Endpoint Protection

  • 1.  MS RPCSS Attack detected.

    Posted May 12, 2009 08:50 AM


    I am running SEP version 11.0.2000.1567. I have a PC that gets this error every night at different times: "[SID: 20386] MS RPCSS Attack (2) detected. Traffic has been blocked from this application: C:\WINDOWS\system32\svchost.exe". I see that it is trying to contact other PCs in my network when I look at some reports on the SEP Manager.

    I have done some searches looking for a way to find out what this is but I don't see anything that helps. Can anyone tell me how I can investigate this and tell which running svchost.exe process is getting blocked and then how to track down the program that is associated with the svchost process in question?

    Or if anyone knows an email address for Symantec Support that someone will actually reply to then I can send them the question.

    Thanks in advance for any help that you can provide!




  • 2.  RE: MS RPCSS Attack detected.

    Posted May 12, 2009 10:55 AM
    There is an available application, provided by Microsoft, called Process Explorer. What it does is allow you to see which "sub-process" within a process, such as SVCHOST.exe, is trying to do what, or is currently doing what on your machine.

    http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx

    This could allow you to get a better idea of what is going on.

    Also, have you looked at this article from Symantec, which links to Microsoft hot fixes associated with fixing a "vulnerability/exploit" of the RPC service?

    http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=20445


  • 3.  RE: MS RPCSS Attack detected.

    Posted May 12, 2009 11:00 AM
    Hi

    You can check the thread below as the same issue is being discussed here:

    https://www-secure.symantec.com/connect/forums/sid-20386-ms-rpcss-attack-2-detected-help-please?sym=TRUE


    Cheers,
    Aniket



  • 4.  RE: MS RPCSS Attack detected.
    Best Answer

    Posted May 12, 2009 11:03 AM
    Hi,

    As per your comment you are using an older version of SEP, i.e. SEP version 11.0.2000.1567. The latest SEP version is 11.0.4014. You can download it from this location.

    https://fileconnect.symantec.com/licenselogin.jsp?localeStr=en_US

    It's always a good practice to update the software to the latest version. Please revert in case you require help.


  • 5.  RE: MS RPCSS Attack detected.

    Posted May 14, 2009 09:01 AM
    Thanks to all that have responded. Right after I posted this we had a server go down and I had to handle that instead.

    First off Sandip, I can't really update this client yet; however, we will be updating all clients over the next month or so. That being said, the client is stopping this from running and contacting the remote hosts like it should. I just need to find out what it is so I will know if I should clean it or allow it so the warnings go away. I think it is a good suggestion, but it looks like with this version it is seeing that there's something running and it is blocking it, so I am not so sure updating would solve anything.


    Aniket, I did see that post but I am not sure that it applies here. I say that because the end result of that was if the system shows no infection status then it is safe. I don't think that is always true and I don't think it is true here. I will explain this in just a second.


    Jason, I have installed Process Explorer and I think it is a good program, but I am not so sure it is helping me. I will explain this in just a second. I did try to install the Microsoft hot fixes associated with fixing a "vulnerability/exploit" of the RPC service, but since this PC is up to date on all Microsoft updates it was already installed.

    Again thank you all for your suggestions. I have followed each one of them, but right now I don't think they can help me. Allow me to explain further and you will see why.

    Even though it says there is no infection and I have scanned this PC about 5 times, and even though Process Explorer shows me the values of the svchosts that are running, I still think there is something else going on. First of all, if this is something new then it is possible for it not to be classified as an infected PC. Second, Process Explorer only shows me running processes; here's where it gets tricky to me. Each of these 'Intrusion Prevention' messages occurs between 4 A.M. and 5 A.M. when no one is on the system.

    I have checked the Scheduled Tasks on the PC and nothing is set to run at this time of day. And I think that whatever this is does not show in Process Explorer because it doesn't run until then.

    Does all of this make sense? Am I thinking about this correctly? Any suggestions on how I can track what this is when it fires up at 4-5 in the morning when no one is on the system?

    Again thanks for your input and I look forward to more feedback on this issue!
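    Added example, not from anyone in this thread: one way to capture what post 5 asks for (which svchost.exe is active when the alert fires and which services it hosts) is to schedule a PowerShell snapshot around the 4 to 5 A.M. window and then match the PID and timestamp against the SEP Intrusion Prevention entry. It assumes PowerShell 2.0 or later, administrator rights, and a placeholder log path of C:\Temp, none of which the thread specifies.

```powershell
# Added example (not the thread's or Symantec's code): log every svchost.exe
# instance, the services it hosts and its current network connections, so the
# PID active at the time of the IPS alert can be traced back to a service.
# Assumes: run as Administrator; $logPath is a constructed placeholder.
$logPath = 'C:\Temp\svchost-snapshot.log'
$stamp   = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'

# Win32_Service carries the PID of the process hosting each service; services
# that share an svchost.exe instance report the same ProcessId.
$services = Get-WmiObject Win32_Service | Where-Object { $_.ProcessId -ne 0 }

# netstat -ano rows: Proto Local Foreign [State] PID  (UDP rows have no State).
$conns = netstat -ano | Select-String '^\s*(TCP|UDP)\s' | ForEach-Object {
    $f = @(($_.Line -split '\s+') | Where-Object { $_ -ne '' })
    if ($f[0] -eq 'TCP') {
        New-Object PSObject -Property @{ Proto=$f[0]; Local=$f[1]; Remote=$f[2]; State=$f[3]; Pid=[int]$f[4] }
    } else {
        New-Object PSObject -Property @{ Proto=$f[0]; Local=$f[1]; Remote=$f[2]; State='';    Pid=[int]$f[3] }
    }
}

foreach ($p in Get-Process -Name svchost) {
    $hosted  = @($services | Where-Object { $_.ProcessId -eq $p.Id } | ForEach-Object { $_.Name })
    # Ignore listening sockets; only connections with a real peer matter here.
    $remote  = @($conns | Where-Object { $_.Pid -eq $p.Id -and $_.Remote -notmatch '^(0\.0\.0\.0|\*|\[::\])' })
    Add-Content -Path $logPath -Value ("{0} PID={1} services=[{2}] connections={3}" -f $stamp, $p.Id, ($hosted -join ','), $remote.Count)
    foreach ($c in $remote) {
        Add-Content -Path $logPath -Value ("    {0} {1} -> {2} {3}" -f $c.Proto, $c.Local, $c.Remote, $c.State)
    }
}

# Schedule it every 5 minutes between 03:30 and 05:30 (run once from an elevated prompt):
#   schtasks /Create /TN SvchostSnapshot /SC MINUTE /MO 5 /ST 03:30 /ET 05:30 /RU SYSTEM ^
#     /TR "powershell.exe -ExecutionPolicy Bypass -File C:\Temp\svchost-snapshot.ps1"
```

    The entries whose timestamp brackets the SEP alert show which PID was talking to other hosts and which services that PID hosted, which narrows the search to a handful of services instead of every svchost.exe on the box.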


  • 6.  RE: MS RPCSS Attack detected.

    Posted May 26, 2009 10:12 AM
    Hi,

    We have released the latest version of endpoint i.e. MR4 MP2. You can try upgrading and let us know the status.