Endpoint Protection

  • 1.  Endpoint block domain controller

    Posted Oct 23, 2015 06:38 AM

    Hello everyone!

    We recently installed Symantec Endpoint Protection on one of our PCs.

    After installation, SEP started to block traffic from my domain controller and file server, as shown in the screenshot. The tip says:

    "Client will block traffic from IP 192.168.0.2 for next 600 seconds.
    Attack of port scanning type has been detected."

    [Screenshot: Symantec 2.jpg]

    After this message, the PC is unable to use the file share placed on this server.

    All other PCs, which have other antivirus software, don't show this message and successfully connect to the server. I also haven't found any viruses on the domain controller.

    What I have tried:
    I added IP 192.168.0.2 as an allowed host in the Firewall, but it didn't help.
    I also tried to untick "Detect port scanning" on the "Intrusion Prevention" tab of the Network AV parameters, but it didn't help.

    Please tell us how to allow IP 192.168.0.2 and get rid of the traffic block.



  • 2.  RE: Endpoint block domain controller
    Best Answer



  • 3.  RE: Endpoint block domain controller

    Trusted Advisor
    Posted Oct 23, 2015 08:15 AM

    Hello,

    Check this Article:

    What triggers a port scan detection in Symantec Endpoint Protection (SEP)

    http://www.symantec.com/docs/TECH165237

    This can be caused when traffic goes through subsequent ports in fairly rapid succession on the host's network adaptor. Due to the nature of the Intrusion Prevention System (IPS) detection, which is hard coded within the product, this will trigger a port scan detection. Symantec development has reviewed this issue and determined that the product is working as designed. Modifying port scan detections to allow this type of behavior would potentially impact the ability of the product to detect a malicious port scan attack.

    Try these workarounds to stop the detections:

    1. Create exceptions within IPS to exclude relevant hosts in your environment. (Recommended)

    2. Use NAT networking for VMs, rather than bridged networking.

    3. Use a server OS such as Windows 2003 or Windows 2008 as the host OS for virtual machines.

    4. Uninstall NTP and IPS from the SEP client on the host machine.

    Hope that helps!!
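
To make the behaviour described in the article concrete, here is an added example (not Symantec's code, and not the forum poster's): a simplified, assumed model of a host-based port-scan heuristic run over constructed connection records. A domain controller or file server legitimately answers on several ports (Kerberos 88, LDAP 389, RPC endpoint mapper 135, SMB 445, a dynamic RPC port) within a fraction of a second, which is exactly the "many distinct ports in rapid succession from one source" pattern a scan detector looks for. The thresholds, window length and the exclusion mechanism are assumptions chosen for illustration; SEP's real IPS signature logic is not public and is not reproduced here. The example shows why the server trips the detector and how an IPS host exclusion (workaround 1 above) suppresses the block while leaving the heuristic active for every other host.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

# Assumed detector parameters (not SEP's real values): a source that touches
# at least PORT_THRESHOLD distinct ports within WINDOW_SECONDS is treated as
# a port scanner and blocked for BLOCK_SECONDS (600 s matches the SEP tip).
PORT_THRESHOLD = 5
WINDOW_SECONDS = 2.0
BLOCK_SECONDS = 600


@dataclass(frozen=True)
class Connection:
    ts: float        # seconds since some epoch
    src: str         # source IP as seen by the host firewall
    dst_port: int    # local port the source connected to


# Constructed sample: the domain controller / file server (192.168.0.2)
# answering a client logon and share mount, plus an ordinary workstation
# that only ever talks to SMB.
SAMPLE_EVENTS = [
    Connection(100.0, "192.168.0.2", 88),      # Kerberos
    Connection(100.1, "192.168.0.2", 389),     # LDAP
    Connection(100.2, "192.168.0.2", 135),     # RPC endpoint mapper
    Connection(100.3, "192.168.0.2", 445),     # SMB
    Connection(100.4, "192.168.0.2", 49154),   # dynamic RPC port (constructed)
    Connection(100.0, "192.168.0.77", 445),    # unrelated workstation, SMB only
    Connection(105.0, "192.168.0.77", 445),
    Connection(110.0, "192.168.0.77", 445),
]


def detect_port_scans(events, excluded_hosts=frozenset(),
                      threshold=PORT_THRESHOLD, window=WINDOW_SECONDS):
    """Return {src_ip: timestamp_of_block} for every source that looks like a scanner.

    excluded_hosts models an IPS host exclusion: events from those sources are
    never fed to the heuristic, so they can never be blocked by it.
    """
    recent = defaultdict(deque)   # src -> deque of (ts, port) inside the window
    blocked = {}
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.src in excluded_hosts or ev.src in blocked:
            continue
        q = recent[ev.src]
        q.append((ev.ts, ev.dst_port))
        # Drop entries that have aged out of the sliding window.
        while q and ev.ts - q[0][0] > window:
            q.popleft()
        distinct_ports = {port for _, port in q}
        if len(distinct_ports) >= threshold:
            blocked[ev.src] = ev.ts
    return blocked


def is_blocked(src, now, blocked, duration=BLOCK_SECONDS):
    """True while the temporary block for src is still in force at time `now`."""
    return src in blocked and (now - blocked[src]) < duration


if __name__ == "__main__":
    hits = detect_port_scans(SAMPLE_EVENTS)
    for src, ts in hits.items():
        print(f"Client will block traffic from IP {src} for next "
              f"{BLOCK_SECONDS} seconds (detected at t={ts}).")
    # With the server excluded at the IPS layer, nothing is blocked.
    print("with exclusion:", detect_port_scans(SAMPLE_EVENTS,
                                               excluded_hosts={"192.168.0.2"}))
```

Note what the model reproduces from the thread: the workstation that uses a single port is never flagged, the server is flagged the moment its fifth distinct port appears inside the window, and only a source-level exclusion (rather than a firewall allow rule that still lets the packets reach the IPS heuristic) keeps the server off the block list.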



  • 4.  RE: Endpoint block domain controller

    Posted Oct 23, 2015 08:54 AM

    Thank you Brian and Mithun Sanghavi! I will try the solutions this day or Monday and confirm how it solved our problem.



  • 5.  RE: Endpoint block domain controller

    Posted Oct 23, 2015 09:06 AM

    Sounds good, check back if you need anything. Thanks.



  • 6.  RE: Endpoint block domain controller

    Posted Oct 27, 2015 04:41 AM

    I added the IP in the Firewall of this unmanaged client and it stopped sending messages about port scanning, thanks, Brian!



  • 7.  RE: Endpoint block domain controller

    Posted Oct 27, 2015 06:36 AM

    You're welcome :)