I noticed a rather large number of informational notifications in my IPS product for "Weak SSL RC4 Cipher Suites" from client machines to gw03entry01.dis.symantec.com (216.10.195.252). Based on a quick search, this appears to be part of the back-end submission service. My question is: Why is Symantec using a cipher suite that has known weaknesses? I'm assuming it is so that network overhead is reduced, but I'd prefer that information I share with Symantec be properly encrypted/protected. Here is the pertinent information from an example log entry:
Event Name: Weak SSL RC4 Cipher Suites
Start Time: 08:03:22 18 Jul 2016
End Time: 08:05:21 18 Jul 2016
Detection Time: 08:03:22 18 Jul 2016
Last Update Time: 08:10:24 18 Jul 2016
Source: INTERNAL HOST REDACTED
Destination: gw03entry01.dis.symantec.com (216.10.195.252)
Service: N/A/443 tcp/443
Direction: Outgoing
Accepted connections: 2
Blocked connections: 0
Time Interval: 300
Peak connections: 2
Total connections: 2
Attack Name: SSL Enforcement Violation
Job Name: All online jobs
Event Definition Name: Generic IPS Event
Confidence Level: Medium
Attack Information: Weak SSL RC4 Cipher Suites
Protection Name: Weak SSL RC4 Cipher Suites
CVE List: CVE-2015-2808
Action: Detect
Source Port: 63072
Performance Impact: Medium
Protection Type: Signature
Destination Country: United States