We have a managed 12.1.6 MP3 endpoint that regularly gets a popup off the task bar icon saying "[SID: 28375] System Infected: Trojan.Cridex.Activity 8 detected", and Intrusion Prevention then pops up blocking 3 different internet IPs.
First question, I suppose: is the infection on this machine, or is it being detected inbound? Quarantine and AV logs show nothing. Normally a pop-up window will open when an infected file is found, not a message off of the task bar.
Second question: I added firewall rules to block those IPs, but that did nothing. Is Intrusion Prevention firing on them before the firewall rules fire and block them? As far as I know, all you can do is set up an allow for Intrusion Prevention, but if the end user isn't infected, I would prefer to block the attack so they don't get a notification constantly.
Any knowledge transfer would be appreciated. Thanks