This issue needs a solution.

Constant "Traffic from IP address XXXXXXXX is blocked" message popping out (+1)

Created: 08 Jun 2011
Astier

Hello,

We're using SEP 11.6005.562 on our 2 PCs. They share Internet access.

SEP is well LiveUpdated.

As described in a January thread, with the same object, we lose all Internet access after a pop-up saying "The incoming traffic from IP 86.69... is blocked from time to time+10 minutes. The service deny is logged"

The external IP is always the same.

Not only is incoming traffic from this IP blocked, but the whole Internet access (web, POP etc.) for the 2 PCs.

We scanned the PC with SEP, AntiMalwareBytes etc. with no problem detected.

Is it possible to block the IP address without losing Internet access for 10 minutes?

Is it possible to preventively block this IP address so no warning will pop up?

Thanks for any help,

Jean-Jacques

Comments

Chetan Savade
Technical Support
Accredited
08 Jun 2011

Hi,

In the SEPM you can create a firewall rule to block an attacker address, or you can increase the default time limit of 10 minutes.

By default, the attacker's IP address is blocked for 10 minutes. You can maximize this time through policies. Set it to maximum.

I don't see any concern to create an exception for a single IP address, because attackers are smart enough that they will start with a new IP address.

The machine receiving an attack means there must be some loophole in the system.

Patch the system with all the system updates. Use all the SEP features, i.e. AV/AS, PTP & NTP, with the latest definitions.

Check this article:

http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=23179

Check this link for all the updates which need to be installed.

http://www.securityfocus.com/bid/31874/solution

Chetan Savade
Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.

Mithun Sanghavi
Symantec Employee
Accredited
08 Jun 2011

IPS is blocking network traffic.

Hello,

Intrusion Prevention Signature is automatically blocking an attacker’s IP address. It blocks network traffic from the attacker for a configurable duration (default 10 minutes).

To create an exception for Intrusion Prevention Policy to allow a specific ID:

1. Open Symantec Endpoint Protection Manager console.
2. Select 'Policies' tab.
3. Under 'View Policies', select 'Intrusion Prevention'.
4. Select Intrusion Prevention policy, and under 'Tasks' select 'Edit the Policy'.
5. Select 'Exceptions' tab.
6. Click on 'Add...' button.
7. Search and select ID blocked.
8. Click on 'Next>>' button.
9. Change 'Action', from 'Block' to 'Allow'. Click on 'OK' button.
10. Check if the exception edited has been added to 'Intrusion Prevention Exceptions' list.
11. Click on 'OK' button to save changes in the Intrusion Prevention policy.

I would also request you to upgrade SEP from 11.0.6005 to 11.06300.

If you are unable to update to RU6 MP3 at this time, the following workaround can be applied:

1. On the SEPM, edit the existing firewall policy
2. Choose Traffic and Stealth Settings
3. Remove the check mark from "Enable Anti-MAC spoofing"

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.