Endpoint Protection

  • 1.  [SID: 20386] OS Attack: MS RPCSS Attack CVE-2004-0116 2 attack blocked.

    Posted Aug 01, 2012 06:19 PM

    I have a user that is in a remote office and has a public IP. Symantec keeps popping up the message below every 5 to 10 minutes. He is using Windows 7, and all MS updates are current. I find the log in the Client Management log.

    8 8/1/2012 11:13:09 AM Intrusion Prevention Critical Incoming TCP 75.109.151.136 45595 N/A 75.109.188.XX 135 N/A \DEVICE\HARDDISKVOLUME3\WINDOWS\SYSTEM32\SVCHOST.EXE 20386 72052 OS Attack: MS RPCSS Attack CVE-2004-0116 2   USER-ID user-PC Default 1 8/1/2012 11:12:58 AM 8/1/2012 11:12:58 AM [SID: 20386] OS Attack: MS RPCSS Attack CVE-2004-0116 2 attack blocked. Traffic has been blocked for this application: \DEVICE\HARDDISKVOLUME3\WINDOWS\SYSTEM32\SVCHOST.EXE

     

    Any help in resolving this would be appreciated.

     



  • 2.  RE: [SID: 20386] OS Attack: MS RPCSS Attack CVE-2004-0116 2 attack blocked.

    Posted Aug 01, 2012 06:44 PM

    Have you run a scan with the latest definitions?

     

    Run the support tool and run Power Eraser. If it does not find anything and you ran a scan with the latest definitions, then run the support tool and provide it to support. Provide a full data grab.

     

    Download the support tool and run the Symantec PowerEraser.

    http://www.symantec.com/business/support/index?page=content&id=TECH105414

     

    OS Attack: MS RPCSS Attack CVE-2004-0116 2

    http://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=20386



  • 3.  RE: [SID: 20386] OS Attack: MS RPCSS Attack CVE-2004-0116 2 attack blocked.
    Best Answer

    Posted Aug 01, 2012 07:28 PM

    Looks like a worm trying to infect your system by exploiting an old vulnerability. Windows 7 is not affected by the vulnerability as it is pretty old.

    The IPS is doing its job by blocking the attempt. You said you are patched so you should be fine.