
quicktime shut us down

Created: 14 Jan 2008 • Updated: 22 May 2010 | 5 comments

These entries are from the client management security log.

It made it difficult to get to the internet and find out what was happening. The new definitions seem to have been released over the weekend.





[SID: 22753] HTTP QuickTime RTSP Connection Status BO detected.
Traffic has been blocked from this application: C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

[SID: 22753] HTTP QuickTime RTSP Connection Status BO detected.
Traffic has been blocked from this application: C:\Program Files\Mozilla Firefox\firefox.exe

[SID: 22753] HTTP QuickTime RTSP Connection Status BO detected.
Traffic has been blocked from this application: C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE




Adrian Wilkinson
Hi,
 
Just to let you know that you're not alone, we're seeing the exact same problem.
  • AV/AS Definitions dated 13th January 2008, r18
  • Proactive Threat Protection dated 11th January 2008, r39
I'm not able to see the name of the process responsible in the security log, but it is blocking access to our main file server for ten minutes a few seconds after seeing the message. I've removed QuickTime and the QuickTime ActiveX IE control but the problem persists.
 
Regards, Ade.
knightstorm

I know we're not alone. They did the same thing with Norton 360. I had to turn off intrusion protection - the custom exception list does not work.

knightstorm

Symantec is releasing an updated IPS signature that will fix this. It still doesn't fix the issue with the IPS exception not working.

wingIT
I had the same problem. My clients thought my Proxy Server (ISA) was attacking them (the logs gave me all the info) and kept blocking for 10 mins. I realised that it wasn't the HTTP QuickTime RTSP Connection Status BO attack that the logs were claiming, as removing QuickTime made no odds, and after all this is Symantec we are dealing with, and they are famed for releasing updates and defs that cause unexpected havoc and error messages that aren't entirely truthful.
I solved it by putting my proxy server IP in the "Excluded Hosts" policy and updating client policy with that info.
All ok so far.
My trust in Symantec is getting lower every day.
BigNose
Hi,
 
I got the same problem (client connection to the ISA server was blocked after the new definition update in January).
I modified the Intrusion Prevention Policy as below and it has worked fine.
 
1. Check "Enable excluded hosts" and add the IP/host of the ISA server to the Excluded hosts list
2. Add [SID: 22753] to Intrusion Prevention Exceptions by selecting it in the list
 
Good luck,
BigNose