Endpoint Protection


Endpoint Protection Blocks the IP of my Router


  • 1.  Endpoint Protection Blocks the IP of my Router

    Posted May 31, 2010 12:54 PM
    I have been unable to connect to the Internet after getting two new routers, and this could be due to Endpoint Protection being too sensitive.
    Endpoint Protection blocked the IP of the gateway (router), thus my T60 was not able to get on the Internet.
    The same issue has been found in two recent routers I bought: Asus RT-N12 and Buffalo WHR-G300N.
    I also connected the T60 with either iPhone or another old router, WYR-G54, no issue and no block of gateway ip.

    The log is as below.

    Somebody is scanning your computer.
    Your computer's TCP ports:
    21, 80, 8000, 8080 and 3389 have been scanned from 192.168.1.1.

    Traffic from IP address 192.168.1.1 is blocked from 2010/5/31 PM11:57:31 to 2010/6/1 AM12:02:31.


  • 2.  RE: Endpoint Protection Blocks the IP of my Router

    Posted May 31, 2010 01:04 PM

    Please check the below article for the above issue

    Title: 'How to add an exception for Intrusion Prevention Policy to allow a specific ID through Symantec Endpoint Protection Manager'
    Web URL: http://service1.symantec.com/support/ent-security.nsf/docid/2009110213020648?Open&seg=ent




  • 3.  RE: Endpoint Protection Blocks the IP of my Router

    Posted May 31, 2010 01:15 PM
    If it is an unmanaged client, then:
    Open SEP-GUI
    Network Threat Protection - Options - Change Settings - Intrusion Prevention - (Uncheck) Enable Port scan detection.

    or
    Open SEP-GUI
    Network Threat Protection - Options - Configure Firewall Rules
    Add rule Allow all - Under Network add IP address from 192.18.0.1 to 192.168.255.254 (all routers' IP addresses are within this)


  • 4.  RE: Endpoint Protection Blocks the IP of my Router

    Posted May 31, 2010 08:45 PM
    The Endpoint Protection  is installed by the company that I am not able to configure the setting or policy.
    Is there any way I can temp with the routers?


  • 5.  RE: Endpoint Protection Blocks the IP of my Router

    Posted Jun 01, 2010 12:10 AM
    "The Endpoint Protection is installed by the company that I am not able to configure the setting or policy."
    Can you tell us what is the exact problem you are facing when you try to configure?


  • 6.  RE: Endpoint Protection Blocks the IP of my Router

    Posted Jun 01, 2010 12:47 AM
    I can't click on the button, it says "your administrator has locked this feature".


  • 7.  RE: Endpoint Protection Blocks the IP of my Router

    Posted Jun 01, 2010 12:51 AM
    Then you have to do these changes in SEPM only, since it is locked from SEPM. Do as per the link in first post and see if any difference is present....


  • 8.  RE: Endpoint Protection Blocks the IP of my Router

    Posted Jun 01, 2010 04:54 AM

    Before adding exceptions, did anyone confirm that this traffic is legitimate?

    Those ports are for well known services like ftp, http, and rdp.
    Are you sure this isn't just your router letting Internet traffic through?



  • 9.  RE: Endpoint Protection Blocks the IP of my Router

    Posted Jun 01, 2010 06:18 AM

    Then how come my old router won't scan my ports?
    Even if it is not legitimate, then Endpoint just blocks the router IP and the whole Internet access??


  • 10.  RE: Endpoint Protection Blocks the IP of my Router

    Posted Jun 01, 2010 06:31 AM
    open policies
    select intrusion prevention policy
    under exclude host; put your router ip 192.168.1.1
    check if that works.


  • 11.  RE: Endpoint Protection Blocks the IP of my Router

    Posted Jun 01, 2010 06:32 AM

    Well, what we found when looking into a different SEP RU5 bug, was that only some people, not all, lost their Internet connection whenever the router was blocked.
    It is not intuitive, but the reason turned out to be simple:  most home routers these days act as a DNS proxy. That is, when you get an IP-address from your router, it tells you to use <router-IP> as DNS server.  And if you can't get DNS, then you can't really get Internet....

    The old router could have a different firewall setup that blocks these inbound connections.

    If this is legitimate traffic, then what SEP is blocking should be legitimate *return traffic* to your computer, that is: reply packets from something you are connecting to.
    You can verify this by checking next time:  did you use RDP to your router (or anything else) at the time port 3389 was blocked? If not, the packets came from someone else.

    The weird thing in all of this is that it is using your router's address as source. That implies that whatever traffic you are seeing is NAT'ed on the way in to you.



  • 12.  RE: Endpoint Protection Blocks the IP of my Router

    Posted Jun 01, 2010 09:09 AM
    "If this is legitimate traffic, then what SEP is blocking should be legitimate *return traffic* to your computer, that is: reply packets from something you are connecting to.
    You can verify this by checking next time:  did you use RDP to your router (or anything else) at the time port 3389 was blocked? If not, the packets came from someone else."

    This is beyond my knowledge already. Don't know how to reply packets and trace them. RDP is? How to know it is port 3389?

    Thanks.


  • 13.  RE: Endpoint Protection Blocks the IP of my Router

    Posted Jun 01, 2010 11:05 PM
    I checked with Buffalo support, and they admitted that this is a designed behavior for the router to check the availability of standard ports.
    The same designed behaviors can be found within other modern routers and chips (like Asus RT-N12).

    Isn't Endpoint Protection too sensitive to recent routers?


  • 14.  RE: Endpoint Protection Blocks the IP of my Router

    Posted Jun 01, 2010 11:34 PM
    What is SEP's version?

    It sounds like NTP's active scan is reacting to the router's behaviour.  An admin will need to add your router's IP (as above) to the exclusion list.

    sandra


  • 15.  RE: Endpoint Protection Blocks the IP of my Router

    Posted Jun 02, 2010 01:36 AM
    Hi CK,

    Please read this forum thread: https://www-secure.symantec.com/connect/forums/endpoint-1106-false-denial-service-attacks-dns-servers

    If that matches exactly what you are seeing, then improvements in a future release of SEP will correct the issue.

    Thanks and best regards,

    Mick




  • 16.  RE: Endpoint Protection Blocks the IP of my Router

    Posted Jun 02, 2010 04:21 AM

    What would the router need that information for?
    Did they say why it does this?

    It sounds to me like SEP is defending against very dubious behaviour. Your router is the one that's not behaving normally, even if other routers exist that might do the same thing.

    One possible reason I can think of is if it has something to do with autoconfiguring port forwarding, UPnP or firewall rules.
    If you have UPnP configured on the router, I recommend you turn it off immediately. For that matter, if there's any "dynamic configuration" of security in the router, I'd stop it right away.
    Having a router that can automatically open connections to your machines from the Internet, without you knowing it, is probably the last thing you want.

    So, before making an exception in SEP, I'd make sure I had configured the router properly.
     



  • 17.  RE: Endpoint Protection Blocks the IP of my Router

    Posted Jun 02, 2010 04:50 AM

    I got my reply from Buffalo now, here's what they said:

    "I'm afraid that would be incorrect, the router does not perform Port Scans, it has no reason to do this, the only function to do with ports on the router is Port Forwarding in order for a user to open specific ports for certain services".


    Is there any port forwarding going on on your router?



  • 18.  RE: Endpoint Protection Blocks the IP of my Router

    Posted Jun 02, 2010 08:48 AM
    OK, here is what I got.

    My SEP is 11.0.4202.75.
    I reset the Buffalo WHR-HP-G300N and just set up the PPPOE and disabled UPnP (by my PC of course). Also checked there is no port forwarding set.
    As soon as I connect my T60 to the router, the SEP blocks the router IP, 192.168.11.1, Log below.

    Somebody is scanning your computer.
    Your computer's TCP ports:
    21, 80, 8000, 8080 and 3389 have been scanned from 192.168.11.1.
    Traffic from IP address 192.168.11.1 is blocked from 2010/6/2 PM 07:29:25 to 2010/6/2 PM 07:34:25.

    I wait 5min and still can’t get access to the internet. Then I refresh the log, the router ip is blocked again, log below.

    Somebody is scanning your computer.
    Your computer's TCP ports:
    21, 80, 8000, 8080 and 3389 have been scanned from 192.168.11.1.
    Traffic from IP address 192.168.11.1 is blocked from 2010/6/2 PM 07:34:37 to 2010/6/2 PM 07:39:37.

    Of course I wait for another 5min but the ip is again blocked for 5min. Then I will never be able to get on line.
    I then connect back to my old router, WYR-G54, same default setting, UPnP is ON as default, only configure PPPOE to my ISP.
    My T60 soon gets DHCP assigned and connects to the internet. No more log shown in the security log. I noticed the default setting of The Intrusion Detector in my old router is OFF. Not sure if this matters.
    I unplug the LAN and manually set the DNS to my ISP at 168.95.1.1, and plug back to the new router.
    Then again, the router scans my T60 and SEP blocks the router IP for 5min and on and on.
    1. Please note that I have another router, Asus RT-N12, which has exactly the same issue. The two routers are from major home router brands and based on different hardware chips.
    2. My company admin won’t allow individuals to configure the setting, thus there is no way I can make my router exceptional.
    3. My company admin won’t change the policy for me.
    4. I connected to another ISP at another house and the issue is exactly the same. I believe you can easily reproduce the issue.
    My point is that both routers are very popular home models and from their service centers there are no similar complaints. My PC, with avast, works fine with both routers. Isn’t SEP too sensitive to such router behavior?
    Let me know what info you need to get the issue fixed.
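
    The block notices quoted in this thread can be checked mechanically against the DNS-proxy explanation given in post 11. The following is an added example, not part of any post and not Symantec code: the function names are hypothetical, and the `gateway` and `dns_servers` values are assumptions that would normally be read from the client's own network configuration.

```python
import re
from datetime import datetime

# Notices copied from posts 1 and 18 of this thread (SEP client security log text).
SAMPLE_LOG = """\
Your computer's TCP ports:
21, 80, 8000, 8080 and 3389 have been scanned from 192.168.11.1.
Traffic from IP address 192.168.11.1 is blocked from 2010/6/2 PM 07:29:25 to 2010/6/2 PM 07:34:25.
Your computer's TCP ports:
21, 80, 8000, 8080 and 3389 have been scanned from 192.168.11.1.
Traffic from IP address 192.168.11.1 is blocked from 2010/6/2 PM 07:34:37 to 2010/6/2 PM 07:39:37.
Traffic from IP address 192.168.1.1 is blocked from 2010/5/31 PM11:57:31 to 2010/6/1 AM12:02:31.
"""

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
TS = r"\d{4}/\d{1,2}/\d{1,2} [AP]M ?\d{1,2}:\d{2}:\d{2}"
BLOCK_RE = re.compile(rf"Traffic from IP address ({IP}) is blocked from ({TS}) to ({TS})")
SCAN_RE = re.compile(rf"([\d, and]+?) have been scanned from ({IP})")

def parse_ts(text):
    """Parse '2010/6/2 PM 07:29:25' or '2010/5/31 PM11:57:31' (12-hour clock, AM/PM first)."""
    y, mo, d, ampm, h, mi, s = re.fullmatch(
        r"(\d{4})/(\d{1,2})/(\d{1,2}) ([AP]M) ?(\d{1,2}):(\d{2}):(\d{2})", text).groups()
    hour = int(h) % 12 + (12 if ampm == "PM" else 0)  # AM12 -> 0, PM07 -> 19
    return datetime(int(y), int(mo), int(d), hour, int(mi), int(s))

def parse_notices(log_text):
    """Return (blocks, scans): block windows and scanned ports, keyed by source IP."""
    blocks, scans = {}, {}
    for ip, start, end in BLOCK_RE.findall(log_text):
        blocks.setdefault(ip, []).append((parse_ts(start), parse_ts(end)))
    for ports, ip in SCAN_RE.findall(log_text):
        scans.setdefault(ip, set()).update(int(p) for p in re.findall(r"\d+", ports))
    return blocks, scans

def assess(log_text, gateway, dns_servers):
    """Summarise each blocked source; gateway and dns_servers are assumed inputs."""
    blocks, scans = parse_notices(log_text)
    report = {}
    for ip, windows in blocks.items():
        windows.sort()
        # Seconds of unblocked time between one window ending and the next starting.
        gaps = [int((nxt[0] - cur[1]).total_seconds())
                for cur, nxt in zip(windows, windows[1:])]
        report[ip] = {
            "blocks": len(windows),
            "blocked_seconds": sum(int((e - s).total_seconds()) for s, e in windows),
            "gaps_seconds": gaps,
            "scanned_ports": sorted(scans.get(ip, ())),
            "is_gateway": ip == gateway,
            # Post 11: a router acting as DNS proxy takes name resolution down with it.
            "dns_outage": ip in dns_servers,
        }
    return report

if __name__ == "__main__":
    for ip, info in assess(SAMPLE_LOG, "192.168.11.1", ["192.168.11.1"]).items():
        print(ip, info)
```

    For the 192.168.11.1 notices the two five-minute windows are only 12 seconds apart, which matches the poster's experience of never getting back online.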


  • 19.  RE: Endpoint Protection Blocks the IP of my Router

    Posted Jun 02, 2010 09:43 AM
    ..very weird...    Without seeing the actual network traffic, I have no more useful suggestions... 

    I really feel like running out and getting one of those routers to test, now  :)



  • 20.  RE: Endpoint Protection Blocks the IP of my Router

    Posted Jun 02, 2010 11:15 AM
    Well, to be fair, this is not a 'home' product, but an 'enterprise' product.  That said, if you're using a company laptop from an alternate location, your admins should establish location awareness to give you more freedom to configure when connecting to an ISP outside of the intranet, or set exclusions for you.  It really sounds like SEP is doing what it's supposed to do.

    sandra


  • 21.  RE: Endpoint Protection Blocks the IP of my Router

    Posted Jun 02, 2010 11:18 AM

    How can I get the traffic? Ethereal?


  • 22.  RE: Endpoint Protection Blocks the IP of my Router

    Posted Jun 02, 2010 06:56 PM
    I'd recommend Microsoft's Network Monitor, actually. At least if you want to run on the attacked computer.
    I've seen Wireshark (Ethereal) disagreeing with SEP some times.
    However, any capture requires admin access to the machine. 





  • 23.  RE: Endpoint Protection Blocks the IP of my Router

    Posted Jun 11, 2010 08:06 PM

    On the Buffalo router, try un-checking the "Enable" box for "List Network Services" under the "Admin Config" tab. I have the WZR-HP-G300NH and found it was scanning the LAN IPs for network services (open ports).



  • 24.  RE: Endpoint Protection Blocks the IP of my Router

    Posted Jun 14, 2010 03:23 AM

    You are saying that if you turn that off, the scanning stops? 
    Or was it just a theory/suggestion?

    If it's true, it is very interesting!


  • 25.  RE: Endpoint Protection Blocks the IP of my Router

    Posted Jun 14, 2010 08:19 PM
    It was a suggestion. I was not having a problem with SEP on my network. I turned off the Buffalo's List Network Services feature on 6/11 and have not seen any further port scans from the Buffalo router IP in the log as of 6/14.


  • 26.  RE: Endpoint Protection Blocks the IP of my Router

    Posted Jun 15, 2010 12:10 AM
    I don't understand how this could sound like SEP is doing what it's supposed to do. It's falsely picking up a router for port scans, it couldn't be more simple.

    Saying that security should be loosened while out of the office is also poor advice, this is when the clients are most at risk, the security should be tightened if anything. Saying exclusions should be used is not always the best option when you are working with thousands of clients.


  • 27.  RE: Endpoint Protection Blocks the IP of my Router

    Posted Jun 15, 2010 02:47 AM
    Jon,

    if yesterday's post from EricW is correct, then SEP is quite correctly picking up the router for port scanning. It's not false.
    This port scanning seems to be normal behaviour for some newer home routers. Most likely this is an attempt at lowering configuration complexity for the user, by letting the router gather network information by itself. This is useful for easing firewall config etc, but unfortunately it is not normal router behaviour, and it is indistinguishable from malicious scanning.

    Enterprise tools for network mapping often use other techniques to identify network equipment, not pure port scanning, but even they usually need some exceptions to the firewall ruleset to allow inbound connections to a client.

    I agree that lowering security while out of office is a bad idea, though.  One cannot make such singular exceptions to an enterprise setup.


  • 28.  RE: Endpoint Protection Blocks the IP of my Router

    Posted Jun 15, 2010 03:04 AM

    Thanks, EricWW
    That means that Buffalo support gave correct info to one of us, but totally wrong info to me. The existence of that function explains everything, I guess.

    It seems, though that someone-who-shall-remain-nameless at Buffalo support blatantly lied to me (or was incompetent) when he said he had checked, and found that there was no such function in the router.

    But your tip seems to be the correct solution to this:  turn that function off.

    And I'm not buying Buffalo equipment anytime soon.



  • 29.  RE: Endpoint Protection Blocks the IP of my Router

    Posted Jun 15, 2010 09:58 AM

    Thanks, EricWW
    That means that Buffalo support gave correct info to one, but totally wrong info to me. The existence of that function explains everything, I guess.

    It seems, though that someone-who-shall-remain-nameless at Buffalo support blatantly lied to me (or was incompetent) when he said he had checked, and found that there was no such function in the router.

    But your tip seems to be the correct solution to this:  turn that function off.

    And I'm not buying Buffalo equipment anytime soon.



  • 30.  RE: Endpoint Protection Blocks the IP of my Router

    Posted Jun 23, 2010 11:54 PM

    Thanks for the hint but not many entry-level home routers have that option.
    Does this imply that this is not a threat at all?
    If most entry-level home routers scan the ports by default to make people’s life easier, shouldn’t SEP adapt to this?
    To me it does sound like SEP falsely detects the threat.


  • 31.  RE: Endpoint Protection Blocks the IP of my Router

    Posted Jun 24, 2010 06:37 AM

    Most home routers do not do this, it is not normal. (At least not yet, maybe some day it will be, and then we can ask SEP to handle it.)

    Anyway, if SEP (or any other security software) is going to do so, it must
    - first of all be aware that this exact router is really your home network gateway,
    - and it must be able to trust it and its configuration

    This actually requires a change in standards, best practices, network technology and security technology to achieve. Knowing the IP-address is not enough.

    Also, remember that SEP is not really on there to protect you. It is on there to protect your corporate network (and the rest of the computers on it).
    SEP is configured to see the world from your company's perspective.
    In the company network, they can make exceptions for unusual behaviour, because they are in control of that behaviour and all the equipment.
    In your home network, the company is not in control.  So, when your home router does something unusual/non-standard, that is not something your company and their SEP should worry about.

     



  • 32.  RE: Endpoint Protection Blocks the IP of my Router

    Posted Nov 24, 2010 12:43 PM

    i'm having the same problem!   i received endpoint through the school i attend.  it constantly blocks common websites like google and sites related to my school.  

    PLEASE fix your product, you as a company offered it to my school so that students could use it, and it has been nothing but a pain in the ass to put it bluntly.  

    i should not have to take a course on computer programming to have a nice product that functions on my computer.  

    i have vista operating system, and a friend of mine has windows xp and has the same problem.  

    please fix!



  • 33.  RE: Endpoint Protection Blocks the IP of my Router

    Posted Nov 24, 2010 01:27 PM

    Upgrade to the latest version, RU6 MP1 as it is fixed in this version.



  • 34.  RE: Endpoint Protection Blocks the IP of my Router

    Posted Nov 24, 2010 01:38 PM

    Release Notes from MP1 show this issue is fixed.

    An unexpected UDP flood attack is reported after upgrading to RU6.
    Fix ID: 2038207
    Symptom: An unexpected UDP flood attack is reported after upgrading to RU6 and blocks what appears to be a legitimate internal DNS server.
    Solution: SEP client was updated to verify that the DNS response packet comes from a valid DNS server.

     

    http://www.symantec.com/business/support/index?page=content&id=TECH103087&locale=en_US

     

    SEP detecting Router DDOS -

    https://www-secure.symantec.com/connect/forums/sep-detecting-router-ddos



  • 35.  RE: Endpoint Protection Blocks the IP of my Router

    Posted Apr 27, 2011 12:22 PM

    I follow the KB article, but where can I locate the specific ID mentioned in step 7: "7. Search and select ID blocked."

    The ID is not listed in the logs or in the popup message, nor can I locate it on any of the EPP Admin reports.



  • 36.  RE: Endpoint Protection Blocks the IP of my Router

    Posted Apr 27, 2011 12:49 PM

    Can you provide a screenshot of the pop-up that you are getting?



  • 37.  RE: Endpoint Protection Blocks the IP of my Router

    Posted Apr 27, 2011 03:53 PM

    Error Popup is attached.

    The IP address shown is to a Panasonic printer. Software installed on this workstation needs to communicate with the .241 address to provide printing statistics.

    It appears all that needs to be done is to create an exception, but there is no ID listed in the error or the logs and there is nothing in the exception list that appears to properly relate to this message.

    Jim



  • 38.  RE: Endpoint Protection Blocks the IP of my Router
    Best Answer

    Posted Apr 27, 2011 05:37 PM

    The document linked above indicates the ID (or SID) would be in the error:

    Symantec Endpoint Protection
    Traffic from IP address x.x.x.x is blocked from [date][time] to [date][time]
    [SID: #####]

    Yours just says "Denial of Service". This likely means it's being blocked by denial of service detection, not by signature. (Intrusion Prevention Policy > Settings > Enable denial of service detection)

    Why not just include the IP as an excluded host? (Intrusion Prevention Policy > Settings > Enable excluded hosts, then add in your printer's IP)

    sandra



  • 39.  RE: Endpoint Protection Blocks the IP of my Router

    Posted Apr 27, 2011 06:50 PM

    Excellent suggestion. I knew there had to be a simpler way.

    Resolved my issue.



  • 40.  RE: Endpoint Protection Blocks the IP of my Router

    Posted Apr 27, 2011 08:52 PM

    Excellent... too bad can't get the 'resolved' tick from you... :)

    sandra



  • 41.  RE: Endpoint Protection Blocks the IP of my Router

    Posted Apr 28, 2011 12:41 PM

    Thank you! :)

    sandra