SEP 12 Traffic Log
Created: 08 Dec 2012 | 5 comments
I deleted a Trojan FakeAV file today. The logs now look fine, except the traffic log shows a repeated block. Here's one:
12/8/2012 3:29:35 PM Blocked 10 Incoming UDP FE80:0:0:0:E2B9:BAFF:FE35:E7D2 E0-B9-BA-35-E7-D2 5353 FF02:0:0:0:0:0:0:FB 33-33-00-00-00-FB 5353 XXXXX Home-PC Default 1 12/8/2012 3:28:34 PM 12/8/2012 3:28:34 PM Block_all
Does this indicate that I still have an infection issue?
Check the traffic and packet logs and see what traffic is generated during this period that SEP NTP is blocking.
Thanks In Advance
Ashish Sharma
SEPM Knowledgebase Documents
Check the firewall rule named "Block_all": it covers that traffic, hence it is being blocked. I do not think it is Trojan traffic.
Cheers!
Pete
Help Link: http://www.symantec.com/business/support/overview.jsp?pid=54619
Is there a remote IP address showing in the log?
SEP Knowledge Base
Endpoint SWAT
Thanks all. Will review Pete's link and the rule. Here's what the packet log is generating for the blocked activity, which continues just about every minute. From other posts relating to similar issues, it looks like this is innocuous, but after yesterday's attack/attempt to use the PC as a spam bot, I just want to be sure.
Ethernet II (Packet Length: 149)
Destination: 33-33-00-01-00-02
Source: 00-1d-60-72-ec-bc
Type: IP (0x86dd)
Internet Protocol
Version: 6
Header Length: 40 bytes
Traffic Class: 0
Flow Label: 0
Payload Length: 95
Next Header: 17
Hop Limit: 1
(UDP - User Datagram Protocol)
Source: FE80:0:0:0:CD08:18AB:3FE:8581
Destination: FF02:0:0:0:0:0:1:2
User Datagram Protocol
Source port: 546
Destination port: 547
Length: 8
Checksum: 0x7325 (Incorrect - Checksum should be 0x7325)
Data (95 Bytes)
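The two blocked flows in this thread (UDP 5353 to FF02::FB, and UDP 546 to 547 to FF02::1:2) are both link-local IPv6 multicast from a fe80:: source, which is the pattern of local service discovery (mDNS and DHCPv6 solicits) rather than of a bot contacting a remote host. The script below is an added example, not code from the thread or from Symantec; it parses a traffic-log line in the same field order as the one posted above (the field names are my assumption about that layout) and flags the entry as benign local discovery or as something to review, using the same check the commenters suggest: is a remote, non-local address involved?

```python
import ipaddress
import re

# Constructed sample: the traffic-log line quoted in the original post, same field order.
SAMPLE_LINE = (
    "12/8/2012 3:29:35 PM Blocked 10 Incoming UDP "
    "FE80:0:0:0:E2B9:BAFF:FE35:E7D2 E0-B9-BA-35-E7-D2 5353 "
    "FF02:0:0:0:0:0:0:FB 33-33-00-00-00-FB 5353 XXXXX Home-PC Default 1 "
    "12/8/2012 3:28:34 PM 12/8/2012 3:28:34 PM Block_all"
)

# Well-known link-local IPv6 multicast groups for local service discovery
# and the UDP port each one is expected on.
KNOWN_MULTICAST = {
    ipaddress.IPv6Address("ff02::fb"): ("mDNS", 5353),
    ipaddress.IPv6Address("ff02::1:2"): ("DHCPv6 relay agents/servers", 547),
    ipaddress.IPv6Address("ff02::1:3"): ("LLMNR", 5355),
}

TIMESTAMP = r"\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M"

# Assumed field layout (not documented in the thread): time, action, severity,
# direction, protocol, remote host/MAC/port, local host/MAC/port, application,
# computer, location, occurrences, begin time, end time, rule name.
LINE_RE = re.compile(
    rf"^(?P<time>{TIMESTAMP}) (?P<action>\S+) (?P<severity>\d+) (?P<direction>\S+) "
    rf"(?P<proto>\S+) (?P<remote_ip>\S+) (?P<remote_mac>\S+) (?P<remote_port>\d+) "
    rf"(?P<local_ip>\S+) (?P<local_mac>\S+) (?P<local_port>\d+) (?P<app>\S+) "
    rf"(?P<host>\S+) (?P<location>\S+) (?P<count>\d+) (?P<begin>{TIMESTAMP}) "
    rf"(?P<end>{TIMESTAMP}) (?P<rule>\S+)$"
)


def parse_traffic_line(line):
    """Split one traffic-log line into named fields; integers are converted."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError("line does not match the assumed SEP traffic-log layout")
    entry = m.groupdict()
    for key in ("severity", "remote_port", "local_port", "count"):
        entry[key] = int(entry[key])
    return entry


def is_local(addr):
    """True for addresses that never leave the local link or private network."""
    return addr.is_link_local or addr.is_private or addr.is_loopback


def classify(entry):
    """Return (verdict, reason) for a parsed entry: 'benign' or 'review'."""
    try:
        src = ipaddress.ip_address(entry["remote_ip"])
        dst = ipaddress.ip_address(entry["local_ip"])
    except ValueError:
        return ("review", "unparseable address field")

    # Link-local source talking to a known discovery group on its usual port.
    if dst.version == 6 and dst.is_multicast and dst in KNOWN_MULTICAST:
        name, port = KNOWN_MULTICAST[dst]
        if entry["local_port"] == port and src.version == 6 and src.is_link_local:
            return ("benign", f"link-local {name} to {dst}, dropped by rule {entry['rule']}")
        return ("review", f"{name} group {dst} but unexpected port {entry['local_port']}")

    # Any non-local endpoint is the case the commenters ask about ("remote IP in the log?").
    if not is_local(src) or (not dst.is_multicast and not is_local(dst)):
        return ("review", "involves a non-local address; check the application and rule")

    return ("review", "local traffic not matched by a known-benign pattern")


if __name__ == "__main__":
    e = parse_traffic_line(SAMPLE_LINE)
    print(e["direction"], e["proto"], e["remote_ip"], "->", e["local_ip"], e["local_port"])
    print(classify(e))
```

Running it on the posted line reports the entry as benign mDNS blocked by the Block_all rule. Lines involving any address that is not link-local or private come back as "review", which is where to spend attention after an infection cleanup; repeated link-local multicast every minute or so is simply each host on the segment announcing or soliciting.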
Check the destination, and block the traffic if it is not required.
Cheers!
Pete
Help Link: http://www.symantec.com/business/support/overview.jsp?pid=54619