
Endpoint Protection Firewall - svchost contacting MS's servers

Created: 12 Dec 2012 | Updated: 12 Dec 2012 | 14 comments
Meece's picture
This issue has been solved. See solution.

Apologies if this is in the wrong place.

I just upgraded Oracle's VirtualBox and its user extensions.

Since, I've been getting pop-ups from Symantec telling me that it is blocking svchost.exe. Looking at the logs, it appears to be blocking contact to a couple of Microsoft servers (when I look up the IPs that are listed in the logs).

No "risks" have been found, scanning the computer. Should I just disable the firewall for a bit to let it connect, and then turn it back on? I don't understand what changed after updating the Oracle software. Did malware piggy-back a ride?

 

Thanks for your time. Let me know what information I can provide, if any, to make helping me easier.


Rafeeq's picture

Follow this document

 

Traffic has been blocked for the application host process for Windows Services Svchost.exe

 

http://www.symantec.com/business/support/index?pag...

Please don't forget to mark your thread solved with whatever answer helped you : ) Rafeeq

pete_4u2002's picture

After looking into the image, you need to follow the above link shared by Rafeeq.
Meece's picture

OK, I will, though if you have the time I would appreciate an explanation -- a) how come I've never had the pop-up in the past? and b) The blocked service (svchost) which I'm getting the pop up for is UDP not TCP...

pete_4u2002's picture

Can you check the policy for the group the client reports to and let us know if the notification is enabled for the alerts?
Meece's picture

I'm sorry - you've lost me. I'm assuming you're not referring to gpedit.msc -- is the notification policy you're referring to available in Symantec Endpoint Protection v.11? (as opposed to the Endpoint Manager.)

The only notification options I see are "Display Intrusion Detection notifications" (checked) and its sub-options (sound, length of time to display).

pete_4u2002's picture

I was referring to the SEP firewall policy configured on SEPM.

Can you post the screenshot of the pop-up message?
Meece's picture

OK, yeah, this is an unmanaged version of SEP

http://postimage.org/image/r14ef4dxf/

Thanks for your time.

Ashish-Sharma's picture

Hi

Try to allow ipv6 traffic

NTP - Network Threat Protection. IPv6 is initially blocked by default in SEP. You need to uncheck that option.

SEP client -> Network Threat Protection -> Option -> Configure Firewall Rules -> Allow all IPv6 Traffic

Thanks In Advance

Ashish Sharma

SEPM Knowledgebase Documents

SOLUTION
Ashish-Sharma's picture

Hi,

Just to test, could you try uninstalling the NTP protection from the Add/Remove Programs, restart the machine and check if that resolves the issue?

Thanks In Advance

Ashish Sharma

SEPM Knowledgebase Documents
Meece's picture

I haven't gotten the message since I unchecked "Block IPv6 over IPv4 (Teredo) Remote UDP port 3544" so I think that fixed it actually :)

+1
Ashish-Sharma's picture

Hi,

Glad to hear :)

If your issue is resolved, please don't forget to mark as solution whichever comment best helped you.

Thanks In Advance

Ashish Sharma

SEPM Knowledgebase Documents