Intrusion Prevention For Google Chrome Application

  • 1.  Intrusion Prevention For Google Chrome Application

    Posted Feb 07, 2012 01:31 AM

    We found that Google Chrome was logged by SEPM Network Threat Protection and Compliance Event. I would like to know whether Google Chrome contains some malicious traffic, or whether SEPM just mis-defined the traffic and triggered the alarm?



  • 2.  RE: Intrusion Prevention For Google Chrome Application
    Best Answer

    Broadcom Employee
    Posted Feb 07, 2012 02:33 AM

    Can you pass on the complete message, please?

    I believe it is the same error.

    Check this link to fix the issue:

    https://www-secure.symantec.com/connect/forums/jabber-im-client-connection-detected#comment-5485431



  • 3.  RE: Intrusion Prevention For Google Chrome Application

    Trusted Advisor
    Posted Feb 07, 2012 06:49 AM

    Hello,

    I agree with pete.

    Again, if you want to exclude that, then you have to exclude that SSID from SEPM.

    It might be a false positive, or it can also be a BHO or add-in loaded in your browser which is firing this alarm from IPS.

    To exclude:

    In your SEPM, open Policies, IPS policies, and change SID 21596 from Block to Allow.

    OR

    check this:

    http://www.symantec.com/docs/TECH104434

    Hope that helps!!



  • 4.  RE: Intrusion Prevention For Google Chrome Application

    Posted Feb 07, 2012 08:22 PM

    Mithun,

    How do I know if the client group is applying the IPS policies? If I try to define custom IPS policies, how do I apply them to a specific client group? Thanks.



  • 5.  RE: Intrusion Prevention For Google Chrome Application

    Broadcom Employee
    Posted Feb 07, 2012 08:55 PM

    Click on the group --> go to the Policy tab --> select the IPS policy and see if it is one that was created by you; if not, then it is the default one.

    You can copy the existing policy from the Policy tab in the SEPM console, edit it to your needs, and then right-click on it to assign it to a specific group.



  • 6.  RE: Intrusion Prevention For Google Chrome Application

    Posted Feb 07, 2012 09:15 PM

    Pete

    Thanks, I got it.



  • 7.  RE: Intrusion Prevention For Google Chrome Application

    Broadcom Employee
    Posted Feb 07, 2012 11:44 PM

    Glad the forum helped :-)



  • 8.  RE: Intrusion Prevention For Google Chrome Application

    Posted Feb 20, 2012 02:03 AM

    Dear Mithun

    It is strange that I cannot modify the specific signature to change active behavior, but I saw that SID 21596 has been set to allow.

    • I wonder if I am correct to set the IPS signature for either block or allow behavior in SEPM?
    • Secondly, if the signature has already been allowed, why does the IPS report still generate the report for that traffic?
    • Thirdly, should I put that signature into exceptions to totally ignore monitoring of that signature (this I don't prefer to)?



  • 9.  RE: Intrusion Prevention For Google Chrome Application

    Broadcom Employee
    Posted Feb 20, 2012 02:17 AM

    Open a new thread :-). However, I will try to answer your questions.

    • I wonder if I am correct to set the IPS signature for either block or allow behavior in SEPM?
      Yes, it is either "Allow" or "Block".

    • Secondly, if the signature has already been allowed, why does the IPS report still generate the report for that traffic?
      If it is allowed, the traffic should not be blocked. Can you pass on the logs?

    • Thirdly, should I put that signature into exceptions to totally ignore monitoring of that signature (this I don't prefer to)?
      Yes, you can add it as an exception as a workaround.


  • 10.  RE: Intrusion Prevention For Google Chrome Application

    Posted Feb 20, 2012 02:23 AM

    How should I get the log?



  • 11.  RE: Intrusion Prevention For Google Chrome Application

    Broadcom Employee
    Posted Feb 20, 2012 02:45 AM

    From the client GUI, view the logs for the NTP field. You may also attach a screen capture taken when the IPS signature is triggered.



  • 12.  RE: Intrusion Prevention For Google Chrome Application

    Posted Feb 20, 2012 03:25 AM

    Dear pete,

    Here is the log. As for the screen capture, I don't have it, as it happened on the client side.

    Attachment: firewall_report_NTP.txt (6 KB)


  • 13.  RE: Intrusion Prevention For Google Chrome Application

    Broadcom Employee
    Posted Feb 20, 2012 03:52 AM

    An exception needs to be added.

    02/20/2012 09:40:36,Intrusion Prevention,02/20/2012 09:38:22,Info,xxxxxx-PC,xxx.xxx.xxx.60,xxx.xxx.xxx.60,74.125.71.125,,TCP,Outbound,,02/19/2012 15:53:11,02/19/2012 15:53:11,,1,,001485A10DCA,000000000000,Default,userxxx,0,"Windows XP Professional","[SID: 21596] Audit: Jabber IM Client Connection detected.  Traffic has been allowed from this application: C:\Documents and Settings\userxxx\Local Settings\Application



  • 14.  RE: Intrusion Prevention For Google Chrome Application

    Posted Feb 20, 2012 04:24 AM

    Dear Pete

    But if I exclude this signature, it would be a great breaking point once another real threat attempts to attack through this exception. Would this signature only be specific to Google traffic?



  • 15.  RE: Intrusion Prevention For Google Chrome Application

    Broadcom Employee
    Posted Feb 20, 2012 04:43 AM

    You can set it to log and observe any security impact. Also, I suggest opening a support case.
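
For the log-and-observe approach suggested in the last reply, and the earlier question of whether SID 21596 fires only for Chrome, the following added example (not part of the thread and not Symantec code) groups exported Network Threat Protection log lines by the application named in each message. The column positions and message layout are assumptions taken from the single line quoted in post 13, and every sample line is constructed with placeholder hosts, addresses and paths.

```python
import csv
import io
import ntpath
import re
from collections import defaultdict

# Message layout as it appears in the line quoted in the thread.
MSG_RE = re.compile(r"\[SID: (\d+)\].*?Traffic has been (\w+) \w+ this application: (.*)$")

def _sample(host, local, remote, app):
    """Build one CONSTRUCTED export line (placeholder hosts, IPs, paths)."""
    return ('02/20/2012 09:40:36,Intrusion Prevention,02/20/2012 09:38:22,Info,'
            f'{host},{local},{local},{remote},,TCP,Outbound,,02/19/2012 15:53:11,'
            '02/19/2012 15:53:11,,1,,000000000001,000000000000,Default,user1,0,'
            '"Windows XP Professional","[SID: 21596] Audit: Jabber IM Client '
            'Connection detected.  Traffic has been allowed from this '
            f'application: {app}"')

SAMPLE_LOG = "\n".join([
    _sample("PC-01", "192.0.2.60", "198.51.100.125", r"C:\Example\Chrome\chrome.exe"),
    _sample("PC-02", "192.0.2.61", "198.51.100.125", r"C:\Example\Chrome\chrome.exe"),
    _sample("PC-03", "192.0.2.62", "203.0.113.9", r"C:\Example\Other\im-client.exe"),
])

def apps_for_sid(log_text, sid):
    """Group events for one SID by the application path named in the message."""
    summary = defaultdict(lambda: {"events": 0, "hosts": set(),
                                   "remotes": set(), "actions": set()})
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) < 8:          # too short to hold host and remote address
            continue
        m = MSG_RE.search(row[-1])  # message is the last column (assumed)
        if not m or m.group(1) != str(sid):
            continue
        entry = summary[m.group(3).strip()]
        entry["events"] += 1
        entry["hosts"].add(row[4])    # column 4: client host (assumed)
        entry["remotes"].add(row[7])  # column 7: remote address (assumed)
        entry["actions"].add(m.group(2).lower())
    return dict(summary)

def unexpected_apps(summary, expected_exe_names):
    """Paths whose executable name is not one the administrator expects."""
    expected = {name.lower() for name in expected_exe_names}
    return sorted(app for app in summary
                  if ntpath.basename(app).lower() not in expected)

if __name__ == "__main__":
    by_app = apps_for_sid(SAMPLE_LOG, 21596)
    print(unexpected_apps(by_app, ["chrome.exe"]))
```

Matching on the executable name only narrows the list; an entry named chrome.exe in an unusual directory still deserves a look before any exception is added.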