
Endpoint Protection blocking internet connection.

Created: 28 Dec 2012 • Updated: 07 Jan 2013 | 7 comments
This issue has been solved. See solution.

I have a user that gets blocked from the internet periodically due to a setting within Endpoint Protection. The warning he gets is similar to:

Traffic from IP address 192.168.1.1 is blocked from 11:53pm to 12:03am.
Denial of Service is logged.

Has anyone heard of this before, or have any insight as to where the problem may lie? I checked the Endpoint Protection logs, but I was unable to find any blatant issues. The user states that it generally happens with malformed URLs, but I am unable to reproduce it at our helpdesk.


Mithun Sanghavi

Hello,

Please Try this:

Step 1) Check the Security Logs under Client Management for Denial of Service Detections for the IP address to confirm the issue. 

To resolve the issue you will need to disable Denial of Service detection within your Intrusion Prevention policy, or you will need to add the IP address in "Excluded Hosts."

To add the IP to "Excluded Hosts":

1.  Open your Intrusion Prevention Policy.

2.  Choose Settings on the left.

3.  Check the box for Enable excluded hosts and then click the Excluded Hosts... button.  

4.  Add the IP address of your printer and choose OK.

REFERENCE:

Denial of service detected on Network Printers

http://www.symantec.com/business/support/index?pag...

OR

Also, try the following:

Step 2) To create an exception for Intrusion Prevention Policy to allow a specific ID:

1. Open Symantec Endpoint Protection Manager console .
2. Select 'Policies' tab.
3. Under 'View Policies', select 'Intrusion Prevention'.
4. Select Intrusion Prevention policy, and under 'Tasks' select 'Edit the Policy'.
5. Select 'Exceptions' tab.
6. Click on 'Add...' button.
7. Search and select ID blocked.
8. Click on 'Next>>' button.
9. Change 'Action', from 'Block' to 'Allow'. Click on 'OK' button.
10. Check if the exception edited has been added to 'Intrusion Prevention Exceptions' list.
11. Click on 'OK' button for save changes in the Intrusion Prevention policy.

OR

Step 3) Disable DoS detection:

  1. Log in to the Symantec Endpoint Protection Manager (SEPM)
  2. Click Policies, then click Intrusion Prevention
  3. Edit the intrusion prevention policy that applies to the client in question
  4. Click Settings
  5. Remove the check-mark next to Enable denial of service detection

Once the policy is applied to the client the DoS detections (and associated Active Response if configured) should no longer occur.

Please note, this will completely disable DoS detection on the client. There is not currently a way to add an exclusion for DoS detection.

OR

Step 4) Enabling Smart traffic filtering

http://www.symantec.com/business/support/index?pag...

OR

Step 5) Try uninstalling Network Threat Protection and Application and Device Control:

Go to Control Panel > Add/Remove Programs, highlight Symantec Endpoint Protection and click Modify.

Disable Network Threat Protection and Application and Device Control.

I am sure the first step would help you. However, the other steps are just in case.

Hope that might help you.

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

SOLUTION
.Brian

What version of SEP are you running?

There is a configurable option in SEPM to block an attacker's IP address for X amount of time, which is what is happening here.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

.Brian

Do you know what is behind 192.168.1.1? PC, proxy, printer, etc...?

Are you looking as to why it's happening? Or how to stop the IP from being blocked for 10 minutes?

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Kruug

I do not, as this is at the user's home. It also happens on hotel Wi-Fi when he goes out on the road (which he is a lot). I am assuming it's the gateway, but I really don't care, I'm just looking to stop the blocks.

.Brian

And I assume this is a managed version?

Basically you would need to change the policy in the SEPM, export it and send it to him to import.

Or you could tell him how to disable NTP until he comes back in the office and you can make the changes then.

This setting is in the Firewall policy on the Protection and Stealth tab: uncheck "Automatically block an attacker's IP address".

The other thing you could do, but you'd have to walk him through it, is to have him export his policy.xml to his desktop, open it up in Notepad, search for the line "Attacker Seal" and set Enable = "0".

Then import the file back in. This should get him fixed until he is back in the office.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.
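As an added example (not code from the thread, and not Symantec's own tooling), the policy.xml edit Brian describes done by script instead of by hand in Notepad: it locates the line containing "Attacker Seal", sets Enable to "0" on that line only, leaves every other line untouched, and writes a .bak copy before saving. The sample XML is constructed, and the element/attribute layout (an Enable="1" attribute on the same line as "Attacker Seal") is assumed from Brian's description, so inspect a real export before running it against one.

```python
"""Toggle the "Attacker Seal" Enable flag in an exported SEP client policy.xml.

Mirrors the manual procedure from the thread: find the line containing
"Attacker Seal" and set Enable="0". The sample policy below is constructed,
and the attribute layout is an assumption based on that description only.
"""
import re
import shutil
from pathlib import Path
from typing import Optional, Tuple

MARKER = "Attacker Seal"
# Matches Enable="0" or Enable="1"; the value is captured so it can be inspected.
ENABLE_RE = re.compile(r'\bEnable\s*=\s*"(?P<val>[01])"')

# Constructed stand-in for the relevant part of policy.xml (not a real export).
SAMPLE_POLICY = """<?xml version="1.0" encoding="UTF-8"?>
<Policy>
  <Firewall>
    <Item Name="Stealth Mode" Enable="0"/>
    <Item Name="Attacker Seal" Enable="1" Seconds="600"/>
    <Item Name="Port Scan Detection" Enable="1"/>
  </Firewall>
</Policy>
"""


def attacker_seal_state(text: str) -> Optional[str]:
    """Return the Enable value ("0" or "1") on the "Attacker Seal" line, or None if absent."""
    for line in text.splitlines():
        if MARKER in line:
            m = ENABLE_RE.search(line)
            return m.group("val") if m else None
    return None


def set_attacker_seal(text: str, enabled: bool) -> Tuple[str, bool]:
    """Return (new_text, changed).

    Only the line containing MARKER is rewritten, so all other settings in the
    policy stay byte-for-byte intact. changed is False when the flag already
    had the requested value (safe to run twice).
    """
    target = "1" if enabled else "0"
    out = []
    changed = False
    for line in text.splitlines(keepends=True):
        if MARKER in line and ENABLE_RE.search(line):
            new_line = ENABLE_RE.sub(f'Enable="{target}"', line, count=1)
            if new_line != line:
                changed = True
            line = new_line
        out.append(line)
    return "".join(out), changed


def patch_policy_file(path: Path, enabled: bool = False) -> bool:
    """Back up path to path.bak, rewrite it with the flag set, and return whether it changed."""
    original = path.read_text(encoding="utf-8")
    new_text, changed = set_attacker_seal(original, enabled)
    if changed:
        shutil.copy2(path, path.with_suffix(path.suffix + ".bak"))
        path.write_text(new_text, encoding="utf-8")
    return changed


if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:
        target_file = Path(sys.argv[1])
        print("changed" if patch_policy_file(target_file) else "no change", target_file)
    else:
        # No file given: demonstrate on the constructed sample.
        result, did_change = set_attacker_seal(SAMPLE_POLICY, enabled=False)
        print(result)
        print("changed:", did_change)
```

Run it as `python toggle_attacker_seal.py policy.xml` on the exported file, then import the result as Brian describes. Note this is a client-side workaround for a user who is out of the office; on a managed client the change is overwritten by the next policy from the SEPM, so the Firewall policy there still needs to be updated.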

Kruug

The user did stop into the office. I did this from above:

Step 3) Disable DoS detection:

  1. Log in to the Symantec Endpoint Protection Manager (SEPM)
  2. Click Policies, then click Intrusion Prevention
  3. Edit the intrusion prevention policy that applies to the client in question
  4. Click Settings
  5. Remove the check-mark next to Enable denial of service detection

Once the policy is applied to the client the DoS detections (and associated Active Response if configured) should no longer occur.

Please note, this will completely disable DoS detection on the client. There is not currently a way to add an exclusion for DoS detection.

If he doesn't have any more issues, I will mark this as closed.