
[SID: 20386] OS Attack: MS RPCSS Attack CVE-2004-0116 2 attack blocked.

Created: 01 Aug 2012 • Updated: 09 Feb 2013 | 2 comments
This issue has been solved. See solution.

I have a user who is in a remote office and has a public IP. Symantec keeps popping up the message below every 5 to 10 minutes. He is using Windows 7, and all MS updates are current. I found the log in the Client Management log.

8 8/1/2012 11:13:09 AM Intrusion Prevention Critical Incoming TCP 45595 N/A 75.109.188.XX 135 N/A \DEVICE\HARDDISKVOLUME3\WINDOWS\SYSTEM32\SVCHOST.EXE 20386 72052 OS Attack: MS RPCSS Attack CVE-2004-0116 2   USER-ID user-PC Default 1 8/1/2012 11:12:58 AM 8/1/2012 11:12:58 AM [SID: 20386] OS Attack: MS RPCSS Attack CVE-2004-0116 2 attack blocked. Traffic has been blocked for this application: \DEVICE\HARDDISKVOLUME3\WINDOWS\SYSTEM32\SVCHOST.EXE

Any help in resolving this would be appreciated.


kimberlyw

Have you run a scan with the latest definitions?

Run the support tool and run Power Eraser. If it does not find anything and you ran a scan with the latest definitions, then run the support tool and provide it to support. Provide a full data grab.

Download the support tool and run the Symantec Power Eraser.

  OS Attack: MS RPCSS Attack CVE-2004-0116 2

Brɨan

Looks like a worm trying to infect your system by exploiting an old vulnerability. Windows 7 is not affected by the vulnerability as it is pretty old.

The IPS is doing its job by blocking the attempt. You said you are patched so you should be fine.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.
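
A triage sketch for the situation in this thread, added here as an example and not part of any post or of Symantec's tooling: it groups IPS entries by signature, direction and port, then reports how often they recur and whether every one was blocked. The field order is inferred from the single log line in the question, and the sample entries are constructed.

```python
import re
from datetime import datetime
from statistics import median

# Assumption: field order inferred from the one flattened line in the question,
# not from a documented export format. "addr" is whichever address the entry carries.
ENTRY = re.compile(
    r"(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) Intrusion Prevention "
    r"(?P<severity>\w+) (?P<direction>Incoming|Outgoing) (?P<proto>\w+) "
    r"(?P<port_a>\d+) \S+ (?P<addr>\S+) (?P<port_b>\d+) .*?"
    r"\[SID: (?P<sid>\d+)\] (?P<rest>.*)")

def parse(line):
    """Return a dict for an IPS entry, or None for any other line."""
    m = ENTRY.search(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%m/%d/%Y %I:%M:%S %p")
    e["blocked"] = "attack blocked" in e.pop("rest")
    return e

def summarise(lines):
    """Group entries by (SID, direction, protocol, port) and describe each group."""
    groups = {}
    for e in filter(None, map(parse, lines)):
        key = (e["sid"], e["direction"], e["proto"], e["port_b"])
        groups.setdefault(key, []).append(e)
    report = []
    for (sid, direction, proto, port), evs in groups.items():
        times = sorted(e["ts"] for e in evs)
        gaps = [(b - a).total_seconds() / 60 for a, b in zip(times, times[1:])]
        report.append({
            "sid": sid, "direction": direction, "proto": proto, "port": port,
            "events": len(evs),
            "all_blocked": all(e["blocked"] for e in evs),
            "addresses": sorted({e["addr"] for e in evs}),
            "median_gap_min": round(median(gaps), 1) if gaps else None})
    return report

# Constructed sample entries modelled on the line in the question (not real log data).
_T = ("8 8/1/2012 {t} AM Intrusion Prevention Critical Incoming TCP {p} N/A {ip} 135 N/A "
      r"\DEVICE\HARDDISKVOLUME3\WINDOWS\SYSTEM32\SVCHOST.EXE 20386 72052 "
      "OS Attack: MS RPCSS Attack CVE-2004-0116 2 USER-ID user-PC Default 1 "
      "[SID: 20386] OS Attack: MS RPCSS Attack CVE-2004-0116 2 attack blocked.")
SAMPLE = [_T.format(t="11:13:09", p=45595, ip="203.0.113.7"),
          _T.format(t="11:20:09", p=45611, ip="203.0.113.7"),
          _T.format(t="11:29:09", p=51002, ip="198.51.100.23"),
          "8/1/2012 11:30:00 AM (constructed non-IPS line, skipped by the parser)"]

if __name__ == "__main__":
    for row in summarise(SAMPLE):
        print(row)
```

A group that is entirely Incoming, entirely blocked and spread across several addresses is consistent with the background scanning described in the reply above; an entry that is Outgoing or not blocked is the one to escalate.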