Endpoint Protection

  • 1.  Blocked macintosh traffic

    Posted Oct 22, 2009 04:22 PM
    Symantec Endpoint Protection has started blocking traffic from our group of Macintosh computers.

    These are the errors I am getting:

    Traffic from IP address XXX.XXX.XXX.X is blocked from * to *.  (This is a 10 minute block of time)

    [SID: 21802]  SMB Server Transaction Name BO detected.


    The Macintosh computers are trying to connect to a Mac share on a Windows 2003 server by smb://<server name>.

    Any suggestions on how to start solving this issue?

    All other traffic, email and internet traffic works until a user tries to connect to the shared folder(s).  Then it is blocked for the 10 minutes.

    Thanks!




  • 2.  RE: Blocked macintosh traffic

    Posted Oct 22, 2009 04:30 PM
    This is a known false positive.

    See thread - https://www-secure.symantec.com/connect/forums/mac-os-1058-october-22nd-updates-blocking-smb-traffic#comment-3144431

    Please open a case with Symantec ASAP so that we can get to the root of this false positive.

    Best,
    Thomas




  • 3.  RE: Blocked macintosh traffic

    Posted Oct 22, 2009 04:48 PM
    I cannot connect with my Mac.  I am getting
    SID:21802 SMB Server Transaction Name BO Connected

    But not getting a timed block.


  • 4.  RE: Blocked macintosh traffic

    Posted Oct 22, 2009 04:54 PM
    @twocats, Please open a case with support ASAP. We need to gather more data on this issue.

    Thanks,
    Thomas


  • 5.  RE: Blocked macintosh traffic

    Posted Oct 22, 2009 05:01 PM
    I am on hold right now.. listening to Blue Suede shoes


  • 6.  RE: Blocked macintosh traffic
    Best Answer

    Posted Oct 22, 2009 05:11 PM
    When talking with support please make sure the case abstract states False Positive [SID: 21802]  SMB Server Transaction Name BO detected.


  • 7.  RE: Blocked macintosh traffic

    Posted Oct 23, 2009 12:27 AM

    I am having this alert for one of my Windows XP SP3 PCs, instead of Mac, which everyone here is facing...

    It is not causing any share problem for this machine. So should I roll back the IPS or create an exception for this traffic?

    Ian



  • 8.  RE: Blocked macintosh traffic

    Posted Oct 23, 2009 10:34 AM
    Getting this error using SEP11 using HP 4250 print device. If we remove those drivers from our PC, no errors. Any ideas? Other Windows print servers are working fine with same printers and drivers.

    Thanks


  • 9.  RE: Blocked macintosh traffic

    Posted Oct 23, 2009 11:04 AM
    Symantec is working to fix this, no ETA is available yet. In the meantime please disable the signature.

    For more info follow this discussion - https://www-secure.symantec.com/connect/forums/mac-os-1058-october-22nd-updates-blocking-smb-traffic

    Best,
    Thomas