[SID: 20628] MSRPC Mutiple Headers detected?
Updated: 21 May 2010 | 13 comments
This issue has been solved. See solution.
There is very little information on this issue, but since yesterday's update we've seen a lot of alerts regarding this from one location. Nothing else seems out of the ordinary on the PC's we've taken a peek at. Just wondering if anyone else has seen this, or knows a bit more detail about the underlying issue. Symantec's article on this is very thin.
Comments
Since Vista does not
Since Vista does not properly pass the application name for ntoskrnl.exe to the NTP firewall, the firewall may not correctly be detecting it. The same may also be true for XP SP3.
To fix this, you may follow the steps below.
If a forum post solves your problem, please flag it as a solution. If you like an article, blog post or download vote it up.
Thanks for the information.
Thanks for the information. We only have a couple of Vista clients, but we do have a fair number (probably 40% or more) that are XP SP3. I've just changed this policy in our test group, and will roll it out to the rest if it pans out.
"Hurricane" Andrew
Milford, Delaware
We are seeing the same (false-positive) problem with the update
We have seen one Vista computer have hundreds of false positives this morning associated with this update from yesterday. The specific event description is:
[SID: 20628] MSRPC Mutiple Headers detected. Traffic has been allowed from this application: C:\WINDOWS\system32\ntoskrnl.exe
The remote host is Windows Server 2003 R2 x64, which is the print server for us. Our other Vista (~10) computers don't have this problem and neither do our Windows XP SP3 (~300) computers. I would rather not create a firewall exception for the MSRPC Multiple Headers threat (http://www.symantec.com/business/security_response...), which would leave our clients vulnerable to this type of attack. I would like to see Symantec fix the problem with their recent update.
This is a known IPS false
This is a known IPS false positive.
Follow the above workaround; this will be fixed later on.
no known false positives associated with this signature?
I have a workstation with XP SP2 that is getting this error. I also get the error above on multiple workstations, but sometimes it says svchost.exe instead of ntoskrnl.exe:
[SID: 20628] MSRPC Mutiple Headers detected. Traffic has been allowed from this application: C:\WINDOWS\system32\svchost.exe
I agree with Scott. Is allowing this a good idea? I know you say "Follow the above workaround this will fix later on", but when? If you are going to fix it soon, I would rather live with the alert than be more vulnerable. As Scott pointed out, Symantec's info on this IPS event looks pretty serious (my favorite is the last line, but I will give Symantec a break since it seemed to just come out):
MSRPC Mutiple Headers
This attack could pose a moderate security threat. It does not require immediate action.
This signature detects multiple RPC headers in one single TCP packet. Popular attack tools have been known to use this pattern to evade IPS engines.
There are no known false positives associated with this signature. (giggle)
"Trust, but verify."
Solution?
I don't think this should be credited as a solution just yet. Maybe a workaround, but no solution was given.
"Trust, but verify."
Hi
You can contact Symantec Tech support. So that they can collect the needed data & resolve this issue as soon as possible.
Workaround - Roll Back Faulty IPS Definitions
The problem lies with IPS definitions dated 2009-10-20 rev.001. My simple workaround was to roll back to the previous IPS definitions by following the instructions I found at http://service1.symantec.com/support/ent-security.... (note: these instructions don't match the MR5 SEPM interface, but were close enough for me to follow). I also needed to manually run LiveUpdate on SEPM for the clients to get the rolled-back IPS definitions.
I agree with Senrats that the firewall exception suggestion by Happytohelp is only a temporary workaround and not a solution. Also, I don't have the time to help Symantec troubleshoot their own faulty definitions, and they should do better testing before releasing definitions.
>[SID: 20628] MSRPC Mutiple
>[SID: 20628] MSRPC Mutiple Headers detected. Traffic...
"Mutiple"??? Where has the "L" gone? :))) Maybe it will come as well in the next IPS release?
--Luca
HA!
I didn't even catch that!
"Trust, but verify."
I am still seeing this
I am still seeing this problem with some of my clients. Have the FIXED IPS DEFINITIONS been released or not? Any clarity on this?
@Amrut: Yes, should be
@Amrut:
Yes, should be solved now with:
Security Update 221 - for Symantec Client Security
Security Update 121 - for Symantec Endpoint Security
See: http://www.symantec.com/business/security_response...
for updates.
--cheers
Luca
--Luca
New IPS Definitions Fixed One Problem, but Introduces Another
The IPS definitions dated 2009-10-26 rev.018 resolve the false positive for [SID: 20628] MSRPC Mutiple Headers detected, but now have false positives for [SID: 21960] MSRPC Spooler GetPrinterData DoS detected. Now it appears to affect client Windows computers that aren't joined to our domain when connecting to our Windows Server 2003 R2 x64 print server. When will Symantec get this correct?