
Endpoint Protection Firewall - svchost contacting MS's servers

Created: 12 Dec 2012 • Updated: 12 Dec 2012 | 14 comments
This issue has been solved. See solution.

Apologies if this is in the wrong place.

I just upgraded Oracle's VirtualBox and its user extensions.

Since then, I've been getting pop-ups from Symantec telling me that it is blocking svchost.exe. Looking at the logs, it appears to be blocking contact to a couple of Microsoft servers (when I look up the IPs that are listed in the logs).

No "risks" have been found, scanning the computer. Should I just disable the firewall for a bit to let it connect, and then turn it back on? I don't understand what changed after updating the Oracle software. Did malware piggy-back a ride?

Thanks for your time. Let me know what information I can provide, if any, to make helping me easier.


Rafeeq's picture

Follow this document:

Traffic has been blocked for the application host process for Windows Services Svchost.exe

http://www.symantec.com/business/support/index?pag...

pete_4u2002's picture

After looking into the image, you need to follow the above link shared by Rafeeq.

Meece's picture

OK, I will, though if you have the time I would appreciate an explanation -- a) how come I've never had the pop-up in the past? and b) The blocked service (svchost) which I'm getting the pop up for is UDP not TCP...

pete_4u2002's picture

Can you check the policy for the group the client reports to and let us know if the notification is enabled for the alerts?

Meece's picture

I'm sorry - you've lost me. I'm assuming you're not referring to gpedit.msc -- is the notification policy you're referring to available in Symantec Endpoint Protection v.11? (as opposed to the Endpoint Manager.)

The only notification options I see are "Display Intrusion Detection notifications" (checked) and its sub-options (sound, length of time to display).

pete_4u2002's picture

I was referring to the SEP firewall policy configured on SEPM.

Can you post the screenshot of the pop-up message?

Ashish-Sharma's picture

Hi,

Try to allow IPv6 traffic.

NTP - Network Threat Protection. IPv6 is initially blocked by default in SEP. You need to uncheck that option.

SEP client -> Network Threat Protection -> Option -> Configure Firewall Rules -> Allow all IPv6 Traffic

Thanks In Advance

Ashish Sharma

SOLUTION
Ashish-Sharma's picture

Hi,

Just to test, could you try uninstalling the NTP protection from Add/Remove Programs, restart the machine, and check if that resolves the issue?

Thanks In Advance

Ashish Sharma

Meece's picture

I haven't gotten the message since I unchecked "Block IPv6 over IPv4 (Teredo) Remote UDP port 3544" so I think that fixed it actually :)

Ashish-Sharma's picture

Hi,

Glad to hear :)

If your issue is resolved, please don't forget to mark as the solution the comment that best helped you.

Thanks In Advance

Ashish Sharma