Afternoon All,
After searching all over the place, I am totally scratching my head with this issue. Over the last week, Endpoint has been reporting Critical "Intrusion Prevention" events with the following message:
[SID: 28665] System Infected: Trojan.Backdoor Activity 179 attack blocked. Traffic has been blocked for this application: SYSTEM
What is puzzling me is that the Direction of the events is "outgoing" and they are being reported as if they came from our web server port, which is 80.
Protocol: TCP
Direction: Outgoing
Remote host: xxx.xxx.xxx.xxx (external net address)
Remote Port: 24252 (random really)
Remote MAC: N/A
Local host: 192.168.4.2 (NAT)
Local Port: 80
Local Mac: N/A
Application: SYSTEM
Signature Id: 28665
Signature SubID: 72438
Signature Name: System Infected: Trojan.Backdoor Activity 179
Intrusion-URL: yyy.yyy.yyy.yyy/admin/ (our external IP address - i.e. yyy.yyy.yyy.yyy maps to 192.168.4.2)
Server: Microsoft 2016
I've done all of the usual checks and multiple full scans, and I cannot find anything. I am beginning to believe that "outgoing" means the outgoing packet response has been blocked and not the inbound request.
Does Endpoint do this type of confusing reporting? Should I actually be REALLY worried? What else can I look for? I would really appreciate some help on this one.
Thanks in advance,
M
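The direction question in the post comes down to which side opened the connection. The following is an added triage example, not code from the original post and not anything from the endpoint product itself: it parses an event record laid out like the one quoted above into fields and applies a heuristic, which is an assumption and not documented product behaviour, that an "Outgoing" event whose local port is a port this server listens on (80 here) and whose remote port is ephemeral is the server's reply to an inbound request, while an "Outgoing" event from an ephemeral local port to a fixed remote port is a connection the host itself initiated. The IP addresses, the listening-port set and the second sample record are constructed for illustration.

```python
"""Triage an endpoint IPS event by working out which side opened the connection.

Heuristic (an assumption for this example, not vendor-documented behaviour):
  - Direction "Outgoing", local port is one this host listens on, remote port
    ephemeral  -> the blocked packet is most likely the server's reply to an
                  inbound request that matched the signature.
  - Direction "Outgoing", local port ephemeral, remote port fixed/low
             -> the host itself opened the connection; treat as potential
                  beaconing until proven otherwise.
"""
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the event in the post (RFC 5737 test addresses).
SAMPLE_EVENT = """\
Protocol: TCP
Direction: Outgoing
Remote host: 203.0.113.10
Remote Port: 24252
Remote MAC: N/A
Local host: 192.168.4.2
Local Port: 80
Local MAC: N/A
Application: SYSTEM
Signature Id: 28665
Signature SubID: 72438
Signature Name: System Infected: Trojan.Backdoor Activity 179
Intrusion-URL: 198.51.100.20/admin/
"""

# Constructed contrast sample: what a host-initiated connection would look like.
SAMPLE_HOST_INITIATED = """\
Protocol: TCP
Direction: Outgoing
Remote host: 203.0.113.77
Remote Port: 443
Local host: 192.168.4.2
Local Port: 51234
Application: C:\\Windows\\Temp\\example.exe
Signature Name: (constructed sample)
"""

# Assumption: the ports this server is expected to be listening on.
LISTENING_PORTS = {80, 443}
EPHEMERAL_MIN = 1024

# "Key: value" lines; the lazy key match stops at the first colon so values
# that themselves contain colons (the signature name) survive intact.
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z -]*?)\s*:\s*(.*?)\s*$")


def parse_event(text: str) -> dict:
    """Return the event as a dict keyed by lower-cased field name."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1).lower()] = m.group(2)
    return fields


def _port(fields: dict, key: str):
    """Parse a port field; non-numeric values such as 'N/A' become None."""
    value = fields.get(key, "")
    return int(value) if value.isdigit() else None


@dataclass
class Triage:
    verdict: str
    reason: str
    next_steps: list = field(default_factory=list)


def classify(fields: dict, listening_ports=LISTENING_PORTS) -> Triage:
    """Decide which side opened the connection and what to check next."""
    direction = fields.get("direction", "").lower()
    local_port = _port(fields, "local port")
    remote_port = _port(fields, "remote port")
    remote_host = fields.get("remote host", "?")
    url_path = fields.get("intrusion-url", "")

    if direction != "outgoing" or local_port is None or remote_port is None:
        return Triage("indeterminate", "direction or ports missing from record")

    if local_port in listening_ports and remote_port >= EPHEMERAL_MIN:
        return Triage(
            "server-response",
            f"local port {local_port} is a listening service port and remote "
            f"port {remote_port} is ephemeral, so the blocked packet is a reply",
            [f"search the web server access log for {remote_host} hitting "
             f"'{url_path}' around the event time",
             "confirm no unexpected process is bound to the listening port"],
        )

    if local_port >= EPHEMERAL_MIN and local_port not in listening_ports:
        return Triage(
            "host-initiated",
            f"local port {local_port} is ephemeral and remote port {remote_port} "
            f"is fixed, so this host opened the connection",
            [f"identify the process behind application "
             f"'{fields.get('application', '?')}' and its parent",
             f"check for repeated connections to {remote_host}:{remote_port}"],
        )

    return Triage("indeterminate", "port pattern does not match either rule")


if __name__ == "__main__":
    for sample in (SAMPLE_EVENT, SAMPLE_HOST_INITIATED):
        t = classify(parse_event(sample))
        print(t.verdict, "-", t.reason)
        for step in t.next_steps:
            print("  *", step)
```

Run against the first sample, the script lands on "server-response" and points at the web server access log for the remote host and the `/admin/` path, which is the correlation the post is missing; the second sample shows the shape of record that would instead warrant the process-level checks.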