VOX

Quate CMS has nothing to do with EV

http://www.juniper.net/security/auto/vulnerabilities/vuln30570.html

Don't know how you have ended up with this app running on your EV servers but removing it would seem to be the obvious solution

thank you Guys,

Follwoing Gabev - the PID is belong to query-service.exe description: Velocity Search Service. this is running under EV service account.

In fact there are a few services running: Collection-broker.exe, collection-service-dispatch.exe

search these services I have found this Not sure how to uninstall this:

http://www.symantec.com/business/support/index?page=content&id=TECH172165

since it's part of EV. May be I have installed some kind of troubleshooting tool but somehow I do not have these services in prod environment.

Follwoing Ed - I do not find Quate CMS is a PHP-based content manager installed anywhere in that server.

You can't uninstall these services sice they are part of the EV 10 indexing processes. I am wondering if this security tool is seeing that this port is open on the EV server and the tool is **thinking** that the application running should be 'Quate CMS'. If that's the case then you need to confirm with the team that ran this tool if this is the case or not.

I hope this helps.

thank you GabeV,

I am not following you with your last comment - sorry.

The thing is that I do not have these services running in the EV production server.

I think I misunderstood your previous comment. You mentioned that the PID belongs to query-service.exe but then you mentioned that you do not have these services in production environment. Which services were you referring to?

In my little research on internet for this port indicates that in past a this port was used by a known malware. Refer link: http://www.auditmypc.com/tcp-port-7215.asp, then it’s expected that security software will generate alerts when they see this port open.   

And Enterprise vault indexing engine query search port also use 7215, so might be your security tools considering it as Vulnerability issue.

I would suggest to change this port via VAC (open VAC \ Expand servers \ select EV SERVER \Properties \ advanced \ indexing - indexing engine query search port) like screenshot.

Regards

EV-C

Good catch, but I would NOT recommend changing this setting as described in the help file:

Thanks Gabe for point this out correctly, Yes please contact Tech support to get best advice before you make port changes. As far as I know Velocity webservice only allow VSA to access this port from localhost (127.0.0.1).

thank you Guys,

Gabe - what I was trying to explain is that I have EV installed in two separate environments (forests) ie production and test.

I am only seeing these services running in the test environment NOT in production. So in the live environment  I am not seeing query-service.exe with port 7215, Collection-broker.exe and collection-service-dispatch.exe

So if EV is using these services then who come I end up EV in production with out them and we do not have indexing issue right now but after two month EV migration we did have major indexing issue for the journaling.

Honestly, we are not sure why this happening only in your test environment, As Gabe suggested, input from support would be good option.  

EVRocks,

If I look at my 10.0.4 lab, I can see these processes running:

If you are running EV 10 on both domains, something is not right because we changed the index engine starting with EV 10.0 base. The only thing I can think of is that you are running EV 9.x in your production environment. If that's the case, then that could explain this situation. Otherwise, go ahead and open a ticket with support so we could review your environment.

I hope this helps.

Guys,

below is the response from Symantec support team. I think our security team will suggest to change the port number.

I have researched and found some points regarding the port:-

1.    By default, EV uses port 7215.

2.    However, little research on internet for this port also indicates that in past a this port was used by a known malware. Refer link: http://www.auditmypc.com/tcp-port-7215.asp .  With this, it’s expected that security software will generate alerts when they see this port open.  

3.    But now that we know EV has opened that port, and not the malware as such, in such case the you should ignore this warning (as it’s a false alert).

 4.    Fortunately, EV allows you to change the default port number used in this case.   

The port can be changed from Vault admin console:-

 Open VAC--> Expand to the Indexing EV  server--> Right click on the server and select properties-->select Advanced Tab " Change the "IndexingEngineQueryServicePort" = (any new port number Make sure its not inuse by other software).

Once Done Verify if it is updated using the following SQL query on EnterpriseDirectory Database:- select settingName, settingDescription, settingValueNumeric from view_ExtendedSetting where settingName = 'IndexingEngineQueryServicePort'

Thanks for update. You may wish to mark the comment as solution which ever best suite your answer.

If iti s a false positive and has been identified as such... should that not satisify the security team? This has been confirmed to be a process that is running as part of EV and suspected that the security scanning software is seeking open ports as the trigger for a security concern. IF this is still a valid concern despite appearing to be a false positive... wouldnt changing the ports just shuffle the issue to somewhere the utility doenst find it?

At the point where it is confirmed to be a false positive... I may go to the secuity scanning software and confirm this is what they are looking at and then ask them to enhance their product.

Any security concerns should be logged into a case as dev are the only people who can really address them IMO.

If and when your query is satisified... please dont forget to flag the poster who helped you work it out.

Thanks in advanced.