Posted on 05-19-2015 06:24 AM
Hi all,
Wondering if anyone has seen this issue pop up recently?
Brute Force ssh attack triggered by Recon
Found this thread this morning after one of our users reported seeing the same error, although the circumstances are a bit different. We also found this:
Some Symantec Endpoint Protection for Macintosh IPS detections occur despite host exceptions
which could be the culprit, I suppose. At this point we're waiting for some more info from the user, including some log files. I haven't been able to find anything on the board regarding this specific issue with SEP and Casper, though - so I thought I'd ask. :)
Posted on 05-19-2015 06:39 AM
Yes it happens whenever we enroll with Recon (SEP 12.1.5), which isn't too often. I just usually tell the security guys to ignore the alert when they are looking through the logs. We don't trigger it frequently enough for me to try to fix it, but if you find something please share!
Posted on 05-19-2015 06:48 AM
Yes, we've seen the same message as well. See what happens if you SSH to a client machine and fat-finger your password too many times...heh.
Posted on 05-19-2015 09:31 AM
Out of interest, is this doing a remote recon with SSH enabled on the target Mac and the correct username and password entered?
It should just show up as a valid SSH connection attempt so I'm wondering if there is some kind of bug with SEP.
If you were doing a network scan where you can enter a collection of "possible" ssh usernames and passwords, I would expect that to be flagged up by SEP as a possible security issue as it is a kind of mild brute force attack.
Posted on 05-19-2015 09:46 AM
For us it's just one user at the moment, and we're trying to gather more data. According to the tech article I listed above, it sounds like a bug.
Posted on 05-19-2015 09:54 AM
It happens when I run Recon locally (Local Enrollment). I haven't tested all permutations, but I know it happens when I have Recon create the user account. Recon is successful, but Symantec isn't happy about it.
Posted on 05-20-2015 07:48 AM
FWIW, we have SEP12 on almost 800 Macs. Some are an older build, some 12.1.5.xxx. I got one report like this so far, so I don't think it's SEP necessarily misbehaving. I was able to get that error (or something close) by logging into my remote Mac on a client site and then trying to SSH in using the wrong password 3x.
So, my guess is that maybe someone indeed tried to remote into the Mac (support person or its user).
If I start getting lots of those emails then I might have to talk to the SEP guys. Almost every time we've had something like that which was a legitimate use being flagged (during UAT), they've made tweaks to the SEP settings/policies which seemed to help. Then we're good until a new version comes out and we start over again.
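To show the kind of threshold heuristic behind a "brute force SSH" IPS signature (the reply above reproduces the alert with three wrong passwords in a row), here is an added example that is not part of the thread and not Symantec's actual detection logic. It counts failed password attempts per source address inside a sliding time window over constructed sshd syslog lines, and adds a triage flag for the pattern an admin typo or a Recon enrollment would leave: a burst of failures followed by a successful login from the same source. The log lines, threshold, window length and year are all assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample modelled on OpenSSH's syslog "Failed password" / "Accepted password"
# messages. These lines are illustrative, not captured from a real host.
SAMPLE_LOG = """\
May 19 09:40:01 mac-0123 sshd[4471]: Failed password for jsmith from 10.0.0.55 port 52211 ssh2
May 19 09:40:05 mac-0123 sshd[4471]: Failed password for jsmith from 10.0.0.55 port 52211 ssh2
May 19 09:40:09 mac-0123 sshd[4471]: Failed password for jsmith from 10.0.0.55 port 52211 ssh2
May 19 09:40:15 mac-0123 sshd[4473]: Accepted password for jsmith from 10.0.0.55 port 52212 ssh2
May 19 10:12:30 mac-0123 sshd[4510]: Accepted password for admin from 10.0.0.7 port 60001 ssh2
May 19 11:00:00 mac-0123 sshd[4600]: Failed password for root from 10.0.0.90 port 40000 ssh2
May 19 11:30:00 mac-0123 sshd[4601]: Failed password for root from 10.0.0.90 port 40001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse_line(line, year=2015):
    """Return a dict for an sshd password-auth line, or None for any other line.

    Syslog timestamps carry no year, so the caller supplies one (assumed 2015 here).
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(" ".join(m.group("ts").split()), "%b %d %H:%M:%S")
    return {
        "ts": ts.replace(year=year),
        "result": m.group("result"),
        "user": m.group("user"),
        "ip": m.group("ip"),
    }


def detect_brute_force(lines, threshold=3, window_seconds=60, year=2015):
    """Flag a source IP once it reaches `threshold` failed passwords inside a
    `window_seconds` sliding window. Returns one alert dict per burst.

    The threshold and window are assumed values chosen for the example; a real
    IPS tunes them and usually keys on more than the source address.
    """
    events = [e for e in (parse_line(l, year) for l in lines) if e]
    recent = defaultdict(deque)  # ip -> timestamps of recent failures
    alerts = []
    for e in events:
        if e["result"] != "Failed":
            continue
        q = recent[e["ip"]]
        q.append(e["ts"])
        # Drop failures that have aged out of the window.
        while (e["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            alerts.append({
                "ip": e["ip"],
                "user": e["user"],
                "first": q[0],
                "last": e["ts"],
                "count": len(q),
            })
            q.clear()  # one burst produces one alert, not one per extra failure
    # Triage hint: a burst that ends in a successful login from the same source
    # looks like a mistyped password (or a tool that retries), not a blind guess.
    for a in alerts:
        a["later_success"] = any(
            e["result"] == "Accepted" and e["ip"] == a["ip"] and e["ts"] >= a["last"]
            for e in events
        )
    return alerts


if __name__ == "__main__":
    for a in detect_brute_force(SAMPLE_LOG.splitlines()):
        print(f"{a['ip']}: {a['count']} failures for {a['user']} between "
              f"{a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}; "
              f"later success from same source: {a['later_success']}")
```

With the defaults, only 10.0.0.55 trips the rule (three failures in eight seconds), and the flag shows the same address authenticated successfully seconds later, which is the shape of the benign case discussed in this thread. The two failures from 10.0.0.90 are thirty minutes apart and stay below the window; widening the window to an hour and lowering the threshold to two makes them fire as well, with no later success, which is the case a security team would actually want to chase.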
Posted on 05-20-2015 09:23 AM
Symantec released a fix yesterday, SEP 12.1.6, that is supposed to fix the issue. We have to wait to try to release this, so if you have the chance to test it, please update the thread? Thanks!