Endpoint Protection

Expand all | Collapse all

IPS and Coinminer related activity

  • 1.  IPS and Coinminer related activity

    Posted 2 days ago
      |   view attached
    Hello,

    Does anyone have an idea why there are some Coinminer activities where IPS detects them as "Audit" (and of course are not blocked by default) but most of them are detected as "System Infected" or "Web Attack" as per the attached screenshot?
    Why there are Coinminers detected as Audit and not as other type of attack and to be automatically blocked.
    The screenshot shows some of the Coinminer signatures exported from the IPS policy


  • 2.  RE: IPS and Coinminer related activity

    Posted 2 days ago
    Hi,

    An Audit signature is created for scenarios where you not necessary would like to block the traffic directly. This can be because of the risk of false positives as an example.

    You're adviced to change these signatures to block if you're not seeing any detections for these signatures on legitimate traffic in your environment.

    Here you have an example for "Audit: JSCoinminer Download 3".

    https://www.broadcom.com/support/security-center/attacksignatures/detail?asid=30352

    Response

    Unless otherwise known, any unintended coin-miner Activity in this network traffic should be treated as Malicious. Actions should be taken to suspend and audit the communication and potentially block this network Activity from further communication.

    It is advised to block this traffic using the process mentioned in the following link:
    https://knowledge.broadcom.com/external/article/176042/about-endpoint-protection-audit-signatur.html




  • 3.  RE: IPS and Coinminer related activity

    Posted 2 days ago
    I know that I can set these Allow signatures to Block but still doesn't make sense why only 4 Coinminer related signatures are set as "Audit" (and by default traffic is allowed) whereas all other are blocking such traffic and are not Audit signatures (as per my screenshot above)


  • 4.  RE: IPS and Coinminer related activity

    Broadcom Employee
    Posted 2 days ago
    Audit signatures are never blocked by default. This is to protect against possible FPs.  If you would like to set these to Block you have the option to do so.  This should be tested though for adverse effects.

    ------------------------------
    John Owens
    Strategic Support Engineer | Symantec Endpoint Security Division (SES)
    Broadcom Software
    ------------------------------



  • 5.  RE: IPS and Coinminer related activity

    Posted 2 days ago
    Hi John, yes I know this, but still the question is why these 4 Coinminer (JS.Coinminer, Trojan.Coinminer) related signatures are Audit and not like the rest from the screenshot? What is the reason, Symantec thinks that his Coinminer traffic is normal and just logging it or there is another reason to leave them as Audit?


  • 6.  RE: IPS and Coinminer related activity

    Broadcom Employee
    Posted 2 days ago

    Hi Stefan,

    We are not able to provide specific reasons as to why we differentiate Audit sigs vs. non-audit sigs.  The most likely reason is due to the possibility of increased FPs with the signatures.



    ------------------------------
    John Owens
    Strategic Support Engineer | Symantec Endpoint Security Division (SES)
    Broadcom Software
    ------------------------------