Kaspersky
Question

Bruteforce.Generic.MSSQL.b

  • 4 September 2019
  • 22 replies
  • 2656 views

Hello,

We are hosting an unsupported system called Care Free (http://www.carefreegroup.com/) for a customer that we provide IT support and Infrastructure for on one of our Windows 2016 Servers running SQL 2017 and KES 11.0.6499 pf5101

As of yesterday only (database release date: 04/09/2019 06:39:00), we've been receiving an alert from the NTP component on this server alerting us of a Bruteforce.Generic.MSSQL.b on port 1433 of the server from clients running the Care Free software.

This issue can be recreated when the client accesses a specific location within the application.

The NTP block is causing a complete loss of connectivity to the SQL database intermittently making the application unusable.

Obviously, with the nature of the attack being a brute force, I've had the affected system users change their password to a much more complex one (it is a local SQL account).

I've been in touch with the vendor to identify what the precise workflow within the application is actually doing. However, is there any chance we could maybe identify whether the new database release might be a false positive?

Event type: Network attack detected
Application\Name: Kaspersky Endpoint Security for Windows
User: F4\xxxxxxxxxx (Active user)
Component: Network Threat Protection
Result\Description: Blocked
Result\Name: Bruteforce.Generic.MSSQL.b
Object: TCP from 172.xx.xx.xx to 172.x.x.x:1433
Object\Type: Network packet
Object\Name: TCP from 172.x.x.x to 172.x.x.x:1433
Object\Additional: 172.x.x.x
Database release date: 04/09/2019 12:08:00
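One thing a practitioner can do while waiting on the vendor is to check whether the blocked traffic looks like an application talking to its database (a small, stable set of known client hosts) or like an actual brute force (many sources, or sources that do not run the application at all). The script below is an added example, not Kaspersky's code or anything posted in this thread: it parses event records in the "Key: Value" layout quoted above, groups them by detection name and destination, and lists the source addresses that are not on an inventory of known application hosts. The sample records, addresses and the allowlist are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample in the "Key: Value" layout of the KES event viewer.
# Addresses and user names are made up; field names and the detection
# name match the records quoted in the thread.
SAMPLE_EVENTS = r"""
Event type: Network attack detected
User: F4\alice (Active user)
Result\Name: Bruteforce.Generic.MSSQL.b
Object: TCP from 172.16.10.21 to 172.16.10.5:1433
Database release date: 04/09/2019 12:08:00

Event type: Network attack detected
User: F4\alice (Active user)
Result\Name: Bruteforce.Generic.MSSQL.b
Object: TCP from 172.16.10.21 to 172.16.10.5:1433
Database release date: 04/09/2019 12:08:00

Event type: Network attack detected
User: F4\bob (Active user)
Result\Name: Bruteforce.Generic.MSSQL.b
Object: TCP from 172.16.10.34 to 172.16.10.5:1433
Database release date: 04/09/2019 12:08:00

Event type: Network attack detected
User: NT AUTHORITY\SYSTEM (System user)
Result\Name: Bruteforce.Generic.MSSQL.b
Object: TCP from multiple sources
Database release date: 05/09/2019 01:37:00
"""

# "Object:" lines look like "TCP from <src> to <dst>:<port>".
OBJECT_RE = re.compile(r"TCP from (\S+) to (\S+):(\d+)$")


def parse_events(text):
    """Split an event export into records; each record maps 'Key' -> 'Value'."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in chunk.splitlines():
            key, sep, value = line.partition(":")  # split on the first colon only
            if sep:
                rec[key.strip()] = value.strip()
        if rec:
            records.append(rec)
    return records


def summarize(records):
    """Group events by (detection name, destination) and collect sources and users.

    A record whose Object line reads "TCP from multiple sources" carries no
    single source address; it is filed under the pseudo-source "multiple".
    """
    groups = defaultdict(lambda: {"count": 0, "sources": set(), "users": set()})
    for rec in records:
        name = rec.get("Result\\Name", "?")
        match = OBJECT_RE.search(rec.get("Object", ""))
        if match:
            src, dst = match.group(1), f"{match.group(2)}:{match.group(3)}"
        else:
            src, dst = "multiple", "?"
        group = groups[(name, dst)]
        group["count"] += 1
        group["sources"].add(src)
        group["users"].add(rec.get("User", ""))
    return dict(groups)


def unexpected_sources(summary, known_app_hosts):
    """Return sources not on the (hypothetical) inventory of hosts that
    legitimately run the application against this SQL instance."""
    seen = set()
    for group in summary.values():
        seen |= group["sources"]
    return sorted(s for s in seen if s != "multiple" and s not in known_app_hosts)


if __name__ == "__main__":
    summary = summarize(parse_events(SAMPLE_EVENTS))
    for (name, dst), group in summary.items():
        print(f"{name} -> {dst}: {group['count']} events from {sorted(group['sources'])}")
    # Constructed allowlist: only 172.16.10.21 is a known application client.
    print("not on the application host inventory:",
          unexpected_sources(summary, {"172.16.10.21"}))
```

If every blocked source is a known application client and the SQL Server's own failed-login records show nothing for the same period, the detection is worth reporting as a suspected false positive; a source that is not on the inventory needs the ordinary investigation before the alert is dismissed.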

22 replies

Userlevel 4
Badge +2
Hi,

To check whether it is a false positive or not, please create a request at https://companyaccount.kaspersky.com/
Thank you!
Same here...

Local database with a lot of Navision users... since this Tuesday

Tipo de evento: Ataque de red detectado
Aplicación\Nombre: Kaspersky Endpoint Security para Windows
Usuario: NT AUTHORITY\SYSTEM (Usuario del sistema)
Componente: Protección frente a amenazas en la red
Resultado\Descripción: Bloqueado
Resultado\Nombre: Bruteforce.Generic.MSSQL.b
Objeto: TCP de varios orígenes diferentes
Objeto\Tipo: Paquete de red
Objeto\Nombre: TCP de varios orígenes diferentes
Objeto\Avanzado:
Sospechoso:
Fecha de las bases: 05/09/2019 1:37:00
Badge
Hello!

Please provide the incident number after you create it so we could provide you with necessary instructions for solving the issue.

Thanks!
Hi, INC000010760939.
Badge
Many thanks for the reply!

Please wait for the information in the incident.

Thanks!
We are having the same problem using an ASP Classic application via the web.
Anything we can do?

Event Type: Network Attack Detected
Application \ Name: Kaspersky Endpoint Security for Windows
User:
Component: Network Threat Protection
Result \ Description: Locked
Result \ Name: Bruteforce.Generic.MSSQL.b
Object: TCP from 1 ##. ###. #. # To 1 ##. ###. #. #: 1433
Object \ Type: Network Packet
Badge
Hello!

Do you have an incident created already?

Thanks!
Hello!

Do you have an incident created already?

Thanks!

No.
Thanks
Badge
Hello!

Please create an incident at companyaccount.kaspersky.com so we can provide further help.

Thanks!
Hello!

Please create an incident at companyaccount.kaspersky.com so we can provide further help.

Thanks!

Hi,

INC000010765779
Userlevel 4
Badge +2
Hi,

Thank you for that info!
Please await the answer within INC000010765779.
We are having the same issue since Thursday. We opened the ticket in Company Account and are waiting for answers. INC000010768390

Regards.
Same here, since Wednesday 04.09.2019. We are waiting for answers.
INC000010766766
Userlevel 2
Badge +1
Hello!
Please await the answer in the incident.
Thank you!
I am joining the discussion. A request has been created on Company Account: INC000010774376
Hello,

Have you found a solution on this issue?

If the solution has been found, what actions should we take.

thanks.
Userlevel 1
Badge
Hello,

Have you found a solution on this issue?

If the solution has been found, what actions should we take.

thanks.


Dear user,
Thanks for your message. Please submit a case in our Company Account service and provide here the incident number given by our system.

Then, please wait for our specialists' advice directly in your submitted case in Company Account.
I did not understand: will the support service work on this problem or not?
The request was created on 06.09.2019.

INC000010763638

Nobody is doing anything.


Hello there,

Since last week, I have been receiving Bruteforce.Generic.MSSQL.b attacks from my users. I did not get results even though I did antivirus updates. I am requesting your solutions as soon as possible.
Thanks.

INC000010780075
I have the same problem here in my network. I guess this is a false positive: clients trying to connect to the SQL server, and that connection is blocked by Kaspersky thinking this is an attack.
I have opened a ticket too: NC000010779364
Userlevel 5
Badge
Hello, this is a false detection; the resolution is on the way and will be published next week. Sorry about the inconveniences caused.
These updates, I think, should be tested more before being released. That caused me a big headache.
