Jump to content
Kaspersky Support Forum

Intrusion.Win.CVE-2020-1350.b [MOVED]

dmkasp

By dmkasp
in Kaspersky Endpoint Security for Business

 Share

Recommended Posts

dmkasp

dmkasp

Posted
  • Author
Posted

Hi everyone,

We have just installed the new Kaspersky for Windows Server 11.0.0.480 on our DNS domain controllers, and activated the “Network Threat Protection”.  We have started to receive some messages on the Kaspersky console about “Intrusion.Win.CVE-2020-1350.b”, some workstations seems to do DNS attacks.  We have scanned some of theses workstation with Kaspersky but no detected menaces on the workstations.  I’ve started to believe there is “false positive”.  Is anybody knowes some information about this kind of detection? If these are real menaces, is there a malware installed on theses workstations? 

 

MilanBortel

MilanBortel

Posted
Posted

Hi @dmkasp,
it happened to me also. This intrusion has been detected on devices with both KSWS and KES installed. What is funny - it was detected on Windows 10 devices, that obviously doesn’t have any DNS role installed and thus cannot become victims for that attack.. It can only affect Windows Server host with DNS role installed, is that your case?

From my communication with support I took it as false positive. I guess it detects some of our network monitoring tools sending the attacking packets..

Cheers,
Milan

dmkasp

dmkasp

Posted
  • Author
Posted

Hi, we have Kaspersky on only our servers, so we doesn’t have detection from workstation.

I find the “Network Threat Protection” feature interesting, and now we receive this “false” DNS detection just for our DNS servers, but we don’t want to disable the feature ….

GLFI69

GLFI69

Posted
Posted

it happened to me also.

kaspersky support demanded to send trace data in the exact attack moment but it is so rare...

than i give up.

 

dmkasp

dmkasp

Posted
  • Author
Posted

and if we want the protection continues for other types of attacks, we can’t avoid the 1350b detections from Kaspersky…  

 

is anyone have a trick for ignoring these false detections?

MilanBortel

MilanBortel

Posted
Posted

Hi @dmkasp,

from what I know, you can only set that “attacker” as an exception in Network Threat Protection component:

Network Threat Protection 

But then the server would not be protected from any possible attack coming from that excluded device 😒

 

Cheers,
Milan

  • 2 weeks later...
José Pulido

José Pulido

Posted
Posted

We have the same situation, but, the dns service restart too,  without  reason.  I think that is not a false  positive 

  • 2 weeks later...
dmkasp

dmkasp

Posted
  • Author
Posted

The problem seems to have gone, I have installed the latest windows server patches on our domain controlers and since, no 1350 entries … or perhaps a Kaspersky update ?

Guest
This topic is now closed to further replies.
 Share
Go to topic listing


×
×
  • Create New...