Endpoint Protection

  • 1.  Cookie Activity Detected in SEP client

    Posted Dec 09, 2011 05:11 AM

    Good Afternoon,

    This SEP notification is appearing on one of my client computers:

    Traffic from IP Address 192.168.15.7 is blocked from 12/9/2011 12:54:55 pm to 12/9/2011 01:04:55 pm.

    [SID: 24125] Web Attack: Malicious Cookie Activity detected.

     

    192.168.15.7 in my network is the TMG Server...

     

    Any ideas?



  • 2.  RE: Cookie Activity Detected in SEP client
    Best Answer

    Trusted Advisor
    Posted Dec 09, 2011 05:32 AM

    Hello,

    Please check this:

    Web Attack: Malicious Cookie Activity

    http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=24125

    Adobe Reader and Acrobat 'newplayer()' JavaScript Method Remote Code Execution Vulnerability

    http://www.securityfocus.com/bid/37331/exploit

     

    Plan of Action:

    1) Please disable all Adobe add-ins in the browser being used on your computer.

    2) Update all the MS Security Patches on the machine

    3) Update Adobe and all related software on the machine.

    4) Run the Symantec Power Eraser. (business users)
    5) Update your product definitions and perform a full system scan.
    6) Identify suspicious files.
    7) Submit suspicious files to Symantec for analysis.

    Hope that helps!!



  • 3.  RE: Cookie Activity Detected in SEP client

    Broadcom Employee
    Posted Dec 09, 2011 05:36 AM

    It's the setting on the Intrusion Prevention,

    • Automatically block an attacker’s IP address – Blocks network traffic from the attacker for a configurable duration (default 10 minutes)

    What is the SEP client version? You may need to upgrade to the latest one, or uncheck the settings to block it for 10 minutes.



  • 4.  RE: Cookie Activity Detected in SEP client

    Posted Dec 09, 2011 05:50 AM
    Hi Pete,

    The client version is 11.0.6100.645.


  • 5.  RE: Cookie Activity Detected in SEP client

    Broadcom Employee
    Posted Dec 09, 2011 05:59 AM

    Thumbs up to Mithun Sanghavi's advice on the link given. It's the same SID, related to the zero-day attack on Adobe.

    http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=24125

     

    Follow the plan of action suggested by Mithun Sanghavi.



  • 6.  RE: Cookie Activity Detected in SEP client

    Posted Dec 09, 2011 10:40 AM

    I upgraded the client to version 11.0.7...

    Since then there has been no notification yet.

    I'll monitor it, and if something happens I'll post here.

    Thanks



  • 7.  RE: Cookie Activity Detected in SEP client

    Broadcom Employee
    Posted Dec 09, 2011 12:18 PM

    Also, update the Adobe applications to the latest version. And submit any suspicious file you see to Symantec.



  • 8.  RE: Cookie Activity Detected in SEP client

    Trusted Advisor
    Posted Dec 09, 2011 12:37 PM

    Hello,

    You may like to check these latest Symantec blog posts:

    Adobe Reader Zero-day being exploited in the wild

     
    A New Zero Day PDF Exploit used in a Targeted Attack
     
     
    Hope that helps!!