Endpoint Protection


False positive DoS attack (UDP Flood Attack) - SEP NTP

  • 1.  False positive DoS attack (UDP Flood Attack) - SEP NTP

    Posted Jun 28, 2010 05:40 AM
    Hi for all of You,

    I upgraded SEPM to 11.0.6 and since then I have a problem with some laptops. Users notified me that when they connect their laptop to their own router in their flats, SEP detects it as a DoS attack and blocks all the network traffic from the router's IP. Is it possible to maintain security and still enable them to connect to their home network? I could untick the checkbox "Automatically block an attacker's IP address", but I'm afraid that would be insecure, am I right?


  • 2.  RE: False positive DoS attack (UDP Flood Attack) - SEP NTP

    Posted Jun 28, 2010 05:45 AM

    Unticking the "Enable denial of service detection" option in the Intrusion Prevention Policy settings will resolve this issue. But it is a workaround, not the solution.

    The job of "Automatically block an attacker's IP address" is to block all communication from a source host for the specified number of seconds when the client detects an attack. For example, if the client detects a denial-of-service attack, the client blocks all traffic from the originating IP address. This feature is also called active response. This option is enabled by default in the SEPM.

    What you can do is exclude the false positive in the Intrusion Prevention rule.


    Title: 'How to add an exception for Intrusion Prevention Policy to allow a specific ID through Symantec Endpoint Protection Manager'
    Document ID: 2009110213020648
    Web URL: http://service1.symantec.com/support/ent-security.nsf/docid/2009110213020648?Open&seg=ent




  • 3.  RE: False positive DoS attack (UDP Flood Attack) - SEP NTP



  • 4.  RE: False positive DoS attack (UDP Flood Attack) - SEP NTP

    Posted Jun 28, 2010 05:50 AM
    Go to Intrusion Prevention policy > Exceptions > Add > UDP Flood Attack (you can find the SID, which will be present in the blocking message).


  • 5.  RE: False positive DoS attack (UDP Flood Attack) - SEP NTP

    Posted Jun 28, 2010 09:11 AM
    Go to Intrusion Prevention policy > Settings > Excluded Hosts, and add the IP address of the router to the exclusion. See attached.


  • 6.  RE: False positive DoS attack (UDP Flood Attack) - SEP NTP

    Posted Jun 28, 2010 09:26 AM
    I have found, like you, that the DoS bug mostly affects users connecting to the VPN over their personal routers. To work around this issue I created a separate group in the SEPM and disabled DoS protection in the Intrusion Prevention policy, and finally I moved the VPN users to that group. I think I saw somewhere in the forum that this bug will be fixed in RU6 MP1. I'm not 100% sure though.

    Mike



  • 7.  RE: False positive DoS attack (UDP Flood Attack) - SEP NTP

    Posted Jun 29, 2010 05:31 AM
    Thank you so much for your workarounds, but don't you think that all these suggestions reduce security (disabling DoS protection, allowing all traffic from an unknown router)? The other issue is that I have no SID number in the details of the NTP logs.


  • 8.  RE: False positive DoS attack (UDP Flood Attack) - SEP NTP

    Posted Jun 29, 2010 06:53 AM
    Are you not getting a pop-up at the time of this blocking message? The SID number will be present in that message.

    You can also find the same in SEPM. Go to Monitor > Logs > Network Threat Protection > Attacks.


  • 9.  RE: False positive DoS attack (UDP Flood Attack) - SEP NTP

    Posted Jun 29, 2010 06:56 AM
    There is a risk in creating the exclusions. But at this point in time I am not finding any other solution. Otherwise, do you have the RU5 package? Remove this RU6 and install RU5.


  • 10.  RE: False positive DoS attack (UDP Flood Attack) - SEP NTP

    Posted Jul 11, 2010 04:45 AM
    Hello
    When checking the site www.virustotal.com, your antivirus shows the presence of a virus in the test file autorun.exe:
    http://www.virustotal.com/ru/analisis/50cbcc940a75da366f6b380c0c5c953f67d7cdc2fba3969cc7b948d90a9e8620-1278681378
    But none of the major antivirus programs like NOD32, DrWeb etc. show the virus.
    Please check the sent files in your anti-virus laboratory more carefully. In the case of a virus, please send a reply to foto@crimea.com. In the absence of a virus, you should also send a response to foto@crimea.com and delete the files from the virus list and virus definitions.
    The program is written in Delphi and uses the shell to view the HTML file and start the video, as well as to remove the program from your computer.




  • 11.  RE: False positive DoS attack (UDP Flood Attack) - SEP NTP

    Posted Jul 12, 2010 12:26 AM
    wow, glad that I'm not alone in this matter.

    So when will the fix for this problem be available? I also have a problem with DWH###.TMP files being quarantined as viruses, so is it all because of using SEP 11.0.6?


  • 12.  RE: False positive DoS attack (UDP Flood Attack) - SEP NTP

    Posted Jul 14, 2010 03:19 AM
    Please give me an answer about the antivirus false positive faster, and delete the files from the virus list and virus definitions.


  • 13.  RE: False positive DoS attack (UDP Flood Attack) - SEP NTP

    Posted Jul 14, 2010 06:47 AM
    Hi Vitaly,

    (If you are querying a different suspected False Positive than this thread's UDP Flood, you're more likely to receive a response by creating a new thread in the forum.) 

    If you feel that SEP or SAV are detecting files that are in fact clean, this article may help:  Best Practice when Symantec Endpoint Protection or Symantec AntiVirus is Detecting a File that is Believed to be Safe (http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2010010319585948)

    It may be best to open a case with Symantec Technical Support if you need to continue after that; this forum is an open community of knowledgeable volunteers rather than a method of contacting Symantec Security Response.

    Hope this helps!!

    Thanks and best regards,

    Mick



  • 14.  RE: False positive DoS attack (UDP Flood Attack) - SEP NTP

    Posted Jul 28, 2010 05:55 AM
    Hi,

    I found that a Domain Controller has an Endpoint security log saying that there were DoS attacks from external sources that were dropped, but my firewall log says this server is pinging these IP addresses. So in this case, who is correct?

    Attachment: 260710log.txt (78 KB)