Old Legacy software blocked by the SEP 12.1 RU1 MP1

Created: 11 Nov 2012 | 21 comments

Hi,

Some of my users in the office complained to me again because of this SEP 12.1 deployment, the most common now when it is working is:

SID 20903:  FTP generic command overflow detected

How can I make sure that this attack is put into the white list, as this is happening between the internal server and the workstation in the office?

Thanks

John Santana's picture

see the above screen shot.

Kind regards,

John Santana
IT Professional

--------------------------------------------------

Please be nice to me as I'm newbie in this forum.

Dushan Gomez's picture

John,

Have you put the target server in question into the whitelisted servers?

Go to SEPM

Then go to the Clients tab, select the Group, then go to Policies, then at the default location click on Intrusion Prevention (edit).

Then go to Settings, click Excluded Hosts, and add the IP address there.

hope this helps. 

Dushan Gomez
IT Manager
VCP 4 and 5 | MCITP Exchange Server | MCTS SharePoint Server | MCP Windows XP

John Santana's picture

thanks Dushan for the reply.

Kind regards,

John Santana
IT Professional

--------------------------------------------------

Please be nice to me as I'm newbie in this forum.

John Santana's picture

Dushan,

It doesn't work as I have tried that yesterday.

Kind regards,

John Santana
IT Professional

--------------------------------------------------

Please be nice to me as I'm newbie in this forum.

Dushan Gomez's picture

John,

How come it doesn't work?

If that is still causing an issue, I suggest logging a call with Symantec Enterprise Tech Support. But don't forget to share the solution here :-)

Dushan Gomez
IT Manager
VCP 4 and 5 | MCITP Exchange Server | MCTS SharePoint Server | MCP Windows XP

John Santana's picture

Thanks Ashish for the reminder.

Kind regards,

John Santana
IT Professional

--------------------------------------------------

Please be nice to me as I'm newbie in this forum.

John Santana's picture

Ashish,

The whitelist trick doesn't work :-\ users still complain that their legacy application that uses FTP to transfer files into the UNIX server is still blocked by Symantec.

I guess the only way here is to roll back the Symantec AV deployment to 11.0.7 MP3.

Kind regards,

John Santana
IT Professional

--------------------------------------------------

Please be nice to me as I'm newbie in this forum.

.Brian's picture

Can you post the log or screenshot of what's going on?

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

John Santana's picture

Lately I'm getting busy with various calls regarding application malfunction (-_-)" this is mostly due to Symantec Endpoint Protection client v 12.1 RU1 MP1 rolled out to my Windows XP SP3 users...

Just now there was another call about another 3rd party application using Microsoft Outlook that has crashed; before, it was working fine. So I wonder where I can find the log or event in the AV client to see which component did the blocking?

Kind regards,

John Santana
IT Professional

--------------------------------------------------

Please be nice to me as I'm newbie in this forum.

Alex_CST's picture

Can you try with the RU2 when it comes out today?  RU2 has fixes regarding XPSP3

Please mark posts as solutions if they solve your problem!

http://www.cstl.com

John Santana's picture

Hi Alex,

I have upgraded the SEP client but somehow it doesn't work as expected.

Kind regards,

John Santana
IT Professional

--------------------------------------------------

Please be nice to me as I'm newbie in this forum.

.Brian's picture

If this is caused by the IPS, rolling back to RU7 won't matter. The IPS signatures are the same whether it's 11.x or 12.1. You need to either whitelist the IP or disable the signature.

If you can check the logs, this may give a better idea of what's happening.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

John Santana's picture

I'll try adding the binary file of the application to the whitelist.

I'll keep you guys posted.

Kind regards,

John Santana
IT Professional

--------------------------------------------------

Please be nice to me as I'm newbie in this forum.

John Santana's picture

So confused today (-_-)", the problem still exists, and the user still complains that the new Symantec Endpoint broke it :-/

I have already upgraded the client to RU2, but still no effect, the application is still not functioning as it should.

Kind regards,

John Santana
IT Professional

--------------------------------------------------

Please be nice to me as I'm newbie in this forum.

Ashish-Sharma's picture

Hi,

Best bet: you can raise a support ticket for the same.

How to create a new case in MySupport

http://www.symantec.com/business/support/index?page=content&id=TECH58873

Phone numbers to contact Tech Support:-

Regional Support Telephone Numbers:

  • United States: 800-342-0652 (407-357-7600 from outside the United States)
  • Australia: 1300 365510 (+61 2 8220 7111 from outside Australia)
  • United Kingdom: +44 (0) 870 606 6000

Additional contact numbers: http://www.symantec.com/business/support/contact_techsupp_static.jsp

Thanks In Advance

Ashish Sharma

John Santana's picture

Yes, that is the next step :-/  

Because I don't use that legacy application, it would be trickier to install on my Windows 7 64-bit laptop, because the user is on a Windows XP SP3 32-bit desktop.

Kind regards,

John Santana
IT Professional

--------------------------------------------------

Please be nice to me as I'm newbie in this forum.

Ashish-Sharma's picture

Hi John,

Always remember, if you don't receive any answer, please don't waste time and raise a support ticket.

Thanks In Advance

Ashish Sharma

John Santana's picture

Yes for sure, and I will also update this thread with the solution.

Kind regards,

John Santana
IT Professional

--------------------------------------------------

Please be nice to me as I'm newbie in this forum.

.Brian's picture

Did adding the IP address to the Excluded Hosts list not work??

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

John Santana's picture

Yes, unfortunately it doesn't work as the application is still not functioning properly. :-/

Kind regards,

John Santana
IT Professional

--------------------------------------------------

Please be nice to me as I'm newbie in this forum.