Slyguy

Starting earlier today, Kaspersky Free on a few (but not all) machines started triggering a high threat level IPS event.

False positive? Either way this level of triggering of security can cause me some issues. Strange that it is not triggering on all machines, just a few. Perhaps some aren't updated yet or something.

Inbound to WAN1 from 37.48.82.67. Machine OUTBOUND to dnl-16.geo.kaspersky.com

It seems to have subsided a bit. But I am concerned because Fortinet IPS is not known to issue false positives for Medium/High/Extreme events. Any false positive prone events are under 'Info' category which most people leave off.

woodrowbone

I am disappointed in K Free, it slows down the not-too-powerful computers too much.
In my humble tests K Free performs on par with the syrup from Microsoft, Windows Defender.

/W
Slyguy

The issue appears to have been a bad update from Kaspersky.

Computers at my home that were online during that day for a short period of time got served this update, which caused the IPS triggers on Fortinet to go nuts. Any computer turned on later in the day didn't have this issue. Because Fortinet was blocking it, my resolution was either to disable Fortinet IPS policies or uninstall/reinstall Kaspersky Free. I elected the latter, which fixed the issue.

Woodrow, I haven't noticed any speed issues or slowdowns with KAF UNLESS you turn heuristics higher than recommended. Otherwise it seems very lightweight.
woodrowbone

Lightweight, that is what I was looking for among the free AVs.
As I run Comodo firewall with Cruelsisters settings, I just need a light AV picking up the scraps, and nothing comes close to Panda in that regard.

Sorry for the slight derail of the thread :)

/W
Slyguy

All good. I also like Panda.

We think someone attempted a targeted attack on my network/endpoints during all of this. After my review, and consulting with other engineers, it appears a purposeful hijacked update was sent to Kaspersky on my network. If this was widespread it would have been huge and publicized, it appears limited to my network. The only fix for this was to completely wipe Kaspersky Free from the impacted machines and reinstall it. Not being able to 'update' something is a classic symptom of tailored access operations because a lot of things can be broken, especially updates.

Also during this period I was alerted to localized attempts to infiltrate my wireless infrastructure. My RogueAP suppression unit registered hundreds of attempts to spoof SSIDs and MACs. My RAP Suppression unit detects these types of events and executes a localized DDOS attack on any SSID/MAC/Device attempting it.

Corresponding with this we noted external attempts to probe WAN1 which culminated in a DDOS attack on my WAN1 (ingress). 60,000 or so attacks were registered. Also there were external attempts to send manipulated packets to my network.

Screenshots of the action below.
Slyguy

I've traced one of the DDOS sources to Stresserforums.net. Does anyone have any experience with those guys?

Googlefu says:
StresserForums.net (link in bio) Buy and sell legit DDoS/Booter/Stresser services in our marketplace. #DDoS #Stresser #Booter #DDoSAttack #HackForums...

Looks like a black market website for script kiddies and tools. They seem to have taken a liking to my Tivo. Unfortunately Tivo is a difficult device to secure because of its unix shell. So what I have done is block Tivo from accessing the internet except during a small 3 hour window during its usual nightly update process. Any other time, no WAN access. That seems to have fixed their infatuation with my Tivos. ;)
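As an added illustration of the "Tivo only gets WAN access during its nightly update window" approach described above, not Slyguy's own configuration: a FortiOS CLI fragment that lets one device out to wan1 during a recurring three-hour window and denies it at all other times. The device IP, interface names, window times and object names are assumptions.

```fortios
# Constructed example: address object for the Tivo (IP is a placeholder)
config firewall address
    edit "Tivo"
        set subnet 192.168.1.50 255.255.255.255
    next
end

# Recurring schedule: 02:00-05:00 every night (assumed update window)
config firewall schedule recurring
    edit "tivo-update-window"
        set day sunday monday tuesday wednesday thursday friday saturday
        set start 02:00
        set end 05:00
    next
end

config firewall policy
    # Allow the Tivo out only during the window; log it to audit what it fetches
    edit 0
        set name "tivo-allow-update-window"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "Tivo"
        set dstaddr "all"
        set action accept
        set schedule "tivo-update-window"
        set service "ALL"
        set nat enable
        set logtraffic all
    next
    # Explicit deny for the Tivo at all other times, so attempts outside the
    # window show up in the traffic log instead of silently matching a broader rule
    edit 0
        set name "tivo-deny-other-times"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "Tivo"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

Policies are matched top-down, so both rules must sit above any general LAN-to-WAN allow rule (`move <id> before <id>` inside `config firewall policy`); otherwise the broader rule matches first and the schedule never applies.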
woodrowbone

Hey Slyguy, (off topic again ;) ) you seem to have the perfect test environment at your home.
How would you feel about setting up a computer with Comodo firewall (Cruelsisters settings, link below) outside of your Fortigate system?

The setting part starts around 6 min, but the whole vid is worth looking at.

Just as an experiment, to see if it can handle all that strange traffic you seem to have.
It would also be a good real world test of that setup, if you have the time and interest of course.
I think a lot of us members here at MT would be interested to see the results, as many of us trust CFW with those settings.
Maybe start a thread about it?

If you would consider this, please use that computer as normal, or better yet set your most click-happy family members behind the keyboard and see if they can infect it :)

/W
Slyguy

Better yet, I could throw this system on DMZ and let her roll.

I have some tools that create automated browsing/searching/clicking on a system I would put on it as well. I had the tool made to spoof network activity in the home to add a ton of useless 'chaff' to our internet activity. But it would easily be repurposed in such a fashion to test protection. I may try this over the holiday weekend.

My network is pretty obviously a target, so it does make it fun to test stuff. I've hardened my network a bit more since this attack. I've started to become vague about disclosing my network/security protocols and details. Just as a precaution.