maniactaya.blogg.se

Kaspersky rescue disk update offline














They don't need to be infected if malicious actors want to try to attack them. For example, was there any other suspicious traffic sent from the same source.

2) Devices, that are connected to the network, are most often available for malicious vulnerability scanning and external attack attempts. I would start from looking at all the logs related to these hosts around the times of those DoS alerts (could start with 5 minutes and reduce if the number of log entries is unmanageable) to possibly get some context of the events. But the logs are all you need, you don't need to disturb the machines' work. If you suspect this, investigate the traffic and get the firewall rules tweaked accordingly.

Answering your comment here since the comment space seems too small.

1) Every environment is different and I, or anyone else, can't tell how exactly should your situation be investigated.


There is also a possibility that this was a false positive and the traffic was genuine and not DoS-inducing. Have you applied the critical security update MS17-012?

Do you even need SMB? If not, disable this service (close the port 445).


In other words, if the systems you use are vulnerable to CVE-2017-0016 ("Microsoft Windows contains a memory corruption bug in the handling of SMB traffic, which may allow a remote, unauthenticated attacker to cause a denial of service on a vulnerable system."), the traffic that was dropped could have caused them to crash and that's why it was dropped. The most probable reason this traffic was dropped is that the requests, purposefully or not, were crafted in a way that they could cause a denial-of-service state on your host. Kaspersky Rescue Disk is a tool against malware, not against remote external attacks, and in the majority of cases it would not help here.













