
SEP Detections during VM scan

Question asked by Rick Brown on Aug 7, 2018

I have one Windows server in my environment on which my Qualys VM scans trigger SEP Intrusion Prevention detections. In both cases the remote IP that SEP sees is the loopback address (127.0.0.1), so whitelisting my scanner has no effect. This server does run IIS, and I checked to see if it is doing any URL Rewrites and it is not. Has anyone else seen this, or have ideas as to what else I should be looking for? The two detections I get are:

Detection 1
  Protocol: TCP
  Direction: Inbound
  Remote host: Not applicable
  Remote IP address: 127.0.0.1
  Event Description: [SID: 29972] Attack: Apache Struts CVE-2017-5638 attack blocked. Traffic has been blocked for this application: C:\WINDOWS\SYSTEM32\INETSRV\W3WP.EXE

Detection 2
  Protocol: TCP
  Direction: Outbound
  Remote host: Not applicable
  Remote IP address: 127.0.0.1
  Event Description: [SID: 30104] Web Attack: Malicious OGNL Expression Upload attack blocked. Traffic has been blocked for this application: C:\WINDOWS\SYSTEM32\INETSRV\W3WP.EX
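A triage helper, added here as an example and not part of the original thread, that parses SEP IPS event rows of the form shown above and separates hits that an exclusion for the scanner's IP would cover from loopback-origin hits, which such an exclusion can never match and which therefore have to be explained by something on the host itself. The sample events and the 192.0.2.10 scanner address are constructed placeholders.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample events modelled on the two SEP IPS entries in the question,
# plus one hypothetical hit attributed directly to a (placeholder) scanner address.
W3WP = "C:\\WINDOWS\\SYSTEM32\\INETSRV\\W3WP.EXE"
STRUTS = "[SID: 29972] Attack: Apache Struts CVE-2017-5638 attack blocked. "
OGNL = "[SID: 30104] Web Attack: Malicious OGNL Expression Upload attack blocked. "
TAIL = "Traffic has been blocked for this application: " + W3WP
SAMPLE_EVENTS = [
    {"protocol": "TCP", "direction": "Inbound", "remote_ip": "127.0.0.1", "description": STRUTS + TAIL},
    {"protocol": "TCP", "direction": "Outbound", "remote_ip": "127.0.0.1", "description": OGNL + TAIL},
    {"protocol": "TCP", "direction": "Inbound", "remote_ip": "192.0.2.10", "description": STRUTS + TAIL},
]
SCANNER_IPS = {"192.0.2.10"}  # placeholder scanner address, not from the question

# SEP event text: "[SID: n] <signature> blocked. Traffic has been blocked for this application: <path>"
EVENT_RE = re.compile(r"^\[SID: (?P<sid>\d+)\] (?P<signature>.+?) blocked\. "
                      r"Traffic has been blocked for this application: (?P<app>.+)$")

def classify_origin(remote_ip, scanner_ips):
    # A loopback peer is a process on the host itself, so an exclusion for the
    # scanner's address can never match it; it has to be explained locally.
    addr = ipaddress.ip_address(remote_ip)
    if addr.is_loopback:
        return "loopback"
    return "scanner" if remote_ip in scanner_ips else "other"

def parse_event(event, scanner_ips):
    m = EVENT_RE.match(event["description"])
    if not m:
        raise ValueError("unrecognised SEP IPS event text: %r" % event["description"])
    return {"sid": int(m.group("sid")), "signature": m.group("signature"),
            "app": m.group("app"), "direction": event["direction"],
            "remote_ip": event["remote_ip"],
            "origin": classify_origin(event["remote_ip"], scanner_ips)}

def triage(events, scanner_ips):
    # Split hits the scanner exclusion would cover from those it cannot (loopback),
    # and count by (origin, direction, SID) so repeat signatures stand out.
    rows = [parse_event(e, scanner_ips) for e in events]
    unexplained = [r for r in rows if r["origin"] == "loopback"]
    summary = Counter((r["origin"], r["direction"], r["sid"]) for r in rows)
    return rows, unexplained, summary

if __name__ == "__main__":
    for r in triage(SAMPLE_EVENTS, SCANNER_IPS)[1]:
        print("investigate on host:", r["direction"], r["sid"], r["signature"], r["app"])
```

Feeding a real SEP export through `triage` would show which SIDs only ever appear with a loopback peer, which is the set to investigate on the IIS host rather than in the scanner exclusion list.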
