Intrusion.Win.CVE-2020-1350.b [MOVED]

[dmkasp]

Hi everyone,

We have just installed the new Kaspersky for Windows Server 11.0.0.480 on our DNS domain controllers, and activated the “Network Threat Protection”.  We have started to receive some messages on the Kaspersky console about “Intrusion.Win.CVE-2020-1350.b”, some workstations seems to do DNS attacks.  We have scanned some of theses workstation with Kaspersky but no detected menaces on the workstations.  I’ve started to believe there is “false positive”.  Is anybody knowes some information about this kind of detection? If these are real menaces, is there a malware installed on theses workstations? 

 

[MilanBortel]

Hi @dmkasp,
it happened to me also. This intrusion has been detected on devices with both KSWS and KES installed. What is funny - it was detected on Windows 10 devices, that obviously doesn’t have any DNS role installed and thus cannot become victims for that attack.. It can only affect Windows Server host with DNS role installed, is that your case?

From my communication with support I took it as false positive. I guess it detects some of our network monitoring tools sending the attacking packets..

Cheers,
Milan

[dmkasp]

Hi, we have Kaspersky on only our servers, so we doesn’t have detection from workstation.

I find the “Network Threat Protection” feature interesting, and now we receive this “false” DNS detection just for our DNS servers, but we don’t want to disable the feature ….

[GLFI69]

it happened to me also.

kaspersky support demanded to send trace data in the exact attack moment but it is so rare...

than i give up.

 

[dmkasp]

and if we want the protection continues for other types of attacks, we can’t avoid the 1350b detections from Kaspersky…  

 

is anyone have a trick for ignoring these false detections?

[MilanBortel]

Hi @dmkasp,

from what I know, you can only set that “attacker” as an exception in Network Threat Protection component:

Network Threat Protection 

But then the server would not be protected from any possible attack coming from that excluded device 😒

 

Cheers,
Milan

[José Pulido]

We have the same situation, but, the dns service restart too,  without  reason.  I think that is not a false  positive 

[dmkasp]

The problem seems to have gone, I have installed the latest windows server patches on our domain controlers and since, no 1350 entries … or perhaps a Kaspersky update ?