Endpoint Protection


Logs for system tray notifications

ℬrίαη, May 01, 2014 11:03 AM

  • 1.  Logs for system tray notifications

    Posted Apr 30, 2014 10:57 AM

    I'm getting Heartbleed IPS notifications in the system tray, but I can find no logs of it anywhere. There is no persistent log of the details of the event (like the source of the traffic).

    Where do I get or configure that information?



  • 2.  RE: Logs for system tray notifications

    Posted Apr 30, 2014 11:01 AM

    Check the Security log on the client for any IPS notifications.

    In the SEPM go to Monitors >> Logs

    Set log type to Network Threat Protection

    Set log content to Attacks

    Use the Advanced Settings if you want to get granular with filtering

    Click View Log when complete

    See this link for reference:

    Where are Intrusion Prevention events logged on the Symantec Endpoint Protection Client and Symantec Endpoint Protection Manager?



  • 3.  RE: Logs for system tray notifications

    Posted Apr 30, 2014 11:03 AM

    What's the version of your SEPM? If you are already on MR4 MP1a, it might be a false positive; you can check the security logs under the Monitors > Logs section.




  • 4.  RE: Logs for system tray notifications

    Broadcom Employee
    Posted Apr 30, 2014 11:15 AM

    Hi,

    Thank you for posting in Symantec community.

    What's the SEPM & SEP client version?

    Symantec Endpoint Protection 12.1 Release Update 4 Maintenance Patch 1A (12.1.4104.4130 - 12.1 RU4 MP1a) English has been released and is now available for customers to download on FlexNet. This new SEPM release addresses the OpenSSL “Heart Bleed” vulnerability. Additional language versions will become available throughout the week.

    Please refer to the following KB article for additional detail:

    Is Symantec Endpoint Protection affected by the Heartbleed OpenSSL vulnerability (CVE-2014-0160)



  • 5.  RE: Logs for system tray notifications

    Posted Apr 30, 2014 12:43 PM

    SEPM version: Version: 12.1.4023.4080

    When I go to Monitors > Logs > NTP > Attacks, the result is empty. No filters except the default "24 hours".

    I can confirm that I have personally seen 2 alerts from my machine's SEP client. If it is a false positive, then it should still be logged so that I can confirm. Version should not matter. If there is an alert, it must be logged. 



  • 6.  RE: Logs for system tray notifications

    Posted Apr 30, 2014 12:46 PM

    Have you checked the Security log on the affected client to verify? Also verify the client is connecting to the SEPM.

    Also, check to ensure the Security logs from the clients are being uploaded to the SEPM.



  • 7.  RE: Logs for system tray notifications

    Posted Apr 30, 2014 12:57 PM

    Logs on client are empty. Not sure how to verify that logs are being uploaded when client logs are empty (nothing to correlate).



  • 8.  RE: Logs for system tray notifications

    Posted Apr 30, 2014 01:02 PM

    In the SEPM if you go to Clients page >> Policies tab >> Client Log Settings

    There should be a check in the box for "Upload to management server" for the Security Logs section

    Either way, it sounds like something else is going on. And yes, even a false positive would still be logged. Is anything of relevance showing in the System log?

    Did this just happen or was it over the course of a few days?



  • 9.  RE: Logs for system tray notifications

    Posted Apr 30, 2014 02:01 PM

    After checking, all clients are set to upload to the server by default.

    I have only seen those alerts today. I normally never see alerts in the system tray. 

    I am now very concerned that the SEPM NTP log is empty ....



  • 10.  RE: Logs for system tray notifications

    Posted Apr 30, 2014 02:07 PM

    Can't say I've seen this before. I would put in a call to support asap. It may be quicker than trying to troubleshoot remotely here :)



  • 11.  RE: Logs for system tray notifications

    Broadcom Employee
    Posted Apr 30, 2014 02:28 PM

    Hi,

    SEPM was affected by the Heartbleed OpenSSL vulnerability (CVE-2014-0160). No versions of SEP are impacted by this issue.

    Would it be possible to upgrade the SEPM to the latest version, 12.1 RU4 MP1a (12.1.4104.4130)?

    However, you can call support in the meantime to get help ASAP.

    Did you check this article: http://www.symantec.com/docs/TECH216558



  • 12.  RE: Logs for system tray notifications

    Posted Apr 30, 2014 02:49 PM

    You did not understand my question. It's not about Heartbleed, but about the lack of logs that correspond to an alert that showed up in the client system tray. The alert happened to be about Heartbleed, but that is secondary to the issue.



  • 13.  RE: Logs for system tray notifications

    Posted May 01, 2014 11:01 AM

    Please check if IPS logging is working at all by downloading the eicar.com test file from
    http://www.eicar.org/85-0-Download.html

    In the Security log, you should get an entry with SID 24461




  • 14.  RE: Logs for system tray notifications

    Posted May 01, 2014 11:03 AM

    This is a great suggestion yes



  • 15.  RE: Logs for system tray notifications
    Best Answer

    Posted May 12, 2014 06:08 AM

    Hi ricercar,

    Just checking to see if you have received our answer on this? The thread is still marked "needs solution."

    One easy way to spot these IPS detections is in the Windows Application Event Log. Just look for Event ID 400 events logged from "Symantec Network Protection." An example (from a different threat):

    [SID: 26745] System Infected: W32.Changeup Domain Request attack blocked. Traffic has been blocked for this application: \DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\DNS.EXE

    Hope this helps!

    Mick
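The two checks suggested in posts 13 and 15 (confirm IPS logging works by looking for SID 24461 after the EICAR download, and read IPS detections out of the Windows Application Event Log as Event ID 400 from "Symantec Network Protection") can be scripted so an administrator does not have to scroll Event Viewer by hand. The following PowerShell is an added example written for this page; it is not code from the thread or from Symantec. It assumes the provider name is exactly the string quoted in post 15, that the message text follows the layout of the sample quoted there, and that the machine running it has the SEP client installed (the constructed sample message lets the parser be exercised without one).

```powershell
# Added example: pull SEP IPS detections (Event ID 400, provider "Symantec Network Protection")
# from the Windows Application log and parse the SID, signature name and blocked application path.
# Assumptions: provider name as quoted in the thread; message layout as in the quoted sample.

function ConvertFrom-SepIpsMessage {
    param([Parameter(Mandatory)][string]$Message)

    # Expected layout (from the thread's sample):
    # "[SID: 26745] <signature> attack blocked. Traffic has been blocked for this application: <path>"
    $pattern = '^\[SID:\s*(?<Sid>\d+)\]\s*(?<Signature>.+?)\.\s+Traffic has been blocked for this application:\s*(?<App>.+)$'
    $m = [regex]::Match($Message.Trim(), $pattern)
    if (-not $m.Success) { return $null }   # unknown layout: caller keeps the raw message

    [pscustomobject]@{
        Sid         = [int]$m.Groups['Sid'].Value
        Signature   = $m.Groups['Signature'].Value
        Application = $m.Groups['App'].Value
    }
}

function Get-SepIpsEvents {
    param(
        [int]$Hours = 24,                            # look-back window, like the SEPM default filter
        [string]$ComputerName = $env:COMPUTERNAME    # remote hosts need Event Log access rights
    )

    $filter = @{
        LogName      = 'Application'
        ProviderName = 'Symantec Network Protection'  # assumption: exact provider name as quoted in the thread
        Id           = 400
        StartTime    = (Get-Date).AddHours(-$Hours)
    }

    # Get-WinEvent raises a non-terminating error when nothing matches; treat that as "no detections".
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $parsed = ConvertFrom-SepIpsMessage -Message $_.Message
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                Sid         = if ($parsed) { $parsed.Sid } else { $null }
                Signature   = if ($parsed) { $parsed.Signature } else { $null }
                Application = if ($parsed) { $parsed.Application } else { $null }
                RawMessage  = $_.Message
            }
        }
}

# Constructed sample: the message quoted in post 15, used here to exercise the parser offline.
$sample = '[SID: 26745] System Infected: W32.Changeup Domain Request attack blocked. Traffic has been blocked for this application: \DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\DNS.EXE'
ConvertFrom-SepIpsMessage -Message $sample | Format-List
# Expected fields: Sid 26745, Signature "System Infected: W32.Changeup Domain Request attack blocked",
# Application "\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\DNS.EXE"

# Live query on a host with the SEP client (post 13's check: SID 24461 should appear after the EICAR test):
# Get-SepIpsEvents -Hours 48 | Where-Object Sid -eq 24461 | Format-Table TimeCreated, Sid, Application
# Get-SepIpsEvents -Hours 48 | Format-Table TimeCreated, Sid, Signature -AutoSize
```

If the live query returns nothing while tray notifications are still appearing, that narrows the problem to the client side (the event is not being written at all) rather than to log upload from the client to the SEPM, which is the distinction the original poster was trying to make in post 7.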