GFI EndPointSecurity agent communication is detected as a DoS attack

Versions / Builds Affected

All versions

Status

Resolved

Problem Summary

Certain Intrusion Detection software can classify the communication between GFI EndPointSecurity and its agents as a Denial of Service attack.

TT / JIRAID

N/A

How to Identify

Intrusion Detection software inspecting the traffic between the agents and the main console of EndPointSecurity will classify it as a 'Generic SYN flood attack'. 'A SYN flood is a type of DoS attack where someone creates many half-open connections. This can create a situation where you can't accept legitimate connections because there are too many bogus connection attempts.' In this case the Intrusion Detection system flags the communication between the agents and the main application as a DoS attack because the traffic is one-way: nothing is sent from the main application back to the agents. Such a connection is called half-open and is considered a problem when a server is flooded with connection attempts from unknown clients, but here both sides are known, so it should not be considered a problem.

Workaround / Fix Details

The customer should be instructed to configure the Intrusion Detection system to ignore this threat on the port on which ESEC communicates (1116 by default).
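The following is an added illustration, not GFI's code or the logic of any particular IDS product: a toy half-open-connection counter in the spirit of the 'Generic SYN flood' heuristic described above, run over constructed traffic in which several agents open connections to the console and receive nothing back, followed by the per-port exemption the workaround asks for. The console address, the agent addresses, the unrelated web-server traffic and the threshold of 5 are all constructed; only port 1116 comes from the article.

```python
from collections import defaultdict
from dataclasses import dataclass

# Added example (not GFI's code): a toy half-open-connection counter plus the
# per-port exemption the article recommends. All hosts, ports other than 1116,
# and packet contents below are constructed.


@dataclass(frozen=True)
class Packet:
    src: str    # source host
    dst: str    # destination host
    sport: int  # source port
    dport: int  # destination port
    flags: str  # "S" = SYN, "SA" = SYN-ACK, "A" = ACK


CONSOLE = "10.0.0.100"   # constructed address for the EndPointSecurity console
ESEC_PORT = 1116         # default agent/console port named in the article

# Constructed traffic: six agents each open a connection to the console and the
# console side sends nothing back, so every one stays half-open from the
# sensor's point of view.
AGENT_SYNS = [
    Packet(f"10.0.0.{n}", CONSOLE, 40000 + n, ESEC_PORT, "S") for n in range(1, 7)
]
# A normal completed handshake to an unrelated web server, for contrast.
BENIGN = [
    Packet("10.0.0.50", "10.0.0.200", 51000, 443, "S"),
    Packet("10.0.0.200", "10.0.0.50", 443, 51000, "SA"),
    Packet("10.0.0.50", "10.0.0.200", 51000, 443, "A"),
]
SAMPLE = AGENT_SYNS + BENIGN

HALF_OPEN_THRESHOLD = 5  # alert when this many distinct clients sit half-open on one listener


def half_open_connections(packets):
    """Return the set of (client, server, server_port) tuples for which a SYN was
    seen but no SYN-ACK came back from the server: the handshake never completed."""
    syns = set()
    syn_acks = set()
    for p in packets:
        if p.flags == "S":
            syns.add((p.src, p.dst, p.dport))
        elif p.flags == "SA":
            # A SYN-ACK travels server -> client, so flip it to the client's view.
            syn_acks.add((p.dst, p.src, p.sport))
    return syns - syn_acks


def syn_flood_alerts(packets, threshold=HALF_OPEN_THRESHOLD, exempt=frozenset()):
    """Group half-open connections by (server, port) and report listeners with at
    least `threshold` distinct half-open clients. Any (server, port) pair in
    `exempt` is skipped, which is the article's workaround for the console port."""
    clients_by_listener = defaultdict(set)
    for client, server, port in half_open_connections(packets):
        if (server, port) in exempt:
            continue
        clients_by_listener[(server, port)].add(client)
    return {
        listener: len(clients)
        for listener, clients in clients_by_listener.items()
        if len(clients) >= threshold
    }


if __name__ == "__main__":
    print("untuned:", syn_flood_alerts(SAMPLE))                                 # flags the console
    print("tuned:  ", syn_flood_alerts(SAMPLE, exempt={(CONSOLE, ESEC_PORT)}))  # nothing
```

The exemption is keyed on the console host together with the port rather than on port 1116 alone, so a genuine flood against some other listener that happens to use the same port number is still reported; when applying the article's workaround in a real IDS, scoping the exception to the console's address in the same way keeps the rest of the SYN flood detection intact.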

Required Actions

Explain the reasons to the client, close the case and attach this article.
Author

Priyanka Bhotika