Endpoint Protection


Not sure if this is related, but...


  • 1.  Not sure if this is related, but...

    Posted Oct 27, 2009 01:32 PM
    I have a server in a remote location, and it is intermittently dropping its connection. When I was able to access that server, I saw the following in the window. I need to know if this can be the cause of it dropping from the network; this is a server with SEPM 11.5 on it...

    Netlogon1.JPG
    The listed files were caught in the C:\DATA\NETLOGON folder.
    Please assist.


  • 2.  RE: Not sure if this is related, but...

    Posted Oct 27, 2009 01:42 PM
    Hi, update to the latest Rapid Release & check.

    Here is the link: http://www.symantec.com/avcenter/rapidrelease.download.html

    If it's still the same issue, then contact Tech Support.


  • 3.  RE: Not sure if this is related, but...

    Posted Oct 27, 2009 01:47 PM
    OK, but why?


  • 4.  RE: Not sure if this is related, but...
    Best Answer

    Posted Oct 27, 2009 01:50 PM
    By default, when a computer is found attacking, the IPS blocks it for 600 secs (10 mins).
    So as there was an infection on this computer and it might be trying to attack other computers, its IP address was blocked by them for 600 secs.


  • 5.  RE: Not sure if this is related, but...

    Posted Oct 27, 2009 01:57 PM
    ...and knocking the users who report to that server offline. When it blocks the others, it also blocks me from getting to it. I think it is a good idea to exclude the C:\DATA\NETLOGON folder from the real-time scan and run a full scan on this machine nightly. Thoughts?? Comments?


  • 6.  RE: Not sure if this is related, but...

    Posted Oct 27, 2009 02:09 PM
    Excluding Netlogon doesn't look like a good idea.
    As Netlogon is shared to everybody, if that's infected, everybody's infected.

    In SAV 10.x you had the liberty to do so, but not in SEP. Once you put it in a centralized exception it is excluded from all scans.

    Rather, I would suggest you edit the IPS policy in SEPM, go to Settings and uncheck "Automatically block attackers IP ........"

    Run a full scan and make sure this computer is clean and you are not getting any IPS pop-ups or IPS logs complaining about this server.
    Set the IPS policy back to block attackers' IP.


  • 7.  RE: Not sure if this is related, but...

    Posted Oct 27, 2009 02:23 PM

    Rather, I would suggest you edit the IPS policy in SEPM, go to Settings and uncheck "Automatically block attackers IP ........"

    Set the IPS policy back to block attackers' IP.

    ?



  • 8.  RE: Not sure if this is related, but...

    Posted Oct 27, 2009 02:27 PM
    But, the second part, how do I designate it to block that one specific IP???


  • 9.  RE: Not sure if this is related, but...

    Posted Oct 27, 2009 02:36 PM

    Title: 'Symantec Endpoint Protection Manager - Intrusion Prevention - Policies explained'
    Document ID: 2008032011043948
    Web URL: http://service1.symantec.com/support/ent-security.nsf/docid/2008032011043948?Open&seg=ent


  • 10.  RE: Not sure if this is related, but...

    Posted Oct 27, 2009 02:36 PM
     


  • 11.  RE: Not sure if this is related, but...

    Posted Oct 27, 2009 02:37 PM
    Well, you can exclude a host in IPS. In that way AV will work on that PC but IPS won't; once the PC is cleaned you can remove that server from Excluded Hosts.


  • 12.  RE: Not sure if this is related, but...

    Posted Oct 27, 2009 02:42 PM
    ips1.JPG


  • 13.  RE: Not sure if this is related, but...

    Posted Oct 27, 2009 02:47 PM
    But, what if I want to block the offending IP? Say the attack came from 10.1.2.4. The active response is now disabled, and I won't have to wait 600 seconds for the infected machine to come back to life, but I still want to block the culprit PC from accessing it again. I would ideally like to block out IP 10.1.2.4.

    How can I do this? The option I see, ALLOWS traffic from it, I would like to do the opposite.

    Thank you.


  • 14.  RE: Not sure if this is related, but...

    Posted Oct 27, 2009 02:59 PM
    You can change the wait time from 600 seconds to whatever you want.

    Automatically block an attacker's IP address : Blocks all the communication from a source host for the specified number of seconds when the client detects an attack. For example, if the client detects a denial-of-service attack, the client blocks all traffic from the originating IP address. This feature is also called active response.

     



  • 15.  RE: Not sure if this is related, but...

    Posted Oct 27, 2009 02:59 PM
    Is the attacking computer on your network?
    If yes, then patch it and clean it first.
     
    If not, then in the Excluded Hosts list give the range of IP addresses you use in your network.
    In this case only outsiders' IP addresses will be blocked.


  • 16.  RE: Not sure if this is related, but...

    Posted Oct 27, 2009 03:11 PM
    and pulled it from the client end on the server, yet the timing out still occurs. I have also downloaded and run the latest Rapid Release definitions.


  • 17.  RE: Not sure if this is related, but...

    Posted Oct 27, 2009 03:20 PM
    1. Make sure the policy is assigned to the group in which you have that server.
    2. Make sure the client has updated the policy: right-click > Update Policy.
    3. Make sure the clients are in Server Control and not in Client Control.



  • 18.  RE: Not sure if this is related, but...

    Posted Oct 27, 2009 03:51 PM
    Number 3, not so much...

    3. Make sure the clients are in Server Control and not in Client Control.

    How is this done?


  • 19.  RE: Not sure if this is related, but...

    Posted Oct 27, 2009 04:01 PM
    bra.JPG


  • 20.  RE: Not sure if this is related, but...

    Posted Oct 27, 2009 04:11 PM
    ...enabled I want to disable it, but then the client freaks out, and is red and says this has problems, and tells me to fix it, with a giant fix button. How can I make it so I can disable the NTP on this box and not have that warning?


  • 21.  RE: Not sure if this is related, but...

    Posted Oct 27, 2009 04:17 PM
    The option was easier in pre-MR3 versions (just uncheck Teefer2), but now you can do it with policies.

    In the firewall policy ADD a blank rule and move it to the top (allow all);
    thus the firewall is OFF.
    In the Intrusion Prevention policy, as shown in the above policy settings, uncheck
    all of them:
    Enable IPS, Enable Port Scan, Enable DOS..


  • 22.  RE: Not sure if this is related, but...

    Posted Oct 27, 2009 04:37 PM
    and the Server IP died down at the same time...I wonder if that is anything to do with SEP now.


  • 23.  RE: Not sure if this is related, but...

    Posted Mar 04, 2010 03:28 AM
    I am new to SEP - but my problem looks similar to the one mentioned above.

    I have the Intrusion Prevention policy set to block attackers' IP after 600 Secs and I am bound to follow that policy. I have a couple of backup servers which try to initiate a connection with the client, and this can stretch up to 30 mins - therefore identifying the backup server as an attacker's IP - it blocks the client and hence terminates the connection with the backup server. Please suggest a solution to overcome this problem.

    I can think of a couple of options:
    1. Exclude host.
    2. Add the port details (Client/Server port used for communication) in the "Network Services" section.

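The active-response behaviour described in post 14 (block all traffic from a source for a fixed number of seconds once an attack signature fires), the Excluded Hosts advice in post 15 (exclude your own internal range so only outside addresses get blocked), and the backup-server problem in post 23 can all be seen in one small model. The following Python is an added example written for this page; it is not Symantec code and does not read real SEP logs. The event format, the 10.1.2.4 and 203.0.113.7 addresses, the 10.1.0.0/16 internal range and all timings are constructed for the demonstration.

```python
"""Model of IPS "active response": block an attacking source for N seconds,
unless the source is on the Excluded Hosts list.
Constructed example for illustration, not Symantec Endpoint Protection code."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

DEFAULT_BLOCK_SECONDS = 600  # the SEP default quoted in the thread (10 minutes)


@dataclass
class ActiveResponse:
    block_seconds: int = DEFAULT_BLOCK_SECONDS
    excluded_hosts: list = field(default_factory=list)   # ip_network objects
    blocked_until: dict = field(default_factory=dict)    # ip -> expiry time (s)

    def is_excluded(self, ip) -> bool:
        """Excluded hosts are never subject to active response."""
        return any(ip in net for net in self.excluded_hosts)

    def on_attack(self, ip, now: int) -> bool:
        """Called when an IPS signature fires for ip. Returns True if a block was set."""
        if self.is_excluded(ip):
            return False
        self.blocked_until[ip] = now + self.block_seconds
        return True

    def allows(self, ip, now: int) -> bool:
        """Would ordinary traffic from ip be passed at time now?"""
        until = self.blocked_until.get(ip)
        if until is None:
            return True
        if now >= until:
            del self.blocked_until[ip]   # block has expired
            return True
        return False


def parse_event(line: str):
    # Constructed format "<seconds> <ATTACK|CONN> <ip>"; not SEP's real log layout.
    t, kind, ip = line.split()
    return int(t), kind, ip_address(ip)


def simulate(lines, excluded=()):
    """Replay events through the model; returns (time, ip, decision) per event."""
    ar = ActiveResponse(excluded_hosts=[ip_network(n) for n in excluded])
    decisions = []
    for line in lines:
        t, kind, ip = parse_event(line)
        if kind == "ATTACK":
            decisions.append((t, str(ip), "blocked" if ar.on_attack(ip, t) else "excluded"))
        else:
            decisions.append((t, str(ip), "allowed" if ar.allows(ip, t) else "dropped"))
    return decisions


# Constructed timeline: an internal host (10.1.2.4) and an outside host (203.0.113.7)
# each trigger a signature; later lines are their ordinary connection attempts.
EVENTS = [
    "0 ATTACK 10.1.2.4",
    "30 CONN 10.1.2.4",
    "60 ATTACK 203.0.113.7",
    "120 CONN 203.0.113.7",
    "599 CONN 10.1.2.4",
    "600 CONN 10.1.2.4",
    "700 CONN 203.0.113.7",
]

if __name__ == "__main__":
    print("No exclusions (thread's default behaviour):")
    for row in simulate(EVENTS):
        print("  ", row)
    print("Internal range 10.1.0.0/16 on the Excluded Hosts list (post 15's advice):")
    for row in simulate(EVENTS, ["10.1.0.0/16"]):
        print("  ", row)
```

With no exclusions, 10.1.2.4 is dropped from second 0 up to but not including second 600, which is exactly the ten-minute outage the original poster saw on the remote server. With the internal range excluded, the same signature no longer blocks 10.1.2.4 (so a backup server on that range keeps its connection, as post 23 wants), while the outside address is still blocked. The trade-off post 6 warns about is visible too: an actually infected internal host in the excluded range is also never blocked, so the exclusion is a choice to lean on scanning and clean-up for inside hosts rather than on active response.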

  • 24.  RE: Not sure if this is related, but...

    Posted Mar 04, 2010 03:33 AM
     Hi Ashwini and welcome to the SEP team,

    Just wanted to let you know that you posted on a thread that has already been solved, so a lot of our users will ignore it. I want you to get the most help you can, so you should open a new thread for your subject and then provide a link back to this one if you feel that it is relevant.

    Thanks,
    Grant-