Endpoint Protection


SID: 20386 MS MSRPCSS Attack detected Deloder work detected

  • 1.  SID: 20386 MS MSRPCSS Attack detected Deloder work detected

    Posted May 04, 2009 09:07 PM
    Hello,

    Server and clients running SEP 11 MR4 1a
    XP clients are SP3 and I've run the latest Windows update on them.

    Two of my XP clients (the only 2 XP machines I have SEP installed on for testing) are unable to copy certain files to any of my other systems (most of which are not running SEP). Generally this is only with large files over about 800MB or so, but occasionally some larger ones get through OK. If I log on to the remote system I can pull from the two problematic XP clients no problem. Small files seem to always copy fine.

    I had a look on the forum and noticed that some suggested the problem is caused by missing OS patches, but that is not possible in my case. This problem only started happening about 2 days ago.

    I've read that it is possible to make these errors exceptions in the IPS policy, but that is not much of a solution and I'd prefer not to have to do that. Has anyone else experienced this problem and found a valid workaround or fix?

    Thanks.
    Nick.


  • 2.  RE: SID: 20386 MS MSRPCSS Attack detected Deloder work detected

    Posted May 04, 2009 10:04 PM
    Also I have run a complete scan with latest definitions on both XP machines and both are clean. I could not find the inst.exe file or anything like that on the computer. It looks to be a false positive but I don't really want to take the risk.


  • 3.  RE: SID: 20386 MS MSRPCSS Attack detected Deloder work detected

    Posted May 04, 2009 10:24 PM
    So that problem is when you copy files? Can you post some system or application log errors when you encounter this problem?


  • 4.  RE: SID: 20386 MS MSRPCSS Attack detected Deloder work detected

    Posted May 04, 2009 10:53 PM
    Hi Paul,

    There is nothing in either the system or application logs. I've done some further testing, and it is not a size problem. It seems to be certain files. e.g. I can copy a large virtual machine disk file (2.6GB) no problem, but not a much smaller Ghost 2003 image file. I can copy some large ISO files, but not other smaller files with various extensions. There is nothing on the threat logs on any of my clients. If I run a report on attacks in SEPM, I get all the IP addresses of the clients I've had the problem on. Again if I do a full scan, it turns up nothing at all. I've checked the doco on the Deloder worm, and none of the files mentioned (e.g. inst.exe) are on my system so I'm fairly sure it's a false positive.

    When I go to copy, I get the popup in the system tray alerting me to the Deloder infection or the SID: 20386 MS MSRPCSS Attack detected message. I then cannot connect to that network location until I either disable/re-enable SEP or delete and remap the network drive.

    I have now tried copying the same files from a Win2K machine with SEP installed, and have the same problem with those certain files. I'd list the extensions but it's about half of all files I've tried, some just standard EXE files.

    It looks as though the more recent IPS signatures have screwed me. All win2k machines and the XP machines have been fully patched as of today.

    I'm really at a loss with this one. I was all ready to deploy SEP to the majority of my clients when this happened all of a sudden.

    Thanks,
    Nick.





  • 5.  RE: SID: 20386 MS MSRPCSS Attack detected Deloder work detected

    Posted May 04, 2009 11:02 PM


  • 6.  RE: SID: 20386 MS MSRPCSS Attack detected Deloder work detected

    Posted May 04, 2009 11:09 PM
    Hi Paul,

    Yes I have, as I said everything is completely patched so I'm not sure what else I can do on that front if the vulnerability is with the OS.

    When I look at the logs on the SEPM server:

    [SID: 20386] MS RPCSS Attack (2) detected. Traffic has been blocked from this application: C:\WINDOWS\system32 toskrnl.exe
    [SID: 21487] MSRPC Multiple Context IDS detected. Traffic has been allowed from this application: C:\WINDOWS\system32 toskrnl.exe
    [SID: 20088] Deloder Worm Infection detected. Traffic has been blocked from this application: C:\WINDOWS\system32 toskrnl.exe
    [SID: 20088] Deloder Worm Infection detected. Traffic has been blocked from this application: C:\WINDOWS\system32 toskrnl.exe


    These started yesterday afternoon and are being generated by XP and Win2K clients.

    Thanks,
    Nick.
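    The Network Threat Protection lines quoted above have a fixed layout (SID, signature name, action, reporting application), so they can be parsed and summarised rather than read one by one. The script below is an added example, not code from the thread or from Symantec: it assumes the line format exactly as pasted, counts events per SID and action, and flags any reporting image that is not on a small allowlist (here an assumption of "ntoskrnl.exe" and "System"), which is the same check Paul made by eye when he noticed "toskrnl.exe". The fifth sample line is constructed with a well-formed path to show an entry that passes the check.

```python
import re
from collections import Counter

# Constructed sample: the four lines pasted in the post, plus one constructed
# line with an intact path so that one entry is NOT flagged.
SAMPLE_LOG = r"""
[SID: 20386] MS RPCSS Attack (2) detected. Traffic has been blocked from this application: C:\WINDOWS\system32 toskrnl.exe
[SID: 21487] MSRPC Multiple Context IDS detected. Traffic has been allowed from this application: C:\WINDOWS\system32 toskrnl.exe
[SID: 20088] Deloder Worm Infection detected. Traffic has been blocked from this application: C:\WINDOWS\system32 toskrnl.exe
[SID: 20088] Deloder Worm Infection detected. Traffic has been blocked from this application: C:\WINDOWS\system32 toskrnl.exe
[SID: 20088] Deloder Worm Infection detected. Traffic has been blocked from this application: C:\WINDOWS\system32\ntoskrnl.exe
"""

# Layout of one SEPM Network Threat Protection line, as assumed from the post.
LINE_RE = re.compile(
    r"\[SID: (?P<sid>\d+)\] (?P<sig>.+?) detected\. "
    r"Traffic has been (?P<action>blocked|allowed) from this application: (?P<app>.+?)\s*$"
)

# Assumption: images the SEP firewall is expected to attribute inbound SMB
# traffic to on these hosts. Anything else is reported for manual verification.
EXPECTED_IMAGES = {"ntoskrnl.exe", "system"}


def parse_line(line):
    """Return a dict with sid, sig, action, app and image, or None if the line
    does not match the expected layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sid"] = int(rec["sid"])
    # The pasted lines lost the backslash in front of "ntoskrnl.exe", so split
    # on backslashes AND whitespace and keep the last token as the image name.
    rec["image"] = re.split(r"[\\\s]+", rec["app"])[-1].lower()
    return rec


def triage(lines):
    """Aggregate parsed lines per (SID, signature, action) and list any
    reporting image that is not on the expected list."""
    records = [r for r in (parse_line(l) for l in lines) if r]
    by_sid = Counter((r["sid"], r["sig"], r["action"]) for r in records)
    unexpected = sorted({r["image"] for r in records
                         if r["image"] not in EXPECTED_IMAGES})
    return {"parsed": len(records),
            "by_sid": dict(by_sid),
            "unexpected_images": unexpected}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG.strip().splitlines())
    for (sid, sig, action), n in sorted(result["by_sid"].items()):
        print(f"SID {sid:<6} {action:<8} x{n}  {sig}")
    print("images to verify on disk:", result["unexpected_images"])
```

The aggregation is what you would run over a day of exported SEPM log before deciding whether a handful of SIDs on a handful of source hosts is a signature problem or a spreading infection; the image check only tells you which binary to go and verify, as Nick did in post 12.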







  • 7.  RE: SID: 20386 MS MSRPCSS Attack detected Deloder work detected



  • 8.  RE: SID: 20386 MS MSRPCSS Attack detected Deloder work detected

    Posted May 04, 2009 11:34 PM
    Hi Paul,

    Yes I spent about 4 hours researching the problem before posting here. Quite a few people have had the problem, but I have not seen any solutions other than creating exceptions in the IPS policy. Is it possible the server IPS are corrupt?

    Nick.


  • 9.  RE: SID: 20386 MS MSRPCSS Attack detected Deloder work detected

    Posted May 04, 2009 11:36 PM
    It could also be a possibility, but from your post.

    [SID: 20386] MS RPCSS Attack (2) detected. Traffic has been blocked from this application: C:\WINDOWS\system32 toskrnl.exe <-- is this really toskrnl.exe??


  • 10.  RE: SID: 20386 MS MSRPCSS Attack detected Deloder work detected

    Posted May 04, 2009 11:47 PM
    I'm not sure I follow you? What do you mean by "is this really toskrnl.exe"  ??

    Thanks.
    Nick.


  • 11.  RE: SID: 20386 MS MSRPCSS Attack detected Deloder work detected

    Posted May 04, 2009 11:58 PM
    Hi naslanidis, I was referring to the file "toskrnl.exe", not sure if this is a system file. I believe Windows is using ntoskrnl.exe.


  • 12.  RE: SID: 20386 MS MSRPCSS Attack detected Deloder work detected

    Posted May 05, 2009 12:13 AM
    Hi Paul,

    Yes you are correct. I just pasted what was in the log. The file is called ntoskrnl.exe in system32. It's interesting but it doesn't really help matters :)




  • 13.  RE: SID: 20386 MS MSRPCSS Attack detected Deloder work detected

    Posted May 05, 2009 12:17 AM
    Now if I add the SID numbers in the exceptions in the IPS policy I just get new SID numbers appear when I try and copy those same files. I really don't understand this.




  • 14.  RE: SID: 20386 MS MSRPCSS Attack detected Deloder work detected

    Posted May 05, 2009 11:29 PM
    Is anyone else able to assist with this? I have opened a case with Symantec Support but they have not been helpful. I do not want to assume it is a false positive if it is not, but all scans with SEP turn up nothing. I have used various process explorers and Wireshark and while there is traffic on port 445 during file transfers, this appears to be legitimate SMB traffic. There is no flooding on port 445 or connections to external hosts or anything like that.

    Any further assistance would be appreciated.

    Thanks,
    Nick.


  • 15.  RE: SID: 20386 MS MSRPCSS Attack detected Deloder work detected

    Posted May 05, 2009 11:42 PM
    Hi, are there any IP addresses in the log as the source of the attack?


  • 16.  RE: SID: 20386 MS MSRPCSS Attack detected Deloder work detected

    Posted May 05, 2009 11:55 PM
    Hi, the source IP is always the system I am trying to copy files from. If I do a report on risks found on SEPM, nothing comes up. The only log the entries appear on is the Network Threat Protection log on SEPM. As I've said previously, many files copy fine. It seems to only be some files that trigger this.

    Obviously Symantec support urged me to treat it as a real threat and remove it, so I had to point out if it is a legitimate threat SEP is not capable of cleaning it. It does not appear on any scanning I've done. If I check for the files and registry entry in the removal instructions they sent me the files/registry values aren't there. I'm doing a scan with AVG at the moment to see if it picks anything up. The traffic analysis has not been useful at all. The support person asked me to look for destination port 445, but that is a legitimate SMB port so it is hard to separate legitimate from threatening traffic.

    Thanks,
    Nick.
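    Posts 14 and 16 describe the problem with "look for port 445": a file copy and a worm that spreads over SMB both use it, so the port alone separates nothing. What does separate them is the shape of the traffic per source host: a copy is a few long connections to a few peers carrying a lot of bytes, while a worm fans out to many peers, mostly fails to connect, and often reaches outside the site. The script below is an added example, not from the thread or from Symantec, that applies those three checks to per-flow summaries of the kind Wireshark's Conversations view or a netstat snapshot gives. The flow records, the local address range (assumed 10.0.0.0/8) and the thresholds are all constructed assumptions; 10.0.0.21 models Nick's benign copy and 10.0.0.33 models a scanning host for contrast.

```python
import ipaddress
from collections import defaultdict

# Assumption: the site's own address space; any peer outside it is "external".
LOCAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
SMB_PORTS = (445, 139)


def build_sample_flows():
    """Constructed flow summaries: (src, dst, dst_port, bytes, completed).
    10.0.0.21 copies two large files to two servers (the benign case from the
    thread). 10.0.0.33 is a constructed worm-like host: it touches 40 peers
    plus one external address and completes none of its connections."""
    flows = [
        ("10.0.0.21", "10.0.0.5", 445, 900_000_000, True),
        ("10.0.0.21", "10.0.0.7", 445, 120_000_000, True),
        ("10.0.0.21", "10.0.0.5", 139, 4_000, True),
        ("10.0.0.21", "10.0.0.5", 80, 12_000, True),   # not SMB, ignored
    ]
    flows += [("10.0.0.33", f"10.0.0.{i}", 445, 0, False) for i in range(50, 90)]
    flows.append(("10.0.0.33", "203.0.113.9", 445, 0, False))
    return flows


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in LOCAL_NETS)


def summarize_smb(flows):
    """Per source host: number of SMB flows, distinct peers, external peers,
    failed handshakes and bytes moved. Non-SMB ports are skipped."""
    stats = defaultdict(lambda: {"flows": 0, "peers": set(), "external": set(),
                                 "failed": 0, "bytes": 0})
    for src, dst, port, nbytes, completed in flows:
        if port not in SMB_PORTS:
            continue
        s = stats[src]
        s["flows"] += 1
        s["peers"].add(dst)
        s["bytes"] += nbytes
        if not completed:
            s["failed"] += 1
        if is_external(dst):
            s["external"].add(dst)
    return stats


def classify(s, fanout=20, fail_ratio=0.5):
    """Return (label, reasons). Thresholds are illustrative assumptions, not
    anything Symantec's IPS uses."""
    reasons = []
    if len(s["peers"]) >= fanout:
        reasons.append("high-fanout")
    if s["flows"] and s["failed"] / s["flows"] >= fail_ratio:
        reasons.append("mostly-failed")
    if s["external"]:
        reasons.append("external-peers")
    return ("scan-like" if reasons else "transfer-like"), reasons


def triage(flows):
    return {src: classify(s) for src, s in summarize_smb(flows).items()}


if __name__ == "__main__":
    for src, (label, reasons) in triage(build_sample_flows()).items():
        print(f"{src}: {label} {reasons}")
```

In the benign case the source host shows two peers, zero failures and hundreds of megabytes, which is exactly what Nick reported seeing in Wireshark; a Deloder-style infection would light up all three reasons at once. Feeding real data means exporting the conversation table and mapping its columns onto the five-tuple the functions expect.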