[SID: 20628] MSRPC Mutiple Headers detected – False Positives with new updates
We have seen one Vista computer generate hundreds of false positives this morning associated with yesterday's update. The specific event description is:
[SID: 20628] MSRPC Mutiple Headers detected. Traffic has been allowed from this application: C:\WINDOWS\system32\ntoskrnl.exe
The remote host is a Windows Server 2003 R2 x64 machine, which is our print server. Our other Vista computers (~10) don't have this problem, and neither do our Windows XP SP3 computers (~300). I would rather not create a firewall exception for the MSRPC Multiple Headers threat (http://www.symantec.com/business/security_response...), which would leave our clients vulnerable to this type of attack, as has been suggested in a different post (http://www.symantec.com/connect/forums/sid-20628-m...). I would like to see Symantec fix the problem with their recent update.
Hi Scott, you will need to open a case with support so that they can collect the appropriate information to fix your issue.
Best,
Thomas
For SEP troubleshooting, try downloading the Support Tool:
http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/200807170948...
SR recommendations for SEP settings:
http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/201002030859...
Hi, this is an IPS false positive caused by last night's definition updates. This will be fixed in the next update; in the meantime you can follow the workaround below.
https://www-secure.symantec.com/connect/forums/sid-20628-msrpc-mutiple-headers-detected
ETA for the updated IPS?
Thanks. Do you have an ETA when a new IPS will be released?
Scott,
I would suggest you contact Tech Support so that they can collect the needed data and fix this issue as soon as possible.
Thanks
How can I roll back the faulty IPS definitions?
Unfortunately I don't have 1-2 hours to wait on hold (the average wait time for the past few months); I am just too busy with higher-priority projects at work right now (I might have time sometime next week). How about just rolling back the faulty IPS definitions to the previous versions? How can this be done?
IPS Definitions Not Rolling Back
I very strongly believe the problem is with the IPS definitions dated 2009-10-20 rev.001, so I followed the instructions in Document ID 2007111515160948 (http://service1.symantec.com/support/ent-security....), but it isn't rolling back the IPS definitions on the clients. I checked Admin > Local Site > Show LiveUpdate Downloads, but it doesn't list the rolled-back IPS definitions I selected. Am I missing anything? Is there any other way to roll back the faulty IPS definitions?
Manually ran LiveUpdate on SEPM
After waiting nearly an hour for the IPS definitions to roll back on the clients, with nothing happening, I manually ran LiveUpdate on the SEPM. After LiveUpdate completed, the clients started rolling back their IPS definitions.
Solved: Check this thread
https://www-secure.symantec.com/connect/forums/sid-20628-msrpc-mutiple-headers-detected
Not Solved - New False Positives
The IPS definitions dated 2009-10-26 rev.018 resolve the false positive for [SID: 20628] MSRPC Mutiple Headers detected, but now produce false positives for [SID: 21960] MSRPC Spooler GetPrinterData DoS detected. Now it appears to affect Windows computers that aren't joined to our domain and are trying to connect to our Windows Server 2003 R2 x64 print server. When will Symantec get this correct without introducing new false positives?
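As an added example (not part of the thread and not Symantec code): when a definition update starts firing a signature like SID 20628 or 21960 against your own print server, the first triage step is to pull the IPS events, group them by SID, and check whether every firing involves only hosts you operate and whether anything was actually blocked. The script below does that over a handful of constructed log lines; the line layout (timestamp, local host, remote IP, event text) is an assumption modelled on the event text quoted above, not SEP's real log format, and the 10.0.5.20 print server address is invented for the example.

```python
import re
from collections import Counter

# Constructed sample events, NOT real SEP logs. Layout assumed:
#   <date> <time> <local host> <remote IP> <IPS event text>
SAMPLE_LOG = r"""
2009-10-20 08:01:12 VISTA-07 10.0.5.20 [SID: 20628] MSRPC Mutiple Headers detected. Traffic has been allowed from this application: C:\WINDOWS\system32\ntoskrnl.exe
2009-10-20 08:01:15 VISTA-07 10.0.5.20 [SID: 20628] MSRPC Mutiple Headers detected. Traffic has been allowed from this application: C:\WINDOWS\system32\ntoskrnl.exe
2009-10-20 08:02:03 VISTA-07 10.0.5.20 [SID: 20628] MSRPC Mutiple Headers detected. Traffic has been allowed from this application: C:\WINDOWS\system32\ntoskrnl.exe
2009-10-20 08:04:41 VISTA-07 10.0.5.20 [SID: 20628] MSRPC Mutiple Headers detected. Traffic has been allowed from this application: C:\WINDOWS\system32\ntoskrnl.exe
2009-10-27 09:10:05 WORKGROUP-PC1 10.0.5.20 [SID: 21960] MSRPC Spooler GetPrinterData DoS detected. Traffic has been allowed from this application: C:\WINDOWS\system32\ntoskrnl.exe
2009-10-27 09:12:30 WORKGROUP-PC2 10.0.5.20 [SID: 21960] MSRPC Spooler GetPrinterData DoS detected. Traffic has been allowed from this application: C:\WINDOWS\system32\ntoskrnl.exe
2009-10-27 11:45:00 VISTA-03 203.0.113.9 [SID: 21960] MSRPC Spooler GetPrinterData DoS detected. Traffic has been blocked from this application: C:\WINDOWS\system32\ntoskrnl.exe
this line is deliberately malformed and must be skipped
"""

# Matches the assumed layout above; the event text mirrors the wording quoted in the thread.
EVENT_RE = re.compile(
    r"^(\S+ \S+) (\S+) (\S+) \[SID: (\d+)\] (.+?)\. "
    r"Traffic has been (allowed|blocked) from this application: (.+)$"
)


def parse_events(text):
    """Turn raw log text into a list of event dicts, silently skipping lines
    that do not match the assumed layout."""
    events = []
    for line in text.strip().splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue
        ts, local_host, remote_host, sid, name, action, app = m.groups()
        events.append({
            "time": ts, "local_host": local_host, "remote_host": remote_host,
            "sid": int(sid), "name": name, "action": action, "app": app,
        })
    return events


def summarize_by_sid(events):
    """Aggregate per signature: total firings, which local hosts raised them,
    which remote hosts were involved, and how many were merely logged (allowed)."""
    summary = {}
    for e in events:
        s = summary.setdefault(e["sid"], {
            "name": e["name"], "count": 0, "allowed": 0,
            "local_hosts": Counter(), "remote_hosts": Counter(),
        })
        s["count"] += 1
        s["local_hosts"][e["local_host"]] += 1
        s["remote_hosts"][e["remote_host"]] += 1
        if e["action"] == "allowed":
            s["allowed"] += 1
    return summary


def false_positive_signal(summary, sid, trusted_servers):
    """Triage heuristic, not proof: a signature that only ever fires against
    servers we operate, and never actually blocked anything, is a candidate
    false positive worth reporting to the vendor. Any firing against an
    unknown remote host, or any blocked traffic, needs a real investigation."""
    s = summary.get(sid)
    if s is None:
        return "no events"
    only_trusted = set(s["remote_hosts"]) <= set(trusted_servers)
    nothing_blocked = s["allowed"] == s["count"]
    if only_trusted and nothing_blocked:
        return "likely false positive"
    return "needs investigation"


if __name__ == "__main__":
    PRINT_SERVER = "10.0.5.20"  # assumed address of the Server 2003 R2 print server
    summary = summarize_by_sid(parse_events(SAMPLE_LOG))
    for sid, s in sorted(summary.items()):
        verdict = false_positive_signal(summary, sid, {PRINT_SERVER})
        print(f"SID {sid} ({s['name']}): {s['count']} events, "
              f"{s['allowed']} allowed, remote hosts {dict(s['remote_hosts'])} -> {verdict}")
```

Run on the constructed sample, SID 20628 comes out as "likely false positive" (four firings, all against the print server, none blocked), while SID 21960 is flagged "needs investigation" because one firing involved an outside address and was blocked. The heuristic only tells you where to look: a compromised print server sending genuinely malformed RPC would produce the same pattern, so before filing the vendor case you still want to confirm the traffic is ordinary spooler RPC, for example by correlating the event timestamps with print jobs on the server.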