Endpoint Protection

  • 1.  Endpoint Protection 12.1.2015.2015 "port scan" false positive

    Posted Jan 21, 2013 02:50 PM

    Running Endpoint Protection 12.1.2015.2015 on Windows 7, and have had the usual tweaks that others have reported that needed to be addressed such as the "traffic from application svchost.exe" fix with IPv6, and that has since gone away for me as well with using the recommendation of turning IPv6 off since it's not being used. However, I've recently run into a snag with this machine since it runs VMware Workstation on it as well to run one of my test asterisk voip virtual machines. When I place calls out from my physical Cisco 7965 IP Phone, on every other call (usually happens with back to back calls) I get:


    (screenshot taken at a different occurrence of this, but this is what displays every time)

    The 64.x.x based IP is that of my SIP trunk provider, which is not a threat.


    Line item from Traffic Log after the event:

    1/21/2013 2:31:04 PM    Blocked    10    Incoming    UDP    64.x.x.x    [MAC redacted]   19320    10.0.0.248    [MAC redacted]    11434        drew Default    4    1/21/2013 2:31:06 PM    1/21/2013 2:31:06 PM    Block_all    


    Any ideas to filter this without compromising security?



  • 2.  RE: Endpoint Protection 12.1.2015.2015 "port scan" false positive

    Posted Jan 21, 2013 03:05 PM

    can you create an exclusion for 64.x?




  • 3.  RE: Endpoint Protection 12.1.2015.2015 "port scan" false positive

    Posted Jan 21, 2013 03:07 PM

    You can create a firewall rule to allow all traffic to/from the 64.x.x.x address. Make sure to move it to the top.



  • 4.  RE: Endpoint Protection 12.1.2015.2015 "port scan" false positive

    Posted Jan 21, 2013 03:13 PM

    In the "firewall" as in Change Settings > Exceptions > Add > Security Risk Exception > Web Domain? That's the only place where I can find to put in an IP address from within Endpoint.



  • 5.  RE: Endpoint Protection 12.1.2015.2015 "port scan" false positive

    Posted Jan 21, 2013 03:15 PM

    try this document

    http://www.symantec.com/business/support/index?page=content&id=HOWTO55167#v38528395



  • 6.  RE: Endpoint Protection 12.1.2015.2015 "port scan" false positive

    Posted Jan 21, 2013 03:18 PM

    Open up the SEP GUI and next to Network Threat Protection click Options and select Configure Firewall Rules

    Firewall Policies on Unmanaged Clients

    Article:TECH105725  |  Created: 2008-01-26  |  Updated: 2009-01-17  |  Article URL http://www.symantec.com/docs/TECH105725




  • 7.  RE: Endpoint Protection 12.1.2015.2015 "port scan" false positive

    Posted Jan 21, 2013 03:25 PM

    Gotcha. I think that did the trick. I'll do some further testing and see if it comes up again. Wasn't sure if it was the SIP traffic that was making it throw a port scan alert or not.



  • 8.  RE: Endpoint Protection 12.1.2015.2015 "port scan" false positive

    Posted Jan 21, 2013 03:29 PM

    If you check your traffic log, you should see the traffic being allowed from the 64.x.x.x IP address. If so, you should be good to go.
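    To do the check this reply describes, here is an added example (not from the thread or from Symantec) that parses lines in the format of the traffic-log entry in the first post and lists any entries from a trusted trunk address that are still being blocked; the column order, the 203.0.113.5 stand-in for the redacted 64.x.x.x address, the placeholder MACs and the "Allow SIP trunk" rule name are all assumptions.

```python
"""Parse Symantec Endpoint Protection traffic-log lines and check whether
traffic from a trusted SIP trunk is still being blocked after an allow rule
was added.  Column order is an assumption inferred from the one log line in
the thread; the real export may differ, so check FIELDS against your log."""
from collections import defaultdict

FIELDS = ("time", "action", "severity", "direction", "protocol", "remote_ip",
          "remote_mac", "remote_port", "local_ip", "local_mac", "local_port")
INT_FIELDS = ("severity", "remote_port", "local_port")

def parse_line(line):
    """One tab-separated log line -> dict; the rule name is assumed to be last."""
    cols = line.rstrip("\n").split("\t")
    if len(cols) < len(FIELDS) + 1:
        raise ValueError(f"unexpected column count: {len(cols)}")
    rec = dict(zip(FIELDS, cols))
    for k in INT_FIELDS:
        rec[k] = int(rec[k])
    rec["rule"] = cols[-1].strip()
    return rec

def blocked_from_trusted(events, trusted_ips):
    """Blocked events whose remote host is trusted.  Anything left here after
    the allow rule exists means the rule is not matching or sits below a block."""
    return [e for e in events
            if e["action"] == "Blocked" and e["remote_ip"] in trusted_ips]

def ports_per_remote(events):
    """Distinct local ports each remote host touched: one host hitting many
    ports is the pattern a generic port-scan heuristic keys on, which is why
    SIP/RTP media arriving on changing ports can look like a scan."""
    hits = defaultdict(set)
    for e in events:
        hits[e["remote_ip"]].add(e["local_port"])
    return {ip: len(ports) for ip, ports in hits.items()}

# Constructed sample: 203.0.113.5 stands in for the redacted 64.x.x.x trunk
# address, MACs are placeholders, and the third line is what an allow-rule hit should look like.
_MAC = "00-00-00-00-00-00"
_T = "1/21/2013 2:31:06 PM"
SAMPLE_LINES = ["\t".join(r) for r in (
    ["1/21/2013 2:31:04 PM", "Blocked", "10", "Incoming", "UDP", "203.0.113.5", _MAC,
     "19320", "10.0.0.248", _MAC, "11434", "", "drew Default", "4", _T, _T, "Block_all"],
    ["1/21/2013 2:31:05 PM", "Blocked", "10", "Incoming", "UDP", "203.0.113.5", _MAC,
     "19322", "10.0.0.248", _MAC, "11436", "", "drew Default", "1", _T, _T, "Block_all"],
    ["1/21/2013 2:40:00 PM", "Allowed", "0", "Incoming", "UDP", "203.0.113.5", _MAC,
     "5060", "10.0.0.248", _MAC, "5060", "", "drew Default", "1", _T, _T, "Allow SIP trunk"],
)]
SAMPLE_EVENTS = [parse_line(line) for line in SAMPLE_LINES]
```

Run it against an exported log instead of SAMPLE_LINES; an empty result from blocked_from_trusted for the trunk address is the "good to go" condition.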



  • 9.  RE: Endpoint Protection 12.1.2015.2015 "port scan" false positive

    Posted Apr 06, 2013 08:58 PM

    Having this issue again, but in a related fashion for an external SIP softphone attempting to register to a VMware server that has the 10.0.0.248 IP on my network, connected to Windows host node 10.0.0.100. With Endpoint Protection on, when my iPhone attempts to register from the AT&T cellular network, it doesn't work. When looking at the Network Threat Protection log, I get the following blocks:

    [screenshot attachment: symantec_issue.PNG]

    This shouldn't be happening considering I have a rule that says let everything to 10.0.0.248 just pass, no blocking:

    [screenshot attachment: symantec_rule.png]


    I'm at a loss here. This doesn't make any sense.