Kerio User Forums » Kerio Control » Intrusion Prevention not working correctly (Bug in IPS system [ZeroAccess])
rbell

Messages: 7
Karma: 0
I have been using Kerio for a while now without issue; however, recently I have noticed that the Intrusion Prevention system is not working correctly. The existing configuration was already tested and confirmed working up to 1 month ago.

It appears that the threat known as ZeroAccess is not being blocked by Kerio IPS even though it is being detected.

Settings on IPS:
Log and Drop for High, Medium, Low

Logs
[23/Oct/2013 08:35:31] IPS: Alert, severity: High, Rule ID: 1:2015482 ET TROJAN ZeroAccess Outbound udp traffic detected, proto:UDP, ip/port:192.168.5.171:58220 (xxx.xxx.com, user:xxx<_at_>xxx) -> 98.95.136.13:16465 (adsl-98-95-136-13.jan.bellsouth.net)
[23/Oct/2013 09:23:02] IPS: Alert, severity: High, Rule ID: 1:2015482 ET TROJAN ZeroAccess Outbound udp traffic detected, proto:UDP, ip/port:192.168.5.171:55873 (xxx.xxx.com, user:xxx<_at_>xxx.COM) -> 182.155.109.83:16465 (182-155-109-83.veetime.com)
[25/Oct/2013 08:24:56] IPS: Alert, severity: High, Rule ID: 1:2015482 ET TROJAN ZeroAccess Outbound udp traffic detected, proto:UDP, ip/port:192.168.5.171:54812 (xxx.xxx.com, user:xxx<_at_>xxx.COM) -> 115.162.220.54:16465 (pa2dc36.gunmnt01.ap.so-net.ne.jp)
[25/Oct/2013 08:34:56] IPS: Alert, severity: High, Rule ID: 1:2015482 ET TROJAN ZeroAccess Outbound udp traffic detected, proto:UDP, ip/port:192.168.5.171:54812 (xxx.xxx.com, user:xxx<_at_>xxx) -> 1.23.252.193:16465

Parts of the above log have been masked for security reasons.

Under normal circumstances the packet would be dropped rather than given the status of "Alert". With an Alert status the packet is only recorded, not blocked, and this is resulting in unfavorable issues.

Has anyone else had this problem? The configuration seems to be fine; I'm wondering if it is a bug in the IPS component.
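A small checker for the situation rbell describes, added here as an example (it is not code from the thread or from Kerio): it parses the IPS log lines exactly as posted above, compares the logged action against the configured per-severity policy ("Log and Drop" for High, Medium and Low), and reports every hit that should have been dropped but was only alerted on. It also lists, per internal host, the remote peers a given rule fired on, which for rule 1:2015482 is the set of ZeroAccess peers the host was talking to. The four Alert lines are copied from the post with the masking kept; the fifth "Packet drop" line is constructed, and the "Packet drop" wording is an assumption about how Kerio Control logs a dropped packet (the regex accepts any action text before the first comma so it will still parse whatever the real wording is).

```python
import re
from collections import defaultdict

# Four lines as posted in the thread (masking kept), plus one CONSTRUCTED
# "Packet drop" line (assumed wording, TEST-NET destination) to show the contrast.
SAMPLE_LOG = """\
[23/Oct/2013 08:35:31] IPS: Alert, severity: High, Rule ID: 1:2015482 ET TROJAN ZeroAccess Outbound udp traffic detected, proto:UDP, ip/port:192.168.5.171:58220 (xxx.xxx.com, user:xxx<_at_>xxx) -> 98.95.136.13:16465 (adsl-98-95-136-13.jan.bellsouth.net)
[23/Oct/2013 09:23:02] IPS: Alert, severity: High, Rule ID: 1:2015482 ET TROJAN ZeroAccess Outbound udp traffic detected, proto:UDP, ip/port:192.168.5.171:55873 (xxx.xxx.com, user:xxx<_at_>xxx.COM) -> 182.155.109.83:16465 (182-155-109-83.veetime.com)
[25/Oct/2013 08:24:56] IPS: Alert, severity: High, Rule ID: 1:2015482 ET TROJAN ZeroAccess Outbound udp traffic detected, proto:UDP, ip/port:192.168.5.171:54812 (xxx.xxx.com, user:xxx<_at_>xxx.COM) -> 115.162.220.54:16465 (pa2dc36.gunmnt01.ap.so-net.ne.jp)
[25/Oct/2013 08:34:56] IPS: Alert, severity: High, Rule ID: 1:2015482 ET TROJAN ZeroAccess Outbound udp traffic detected, proto:UDP, ip/port:192.168.5.171:54812 (xxx.xxx.com, user:xxx<_at_>xxx) -> 1.23.252.193:16465
[25/Oct/2013 08:40:00] IPS: Packet drop, severity: High, Rule ID: 1:2015482 ET TROJAN ZeroAccess Outbound udp traffic detected, proto:UDP, ip/port:192.168.5.171:54812 (xxx.xxx.com, user:xxx<_at_>xxx) -> 203.0.113.9:16465
"""

# One IPS log line: timestamp, action, severity, "<gid>:<sid> <message>", proto,
# src ip:port with optional "(host, user:...)" and dst ip:port with optional "(host)".
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] IPS: (?P<action>[^,]+), severity: (?P<severity>\w+), "
    r"Rule ID: (?P<rule_id>\d+:\d+) (?P<msg>.*?), proto:(?P<proto>\w+), "
    r"ip/port:(?P<src>[\d.]+):(?P<sport>\d+)(?: \([^)]*\))? -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)(?: \([^)]*\))?\s*$"
)

# "Log and Drop" for all three severities, as configured in the post.
POLICY = {"High": "drop", "Medium": "drop", "Low": "drop"}


def parse_ips_log(text):
    """Parse IPS log lines into dicts of named fields; lines that don't match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def was_dropped(event):
    """An action that mentions 'drop' blocked the packet; a bare 'Alert' only logged it."""
    return "drop" in event["action"].lower()


def policy_violations(events, policy=POLICY):
    """Events whose severity is configured to drop but which were only alerted on."""
    return [e for e in events
            if policy.get(e["severity"]) == "drop" and not was_dropped(e)]


def rule_hits_by_host(events, rule_id):
    """Internal source host -> sorted list of remote ip:port peers seen for one rule."""
    peers = defaultdict(set)
    for e in events:
        if e["rule_id"] == rule_id:
            peers[e["src"]].add(f"{e['dst']}:{e['dport']}")
    return {host: sorted(p) for host, p in peers.items()}


if __name__ == "__main__":
    events = parse_ips_log(SAMPLE_LOG)
    for e in policy_violations(events):
        print(f"NOT DROPPED {e['ts']} {e['severity']} {e['rule_id']} "
              f"{e['src']}:{e['sport']} -> {e['dst']}:{e['dport']}")
    for host, peers in rule_hits_by_host(events, "1:2015482").items():
        print(f"{host} contacted {len(peers)} peer(s) on rule 1:2015482: {', '.join(peers)}")
```

Run against the posted lines the checker reports all four Alert entries as policy violations (High severity, configured to drop, action Alert) and one infected host, 192.168.5.171, with one peer per log line, all on UDP port 16465. That is the evidence to bring to support: the rule fires, the severity is High, the policy says drop, and the action field still says Alert.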