
[SID: 20386] OS Attack: MS RPCSS Attack CVE-2004-0116 2 attack blocked.

Created: 01 Aug 2012 • Updated: 09 Feb 2013 | 2 comments
This issue has been solved. See solution.

I have a user that is in a remote office and has a public IP. Symantec keeps popping up the message below every 5 to 10 minutes. He is using Windows 7; all MS updates are current. I find the log in the Client Management log.

8 8/1/2012 11:13:09 AM Intrusion Prevention Critical Incoming TCP 75.109.151.136 45595 N/A 75.109.188.XX 135 N/A \DEVICE\HARDDISKVOLUME3\WINDOWS\SYSTEM32\SVCHOST.EXE 20386 72052 OS Attack: MS RPCSS Attack CVE-2004-0116 2   USER-ID user-PC Default 1 8/1/2012 11:12:58 AM 8/1/2012 11:12:58 AM [SID: 20386] OS Attack: MS RPCSS Attack CVE-2004-0116 2 attack blocked. Traffic has been blocked for this application: \DEVICE\HARDDISKVOLUME3\WINDOWS\SYSTEM32\SVCHOST.EXE

Any help in resolving this would be appreciated.


kimberlyw

Have you run a scan with the latest definitions?

Run the support tool and run Power Eraser. If it does not find anything and you ran a scan with the latest definitions, then run the support tool and provide it to support. Provide a full data grab.

Download the support tool and run the Symantec Power Eraser.

http://www.symantec.com/business/support/index?page=content&id=TECH105414

 
OS Attack: MS RPCSS Attack CVE-2004-0116 2

http://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=20386

.Brian

Looks like a worm trying to infect your system by exploiting an old vulnerability. Windows 7 is not affected by the vulnerability as it is pretty old.

The IPS is doing its job by blocking the attempt. You said you are patched so you should be fine.

SOLUTION