John,
Just wanted to confirm that I removed the IPS exception this morning at 10:35 AM PST that I'd created last week to try to stop the IPS false alerts.
Exception was based on...
I have not had another IPS alert from "[SID: 33113] Audit: Group Policy Disable Windows Defender attack detected but not blocked." since I removed that IPS exception based on [SID: 33113].
Also, it looks like our SEPM has been updated since this morning with newer IPS definitions now.
Thanks for your willingness to assist with the false alerts.
Take care.
------------------------------
Skagit County Government
------------------------------
Original Message:
Sent: 06-28-2021 01:30 PM
From: John Owens
Subject: [SID: 33113] Audit: Group Policy Disable Windows Defender attack detected but not blocked. Application path: SYSTEM
Please just remove the one you added and let us know if that stops the alerts.
------------------------------
John Owens
Strategic Support Engineer | Symantec Enterprise Division (SED)
Symantec
United States
Original Message:
Sent: 06-28-2021 01:22 PM
From: Clint Gayle
Subject: [SID: 33113] Audit: Group Policy Disable Windows Defender attack detected but not blocked. Application path: SYSTEM
John,
Which 3 SIDs should I add? Can you please confirm?
I've already added 1 SID last week to allow and not log traffic, but that didn't stop the false alerts.
------------------------------
Skagit County Government
Original Message:
Sent: 06-28-2021 01:08 PM
From: John Owens
Subject: [SID: 33113] Audit: Group Policy Disable Windows Defender attack detected but not blocked. Application path: SYSTEM
The issue is resolved on our end. If you added IPS Exclusions for these 3 SIDs, please remove them. Report back if that takes care of the alerts.
------------------------------
John Owens
Strategic Support Engineer | Symantec Enterprise Division (SED)
Symantec
United States
Original Message:
Sent: 06-28-2021 10:29 AM
From: Alejandro Gonzalez
Subject: [SID: 33113] Audit: Group Policy Disable Windows Defender attack detected but not blocked. Application path: SYSTEM
Sorry, I thought that the definitions that were problematic were the Virus and Spyware Protection ones. Wrong images attached.
Are there any updates on this?
Regards
Thanks
Original Message:
Sent: 06-25-2021 08:46 PM
From: John Owens
Subject: [SID: 33113] Audit: Group Policy Disable Windows Defender attack detected but not blocked. Application path: SYSTEM
Any dated 4/25 will work.
Original Message:
Sent: 6/25/2021 8:31:00 PM
From: JoshuaT
Subject: RE: [SID: 33113] Audit: Group Policy Disable Windows Defender attack detected but not blocked. Application path: SYSTEM
As of now, the below URL is showing that IPS 6/25/21 rev 61 is the latest. When will R71 be certified and show on this site?
https://www.broadcom.com/support/security-center/definitions?pid=sep14
------------------------------
Badgley Phelps and Bell
Original Message:
Sent: 06-25-2021 05:44 PM
From: John Owens
Subject: [SID: 33113] Audit: Group Policy Disable Windows Defender attack detected but not blocked. Application path: SYSTEM
I just received confirmation that all of these have been turned off with 6/25/2021 R71 IPS defs. Once clients update IPS content to this date the alerts should stop.
------------------------------
John Owens
Strategic Support Engineer | Symantec Enterprise Division (SED)
Symantec
United States
Original Message:
Sent: 06-25-2021 05:28 PM
From: John Owens
Subject: [SID: 33113] Audit: Group Policy Disable Windows Defender attack detected but not blocked. Application path: SYSTEM
Hi All,
If you see alerts coming into the SEPM, please check what definitions are loaded on the clients sending these alerts under "Network and Host Exploit Mitigation". If it is not 6/24/21 R71 or newer, you will need to update the content on those clients to stop this from happening.
If you have clients with "Network and Host Exploit Mitigation" at 6/24/21 or 6/25/21 still logging this, we will need to investigate. Please run a SymDiag and upload it to a case you have for investigation, or send it directly to me.
Thanks,
John Owens
------------------------------
John Owens
Strategic Support Engineer | Symantec Enterprise Division (SED)
Symantec
United States
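The check John describes above (look at each alerting client's loaded IPS content; clients below 6/24/21 R71 need a content update, clients at or above it that still log the SID need a SymDiag) is easy to run over an alert export. The following is an added example, not Symantec or Broadcom tooling and not code from anyone in this thread. It assumes a simple constructed record format of `timestamp,client,ips_version,sid` per line, with the IPS content version written the way SEPM shows it ("6/24/21 r71"); a real SEPM export would need its own column mapping.

```python
"""
Triage helper for an IPS audit-signature false positive: sort alerting
clients into "update IPS content" versus "content is current, collect a
SymDiag". Added example; the record format and sample alerts are constructed.
"""
import re
from datetime import date
from typing import Dict, Iterable, Tuple

# Content date/revision at or above which the audit signatures stopped
# logging, as stated in the thread ("6/24/21 R71 or newer").
FIXED_DATE = date(2021, 6, 24)
FIXED_REV = 71

# The signature this thread is about.
SID_OF_INTEREST = 33113

# Matches "6/24/21 r71", "6/24/21 R 71", "06/24/2021 r71".
VERSION_RE = re.compile(r"^\s*(\d{1,2})/(\d{1,2})/(\d{2,4})\s*[rR]\s*(\d+)\s*$")


def parse_ips_version(text: str) -> Tuple[date, int]:
    """Parse a 'M/D/YY rNN' content string into (date, revision)."""
    m = VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised IPS content version: {text!r}")
    month, day, year, rev = (int(g) for g in m.groups())
    if year < 100:          # two-digit year as shown in the SEPM console
        year += 2000
    return date(year, month, day), rev


def content_is_fixed(version: str) -> bool:
    """True when the content is 6/24/21 r71 or newer (date first, then rev)."""
    return parse_ips_version(version) >= (FIXED_DATE, FIXED_REV)


def parse_record(line: str) -> Tuple[str, str, str, int]:
    """Split one constructed 'timestamp,client,ips_version,sid' line."""
    ts, client, version, sid = (f.strip() for f in line.split(","))
    return ts, client, version, int(sid)


def triage(lines: Iterable[str], sid: int = SID_OF_INTEREST) -> Dict[str, Tuple[str, int]]:
    """Return {client: (action, alert_count)} for alerts carrying `sid`.

    action is "update_content" when the client's loaded IPS content is older
    than the fixed revision, otherwise "collect_symdiag" (content is current
    yet the signature still logs, which is the case support asked to see).
    If a client reports several versions, the last record seen decides."""
    result: Dict[str, Tuple[str, int]] = {}
    for line in lines:
        if not line.strip():
            continue
        _ts, client, version, rec_sid = parse_record(line)
        if rec_sid != sid:
            continue
        action = "collect_symdiag" if content_is_fixed(version) else "update_content"
        count = result[client][1] + 1 if client in result else 1
        result[client] = (action, count)
    return result


# Constructed sample export: four clients logging SID 33113 on different
# content levels, plus one unrelated SID that must be ignored.
SAMPLE_ALERTS = """
2021-06-25 11:02,WS-042,6/24/21 r21,33113
2021-06-25 11:05,WS-017,6/24/21 r71,33113
2021-06-25 11:07,WS-099,6/25/21 r61,33113
2021-06-25 11:09,WS-003,6/23/21 r71,33113
2021-06-25 11:10,WS-042,6/24/21 r21,33113
2021-06-25 11:12,WS-050,6/25/21 r61,20000
"""

if __name__ == "__main__":
    for client, (action, n) in sorted(triage(SAMPLE_ALERTS.splitlines()).items()):
        print(f"{client}: {n} x SID {SID_OF_INTEREST} -> {action}")
```

Comparing `(date, revision)` as a tuple makes "6/25/21 r61" count as newer than "6/24/21 r71", which matches the later replies in the thread that any 6/25 content works. Clients landing in the `collect_symdiag` bucket are the ones worth a support case; the `update_content` bucket just needs LiveUpdate to catch up.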
Original Message:
Sent: 06-25-2021 05:13 PM
From: John Owens
Subject: [SID: 33113] Audit: Group Policy Disable Windows Defender attack detected but not blocked. Application path: SYSTEM
When you updated IPS did it go to 6/25/2021 Rev 71?
------------------------------
John Owens
Strategic Support Engineer | Symantec Enterprise Division (SED)
Symantec
United States
Original Message:
Sent: 06-25-2021 04:08 PM
From: Unknown User
Subject: [SID: 33113] Audit: Group Policy Disable Windows Defender attack detected but not blocked. Application path: SYSTEM
There's way more in here than you need, but do with it what you will. I did download the latest IPS on the server and then forced a policy update on the workstation, but no change.
Thank you!
Original Message:
Sent: 06-25-2021 02:16 PM
From: John Owens
Subject: [SID: 33113] Audit: Group Policy Disable Windows Defender attack detected but not blocked. Application path: SYSTEM
Hi All,
Has everyone confirmed that clients sending these alerts are running IPS Content June 24, 2021 r71?
If so can I get a Symdiag from one of these clients, please?
https://support.symantec.com/en_US/article.TECH203029.html
------------------------------
John Owens
Strategic Support Engineer | Symantec Enterprise Division (SED)
Symantec
United States
Original Message:
Sent: 06-25-2021 12:24 PM
From: JOSHUA THOMPSON
Subject: [SID: 33113] Audit: Group Policy Disable Windows Defender attack detected but not blocked. Application path: SYSTEM
Shouldn't we be able to add an Exception to the IPS rules for this?
------------------------------
Badgley Phelps and Bell
Original Message:
Sent: 06-25-2021 11:45 AM
From: JOSHUA THOMPSON
Subject: [SID: 33113] Audit: Group Policy Disable Windows Defender attack detected but not blocked. Application path: SYSTEM
What a mess!
------------------------------
Badgley Phelps and Bell
Original Message:
Sent: 06-25-2021 11:45 AM
From: Unknown User
Subject: [SID: 33113] Audit: Group Policy Disable Windows Defender attack detected but not blocked. Application path: SYSTEM
Hi Joshua - we haven't turned off the notifications on our end. Did not want to risk that a true threat would go unnoticed. Good luck!
Original Message:
Sent: 06-25-2021 11:41 AM
From: JOSHUA THOMPSON
Subject: [SID: 33113] Audit: Group Policy Disable Windows Defender attack detected but not blocked. Application path: SYSTEM
Correction. I have not stopped the email alerts. Can anybody suggest how to stop these alerts? My IPS exception in place does not appear to be working (Allow, Do not log)
------------------------------
Badgley Phelps and Bell
Original Message:
Sent: 06-25-2021 11:24 AM
From: Unknown User
Subject: [SID: 33113] Audit: Group Policy Disable Windows Defender attack detected but not blocked. Application path: SYSTEM
Good luck Stefan. We opened a case on Tuesday. Still not fixed.
Original Message:
Sent: 06-25-2021 09:48 AM
From: Stefan Karamihaylov
Subject: [SID: 33113] Audit: Group Policy Disable Windows Defender attack detected but not blocked. Application path: SYSTEM
In regards to the support... I also opened a case yesterday and so far no response. So maybe we have to wait here for John Owens to tell us what the latest status is, because from what I see the events are still generated.
Original Message:
Sent: 06-25-2021 09:08 AM
From: JOSHUA THOMPSON
Subject: [SID: 33113] Audit: Group Policy Disable Windows Defender attack detected but not blocked. Application path: SYSTEM
Same issue here. SEPM (14.3.558.0000) running definitions 6/24/21 r21. These appear to be the latest auto download definitions available for me.
Are these alerts simply letting us know that Windows Defender is disabled?
I added an IPS exception for this SID with Allow and 'Do not log' as the action. This stopped the hundreds of email alerts but I am still seeing the notifications on the SEPM console.
I have ticket number 60000438 opened with support and their response is very slow.
------------------------------
Badgley Phelps and Bell
Original Message:
Sent: 06-25-2021 01:05 AM
From: Systems Team
Subject: [SID: 33113] Audit: Group Policy Disable Windows Defender attack detected but not blocked. Application path: SYSTEM
Hi John,
Yep, we're still seeing them. This is on IPS defs dated "Thursday, 24 June 2021 r71".
We are in Western Australia (GMT +8). Last def updates were around 8:49 am this morning (which would have been r71). Time is 1:04 pm now, and have just had another of these alerts.
Steve
Original Message:
Sent: 06-24-2021 08:35 PM
From: John Owens
Subject: [SID: 33113] Audit: Group Policy Disable Windows Defender attack detected but not blocked. Application path: SYSTEM
Please let me know if this is still happening for you with June 24, 2021 r71 or newer IPS content.
Thanks
------------------------------
John Owens
Strategic Support Engineer | Symantec Enterprise Division (SED)
Symantec
United States
Original Message:
Sent: 06-24-2021 01:20 PM
From: Stefan Karamihaylov
Subject: [SID: 33113] Audit: Group Policy Disable Windows Defender attack detected but not blocked. Application path: SYSTEM
To be honest, I am also not happy with the support for the past few years.
But from my experience so far, looks like here in the forum we can get faster response from some of the Symantec engineers (especially when John Owens is at work) than waiting for someone to respond to our tickets.
Original Message:
Sent: 06-24-2021 12:35 PM
From: Clint Gayle
Subject: [SID: 33113] Audit: Group Policy Disable Windows Defender attack detected but not blocked. Application path: SYSTEM
We opened a case with Broadcom after starting to see numerous alerts once our IPS definitions were updated on 6/22/21 (LiveUpdate Defs ID 20210622.061), did a packet capture, and were told they couldn't reproduce the issue. After researching this, but initially not seeing anything online other than realizing that this seems to be triggered by our old group policy that disables Windows Defender since we use SEP, it seemed to be a false positive. Sent off information about this to an off-premise security team as well. I still have a packet capture ongoing, and ran a gpupdate /force, but nothing showed up again on the alerts while trying to force it to be triggered again. We've now had 552 alerts, and we are thinking about moving to a new endpoint protection solution provider due to the lack of response from Broadcom.
------------------------------
Skagit County Government
Original Message:
Sent: 06-24-2021 10:29 AM
From: Stefan Karamihaylov
Subject: [SID: 33113] Audit: Group Policy Disable Windows Defender attack detected but not blocked. Application path: SYSTEM
Thanks, so waiting for the new IPS defs
Original Message:
Sent: 06-24-2021 10:26 AM
From: John Owens
Subject: [SID: 33113] Audit: Group Policy Disable Windows Defender attack detected but not blocked. Application path: SYSTEM
These are audit signatures that trigger on group policies, which are mostly received on the computer when it starts up, hence there is a high number of pings. I would treat them as false detections at this point.
------------------------------
John Owens
Strategic Support Engineer | Symantec Enterprise Division (SED)
Symantec
United States
Original Message:
Sent: 06-24-2021 10:18 AM
From: Stefan Karamihaylov
Subject: [SID: 33113] Audit: Group Policy Disable Windows Defender attack detected but not blocked. Application path: SYSTEM
Thanks for the update John, so we can assume that these are false detections, correct?
What triggered these detections, was it something related to GPO or something else?
Original Message:
Sent: 06-24-2021 10:12 AM
From: John Owens
Subject: [SID: 33113] Audit: Group Policy Disable Windows Defender attack detected but not blocked. Application path: SYSTEM
Hi Stefan,
We have noticed this as well. We will be disabling logging on these Audit signatures with a new IPS update today. Please stand by.
------------------------------
John Owens
Strategic Support Engineer | Symantec Enterprise Division (SED)
Symantec
United States
Original Message:
Sent: 06-24-2021 10:04 AM
From: Stefan Karamihaylov
Subject: [SID: 33113] Audit: Group Policy Disable Windows Defender attack detected but not blocked. Application path: SYSTEM
Hello,
Anyone else seeing these events from IPS? We started getting them since yesterday on all Win 10 computers.
SEP versions are different (14.3, 14.3 RU1 MP1); IPS signatures are dated 23/06/2021, rev 61 (for 14.3) and rev 71 (for 14.3 RU1 MP1).
Nothing was changed from GPO side. Was there some update in the IPS signatures from Broadcom side that may cause these events?