Endpoint Protection

  • 1.  SEP blocking svchost.exe

    Posted Nov 29, 2015 11:05 AM

    Home system.  Unmanaged client. In a workgroup of 3 PCs (no Macs), with wireless connectivity through the router to smart phones (2) and Android tablets (2) and a Chromecast dongle.  Wired printer direct to the router.  Just recently, in the last two weeks, I started getting this now famous "Symantec has been blocked for the following application svchost.exe" warning every 3-4 minutes.  Only appears on one PC.  Searched around these forums - many problems similar to mine but not exactly alike.  Looked at IPv6 implementation - it's turned off.  The first line is a good sample of the logged entry...

    [Attached screenshots: SEP_Blocking_2015-11-29_10-22-54.jpg, SEP_Blocking_2015-11-29_10-21-54.jpg]

    So, what is it looking for?  I've attached screenshots of the traffic log, trying to figure out exactly what device this PC is looking for.  The address 239.255.255.250 responds to ping but it's outside my network.  Looks sketchy, but perhaps it's in the "multicast" range - is that the Chromecast dongle?  It's said you need to do detective work to find out what device (UPnP) the computer is looking for.  But my question is: what's exactly meant by "detective work"?

    If I can't figure this out, I'd be willing to "ignore" the alert.  How can I set SEP to ignore this alert so that I'm not constantly pestered by it?

    Thanks.

    Herbo




  • 2.  RE: SEP blocking svchost.exe

    Posted Nov 29, 2015 11:08 AM

    It is blocking remote port 1900, correct? Kinda hard to see in the screenshot. But if so, this is the rule to block UPnP. It is a default rule in the SEPM firewall policy or unmanaged client.

    Either you can turn off UPnP discovery (you should, it's vulnerable to attacks) or turn off alerts.

    How to disable UPnP:

    https://techjourney.net/enable-or-disable-network-discovery-upnp-in-windows/

    Now, is this an unmanaged or managed client?



  • 3.  RE: SEP blocking svchost.exe

    Posted Nov 29, 2015 11:48 AM

    Hello & thanks for the quick response.  Mighty decent of you!

    See: first line of OP - unmanaged client.  And yes, it is blocking local port 1900.  Shoulda made the screenshot larger, I know.

    Changed the Network Discovery setting to "off" on my private and public profiles.  Let's give it a good half hour under those circs.


    Herbo


    Update at 11:47 EST.  Rats!  Still coming up...




  • 4.  RE: SEP blocking svchost.exe

    Posted Nov 29, 2015 11:56 AM

    Is it coming from a remote host instead of your local?

    Either way, it's UPnP causing the problem if on port 1900.

    With the unmanaged client there is no ability to disable logging on certain rules (unlike a managed client).

    You're limited to:

    • ignoring it
    • creating a rule to allow it
    • disable UPnP
    • disabling alerts. Not ideal since you would then have to monitor the Security log pretty regularly.


  • 5.  RE: SEP blocking svchost.exe

    Posted Nov 29, 2015 01:20 PM

    These transmissions are all "Outbound" according to the log. 

    Do you need a larger size log screenshot so you can read this thing?

    Let's see...

    • ignoring it

    OK, I'm already doing that but at the "cost" of an imperial annoyance...

    • creating a rule to allow it

    This is too global; that is, if a bad guy gets through and starts using that port and protocol, I'm wide open to attack.  Rules need to be created under an admin account, right?

    • disable UPnP

    Been there, done that, doesn't work.  See above.  Or is there a deeper disabling setting I'm not aware of?

    • disabling alerts. Not ideal since you would then have to monitor the Security log pretty regularly.

    Again, probably too global and way too much inconvenience.

    Idea:  Take one PC and make it a "Manager". Let it "manage" the others.  Some work for not much gain.

    Am I on target with this "analysis"?  Maybe I should just ignore it.  I do wonder why all of a sudden this comes to be?  Any ideas?

    Thanks,

    Hoibo



  • 6.  RE: SEP blocking svchost.exe

    Posted Nov 29, 2015 01:27 PM

    Yea, you got it, disabling is the way to go because UPnP is not really necessary. Here's the MS official doc on disabling:

    http://windows.microsoft.com/en-us/windows/enable-disable-network-discovery#1TC=windows-7

    As for why disabling doesn't work for you, I don't know. It's straightforward per the article. I've done this before as well (had SEP alerts and knew UPnP was a vulnerable service, so I wanted to disable it).

    What is your exact SEP client version? Maybe you're running an old version with a known bug for this but I'd have to look.



  • 7.  RE: SEP blocking svchost.exe

    Posted Nov 29, 2015 07:33 PM

    Ver 12.1.5 (RU5)

    Need to update this?  I'll have to look to see what the latest is on SEP.

    Herbo



  • 8.  RE: SEP blocking svchost.exe

    Posted Nov 29, 2015 08:07 PM

    Latest is 12.1.6 MP3, so you're roughly four versions behind, although I don't remember any specific bug fixes related to UPnP.

    Release notes for all 12.1 versions are here:

    http://www.symantec.com/docs/TECH163829

    ...if you want to take a peek.



  • 9.  RE: SEP blocking svchost.exe

    Posted Nov 30, 2015 06:19 AM

    Hello Herbo,

    Please check the following MS article, which explains that. I hope this explains the reason for the generation of the concerned traffic.

    Traffic Is Sent After You Turn Off the SSDP Discover Service and Universal Plug and Play Device Host

    You may either follow the resolution provided in the article or just stop and disable the SSDP Discovery service and the Windows Messenger service (hopefully you don't use it).
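    The "stop and disable the SSDP Discovery service" step from the reply above, as an added example that is not part of this thread. It assumes the standard Windows service names SSDPSRV (SSDP Discovery) and upnphost (UPnP Device Host), an elevated PowerShell prompt, and the Windows 7-era cmdlets the original poster's client would have; it records the before/after state so the change can be reverted.

```powershell
# Added example (not from the thread). Stops and disables the two services that
# make svchost.exe send SSDP discovery traffic to 239.255.255.250:1900, which is
# the outbound traffic SEP's default UPnP rule blocks and logs every few minutes.
# Run from an elevated PowerShell prompt. Uses WMI so it works on Windows 7 / PS 2.0.

# upnphost depends on SSDPSRV, so it is listed (and stopped) first.
$services = 'upnphost', 'SSDPSRV'

function Show-ServiceState {
    param([string[]]$Names)
    foreach ($name in $Names) {
        $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
        if ($null -eq $svc) { Write-Output "$name : not present"; continue }
        Write-Output ("{0,-10} state={1,-8} startmode={2}" -f $name, $svc.State, $svc.StartMode)
    }
}

Write-Output "Before:"
Show-ServiceState -Names $services

foreach ($name in $services) {
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
    if ($null -eq $svc) { continue }
    if ($svc.State -eq 'Running') {
        # -Force also stops any dependent service still running.
        Stop-Service -Name $name -Force -ErrorAction SilentlyContinue
    }
    # Disabled (not Manual): Network Discovery and UPnP-aware apps can otherwise
    # start SSDPSRV on demand, which is why the traffic came back in the thread.
    Set-Service -Name $name -StartupType Disabled
}

Write-Output "After:"
Show-ServiceState -Names $services

# Verify nothing is still bound to UDP 1900 (the SSDP port). Empty output is the goal.
Write-Output "UDP 1900 endpoints still open:"
netstat -ano -p UDP | Select-String ':1900'
```

    To revert, run `Set-Service -Name SSDPSRV -StartupType Manual` (and the same for upnphost); the SEP traffic log should show no further blocked svchost.exe entries to 239.255.255.250:1900 once the services are stopped.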



  • 10.  RE: SEP blocking svchost.exe

    Posted Dec 02, 2015 06:38 AM

    Any updates on this issue? Were you able to stop the generation of this traffic?