Video Screencast Help

IPS is blocking Traffic from internal vulnerability Check Server

Created: 04 Feb 2013 • Updated: 05 Feb 2013 | 4 comments
This issue has been solved. See solution.

Hi All,

Good Day,

We are using Sep 12.1 RU 1 MP 1 and doesn’t using SEP firewall module on Machines and some of the Machines IPS is blocking an application and logging an event with Severity: Critical, while we are trying to run our vulnerability Check from VA application?

We need to exclude all traffic from VA server, and how we can achieve this?

A Sample Risk Log has been attached


Event Time: 04/02/2013 13:52:20

Begin Time: 04/02/2013 13:52:23

End Time: 04/02/2013 13:52:23

Occurrence: 1

Signature Name: OS Attack: MS SMB2 Validate Provider Callback CVE-2009-3103

Signature ID: 23471

Signature Sub ID: 72833

Intrusion URL: N/A

Intrusion Payload URL: N/A

Event Description: [SID: 23471] OS Attack: MS SMB2 Validate Provider Callback CVE-

2009-3103 attack blocked. Traffic has been blocked for this application: SYSTEM

Event Type: Intrusion Prevention

Hack Type: 0

Severity: Critical

Application Name: SYSTEM

Network Protocol: TCP

Traffic Direction: Inbound

Remote IP: X.X.X.X

Remote MAC: N/A

Remote Host Name: N/A

Alert: 1

Local Port: 445

Remote Port: 3287


Thanks in advance




Comments 4 CommentsJump to latest comment

_Brian's picture

You can add the IP of the VA server in the exlcuded hosts file in the IPS policy. See here

Setting up a list of excluded computers

Article:HOWTO81159  |  Created: 2012-10-24  |  Updated: 2013-01-30  |  Article URL


AjinBabu's picture

Hi Brian,

Thanks for your response.

Provide article is so much impressing!!!! But is it  applicable to sep 12.1 Ru1 MP 1  and we are not using SEP firewall on Machines ?



_Brian's picture

Yes it still applies in your case. Firewall and IPS are apart of Network Threat Protection but are separate components. You can use both or only one.

guwy's picture


In my opinion it is applicabale in your case. Or You can use application learning and you should add it to exclusion list.