IPS “Outbound Traffic Detected” alert
Author: dong_chung27 (Employee) · Posted: 24-Sep-2015 11:54AM · Edited: 25-Sep-2015 10:53AM
Over the last couple of months we have been noticing a lot of reports connecting an Intrusion Prevention System (IPS) “Outbound Traffic Detected” alert to a recommendation to run Norton Power Eraser and so I’ve spent some time investigating the issue and have discovered a few issues. Some we have already fixed and another fix is coming shortly. I wanted to take this opportunity to share with you what I discovered and what fixes we are putting in place.
First I’d like to thank you for being patient with the repeated alert notification issue! We understand that our response is overdue and I apologize for taking so long to update you on the issue. Hopefully this note will shed some light on it. So here is what I have learned:
How is the feature supposed to work?
First let me start by explaining what the alert was originally designed to do. As some of you may know already, our Intrusion Prevention System (IPS) works closely with the Norton Firewall to monitor all traffic entering and leaving your computer. Its primary purpose is to detect and block malicious traffic from ever entering your machine in the first place. It’s actually very effective. Based on our telemetry it routinely blocks upwards of 50% of all attacks across our entire customer base. The remaining attacks go on to be blocked by our other detection technologies.
In exceptional circumstances a threat may slip by our defenses and infect a computer. We wanted to be able to detect this condition and do something about it. We realized that infected computers will often “phone home”, either to upload your sensitive information to a remote attacker or to download new instructions on what to do next on your computer. Because our IPS watches outbound traffic too, a few years ago we figured out a way to leverage this capability to spot the telltale signs of the outbound traffic associated with an infected computer. The “Outbound Traffic Detected” alert is our technology’s way of telling you “you are infected!” Our general recommendation to customers who believe they are infected is to run Norton Power Eraser, and so that is what the IPS alert recommends.
So why do we believe there was a spike in alerts over the last two months?
We think there were two contributory issues that were related. First we believe a faulty IPS signature update caused a spike in false positive alerts, in other words an alert about a condition that wasn’t in fact true. Secondly we discovered a fault in the suppression system which meant that the condition kept recurring even if our customers told us to ignore it. Let me describe these two points in a little more detail:
1. A bad Intrusion Prevention System signature caused false positives, particularly in the month of July
In researching this I discovered a peak in alerts during the month of July 2015. Digging in a little deeper I was able to discover that some browser-related plugins were causing outbound traffic that caused some of the then recently updated IPS signatures to trigger. The signatures were released on July 9 2015. It took a week or two for the traffic level to build to the point that an investigation was triggered. Updated clean signatures were released on July 28 2015 and immediately the number of alerts dropped off.
2. “Do not show me this message again” not working as designed.
When an alert notification is presented to a customer there is typically a check box option accompanying the notification that says “Don’t show this message again for this outbound traffic”. It’s our way of allowing customers to say “Yes, I see the issue, but I don’t believe it’s something I need to worry about so please don’t tell me about it again”. When the option is checked it is supposed to tell us to ignore the condition in future. Well it turns out there was a bug in that piece of code. The net of this was that we kept popping up the alert even if you told us not to. Annoying for sure. We are very sorry about this.
The fix is scheduled to ship in our next client update, due at the end of Sept 2015. You won’t have to take any action since the client will automatically update to the latest release.
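To make the intended “Don’t show this message again for this outbound traffic” behaviour concrete, here is an added illustrative model (not Norton’s code). It assumes an alert is identified by its IPS signature id plus the remote endpoint of the outbound connection, and that the suppression choice must survive a client restart; all signature ids and hostnames are constructed.

```python
"""Illustrative model of per-traffic alert suppression (added example, not Norton's code)."""
import json
import os
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class OutboundAlert:
    signature_id: str   # IPS signature that matched (constructed ids below)
    remote_host: str    # destination of the outbound connection
    remote_port: int

    def key(self) -> str:
        # Suppression is scoped to this exact traffic, not the whole signature,
        # so a real detection on a different host still surfaces.
        return f"{self.signature_id}|{self.remote_host}:{self.remote_port}"


class SuppressionStore:
    """Persists 'do not show again' decisions to a JSON file."""

    def __init__(self, path: str):
        self.path = path
        self._keys = set()
        if os.path.exists(path):
            with open(path) as fh:
                self._keys = set(json.load(fh))

    def suppress(self, alert: OutboundAlert) -> None:
        self._keys.add(alert.key())
        with open(self.path, "w") as fh:  # write-through so the choice survives a restart
            json.dump(sorted(self._keys), fh)

    def should_notify(self, alert: OutboundAlert) -> bool:
        return alert.key() not in self._keys


def demo(path: str = None) -> tuple:
    """Returns (first_shown, repeat_shown_after_restart, unrelated_shown)."""
    if path is None:
        path = os.path.join(tempfile.mkdtemp(), "suppress.json")
    # Constructed sample alerts: the same signature on two different hosts.
    plugin = OutboundAlert("SIG-CONSTRUCTED-1", "updates.plugin.example", 443)
    other = OutboundAlert("SIG-CONSTRUCTED-1", "c2.suspicious.example", 8080)
    store = SuppressionStore(path)
    first = store.should_notify(plugin)        # True: never seen before
    store.suppress(plugin)                     # user ticks the box
    reloaded = SuppressionStore(path)          # simulate a client restart
    repeat = reloaded.should_notify(plugin)    # False: choice persisted
    unrelated = reloaded.should_notify(other)  # True: different traffic still alerts
    return first, repeat, unrelated
```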
What to do if you are still seeing the alert (or see signs of infection).
So here is where things get a little interesting. As mentioned above, the product alert is designed to inform you about suspicious outbound traffic which may mean your machine is actually infected, and because we have already fixed the faulty signature, any time you now see the alert it may mean that your machine is actually infected. Because of this, we recommend that you run Norton Power Eraser to confirm that the system is clean of malware. In normal circumstances the scan will take less than 5 min and will give you peace of mind when no threats are found. Although it is not common, if you happen to see signs of infection even after running a Norton Power Eraser scan, consider taking the following steps:
- Check out the “threat removal” knowledge base articles. They collect previously found solutions for removing various undesired symptoms.
- Consider running a full system scan using our Norton Bootable Recovery Tool (NBRT). NBRT is designed to scan entire disk drives and look for threats that typically hide in the boot sector. The scan usually takes about 1-2 hours and the tool can be downloaded from here.
- Contact our support if you have followed all the recommended steps above. If you’re a subscribed member of Norton Security, you may be entitled to our Virus Protection Promise (VPP), which provides a 100% virus removal guarantee. Click here to learn more about our Virus Protection Promise.
So I think that sums up my findings. Look out for the next release of the Windows client which will address the “Don’t show me this message again” issue.
Again, I’d like to thank you for your patience with the issue. Please don’t hesitate to let me know if you discover more alerts that you think may be false.