humph
Level 9
Message 1 of 8

Receiving Intrusion alerts from ENS 10.3 FW without explanation [Help!]

Hi All,

I am running ENS 10.3 on a Windows 7 computer and oftentimes I get intrusion alerts from the firewall, but I am unable to decipher what they mean. I can't find where in ENS or ePO I should go to check the Event ID (35001) so I can find out what it means.

When I used to use McAfee HIPS you could always check what the intrusion alerts mean from within ePO. Is there a feature like this in ENS 10.3?


Can anyone explain what this intrusion alert means:

CHROME.EXE tried to access 199.59.242.150, violating the rule GTI Rule - TCP - Out and was Blocked.

7 Replies

Re: Receiving Intrusion alerts from ENS 10.3 FW without explanation [Help!]

Did you check the event on your ePO under the threat-events tab of the system?

You'll normally find a bunch of information there.

Best regards
Dan
humph
Level 9
Message 3 of 8

Re: Receiving Intrusion alerts from ENS 10.3 FW without explanation [Help!]

YES! When I go to Threat Events Log in ePO I see detailed info there about the processes that triggered the intrusion violation, but I do not see any explanation about the intrusion to say, for example: Chrome.exe process is trying to contact a bot C&C server with suspicious IP x.x.x.x and was blocked by McAfee GTI.

Thanks for the reply, hope you understand what I mean.

cookand
McAfee Employee
Message 4 of 8

Re: Receiving Intrusion alerts from ENS 10.3 FW without explanation [Help!]

Hello,

My assumption is that in policy you have "treat McAfee GTI match as intrusion" selected. With the intrusion alert this is simply saying that the Chrome process attempted to access xxx.xxx.xxx.xxx via TCP outbound and was blocked. The ENSFW is very strict on rule enforcement: if it isn't explicitly cited in the rule/rules to allow said traffic, it will block it outright. The question I would ask you is what is the IP that that machine was trying to hit? Is that a suspect IP, is that something a user should be attempting to access in your environment? Let me know at your earliest convenience.

Thanks,

-Andrew

humph
Level 9
Message 5 of 8

Re: Receiving Intrusion alerts from ENS 10.3 FW without explanation [Help!]

I already did some checks on the IP (199.59.242.150) and it belonged to an ISP named Bodis LLC. The IP is linked to malware, ransomware and abuse. I am not sure if legitimate websites are hosted under that same IP and my computers are trying to reach the good sites on that IP block. I get like 3 alerts a day from only my Chrome users trying to access that IP, and it gets blocked by McAfee firewall and also my perimeter firewall with IPS/IDS.

I run weekly scans on the computers and they are running the latest ENS 10.3. I am almost certain these computers are not infected, but if you can recommend a tool or something that I can use to double check I would appreciate that a lot.

Thanks.

Re: Receiving Intrusion alerts from ENS 10.3 FW without explanation [Help!]

I am also getting these hits where Chrome is trying to access 199.59.242.150 from many Chrome users but not all Chrome users, and for those who are getting hit it is not every time they use Chrome but only sometimes. I think it may be an add-on which does not always get used, but that is only a wild guess.

Threat Source Process Name: CHROME.EXE
Threat Source URL:
Threat Target Host Name:
Threat Target IPv4 Address: 199.59.242.150
Threat Target IP Address: 199.59.242.150
Threat Target Port Number: 443
Threat Target Network Protocol: TCP
Threat Target Process Name:
Threat Target File Path:
Event Category: Intrusion detected
Event ID: 35001
Threat Severity: Critical
Threat Name: GTI Rule - TCP - Out
Threat Type: Intrusion detected
Action Taken: Blocked
Threat Handled: True
Analyzer Detection Method: Firewall

Any idea why Chrome is trying to access 199.59.242.150 would be appreciated. I also find it concerning.

I just found out that this is happening when people have left for the day but have left Chrome open.
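The record above is the "Field: value" layout ePO shows for an ENS firewall threat event. When the same GTI block fires a few times a day across many hosts, the useful triage questions are the ones raised in this thread: which processes are hitting which destination and port, how often, and whether the hits cluster outside working hours. The following script is an added example (not McAfee's or ePO's code) that parses records in that layout and answers those questions; the sample records are constructed, and the "Event Time" field in them is an assumed field added for the after-hours check, since the record quoted in the thread carries no timestamp.

```python
from collections import Counter
from datetime import datetime

# Constructed sample records in the "Field: value" layout seen in the thread.
# "Event Time" is an assumed field (not present in the quoted record) so the
# after-hours check below has something to work with.
SAMPLE_EVENTS = """\
Event Time: 2018-03-01 18:42:10
Threat Source Process Name: CHROME.EXE
Threat Source URL:
Threat Target IPv4 Address: 199.59.242.150
Threat Target Port Number: 443
Threat Target Network Protocol: TCP
Event Category: Intrusion detected
Event ID: 35001
Threat Severity: Critical
Threat Name: GTI Rule - TCP - Out
Action Taken: Blocked
Analyzer Detection Method: Firewall

Event Time: 2018-03-01 10:15:03
Threat Source Process Name: CHROME.EXE
Threat Source URL:
Threat Target IPv4 Address: 199.59.242.150
Threat Target Port Number: 443
Threat Target Network Protocol: TCP
Event Category: Intrusion detected
Event ID: 35001
Threat Severity: Critical
Threat Name: GTI Rule - TCP - Out
Action Taken: Blocked
Analyzer Detection Method: Firewall

Event Time: 2018-03-02 19:05:44
Threat Source Process Name: FIREFOX.EXE
Threat Source URL:
Threat Target IPv4 Address: 199.59.242.150
Threat Target Port Number: 443
Threat Target Network Protocol: TCP
Event Category: Intrusion detected
Event ID: 35001
Threat Severity: Critical
Threat Name: GTI Rule - TCP - Out
Action Taken: Blocked
Analyzer Detection Method: Firewall
"""


def parse_events(text):
    """Split blank-line-separated records into dicts.
    Empty values such as 'Threat Source URL:' are kept as empty strings."""
    events = []
    for block in text.strip().split("\n\n"):
        record = {}
        for line in block.splitlines():
            if ":" not in line:
                continue  # skip anything that is not a field line
            key, _, value = line.partition(":")
            record[key.strip()] = value.strip()
        if record:
            events.append(record)
    return events


def gti_block_summary(events):
    """Count blocked firewall intrusion events (Event ID 35001) per
    (source process, destination IP, destination port)."""
    counts = Counter()
    for e in events:
        if e.get("Event ID") != "35001" or e.get("Action Taken") != "Blocked":
            continue
        key = (e.get("Threat Source Process Name", ""),
               e.get("Threat Target IPv4 Address", ""),
               e.get("Threat Target Port Number", ""))
        counts[key] += 1
    return counts


def after_hours_count(events, work_start=8, work_end=18):
    """Count events whose (assumed) 'Event Time' falls outside work_start..work_end.
    Supports the observation that hits occur while browsers sit idle after hours."""
    n = 0
    for e in events:
        ts = e.get("Event Time")
        if not ts:
            continue  # records without the assumed timestamp are ignored
        hour = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").hour
        if hour < work_start or hour >= work_end:
            n += 1
    return n


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for (proc, ip, port), c in gti_block_summary(evs).most_common():
        print(f"{proc:12s} -> {ip}:{port}  blocked {c}x")
    print("after-hours events:", after_hours_count(evs))
```

Exported Threat Event Log text from ePO can be fed to `parse_events` in place of the constructed sample; a destination that shows up only from browser processes, only on 443, and mostly outside working hours points at background browser or extension traffic rather than a user action, which is the distinction the replies below are trying to make.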

humph
Level 9
Message 7 of 8

Re: Receiving Intrusion alerts from ENS 10.3 FW without explanation [Help!]

  I just found out that this is happening when people have left for the day but have left Chrome open.

Nice observation.

I get alerts when my users are at work. I'm not sure if they leave their desktop unattended for extended periods (hours) with Chrome open; maybe that can trigger the alert as well. Not sure if it is the same case or your case is different, but I will keep an eye on those users to see if the alerts match with their time away.

Thanks

Re: Receiving Intrusion alerts from ENS 10.3 FW without explanation [Help!]

Well this just happened to one user:

FIREFOX.EXE tried to access 199.59.242.150, violating the rule GTI Rule - TCP - Out and was Blocked.

This is suggesting some process called for a browser but it doesn't have to be Chrome.