Posted
Hello,

We are hosting an unsupported system called Care Free (http://www.carefreegroup.com/) for a customer that we provide IT support and infrastructure for, on one of our Windows 2016 servers running SQL 2017 and KES 11.0.6499 pf5101.

As of yesterday only
Database release date: 04/09/2019 06:39:00

We've been receiving an alert from the NTP component on this server alerting us of a Bruteforce.Generic.MSSQL.b on port 1433 of the server from clients running the Care Free software. This issue can be recreated when the client accesses a specific location within the application. The NTP block is causing a complete loss of connectivity to the SQL database intermittently, making the application unusable.

Obviously, with the nature of the attack being a brute force, I've had the affected system users change their password to a much more complex one (it is a local SQL account).

I've been in touch with the vendor to identify what the precise workflow within the application is actually doing. However, is there any chance we could maybe identify whether the new database release might be a false positive?

Event type: Network attack detected
Application\Name: Kaspersky Endpoint Security for Windows
User: F4\xxxxxxxxxx (Active user)
Component: Network Threat Protection
Result\Description: Blocked
Result\Name: Bruteforce.Generic.MSSQL.b
Object: TCP from 172.xx.xx.xx to 172.x.x.x:1433
Object\Type: Network packet
Object\Name: TCP from 172.x.x.x to 172.x.x.x:1433
Object\Additional: 172.x.x.x
Database release date: 04/09/2019 12:08:00
Posted
Same here... Local database with a lot of Navision users... since this Tuesday.

Tipo de evento: Ataque de red detectado
Aplicación\Nombre: Kaspersky Endpoint Security para Windows
Usuario: NT AUTHORITY\SYSTEM (Usuario del sistema)
Componente: Protección frente a amenazas en la red
Resultado\Descripción: Bloqueado
Resultado\Nombre: Bruteforce.Generic.MSSQL.b
Objeto: TCP de varios orígenes diferentes
Objeto\Tipo: Paquete de red
Objeto\Nombre: TCP de varios orígenes diferentes
Objeto\Avanzado: Sospechoso:
Fecha de las bases: 05/09/2019 1:37:00
Ivan Ponomarev
Posted
Hello! Please provide the incident number after you create it so we could provide you with necessary instructions for solving the issue. Thanks!
Ivan Ponomarev
Posted
Many thanks for the reply! Please wait for the information in the incident. Thanks!
Posted
We are having the same problem using an ASP Classic application via the web. Anything we can do?

Event Type: Network Attack Detected
Application \ Name: Kaspersky Endpoint Security for Windows
User:
Component: Network Threat Protection
Result \ Description: Locked
Result \ Name: Bruteforce.Generic.MSSQL.b
Object: TCP from 1 ##. ###. #. # To 1 ##. ###. #. #: 1433
Object \ Type: Network Packet
Ivan Ponomarev
Posted
Hello! Do you have an incident created already? Thanks!
Posted
> Hello! Do you have an incident created already? Thanks!
No. Thanks
Ivan Ponomarev
Posted
Hello! Please create an incident at companyaccount.kaspersky.com so we can provide you with further help. Thanks!
Posted
> Hello! Please create an incident at companyaccount.kaspersky.com so we can provide you with further help. Thanks!
Hi, INC000010765779
Nikolay Arinchev
Posted
Hi, Thank you for that info! Please wait for the answer within INC000010765779
Posted
We have been having the same issue since Thursday. We opened a ticket in Company Account and are waiting for answers. INC000010768390 Regards.
Posted
Same here, since Wednesday 04.09.2019. We are waiting for answers. INC000010766766
Dmitry Parshutin
Posted
Hello! Please wait for the answer in the incident. Thank you!
Posted
I am joining the participants of this discussion. A request has been created in Company Account: INC000010774376
Posted
Hello, Have you found a solution to this issue? If a solution has been found, what actions should we take? Thanks.
Posted
> Hello, Have you found a solution to this issue? If a solution has been found, what actions should we take? Thanks.

Dear user, Thanks for your message. Please submit a case in our Company Account service and provide here the incident number given by our system. Then, please wait for our specialists' advice directly in your submitted case in Company Account.
Evgeniy Puchkov
Posted
I don't understand: is the support service going to work on this problem or not? The request was created on 06.09.2019.

INC000010763638

No one is doing anything.
Posted
> Hello, Have you found a solution to this issue? If a solution has been found, what actions should we take? Thanks.
>
> Dear user, Thanks for your message. Please submit a case in our Company Account service and provide here the incident number given by our system. Then, please wait for our specialists' advice directly in your submitted case in Company Account.
Hello there, Since last week, I have been receiving Bruteforce.Generic.MSSQL.b attacks from my users. I did not get results even though I did antivirus updates. I am requesting your solutions as soon as possible. Thanks. INC000010780075
Posted
I have the same problem here in my network. I guess this is a false positive: clients are trying to connect to SQL Server and that connection is blocked by Kaspersky, thinking this is an attack. I have opened a ticket too: NC000010779364
Posted
Hello, this is a false detection; a resolution is on the way and will be published next week. Sorry about the inconvenience caused.
Posted
These updates, I think, should be tested more before being released. That caused me a big headache.
  • 2 weeks later...
Posted
Is this problem solved?? I have my Kaspersky disabled on my SQL server, waiting for the resolution.
Posted
> Is this problem solved?? I have my Kaspersky disabled on my SQL server, waiting for the resolution.

You can just disable Network Threat Protection; this works for me. This way you are more protected than with KES fully disabled.