CPUG

The Check Point User Group

A Resource For The Check Point Community.  Fast.  Useful.  Independent.

1. CCSA/CCSE One-Week Dual-Certification Training Course with CPUG in San Francisco!
    Courses Starting 12/8, (2009) 1/19, 2/9, 3/9, 4/6, 5/4, 6/8, 7/6, 8/3.
2. Join Us On LinkedIn - We now have a CPUG group.


Go Back   CPUG: The Check Point User Group > Check Point Firewall-1/VPN-1 And Related Products > SmartDefense
SmartDefense spoolss false positive? SmartDefense spoolss false positive?
Register FAQ Members List Calendar Search Today's Posts Mark Forums Read

Reply
 
LinkBack Thread Tools Display Modes
  #1 (permalink)  
Old 2005-11-08
Junior Member
  
Join Date: 2005-11-08
Posts: 2
Rep Power: 0
ecorreale has an average reputation (10+)
Send a message via AIM to ecorreale
Default SmartDefense spoolss false positive?
When my users use a VPN connection I start getting alarms about a CIFS Worm ID CPAI5201, //spoolss attack from the VPN client to a single print server. It's always the same print server and always from clients that have that printer installed on their systems. The common printers for each client are an HP 9000 and an HP800 series plotter. These alarms stop if I stop the spooler service on the vpn client. I have scanned the computers with Norton AntiVirus using the latest DATs, no virus or worms found.


Is this a false positive, or am I missing something?
Reply With Quote
  #2 (permalink)  
Old 2005-11-11
Member
  
Join Date: 2005-10-25
Location: North Brunswick, NJ
Posts: 38
Rep Power: 0
czech12 has an average reputation (10+)
Default Re: SmartDefense spoolss false positive?
It could very well be a false positive. If you have verified that there is no virus on the machine, I would say that's what it is...
__________________
====================
Aaron Vivo
CCSE Plus, CCMSE, NSA
====================
Reply With Quote
  #3 (permalink)  
Old 2006-03-30
Junior Member
  
Join Date: 2005-08-22
Posts: 13
Rep Power: 0
maverick has an average reputation (10+)
Default Re: SmartDefense spoolss false positive?
I have experienced the very same thing, it must be a false positive
Reply With Quote
  #4 (permalink)  
Old 2006-03-31
Senior Member
  
Join Date: 2006-01-26
Location: Moscow, Russia
Posts: 706
Rep Power: 3
kva.kva has an average reputation (10+)
Default Re: SmartDefense spoolss false positive?
From SK
"A number of "false positive" issues relating to SmartDefense rule drops have been resolved by applying the latest HFA in conjunction with the latest update SmartDefense version." Please, check this.

And from me. You can try to set monitor only options for SmartDefence->Microsoft Networks parameters (may be only for File and Print Sharing).
Reply With Quote
Reply

« Previous Thread | Next Thread »
Thread Tools
Display Modes
Linear Mode Linear Mode

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are Off
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are On


All times are GMT -7. The time now is 11:15.

Contact Us - CPUG Home Page - Archive - Top

Powered by vBulletin® Version 3.7.4
Copyright ©2000 - 2008, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO 3.2.0