Coverage for SolarWinds Sunburst Backdoor
Last Modified: 2023-12-13 10:26:17 Etc/GMT
Technical Articles ID: KB93861
Environment
Endpoint Protection Platform - all versions
Endpoint Security (ENS) Threat Prevention 10.x
Host Intrusion Prevention (Host IPS) 8.0
Skyhigh Web Gateway (SWG) 8.x, 7.x
Trellix Intrusion Prevention System (Trellix IPS) 10.x, 9.x
VirusScan Enterprise (VSE) 8.8
Summary
Recent updates to this article
We're aware of a security advisory released by
Although coverage against the attack currently exists using the technologies described below, we'll continue to monitor this threat and will update this article as needed.
Solution
Gateway products block all known network indicators of compromise (IOCs).
All known binaries used in this attack are covered by the Generic detection capabilities, previously provided by
The detection name for threats in this attack is
At the time of publication, customers using Endpoint Protection Platform will see a Windows Defender detection for
For enhanced detection coverage, Endpoint Protection Platform customers can update to the Endpoint Protection Platform 2011 Hotfix release, made available on December 16, 2020.
For customers who can't update DATs or who don't use on-access scanning or on-demand scanning, Exploit Prevention coverage can be configured using the following Expert Rules. The rule content is also available in the ENS Expert Rules
Host IPS Custom Signature:
For Host IPS 8.0, full coverage isn't possible because Host IPS 8.0 doesn't support blocking named pipe creation. You can, however, use a custom signature for partial coverage. False positive detections might occur, so it's recommended to review signature events regularly. As with the ENS Expert Rule above, monitor for any activity using unsigned or non-Microsoft signed use of
Customers using Application and Change Control are advised to unsolidify the SolarWinds Orion Platform software if they are running an affected build. If rules were created to add SolarWinds as an updater, we recommend deleting them.
IPS Signature Set 10.8.16.6, released on December 15, 2020, includes coverage to detect and block the Sunburst Backdoor traffic.
NOTE: The referenced content is available only to logged in ServicePortal users. To view the content, click the link and log in when prompted.