Endpoint Protection

  • 1.  Only client is blocked!

    Posted Apr 08, 2012 08:25 AM

    Hi

    In our network, there is a Windows SBS 2003 domain controller where all the client PCs are logging in, and one PC has been made the Symantec 12.1 Endpoint Protection server, providing antivirus updates to all the client PCs.

    The domain controller is unmanaged and the network is working quite well. But for weeks, only one PC in our network has been losing connectivity to the DC many times a day, and at that moment, when I check the DC, I get the message "symantec endpoint protection blocked port scan ...... ip 192.168.40.71". I confirmed the IP of the blocked PC.

    It will be blocked for 10 minutes; then, after restarting the same client, it will work.

    N.B.: I removed the tick from port scan detection on the DC and the problem is solved.

    Can anybody please help me solve this issue permanently without removing the tick?



  • 2.  RE: Only client is blocked!

    Posted Apr 08, 2012 09:45 AM

    It is possible that the PC being blocked is infected and so the SEP client on the DC is blocking it.

    Check the PC for infections.

    Get the latest defs.

    Reboot the machine in Safe Mode.

    Do a full scan.

    The following docs may help.

    Best practices for troubleshooting viruses on a network
    http://www.symantec.com/business/support/index?page=content&id=TECH122466

    Security Best Practice Recommendations
    http://service1.symantec.com/support/ent-security.nsf/docid/2009010808340848?Open&seg=ent

    Best practices for responding to active threats on a network
    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2010011510455048

    Security Response recommendations for Symantec Endpoint Protection settings
    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2010020308592948

    How to use the Load Point Analysis within the Symantec Support Tool to help locate suspicious files
    http://www.symantec.com/business/support/index?page=content&id=TECH141402



  • 3.  RE: Only client is blocked!

    Broadcom Employee
    Posted Apr 08, 2012 09:49 AM

    Check the machine which is trying to scan the port.



  • 4.  RE: Only client is blocked!

    Posted Apr 08, 2012 11:56 PM

    Have you installed NTP?

    Regards



  • 5.  RE: Only client is blocked!

    Posted Apr 09, 2012 01:55 AM

    Hi

    Yes, it's installed by default.



  • 6.  RE: Only client is blocked!

    Trusted Advisor
    Posted Apr 09, 2012 07:02 AM

    Hello,

    Please try this:

    Step 1) Check the Security Logs under Client Management for Denial of Service detections for the IP address to confirm the issue.

    To resolve the issue you will need to disable Denial of Service detection within your Intrusion Prevention policy, or you will need to add the IP address in "Excluded Hosts."

    To add the printer to "Excluded Hosts":

    1.  Open your Intrusion Prevention Policy.

    2.  Choose Settings on the left.

    3.  Check the box for Enable excluded hosts and then click the Excluded Hosts... button.

    4.  Add the IP address of your printer and choose Okay.

    OR

    Also, try the following:

    STEP 2) To create an exception in the Intrusion Prevention Policy to allow a specific ID:

    1. Open the Symantec Endpoint Protection Manager console.
    2. Select the 'Policies' tab.
    3. Under 'View Policies', select 'Intrusion Prevention'.
    4. Select the Intrusion Prevention policy, and under 'Tasks' select 'Edit the Policy'.
    5. Select the 'Exceptions' tab.
    6. Click on the 'Add...' button.
    7. Search for and select the blocked ID.
    8. Click on the 'Next>>' button.
    9. Change 'Action' from 'Block' to 'Allow'. Click on the 'OK' button.
    10. Check that the edited exception has been added to the 'Intrusion Prevention Exceptions' list.
    11. Click on the 'OK' button to save changes in the Intrusion Prevention policy.

    OR

    STEP 3) Disable DoS detection:

    1. Log in to the Symantec Endpoint Protection Manager (SEPM)
    2. Click Policies, then click Intrusion Prevention
    3. Edit the intrusion prevention policy that applies to the client in question
    4. Click Settings
    5. Remove the check-mark next to Enable denial of service detection

    Once the policy is applied to the client, the DoS detections (and associated Active Response, if configured) should no longer occur.

    Please note, this will completely disable DoS detection on the client. There is not currently a way to add an exclusion for DoS detection.

    OR

    STEP 4) Enabling Smart traffic filtering

    http://www.symantec.com/docs/HOWTO27095

    OR

    STEP 5) TRY uninstalling Network Threat Protection and Application and Device Control by:

    Going to Control Panel > Add/Remove Programs > highlight Symantec Endpoint Protection and click on Modify.

    Disable Network Threat Protection and Application and Device Control.

    I am sure the first step would help you. However, the other steps are just in case.

    Hope that might help you.
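    The log check in Step 1 above, as an added example that is not part of this thread or of Symantec's tooling: a small Python triage script over a constructed, simplified log export (the comma-separated layout, the event name and the 600-second block duration are assumptions for the example, not the real SEP export format) that counts port-scan detections per remote host, merges the 10-minute Active Response block windows, and lists hosts blocked repeatedly, which are the ones to check for infection before adding any exclusion.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in a simplified comma-separated layout (assumed for this example, not the
# real SEP export format): timestamp, event, remote IP, Active Response block duration.
SAMPLE_LOG = """\
2012-04-08 08:01:12,Port Scan,192.168.40.71,Blocked for 600 seconds
2012-04-08 08:03:40,Port Scan,192.168.40.71,Blocked for 600 seconds
2012-04-08 08:20:05,Port Scan,192.168.40.71,Blocked for 600 seconds
2012-04-08 09:15:30,Port Scan,192.168.40.23,Blocked for 600 seconds
2012-04-08 11:42:51,Port Scan,192.168.40.71,Blocked for 600 seconds
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),(?P<event>[^,]+),"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}),Blocked for (?P<secs>\d+) seconds$"
)

def parse_log(text):
    """Yield (timestamp, event, remote_ip, block_seconds); malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["event"], m["ip"], int(m["secs"])

def detections_by_host(text, event="Port Scan"):
    """Count detections of one event type per remote IP."""
    counts = defaultdict(int)
    for _, ev, ip, _ in parse_log(text):
        if ev == event:
            counts[ip] += 1
    return dict(counts)

def block_windows(text, ip, event="Port Scan"):
    """Merge overlapping blocks (log assumed chronological) into (start, end) windows."""
    windows = []
    for ts, ev, host, secs in parse_log(text):
        if ev != event or host != ip:
            continue
        end = ts + timedelta(seconds=secs)
        if windows and ts <= windows[-1][1]:      # fired while already blocked: extend
            windows[-1] = (windows[-1][0], max(windows[-1][1], end))
        else:
            windows.append((ts, end))
    return windows

def repeat_offenders(text, min_hits=3, event="Port Scan"):
    """Hosts blocked at least min_hits times: candidates to check for infection or misconfiguration."""
    return sorted(ip for ip, n in detections_by_host(text, event).items() if n >= min_hits)
```

    On the sample, 192.168.40.71 is blocked four times in three merged windows, which matches the "many times a day" pattern in the original question and is the host to scan first.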



  • 7.  RE: Only client is blocked!

    Posted Apr 10, 2012 07:39 AM

    Hi

    I will check it and update the status this evening.