Endpoint Protection

  • 1.  Block ip

    Posted Feb 27, 2012 11:20 PM

    Hi All,

     

    Kindly check the attachment of error message

    Attachment(s): block.docx (842 KB)


  • 2.  RE: Block ip

    Broadcom Employee
    Posted Feb 27, 2012 11:38 PM

    Check the NTP logs; there could have been an attack, hence the traffic from that machine is blocked for 10 minutes.

    If you feel the traffic should be allowed, go to the Firewall policy ---> Protection and Stealth Settings ---> uncheck 'Automatically block an attacker's IP address'.



  • 3.  RE: Block ip

    Posted Feb 28, 2012 07:43 AM

    Thumbs up to Pete's suggestion. Follow the steps given by him which should give you appropriate results.



  • 4.  RE: Block ip

    Posted Feb 29, 2012 12:07 AM

    Please add the following IP in the Intrusion Prevention System's Exception policy.



  • 5.  RE: Block ip

    Posted Feb 29, 2012 01:57 AM

    Details: http://www.symantec.com/business/support/index?page=content&id=TECH103087

    For the error, according to Symantec:

    Domain controller or router is detected by Symantec Endpoint Protection as MAC spoofing
    Fix ID: 2049673
    Symptom: The first time a computer running Symantec Endpoint Protection is connected to a wired network, Symantec Endpoint Protection detects the domain controller or router as MAC spoofing. The following messages may appear in the Symantec Endpoint Protection log: "Active Response Major: Traffic from IP address <address> is blocked from <start time> to <end time>." or "Active Response Disengaged: Active Response that started at <start time> is disengaged."
    Error: "The traffic from IP address <address> was blocked for 600 second(s)."
    Solution: The MAC spoofing detection will only alert after the second ARP response is detected.

    Add an exception, if required:

    For managed clients:

    Logon to SEPM

    Click Policies

    Click Intrusion Prevention under view policies

    Edit the Intrusion Prevention Policy applicable at the right

    Click Exceptions

    Click Add

    Check for: [SID:23179]

    Highlight the related signature when found

    Click Next

    Under "ACTION" click "ALLOW"

    Under "LOG" click "DO NOT LOG"

    Click OK

     

    For unmanaged clients the option to allow or modify the IPS rule does not seem to be there, so:

     

    Go to Add or Remove Programs.
    Click Symantec Endpoint Protection, then click Change.
    Click Next, ensure Modify is selected, then click Next again.
    Click Network Threat Protection, then click This feature will not be available.
    Click Next, then click Install.

    When the installation completes, reboot the system. Network Threat Protection, and with it the Intrusion Prevention System, will now be inactive.

     

    If you want to disable the notification in your system tray:

    1. Go to Clients, then the client group you want to remove this ability from.
    2. Click the Policies tab on the right, then expand 'Location-specific Settings'.
    3. Click on 'Server Control', then Customize.
    4. In the Intrusion Prevention Notifications Uncheck the "Display Intrusion Prevention notifications."

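    Since the Active Response messages quoted above have a fixed shape, the log can be parsed rather than read pop-up by pop-up. The following is an added example (not code from the original posts or from Symantec) that extracts each block event and groups them by source IP, so a source that keeps getting blocked stands out; the log lines are constructed for the example, and the timestamp format is assumed from the "<start time> to <end time>" wording.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the shape of the SEP messages quoted above.
# 10.2.130.249 is the address named later in the thread; 192.0.2.7 and all
# timestamps are made up for this example.
SAMPLE_LOG = """\
2012-05-14 03:10:05 Active Response Major: Traffic from IP address 10.2.130.249 is blocked from 5/14/2012 3:10:05 AM to 5/14/2012 3:20:05 AM.
2012-05-14 03:20:06 Active Response Disengaged: Active Response that started at 5/14/2012 3:10:05 AM is disengaged.
2012-05-14 03:25:31 Active Response Major: Traffic from IP address 10.2.130.249 is blocked from 5/14/2012 3:25:31 AM to 5/14/2012 3:35:31 AM.
2012-05-14 03:35:32 Active Response Disengaged: Active Response that started at 5/14/2012 3:25:31 AM is disengaged.
2012-05-14 03:40:00 Active Response Major: Traffic from IP address 192.0.2.7 is blocked from 5/14/2012 3:40:00 AM to 5/14/2012 3:50:00 AM.
"""

# Matches the "Active Response Major" line; the disengage line is skipped.
BLOCK_RE = re.compile(
    r"Active Response Major: Traffic from IP address (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"is blocked from (?P<start>.+?) to (?P<end>.+?)\.$"
)
TS_FMT = "%m/%d/%Y %I:%M:%S %p"  # assumed timestamp layout for the example


def parse_blocks(text):
    """Return one (ip, start, end, seconds) tuple per Active Response block."""
    events = []
    for line in text.splitlines():
        m = BLOCK_RE.search(line)
        if not m:
            continue  # disengage messages and unrelated lines are ignored
        start = datetime.strptime(m["start"], TS_FMT)
        end = datetime.strptime(m["end"], TS_FMT)
        events.append((m["ip"], start, end, int((end - start).total_seconds())))
    return events


def repeat_offenders(events, min_blocks=2):
    """Group blocks by source IP and return {ip: (block_count, total_seconds)}
    for sources blocked at least min_blocks times. Those are the hosts worth
    investigating and patching rather than adding to an IPS exception."""
    by_ip = defaultdict(list)
    for ip, _start, _end, seconds in events:
        by_ip[ip].append(seconds)
    return {ip: (len(s), sum(s)) for ip, s in by_ip.items() if len(s) >= min_blocks}


if __name__ == "__main__":
    for ip, (count, total) in repeat_offenders(parse_blocks(SAMPLE_LOG)).items():
        print(f"{ip}: blocked {count} times, {total} s in total")
```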


  • 6.  RE: Block ip

    Posted Apr 03, 2012 04:31 AM

    Hi,

    In the SEPM you can create a firewall rule to block an attacker address, or you can increase the default time limit of 10 minutes.

    By default attacker IP address is blocked for 10 minutes. You can maximize this time through policies. Set it to maximum.

    I don't see any concern to create an exception for a single IP address, because attackers are smart enough that they will start with a new IP address.

    If the machine is receiving an attack, it means there must be some loophole in the system.

    Patch the system with all the system updates. Use all the SEP features, i.e. AV/AS, PTP & NTP, with the latest definitions.

    Check this article:

    http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=23179

    Check this link for all the updates which need to be installed.

    http://www.securityfocus.com/bid/31874/solution

     

    You can check these forums.

    https://www-secure.symantec.com/connect/forums/constant-traffic-ip-address-xxxxxxxx-blocked-message-popping-out-1

    https://www-secure.symantec.com/connect/forums/constant-traffic-ip-address-xxxxxxxx-blocked-message-popping-out

     



  • 7.  RE: Block ip

    Posted May 14, 2012 03:39 AM

    Hi Team,

    Please check the attached file and give a solution for why this pop-up is shown again and again.



  • 8.  RE: Block ip

    Posted May 14, 2012 03:42 AM

    Hi Team,

    I have also collected a log from the Symantec tool, so I am sharing this one as well.



  • 9.  RE: Block ip

    Broadcom Employee
    Posted May 14, 2012 04:01 AM

    Anil Kondalkar, you need to apply the patch http://technet.microsoft.com/en-us/security/bulletin/ms08-067 on 10.2.130.249. This attack may be used for W32.Downadup.