I am looking into the buffer overflow events in CSA and need your assistance with this one. Here is the event: The application 'C:\Program Files\Internet Explorer\iexplore.exe' (***) tried to call the function VirtualProtectEx("<self>") from a buffer (the...
CSA did not prevent a machine from sending SMTP traffic to thousands of internal machines despite the fact that the user terminated the action. Does "concurrent query limit exceeded" mean that CSA was overwhelmed and just could not handle the volume?...
Does Skype make IRC connections? We are detecting this all the time from multiple ports: "Potential worm propagation: The process 'C:\Program Files\Skype\Phone\Skype.exe' (as user ) has read downloaded content (file C:\Program Files\Skype\Phone\Skype.e...
We have an in-house vulnerability scanner that regularly does port scans and we don't want to see events when the source IP is from the vulnerability scanner. We tried a network access rule but it does not work. 1) Network Shim is enabled 2) Network ...
Thanks Tom, great explanation. Yes, that would be a better message. In the logs, the default action every time was "terminate." However, we still saw heavy tcp/25 traffic from that host through internal network IDS and network flow. My guess is that ...
No, we are using a MS SQL server. Based on the CSA MC architecture and the number of hosts, we are in good shape. The global event correlation rule is enabled. I might need to lower the threshold. I am looking for the needed file access control rule ...
Tom, do external hosts who VPN to your network talk straight to the MC in the DMZ, or do they tunnel through the firewall to the intranet and then access the MC? Another question: can we have multiple polling MCs? One internal and one in the DMZ? Thanks