender attack detected but not blocked. Application path: SYSTEM

    Broadcom Employee
    Posted Jun 24, 2021 10:13 AM

    Hi Stefan,

    We have noticed this as well. We will be disabling logging on these Audit signatures with a new IPS update today. Please stand by.



    ------------------------------
    John Owens
    Strategic Support Engineer | Symantec Enterprise Division (SED)
    Symantec
    United States
    ------------------------------



  • 3.  RE: [SID: 33113] Audit: Group Policy Disable Windows Defender attack detected but not blocked. Application path: SYSTEM

    Posted Jun 24, 2021 10:18 AM
    Thanks for the update John, so we can assume that these are false detections, correct?
    What triggered these detections, was it something related to GPO or something else?


  • 4.  RE: [SID: 33113] Audit: Group Policy Disable Windows Defender attack detected but not blocked. Application path: SYSTEM

    Broadcom Employee
    Posted Jun 24, 2021 10:26 AM
    These are audit signatures that trigger on group policies, which are mostly received on the computer when it starts up, hence the high number of pings. I would treat them as false detections at this point.

    ------------------------------
    John Owens
    Strategic Support Engineer | Symantec Enterprise Division (SED)
    Symantec
    United States
    ------------------------------



  • 5.  RE: [SID: 33113] Audit: Group Policy Disable Windows Defender attack detected but not blocked. Application path: SYSTEM

    Posted Jun 24, 2021 10:30 AM
    Thanks, so waiting for the new IPS defs


  • 6.  RE: [SID: 33113] Audit: Group Policy Disable Windows Defender attack detected but not blocked. Application path: SYSTEM

    Posted Jun 24, 2021 12:36 PM
    We opened a case with Broadcom after starting to see numerous alerts once our IPS definitions were updated on 6/22/21 (LiveUpdate Defs ID 20210622.061), did a packet capture, and were told they couldn't reproduce the issue. After researching this, but initially not seeing anything online other than realizing that this seems to be triggered by our old group policy that disables Windows Defender since we use SEP, it seemed to be a false positive. Sent off information about this to an off-premise security team as well.

    I still have a packet capture ongoing, and ran a gpupdate /force, but nothing showed up again on the alerts while trying to force it to be triggered again. We've now had 552 alerts, and we are thinking about moving to a new endpoint protection solution provider due to the lack of response from Broadcom.

    ------------------------------
    Skagit County Government
    ------------------------------



  • 7.  RE: [SID: 33113] Audit: Group Policy Disable Windows Defender attack detected but not blocked. Application path: SYSTEM

    Broadcom Employee
    Posted Jun 24, 2021 12:38 PM
    This should be addressed today. What was your case number?

    ------------------------------
    John Owens
    Strategic Support Engineer | Symantec Enterprise Division (SED)
    Symantec
    United States
    ------------------------------



  • 8.  RE: [SID: 33113] Audit: Group Policy Disable Windows Defender attack detected but not blocked. Application path: SYSTEM

    Posted Jun 24, 2021 07:08 PM
    Case # 32751711


  • 9.  RE: [SID: 33113] Audit: Group Policy Disable Windows Defender attack detected but not blocked. Application path: SYSTEM

    Posted Jun 24, 2021 01:20 PM
    To be honest I am also not happy with the support for past few years.
    But from my experience so far, looks like here in the forum we can get faster response from some of the Symantec engineers (especially when John Owens is at work) than waiting for someone to respond to our tickets.


  • 10.  RE: [SID: 33113] Audit: Group Policy Disable Windows Defender attack detected but not blocked. Application path: SYSTEM

    Broadcom Employee
    Posted Jun 24, 2021 08:35 PM

    Please let me know if this is still happening for you with June 24, 2021 r71 or newer IPS content.

    Thanks



    ------------------------------
    John Owens
    Strategic Support Engineer | Symantec Enterprise Division (SED)
    Symantec
    United States
    ------------------------------



  • 11.  RE: [SID: 33113] Audit: Group Policy Disable Windows Defender attack detected but not blocked. Application path: SYSTEM

    Posted Jun 25, 2021 01:06 AM
    Hi John,

    Yep, we're still seeing them. This is on IPS defs dated "Thursday, 24 June 2021 r71".

    We are in Western Australia (GMT +8).  Last def updates were around 8:49 am this morning (which would have been r71).  Time is 1:04 pm now, and have just had another of these alerts.

    Steve



  • 12.  RE: [SID: 33113] Audit: Group Policy Disable Windows Defender attack detected but not blocked. Application path: SYSTEM

    Posted Jun 25, 2021 09:08 AM
    Same issue here. SEPM (14.3.558.0000) running definitions 6/24/21 r21. These appear to be the latest auto-download definitions available for me.

    Are these alerts simply letting us know that Windows Defender is disabled?   

    I added an IPS exception for this SID with Allow and 'Do not log' as the action.   This stopped the hundreds of email alerts but I am still seeing the notifications on the SEPM console.  

    I have ticket number 60000438 opened with support and their response is very slow.



    ------------------------------
    Badgley Phelps and Bell
    ------------------------------



  • 13.  RE: [SID: 33113] Audit: Group Policy Disable Windows Defender attack detected but not blocked. Application path: SYSTEM

    Posted Jun 25, 2021 09:48 AM
    In regards to the support....I also opened a case yesterday and so far no response. So may be we have to wait here for John Owens to tell us what is the latest status because from what I see the events are still generated


  • 14.  RE: [SID: 33113] Audit: Group Policy Disable Windows Defender attack detected but not blocked. Application path: SYSTEM

    Posted Jun 25, 2021 11:25 AM
    Good luck Stefan.  We opened a case on Tuesday.  Still not fixed.


  • 15.  RE: [SID: 33113] Audit: Group Policy Disable Windows Defender attack detected but not blocked. Application path: SYSTEM

    Posted Jun 25, 2021 11:41 AM
    Correction. I have not stopped the email alerts.  Can anybody suggest how to stop these alerts?  My IPS exception in place does not appear to be working (Allow, Do not log)

    ------------------------------
    Badgley Phelps and Bell
    ------------------------------



  • 16.  RE: [SID: 33113] Audit: Group Policy Disable Windows Defender attack detected but not blocked. Application path: SYSTEM

    Posted Jun 25, 2021 11:45 AM
    Hi Joshua - we haven't turned off the notifications on our end.  Did not want to risk that a true threat would go unnoticed.  Good luck!


  • 17.  RE: [SID: 33113] Audit: Group Policy Disable Windows Defender attack detected but not blocked. Application path: SYSTEM

    Posted Jun 25, 2021 11:46 AM
    What a mess!

    ------------------------------
    Badgley Phelps and Bell
    ------------------------------



  • 18.  RE: [SID: 33113] Audit: Group Policy Disable Windows Defender attack detected but not blocked. Application path: SYSTEM

    Posted Jun 25, 2021 12:25 PM
    Shouldn't we be able to add an exception to the IPS rules for this?

    ------------------------------
    Badgley Phelps and Bell
    ------------------------------



  • 19.  RE: [SID: 33113] Audit: Group Policy Disable Windows Defender attack detected but not blocked. Application path: SYSTEM

    Broadcom Employee
    Posted Jun 25, 2021 02:17 PM

    Hi All,

    Has everyone confirmed that the clients sending these alerts are running IPS content June 24, 2021 r71?


    If so can I get a Symdiag from one of these clients, please?

    https://support.symantec.com/en_US/article.TECH203029.html



    ------------------------------
    John Owens
    Strategic Support Engineer | Symantec Enterprise Division (SED)
    Symantec
    United States
    ------------------------------



  • 20.  RE: [SID: 33113] Audit: Group Policy Disable Windows Defender attack detected but not blocked. Application path: SYSTEM

    Posted Jun 25, 2021 04:08 PM
    There's way more in here than you need, but do with it what you will. I did download the latest IPS on the server and then forced a policy update on the workstation, but no change.

    Thank you!


  • 21.  RE: [SID: 33113] Audit: Group Policy Disable Windows Defender attack detected but not blocked. Application path: SYSTEM

    Broadcom Employee
    Posted Jun 25, 2021 05:13 PM

    Hi Sandra,

    Did you upload a Symdiag?

    Thanks,

    John Owens



    ------------------------------
    John Owens
    Strategic Support Engineer | Symantec Enterprise Division (SED)
    Symantec
    United States
    ------------------------------



  • 22.  RE: [SID: 33113] Audit: Group Policy Disable Windows Defender attack detected but not blocked. Application path: SYSTEM

    Posted Jun 25, 2021 05:40 PM
    Did you NOT get the Sym Diag?


  • 23.  RE: [SID: 33113] Audit: Group Policy Disable Windows Defender attack detected but not blocked. Application path: SYSTEM

    Broadcom Employee
    Posted Jun 25, 2021 05:41 PM
    I did not. Can you upload to your case and I will pull it down from there?

    ------------------------------
    John Owens
    Strategic Support Engineer | Symantec Enterprise Division (SED)
    Symantec
    United States
    ------------------------------



  • 24.  RE: [SID: 33113] Audit: Group Policy Disable Windows Defender attack detected but not blocked. Application path: SYSTEM

    Broadcom Employee
    Posted Jun 25, 2021 05:14 PM
    When you updated IPS did it go to 6/25/2021 Rev 71?

    ------------------------------
    John Owens
    Strategic Support Engineer | Symantec Enterprise Division (SED)
    Symantec
    United States
    ------------------------------



  • 25.  RE: [SID: 33113] Audit: Group Policy Disable Windows Defender attack detected but not blocked. Application path: SYSTEM

    Broadcom Employee
    Posted Jun 25, 2021 05:29 PM

    HI All,

    If you see alerts coming into the SEPM, please check what definitions are loaded on the clients sending these alerts under "Network and Host Exploit Mitigation". If it is not 6/24/21 r71 or newer, you will need to update the content on those clients to stop this from happening.

    If you have clients with "Network and Host Exploit Mitigation" at 6/24/21 or 6/25/21 still logging this we will need to investigate. Please run a Symdiag and upload to a case you have for investigation. Or send directly to me.

    Thanks,
    John Owens



    ------------------------------
    John Owens
    Strategic Support Engineer | Symantec Enterprise Division (SED)
    Symantec
    United States
    ------------------------------



  • 26.  RE: [SID: 33113] Audit: Group Policy Disable Windows Defender attack detected but not blocked. Application path: SYSTEM

    Broadcom Employee
    Posted Jun 25, 2021 05:45 PM

    I just received confirmation that all of these have been turned off with 6/25/2021 R71 IPS defs.  Once clients update IPS content to this date the alerts should stop.



    ------------------------------
    John Owens
    Strategic Support Engineer | Symantec Enterprise Division (SED)
    Symantec
    United States
    ------------------------------
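    The triage rule John gives in the two posts above (check the IPS content loaded on each alerting client; if it is older than the fixed content, update it, otherwise collect a SymDiag and investigate) is easy to apply by hand for a handful of machines but not for hundreds of events. The script below is an added example, not part of the thread or of any Symantec/Broadcom tool: it takes a CSV export of IPS events and buckets each alerting host by the newest IPS content it reported. The column names and the sample rows are constructed for the example (SEPM's real export layout differs), and the "fixed" content level is assumed to be 6/25/2021 r71 as stated in the post above.

```python
import csv
import io
import re
from collections import defaultdict
from datetime import date

# Constructed sample export. Column names are an assumption for this example,
# not SEPM's real export format. Every row is the SID 33113 audit event.
SAMPLE_CSV = """timestamp,computer,signature_id,signature_name,action,ips_content
2021-06-25 08:50:12,WS-0101,33113,Audit: Group Policy Disable Windows Defender,Detected but not blocked,6/24/2021 r61
2021-06-25 13:04:33,WS-0101,33113,Audit: Group Policy Disable Windows Defender,Detected but not blocked,6/24/2021 r61
2021-06-28 09:10:05,WS-0102,33113,Audit: Group Policy Disable Windows Defender,Detected but not blocked,6/25/2021 r61
2021-06-28 10:39:41,SRV-FILE01,33113,Audit: Group Policy Disable Windows Defender,Detected but not blocked,6/27/2021 r8
2021-06-28 11:02:19,WS-0103,33113,Audit: Group Policy Disable Windows Defender,Detected but not blocked,6/25/2021 r71
"""

# IPS content labels look like "6/25/2021 r71": a release date plus a revision
# counter that restarts each day, so versions compare as (date, revision).
CONTENT_RE = re.compile(r"^(\d{1,2})/(\d{1,2})/(\d{4})\s+[rR](\d+)$")


def parse_content_version(label):
    """Turn an IPS content label such as '6/25/2021 r71' into (date, revision)."""
    m = CONTENT_RE.match(label.strip())
    if not m:
        raise ValueError(f"unrecognised IPS content label: {label!r}")
    month, day, year, rev = (int(g) for g in m.groups())
    return (date(year, month, day), rev)


# Content level at which the audit signature was reportedly turned off
# (assumed from the thread: 6/25/2021 r71).
FIXED_CONTENT = parse_content_version("6/25/2021 r71")


def triage_ips_events(csv_text, sid="33113", fixed=FIXED_CONTENT):
    """Group events for one SID by host and decide what to do per host.

    Returns {host: {"alerts": n, "content": "YYYY-MM-DD rN", "verdict": ...}}
    where verdict is "update_content" when the newest content the host has
    reported is older than `fixed`, and "investigate" when the host is already
    at or past `fixed` yet still logging the event (SymDiag territory).
    """
    per_host = defaultdict(lambda: {"count": 0, "latest": None})
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["signature_id"] != sid:
            continue
        entry = per_host[row["computer"]]
        entry["count"] += 1
        version = parse_content_version(row["ips_content"])
        # A host may report several content levels over time; judge it by the newest.
        if entry["latest"] is None or version > entry["latest"]:
            entry["latest"] = version

    result = {}
    for host, entry in per_host.items():
        content_date, rev = entry["latest"]
        verdict = "update_content" if entry["latest"] < fixed else "investigate"
        result[host] = {
            "alerts": entry["count"],
            "content": f"{content_date.isoformat()} r{rev}",
            "verdict": verdict,
        }
    return result


if __name__ == "__main__":
    for host, info in sorted(triage_ips_events(SAMPLE_CSV).items()):
        print(f"{host:12} alerts={info['alerts']:3}  content={info['content']:16}  {info['verdict']}")
```

    Hosts on 6/24 r61 or 6/25 r61 land in the "update_content" bucket, which matches the thread: those clients simply have not received the content that silenced the signature. A host that is already at 6/25 r71 (or later, like the 6/27 r8 server reported further down) and still alerting is the case John asks a SymDiag for, so it is flagged "investigate" rather than silently excluded. Note that the script only ranks content versions; it does not know about IPS exceptions, so a host that keeps alerting after the update should also be checked for a lingering exception on this SID, which later posts in the thread report as another cause.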



  • 27.  RE: [SID: 33113] Audit: Group Policy Disable Windows Defender attack detected but not blocked. Application path: SYSTEM

    Posted Jun 25, 2021 08:31 PM
    As of now, the below URL is showing that IPS 6/25/21 rev 61 is the latest. When will r71 be certified and show on this site?

    https://www.broadcom.com/support/security-center/definitions?pid=sep14

    ------------------------------
    Badgley Phelps and Bell
    ------------------------------



  • 28.  RE: [SID: 33113] Audit: Group Policy Disable Windows Defender attack detected but not blocked. Application path: SYSTEM

    Broadcom Employee
    Posted Jun 25, 2021 08:47 PM
    Any dated 4/25 will work. 






  • 29.  RE: [SID: 33113] Audit: Group Policy Disable Windows Defender attack detected but not blocked. Application path: SYSTEM

    Posted Jun 25, 2021 11:28 PM
    My clients have IPS definitions 6/25/21 R61 installed and the alerts are still coming.

    ------------------------------
    Badgley Phelps and Bell
    ------------------------------



  • 30.  RE: [SID: 33113] Audit: Group Policy Disable Windows Defender attack detected but not blocked. Application path: SYSTEM

    Broadcom Employee
    Posted Jun 26, 2021 01:19 PM

    Please provide a Symdiag following this document:  

    How to collect full support logs for Support with the SymDiag utility



    ------------------------------
    John Owens
    Strategic Support Engineer | Symantec Enterprise Division (SED)
    Symantec
    United States
    ------------------------------



  • 31.  RE: [SID: 33113] Audit: Group Policy Disable Windows Defender attack detected but not blocked. Application path: SYSTEM

    Posted Jun 26, 2021 04:54 PM
    Is there a private way to submit the SymDiag results? I don't have a Symantec ticket. My ticket is through a Broadcom reseller.

    ------------------------------
    Badgley Phelps and Bell
    ------------------------------



  • 32.  RE: [SID: 33113] Audit: Group Policy Disable Windows Defender attack detected but not blocked. Application path: SYSTEM

    Posted Jun 28, 2021 09:11 AM
    Looks like this is fixed; we are not getting these alerts anymore.


  • 33.  RE: [SID: 33113] Audit: Group Policy Disable Windows Defender attack detected but not blocked. Application path: SYSTEM

    Posted Jun 28, 2021 10:39 AM
    Hello. We are having the same issues with the newest updates. For instance, this server has the virus definitions from 06/27/2021 r8.

    And you can see that it has triggered the alert a few minutes ago:

    I have opened a Broadcom Case with the ID 32754352. A technician has called me and he told me to modify some policy settings, but the problem isn't fixed. 
    Thanks



  • 34.  RE: [SID: 33113] Audit: Group Policy Disable Windows Defender attack detected but not blocked. Application path: SYSTEM

    Posted Jun 28, 2021 11:58 AM
    Same story here. We've had this issue with these false alerts since last Tuesday morning, so for almost a week now. We already opened a case with Broadcom as well; the response was that they couldn't duplicate the issue. I tried last week creating an exception to this signature in the IPS policies, and just allowing the traffic without logging it, and the issue continues. We now have over 1200 false positive alerts, and a lot of other groups are receiving the e-mail alerts very often, so it's just a nuisance.

    Our LiveUpdate checks every 4 hours, and we're currently running IPS definitions from 6/25/2021 r61. I would think many customers who use Microsoft Windows and Broadcom endpoint security would have to disable Windows Defender using a group policy, so why we'd even need a signature to detect that group policy makes zero sense. Maybe sometime today the alerts will finally stop if the IPS definitions are able to auto-update to the 6/25/2021 r71 IPS defs...

    ------------------------------
    Skagit County Government
    ------------------------------



  • 35.  RE: [SID: 33113] Audit: Group Policy Disable Windows Defender attack detected but not blocked. Application path: SYSTEM

    Posted Jun 28, 2021 10:39 AM
    Edited by Alejandro Gonzalez Jun 28, 2021 11:45 AM
    Sorry, I thought that the definitions that were problematic were the Virus and Spyware Protection ones. Wrong images attached.

    Is there any updates on this?

    Regards

    Thanks


  • 36.  RE: [SID: 33113] Audit: Group Policy Disable Windows Defender attack detected but not blocked. Application path: SYSTEM

    Broadcom Employee
    Posted Jun 28, 2021 01:09 PM
    The issue is resolved on our end. If you added IPS Exclusions for these 3 SIDs, please remove them. Report back if that takes care of the alerts.

    ------------------------------
    John Owens
    Strategic Support Engineer | Symantec Enterprise Division (SED)
    Symantec
    United States
    ------------------------------



  • 37.  RE: [SID: 33113] Audit: Group Policy Disable Windows Defender attack detected but not blocked. Application path: SYSTEM

    Posted Jun 28, 2021 01:23 PM
    John,

    Which 3 SIDs should I add, can you please confirm?

    I've already added 1 SID last week to allow and not log traffic, but that didn't stop the false alerts.


    ------------------------------
    Skagit County Government
    ------------------------------



  • 38.  RE: [SID: 33113] Audit: Group Policy Disable Windows Defender attack detected but not blocked. Application path: SYSTEM

    Broadcom Employee
    Posted Jun 28, 2021 01:31 PM
    Please just remove the one you added and let us know if that stops the alerts.

    ------------------------------
    John Owens
    Strategic Support Engineer | Symantec Enterprise Division (SED)
    Symantec
    United States
    ------------------------------



  • 39.  RE: [SID: 33113] Audit: Group Policy Disable Windows Defender attack detected but not blocked. Application path: SYSTEM

    Posted Jun 28, 2021 06:41 PM
    John,

    Just wanted to confirm that I removed the IPS exception this morning at 10:35AM PST that I'd created last week to try to stop the IPS false alerts 

    Exception was based on...

    I have not had another IPS alert from "[SID: 33113] Audit: Group Policy Disable Windows Defender attack detected but not blocked." since I've removed that IPS exception based on [SID: 33113] 

    Also looks like OUR SEPM has been updated since this morning with newer IPS definitions now

    Thanks for your willingness to assist with the false alerts.

    Take care.

    ------------------------------
    Skagit County Government
    ------------------------------



  • 40.  RE: [SID: 33113] Audit: Group Policy Disable Windows Defender attack detected but not blocked. Application path: SYSTEM

    Posted Jul 01, 2021 09:55 AM
    Confirmed.  Removing the exception stopped the alert.  Thank you!

    This is great but does not make sense to me.  Why would removing an exception stop an email alert? 


    ------------------------------
    Badgley Phelps and Bell
    ------------------------------