Endpoint Protection 12.1 block my proxy
Created: 17 Oct 2012 | 6 comments
I connect to the internet through a proxy. Then I visited a site. From that site I got a web attack with this Norton notification: Exploit Toolkit Website 4 attack.
BUT
Instead of blocking that site, I got this log: The client will block traffic from IP address <my proxy IP address> for the next 600 seconds
What's going on here?
I spent 1-2 hours figuring out why my internet suddenly disconnected and that's the culprit.
If I add my proxy IP to Exception settings, then all sites I visit will also be ignored...
Any solutions??
Check the NTP logs, there could have been an attack, hence the traffic from that machine is blocked for 10 minutes.
If you feel the traffic should be allowed, go to the Firewall policy -> Protection and stealth settings -> uncheck 'Automatically block an attacker's IP address'
In the SEPM you can create a firewall rule to block an attacker address or you can increase the default time limit of 10 minutes.
By default attacker IP address is blocked for 10 minutes. You can maximize this time through policies. Set it to maximum.
I don't see any concern to create exception for single IP address because attackers are smart enough they will start with new IP address.
Machine is receiving an attack means there must be some loophole in the system.
Patch the system with all the system updates. Use all the SEP features, i.e. AV/AS, PTP & NTP with latest definitions.
Check this article:
http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=23179
Check this link for all the updates which need to be installed.
http://www.securityfocus.com/bid/31874/solution
You can check these forums.
https://www-secure.symantec.com/connect/forums/constant-traffic-ip-address-xxxxxxxx-blocked-message-popping-out-1
https://www-secure.symantec.com/connect/forums/constant-traffic-ip-address-xxxxxxxx-blocked-message-popping-out
http://www.symantec.com/connect/forums/block-ip-0
Thanks In Advance
Ashish Sharma
SEPM Knowledgebase Documents
Firstly, the attack is because of this
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4324
this is the IPS signature
http://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=25701
apply all the application patches for Adobe
Cheers!
Pete
Help Link: http://www.symantec.com/business/support/overview.jsp?pid=54619
Sorry but, I don't understand at all.
The main problem is: I connect to the internet from my proxy IP.
Now the proxy is blocked by Norton because I visited a malicious website.
Instead of blocking the malicious website automatically, Norton blocked my proxy IP...
I don't install anything yet. Fresh new Windows with Firefox, Chrome and Norton
Since your proxy is the source IP, this is expected behaviour. SEP is not proxy aware. To stop this, in SEPM go to your Firewall policy and go to the Protection and Stealth tab and uncheck this option:
SEP Knowledge Base
Endpoint SWAT
Your statement says you use Norton; if that's the case, please post in the Norton forum. However, I would still ask you to update the Adobe patches.
Cheers!
Pete
Help Link: http://www.symantec.com/business/support/overview.jsp?pid=54619
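Added example, not part of the original thread and not Symantec code: because the auto-block acts on the source IP and the client is not proxy aware, a quick check over exported client log text can show when the blocked address was your own proxy. The message text is the one quoted in the question; the timestamp prefix, the sample addresses and the `PROXY_NETS` list are assumptions constructed for this sketch.

```python
import ipaddress
import re

# Message text as quoted in the original post; the surrounding line
# layout (timestamp prefix) is an assumption for this example.
BLOCK_RE = re.compile(
    r"The client will block traffic from IP address "
    r"(?P<ip>\S+) for the next (?P<secs>\d+) seconds"
)

# Hypothetical list of the site's own forward proxies (documentation range).
PROXY_NETS = [ipaddress.ip_network("192.0.2.10/32")]

# Constructed sample log lines, not real SEP output.
SAMPLE_LOG = """\
2012-10-17 09:14:02 The client will block traffic from IP address 192.0.2.10 for the next 600 seconds
2012-10-17 11:40:51 The client will block traffic from IP address 203.0.113.77 for the next 600 seconds
2012-10-17 11:41:00 The client will block traffic from IP address not-an-ip for the next 600 seconds
2012-10-17 11:45:10 Some unrelated firewall event
"""


def proxy_self_blocks(log_text, proxy_nets=PROXY_NETS):
    """Return (ip, seconds) for each auto-block entry that hit a known proxy."""
    hits = []
    for line in log_text.splitlines():
        m = BLOCK_RE.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue  # malformed address field: skip rather than guess
        if any(ip in net for net in proxy_nets):
            hits.append((str(ip), int(m.group("secs"))))
    return hits


if __name__ == "__main__":
    for ip, secs in proxy_self_blocks(SAMPLE_LOG):
        print(f"proxy {ip} blocked for {secs}s: all proxied traffic is cut off")
```
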