I am running ENS 10.3 on a Windows 7 computer and oftentimes I get intrusion alerts from the firewall, but I am unable to decipher what they mean. I can't find where in ENS or ePO I should go to check the Event ID (35001) so I can find out what it means.
When I used to use McAfee HIPS you could always check what the intrusion alerts mean from within ePO. Is there a feature like this in ENS 10.3?
Can anyone explain what this intrusion alert means:
CHROME.EXE tried to access 126.96.36.199, violating the rule GTI Rule - TCP - Out and was Blocked.
Did you check the event on your ePO under the threat-events tab of the system?
You'll normally find a bunch of information there.
YES! When I go to the Threat Events Log in ePO I see detailed info there about the processes that triggered the intrusion violation, but I do not see any explanation of the intrusion that says, for example: the Chrome.exe process is trying to contact a bot C&C server with suspicious IP x.x.x.x and was blocked by McAfee GTI.
Thanks for the reply, hope you understand what I mean.
My assumption is that in policy you have "treat McAfee GTI match as intrusion" selected. With the intrusion alert this is simply saying that the Chrome process attempted to access xxx.xxx.xxx.xxx via TCP outbound and was blocked. The ENS FW is very strict on rule enforcement; if it isn't explicitly cited in the rule/rules to allow said traffic, it will block it outright. The question I would ask you is what is the IP that machine was trying to hit? Is that a suspect IP? Is that something a user should be attempting to access in your environment? Let me know at your earliest convenience.
I already did some checks on the IP (188.8.131.52) and it belonged to an ISP named Bodis LLC. The IP is linked to malware, ransomware and abuse. I am not sure if legitimate websites are hosted under that same IP and my computers are trying to reach the good sites on that IP block. I get like 3 alerts a day from only my Chrome users trying to access that IP, and it gets blocked by the McAfee firewall and also my perimeter firewall with IPS/IDS.
I run weekly scans on the computers and they are running the latest ENS 10.3. I am almost certain these computers are not infected, but if you can recommend a tool or something that I can use to double-check I would appreciate that a lot.
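The alert text quoted in the question ("<process> tried to access <IP>, violating the rule <rule> and was Blocked") follows a fixed shape, and the reply above explains how to read it: process, destination IP, protocol and direction from the rule name, and the action taken. The parser below, an added example that is not McAfee code nor anything posted in this thread, pulls those fields out and tallies blocked GTI matches per process and destination so the "3 alerts a day from Chrome" pattern is easy to see in a batch of exported events. The sample alert lines are constructed for the example; only the first one is the alert quoted in the thread.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Shape of the ENS firewall alert text quoted in the thread.
ALERT_RE = re.compile(
    r"^(?P<process>\S+) tried to access (?P<ip>\d{1,3}(?:\.\d{1,3}){3}), "
    r"violating the rule (?P<rule>.+?) and was (?P<action>\w+)\.?$"
)
# Rule names like "GTI Rule - TCP - Out" carry protocol and direction.
RULE_RE = re.compile(r"^(?P<name>.+?) - (?P<proto>TCP|UDP) - (?P<direction>In|Out)$")

@dataclass
class FirewallAlert:
    process: str
    ip: str
    rule: str
    protocol: Optional[str]
    direction: Optional[str]
    action: str
    gti_match: bool  # rule name starts with "GTI Rule", i.e. a GTI reputation hit

def parse_alert(line: str) -> Optional[FirewallAlert]:
    """Parse one alert line; return None for text that does not match the shape."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    rule = m.group("rule")
    r = RULE_RE.match(rule)
    return FirewallAlert(
        process=m.group("process").lower(),
        ip=m.group("ip"),
        rule=rule,
        protocol=r.group("proto") if r else None,
        direction=r.group("direction") if r else None,
        action=m.group("action").lower(),
        gti_match=rule.startswith("GTI Rule"),
    )

def summarize(lines) -> Counter:
    """Count blocked GTI matches per (process, destination IP); repeat hits stand out."""
    counts: Counter = Counter()
    for line in lines:
        a = parse_alert(line)
        if a and a.gti_match and a.action == "blocked":
            counts[(a.process, a.ip)] += 1
    return counts

# Constructed sample export: first line is the alert from the thread, the rest are made up.
SAMPLE_ALERTS = [
    "CHROME.EXE tried to access 126.96.36.199, violating the rule GTI Rule - TCP - Out and was Blocked.",
    "chrome.exe tried to access 126.96.36.199, violating the rule GTI Rule - TCP - Out and was Blocked.",
    "OUTLOOK.EXE tried to access 203.0.113.10, violating the rule Block all inbound - TCP - In and was Blocked.",
    "some unrelated log line",
]
```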