
Endpoint Protection 12.1 block my proxy

Created: 17 Oct 2012 | 6 comments

I connect to the internet from a proxy. Then I visited a site. From that site I got a web attack with this Norton notification: Exploit Toolkit Website 4 attack.

BUT

Instead of blocking that site, I got this log: "The client will block traffic from IP address <my proxy IP address> for the next 600 seconds"

What's going on here?

I spent 1-2 hours figuring out why my internet suddenly disconnected and that's the culprit.

If I add my proxy IP to Exception settings, then all sites I visit will also be ignored...

 

Any solutions??

 

6 Comments

Ashish-Sharma's picture

Check the NTP logs; there could have been an attack, hence the traffic from that machine is blocked for 10 minutes.

If you feel the traffic should be allowed, go to the Firewall policy --> Protection and stealth settings --> uncheck 'Automatically block an attacker's IP address'

 

In the SEPM you can create a firewall rule to block an attacker address, or you can increase the default time limit of 10 minutes.

By default the attacker IP address is blocked for 10 minutes. You can maximize this time through policies. Set it to maximum.

I don't see any concern in creating an exception for a single IP address, because attackers are smart enough that they will start with a new IP address.

A machine receiving an attack means there must be some loophole in the system.

Patch the system with all the system updates. Use all the SEP features, i.e. AV/AS, PTP & NTP, with the latest definitions.

Check this article:

http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=23179

Check this link for all the updates which need to be installed.

http://www.securityfocus.com/bid/31874/solution

 

You can check these forums.

https://www-secure.symantec.com/connect/forums/constant-traffic-ip-address-xxxxxxxx-blocked-message-popping-out-1

https://www-secure.symantec.com/connect/forums/constant-traffic-ip-address-xxxxxxxx-blocked-message-popping-out

http://www.symantec.com/connect/forums/block-ip-0

Thanks In Advance

Ashish Sharma

 

 

tommy1402's picture

Sorry, but I don't understand at all.

The main problem is: I connect to the internet from my proxy IP.

Now the proxy is blocked by Norton because I visited a malicious website.

Instead of blocking the malicious website automatically, Norton blocked my proxy IP...

tommy1402's picture

I haven't installed anything yet. Fresh new Windows with Firefox, Chrome and Norton.

.Brian's picture

Since your proxy is the source IP, this is expected behaviour. SEP is not proxy aware. To stop this, in SEPM go to your Firewall policy and go to the Protection and Stealth tab and uncheck this option:

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.
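
The behaviour described above (the block lands on the proxy because the proxy is the source IP the client sees) can be spotted in exported client logs. The following is an added example, not part of the original thread or any Symantec tooling: it matches the message text quoted in the original post and flags block events whose address is a known proxy. The timestamp prefix, the sample lines, the proxy address and the function name are constructed assumptions.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Message text as quoted in the original post; the leading timestamp is an
# assumed export layout, not a documented SEP log format.
BLOCK_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"The client will block traffic from IP address (?P<ip>\S+) "
    r"for the next (?P<secs>\d+) seconds"
)

def find_infrastructure_blocks(lines, infrastructure):
    """Return one record per block event; flag blocks that hit a known proxy."""
    nets = [ipaddress.ip_network(n, strict=False) for n in infrastructure]
    events = []
    for line in lines:
        m = BLOCK_RE.match(line.strip())
        if not m:
            continue  # not a block message
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # malformed or redacted address field
        start = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        events.append({
            "ip": str(ip),
            "start": start,
            # Window during which the client drops all traffic from this IP.
            "end": start + timedelta(seconds=int(m["secs"])),
            # True when the "attacker" is really our own proxy.
            "self_inflicted": any(ip in n for n in nets),
        })
    return events

# Constructed sample log lines and a hypothetical proxy address.
SAMPLE_LOG = [
    "2012-10-17 09:14:02 The client will block traffic from IP address 10.0.0.8 for the next 600 seconds",
    "2012-10-17 09:20:11 Some unrelated event",
    "2012-10-17 09:31:45 The client will block traffic from IP address 203.0.113.50 for the next 600 seconds",
]
PROXIES = ["10.0.0.8/32"]

if __name__ == "__main__":
    for e in find_infrastructure_blocks(SAMPLE_LOG, PROXIES):
        tag = "PROXY BLOCKED (client offline)" if e["self_inflicted"] else "remote address"
        print(f'{e["start"]} -> {e["end"]}  {e["ip"]:<15} {tag}')
```

Events flagged as self-inflicted mark the intervals in which every site reached through that proxy was unreachable from the client.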

pete_4u2002's picture

Your statement says you use Norton; if that's the case, please post in the Norton forum. However, I would still ask you to update the Adobe patches.