Symantec ATP 3.x: Troubleshoot intrusion attack

If your environment runs Symantec ATP 3.x together with Symantec Endpoint Manager (SEPM 14), you have probably faced the situation where ATP reports an intrusion prevention detection.

This post is about an attack that ATP detected as an intrusion and did block instantly. The attack was an unexpected overwrite of the SEPM file. However, some endpoints may also find that their SEPM has been disabled unexpectedly.

As a result, you may see around 5% of endpoints reporting this attack. Funny, right? These endpoints are typically the ones that are only turned on once in a while, or that are not often within the premises/environment. You may already have guessed the cause!

It was the SEPM update. What causes the SEPM to be disabled unexpectedly is a failed IPS update, possibly combined with the workstation not being restarted often or properly.

Run SymDiag on the endpoint to get more details about the problem the endpoint is facing, then work out a resolution from there. In this case, reinstall the SEPM, run a scan, and run SymDiag again to make sure it is working well.


Author: sabrinaksy

Just a little girl who loves what she does best.
