Endpoint Protection Small Business Edition

  • 1.  Endpoint Protection 12.1 block my proxy

    Posted Oct 17, 2012 04:50 AM

    I connect to the internet through a proxy. Then I visited a site. From that site I got a web attack with this Norton notification: Exploit Toolkit Website 4 attack.

    BUT

    Instead of blocking that site, I got this log: "The client will block traffic from IP address <my proxy IP address> for the next 600 seconds"

    What's going on here?

    I spent 1-2 hours figuring out why my internet suddenly disconnected and that's the culprit.

    If I add my proxy IP to Exception settings, then all sites I visit will also be ignored...

     

    Any solutions??

     



  • 2.  RE: Endpoint Protection 12.1 block my proxy

    Posted Oct 17, 2012 04:57 AM

    Check the NTP logs; there could have been an attack, hence the traffic from that machine is blocked for 10 minutes.

    If you feel the traffic should be allowed, go to the Firewall policy --> Protection and stealth settings --> uncheck 'Automatically block an attacker's IP address'

     

    In the SEPM you can create a firewall rule to block an attacker address, or you can increase the default time limit of 10 minutes.

    By default, the attacker's IP address is blocked for 10 minutes. You can maximize this time through policies. Set it to maximum.

    I don't see any concern in creating an exception for a single IP address, because attackers are smart enough that they will start with a new IP address.

    The machine is receiving an attack, which means there must be some loophole in the system.

    Patch the system with all the system updates. Use all the SEP features, i.e. AV/AS, PTP & NTP, with the latest definitions.

    Check this article:

    http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=23179

    Check this link for all the updates that need to be installed.

    http://www.securityfocus.com/bid/31874/solution

     

    You can check these forums.

    https://www-secure.symantec.com/connect/forums/constant-traffic-ip-address-xxxxxxxx-blocked-message-popping-out-1

    https://www-secure.symantec.com/connect/forums/constant-traffic-ip-address-xxxxxxxx-blocked-message-popping-out

    http://www.symantec.com/connect/forums/block-ip-0



  • 3.  RE: Endpoint Protection 12.1 block my proxy

    Broadcom Employee
    Posted Oct 17, 2012 05:21 AM

    Firstly, the attack is because of this:

    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4324

    This is the IPS signature:

    http://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=25701

     

    Apply all the application patches for Adobe.

     



  • 4.  RE: Endpoint Protection 12.1 block my proxy

    Posted Oct 17, 2012 05:24 AM

    Sorry, but I don't understand at all.

    The main problem is: I connect to the internet from my proxy IP.

    Now the proxy is blocked by Norton because I visited a malicious website.

    Instead of blocking the malicious website automatically, Norton blocked my proxy IP...



  • 5.  RE: Endpoint Protection 12.1 block my proxy

    Posted Oct 17, 2012 05:25 AM

    I haven't installed anything yet. Fresh new Windows with Firefox, Chrome and Norton.



  • 6.  RE: Endpoint Protection 12.1 block my proxy

    Posted Oct 17, 2012 12:42 PM

    Since your proxy is the source IP, this is expected behaviour. SEP is not proxy aware. To stop this, in SEPM go to your Firewall policy and go to the Protection and Stealth tab and uncheck this option:



  • 7.  RE: Endpoint Protection 12.1 block my proxy

    Broadcom Employee
    Posted Oct 17, 2012 12:49 PM

    Your statement says you use Norton; if that's the case, please post in the Norton forum. However, I would still ask you to update the Adobe patches.