Video Screencast Help

SEP 12 Traffic Log

Created: 08 Dec 2012 | 5 comments

I deleted a Trojan FakeAV file today.  The logs now look fine, except the traffic log shows a repeated block.  Here's one:

12/8/2012 3:29:35 PM Blocked 10 Incoming UDP FE80:0:0:0:E2B9:BAFF:FE35:E7D2 E0-B9-BA-35-E7-D2 5353 FF02:0:0:0:0:0:0:FB 33-33-00-00-00-FB 5353  XXXXX Home-PC Default 1 12/8/2012 3:28:34 PM 12/8/2012 3:28:34 PM Block_all 

Does this indicate that I still have an infection issue?

Comments 5 CommentsJump to latest comment

Ashish-Sharma's picture

Check the Traffic and packet logs, see what traffic is generated during this period that SEP NTP is blocking,

Thanks In Advance

Ashish Sharma

pete_4u2002's picture

check the firewall rule name "Block_all" it is that traffic hence it is being blocked. I do not think it is trojan traffic.

ᗺrian's picture

Is there a remote IP address showing in the log?

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

ssmith1974's picture

Thanks all.  Will review Pete's link and the rule.  Here's what the packet log is generating for the blocked activity, which continues just about every minute.  From other posts relating to similar issues, it looks like this is innocuous, but after yesterday's attack/attempt to use the PC as a spam bot, I just want to be sure.

Ethernet II (Packet Length: 149)
 Destination:  33-33-00-01-00-02
 Source:  00-1d-60-72-ec-bc
Type: IP (0x86dd)
Internet Protocol
 Version: 6
 HeTraffic Class: 0
 Flow Label: 0
 Payload Length: 95
 Next Header: 17
 Hop Limit: 1
 (UDP - User Datagram Protocol)
 Source: FE80:0:0:0:CD08:18AB:3FE:8581
 Destination: FF02:0:0:0:0:0:1:2
User Datagram Protocol
 Source port: 546
 Destination port: 547
 Length: 8
 Checksum: 0x7325 (Incorrect - Checksum should be 0x7325)
Data (95 Bytes)
ader Length: 40 bytes

pete_4u2002's picture

check the destination, block the traffic if it is not required.