Anyone get IPS alert "MALWARE-OTHER Windows Management Instrumentation manipulation attempt"?

We have been getting these email alerts to our network team from our main Sophos UTM since Tuesday morning. 

  

=============================================================

Message........: MALWARE-OTHER Windows Management Instrumentation manipulation attempt

Details........: https://www.snort.org/search?query=49570

Packet dropped.: yes

Classification.: A Network Trojan was Detected
IP protocol....: 6 (TCP)

Source IP address: <SophosEndpointProtection-IP>
Source port: 80 (http)
Destination IP address: <Sophos-UTM-IP>
Destination port: 64218

--

HA Status          : HA MASTER (node id: 2)

System Uptime      : 0 days 0 hours 18 minutes

System Load        : 4.05

System Version     : Sophos UTM 9.604-2

==========================================================

 

(2) The IPS log shows the following summary:

@12:18:34 action="drop" reason="MALWARE-OTHER Windows Management Instrumentation manipulation attempt" srcip="23.32.80.135" srcport="80" sid="49570" class="A Network Trojan was Detected"

@12:19:04 action="drop" reason="MALWARE-OTHER Windows Management Instrumentation manipulation attempt" srcip="23.76.197.134" srcport="80" sid="49570" class="A Network Trojan was Detected"

@12:19:35 action="drop" reason="MALWARE-OTHER Windows Management Instrumentation manipulation attempt" srcip="184.25.98.243" srcport="80" sid="49570" class="A Network Trojan was Detected"

 

(3) Since it is outbound on port 80, our 'WebProtection' shows the following sample summary:

12:19:04 method="GET" dstip="23.76.197.134" statuscode="200" cached="0" url="d1.sophosupd.com/.../1ab6fc7acbfce20ac8782ae88318a252x000.dat"

12:19:34 method="GET" dstip="23.32.80.135"  statuscode="200" cached="0"  url="http://d1.sophosupd.com/update/1ab6fc7acbfce20ac8782ae88318a252x000.dat"

12:20:04 method="GET" dstip="184.25.98.243" statuscode="200" cached="1" url="http://dci.sophosupd.com/update/3/25/325420ec2b9d8646efcfea111f80f01f.dat"

 

(4) The IPS log does not show any detail other than the Snort SID 49570. Googling around found this link:

https://snort.org/rule_docs/1-49570

 

 

Any suggestions?   We are getting 30-40 email alerts every hour.

 

Thanks,

Bob Gausman
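
A triage helper for the two log sources above, added here as an example and not part of the original thread or of Sophos UTM. It parses the UTM-style key="value" lines, joins each sid 49570 drop to the web-filter entries for the same remote IP within a time window, and reports whether every URL seen for that IP sits under a trusted update domain. Note what the IPS records actually say: the CDN node is srcip with srcport 80, so the signature matched the HTTP response carrying the .dat file, and the web filter's dstip is the join key. The sample log lines are constructed, modelled on the post; the extra addresses 198.51.100.7 and 203.0.113.9 and the host example.net are made up to exercise the "untrusted" and "unmatched" verdicts, and the 90-second window and the trusted-suffix list are assumptions.

```python
"""Correlate Sophos UTM IPS drops with web-filter entries and decide whether
the dropped traffic is vendor update traffic.  Example code, not Sophos'."""
import re
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample lines modelled on the post.  198.51.100.7/example.net
# and 203.0.113.9 are made up to exercise the non-vendor verdicts.
IPS_LOG = """\
@12:18:34 action="drop" reason="MALWARE-OTHER Windows Management Instrumentation manipulation attempt" srcip="23.32.80.135" srcport="80" sid="49570" class="A Network Trojan was Detected"
@12:19:04 action="drop" reason="MALWARE-OTHER Windows Management Instrumentation manipulation attempt" srcip="23.76.197.134" srcport="80" sid="49570" class="A Network Trojan was Detected"
@12:19:35 action="drop" reason="MALWARE-OTHER Windows Management Instrumentation manipulation attempt" srcip="184.25.98.243" srcport="80" sid="49570" class="A Network Trojan was Detected"
@12:25:10 action="drop" reason="MALWARE-OTHER Windows Management Instrumentation manipulation attempt" srcip="198.51.100.7" srcport="80" sid="49570" class="A Network Trojan was Detected"
@12:31:42 action="drop" reason="MALWARE-OTHER Windows Management Instrumentation manipulation attempt" srcip="203.0.113.9" srcport="80" sid="49570" class="A Network Trojan was Detected"
"""

WEB_LOG = """\
12:19:04 method="GET" dstip="23.76.197.134" statuscode="200" cached="0" url="http://d1.sophosupd.com/update/1ab6fc7acbfce20ac8782ae88318a252x000.dat"
12:19:34 method="GET" dstip="23.32.80.135" statuscode="200" cached="0" url="http://d1.sophosupd.com/update/1ab6fc7acbfce20ac8782ae88318a252x000.dat"
12:20:04 method="GET" dstip="184.25.98.243" statuscode="200" cached="1" url="http://dci.sophosupd.com/update/3/25/325420ec2b9d8646efcfea111f80f01f.dat"
12:25:12 method="GET" dstip="198.51.100.7" statuscode="200" cached="0" url="http://example.net/files/update.dat"
"""

KV_RE = re.compile(r'(\w+)="([^"]*)"')
TIME_RE = re.compile(r'^@?(\d{2}:\d{2}:\d{2})\b')

VENDOR_UPDATE, UNTRUSTED, UNMATCHED = "vendor-update", "untrusted", "unmatched"


def parse_line(line):
    """Parse one '[@]HH:MM:SS key="value" ...' line into a dict, or None."""
    m = TIME_RE.match(line.strip())
    if not m:
        return None
    rec = dict(KV_RE.findall(line))
    rec["time"] = datetime.strptime(m.group(1), "%H:%M:%S")
    return rec


def parse_log(text):
    return [r for r in map(parse_line, text.splitlines()) if r]


def host_of(url):
    """Hostname of a web-filter url= value (scheme may be absent)."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def correlate(ips_records, web_records, sid, window_seconds=90):
    """Join each IPS drop for `sid` to web-filter entries whose dstip equals
    the drop's srcip within +/- window_seconds.  The IPS record carries the
    remote server as srcip with srcport 80 (the rule matched the HTTP
    response), so the web filter's dstip is the join key."""
    window = timedelta(seconds=window_seconds)
    pairs = []
    for ips in ips_records:
        if ips.get("sid") != sid:
            continue
        hits = [w for w in web_records
                if w.get("dstip") == ips.get("srcip")
                and abs(w["time"] - ips["time"]) <= window]
        pairs.append((ips, hits))
    return pairs


def classify(pairs, trusted_suffixes=(".sophosupd.com",)):
    """Map srcip -> (verdict, sorted hostnames fetched from that IP)."""
    verdicts = {}
    for ips, hits in pairs:
        hosts = sorted({host_of(w.get("url", "")) for w in hits})
        if not hosts:
            verdict = UNMATCHED          # no web-filter entry: investigate
        elif all(h.endswith(trusted_suffixes) for h in hosts):
            verdict = VENDOR_UPDATE      # only vendor update hosts
        else:
            verdict = UNTRUSTED          # something else was fetched
        verdicts[ips["srcip"]] = (verdict, hosts)
    return verdicts


def triage(ips_text, web_text, sid="49570", window_seconds=90):
    return classify(correlate(parse_log(ips_text), parse_log(web_text),
                              sid, window_seconds))


if __name__ == "__main__":
    for ip, (verdict, hosts) in triage(IPS_LOG, WEB_LOG).items():
        print(f"{ip:16} {verdict:14} {', '.join(hosts) or '-'}")
```

Drops whose only matching fetches land on *.sophosupd.com support treating the SID as a false positive on Sophos update payloads; a drop with no web-filter entry in the window, or one that lines up with a fetch from some other host, is the case to look at before touching the rule. If an exception is added, scope it to the update hosts rather than disabling the signature globally.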



This thread was automatically locked due to age.
  • This is somewhat of a shot in the dark, but the source address is Akamai Technologies, which is what Microsoft uses. WMI is used to gather info on the systems, among other things. Do you have "send diagnostic data to help Microsoft" turned on? Or are you using any Office 365 services or updating that could be pulling information?
