
Network Threat Protection attack logged with no signature.

Yes, I need a solution

Hi,

I am seeing events logged by Network Threat Protection that contain no Signature Name or ID. I would really like to know what exploit is being used to trigger NTP. Is there some other way I can find this information?

Here is a sample from the SEPM logs.

Client Affected
Computer Name
Current: SERVER03
When event occurred: SERVER03
IP Address  
Current: xxx.xxx.200.10
When event occurred: 0.0.0.0
Local MAC: ABCDEF2313A
User Name: CtxSAM
Operating system: Windows Server 2008 R2 Standard Edition
Location Name: N/A
Domain Name: Default
Group Name: My Company\Default Group
Server Name: SEP716
Site Name: ALL_SERVERS
 

Risk Detected
Event Time: 04/30/2015 01:54:10
Begin Time: 04/30/2015 01:53:09
End Time: 04/30/2015 01:53:09
Occurrence: 3
Signature Name: N/A
Signature ID: 0
Signature Sub ID: 0
Intrusion URL: N/A
Intrusion Payload URL: N/A
Event Description: Auto-Block Event
Event Type: Intrusion Prevention
Hack Type: 0
Severity: Major
Application Name: Symantec Endpoint Protection
Network Protocol: Unknown
Traffic Direction: Inbound
Remote IP: XXX.XXX.163.91
Remote MAC: 000000000000
Remote Host Name: N/A
Alert: 1
Local Port: 0
Remote Port: 0

Any help would be appreciated.

