Endpoint Protection

  • 1.  [SID: 20628] MSRPC Mutiple Headers detected – False Positives with new updates

    Posted Oct 22, 2009 01:37 PM
    We have seen one Vista computer have hundreds of false positives this morning associated with this update from yesterday. The specific event description is:

        [SID: 20628] MSRPC Mutiple Headers detected. Traffic has been allowed from this application: C:\WINDOWS\system32\ntoskrnl.exe

    The remote host is Windows Server 2003 R2 x64, which is the print server for us. Our other Vista (~10) computers don't have this problem and neither do our Windows XP SP3 (~300) computers. I would rather not create a firewall exception for the MSRPC Multiple Headers threat (http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=20628), which would leave our clients vulnerable to this type of attack, as has been suggested in a different post (http://www.symantec.com/connect/forums/sid-20628-msrpc-mutiple-headers-detected). I would like to see Symantec fix the problem with their recent update.


  • 2.  RE: [SID: 20628] MSRPC Mutiple Headers detected – False Positives with new updates

    Posted Oct 22, 2009 01:47 PM
    Hi Scott, you will need to open a case with support so that they can collect the appropriate information to fix your issue.

    Best,
    Thomas


  • 3.  RE: [SID: 20628] MSRPC Mutiple Headers detected – False Positives with new updates

    Posted Oct 22, 2009 02:21 PM
    Hi, this is an IPS false positive because of last night's def updates. This will be fixed in the next update; for the time being you can follow the workaround below.

    https://www-secure.symantec.com/connect/forums/sid-20628-msrpc-mutiple-headers-detected


  • 4.  RE: [SID: 20628] MSRPC Mutiple Headers detected – False Positives with new updates

    Posted Oct 22, 2009 03:12 PM
    Thanks.  Do you have an ETA when a new IPS will be released?


  • 5.  RE: [SID: 20628] MSRPC Mutiple Headers detected – False Positives with new updates

    Posted Oct 22, 2009 03:28 PM
    Scott,

    I would suggest you contact Tech Support so that they can collect the needed data and fix this issue as soon as possible.

    Thanks 




  • 6.  RE: [SID: 20628] MSRPC Mutiple Headers detected – False Positives with new updates

    Posted Oct 22, 2009 06:37 PM
    Unfortunately I don’t have 1-2 hours to wait on hold (average wait time for past few months); I am just too busy with higher priority projects at work right now (I might have time sometime next week).  How about just rolling back the faulty IPS definitions to the previous versions?  How can this be done?


  • 7.  RE: [SID: 20628] MSRPC Mutiple Headers detected – False Positives with new updates

    Posted Oct 22, 2009 07:07 PM
    I very strongly believe the problem is with the IPS definitions dated 2009-10-20 rev.001, so I followed the instructions for Document ID 2007111515160948 (http://service1.symantec.com/support/ent-security.nsf/docid/2007111515160948), but it isn't rolling back the IPS definitions on the clients. I checked Admin>Local Site>Show LiveUpdate Downloads, but it doesn't list the rolled-back IPS definitions I selected. Am I missing anything? Is there any other way to roll back the faulty IPS definitions?


  • 8.  RE: [SID: 20628] MSRPC Mutiple Headers detected – False Positives with new updates

    Posted Oct 22, 2009 07:31 PM
    After waiting nearly an hour for the IPS definitions to roll back on the clients, and nothing happening, I manually ran LiveUpdate on the SEPM. After LiveUpdate completed, the clients started rolling back their IPS definitions.


  • 9.  RE: [SID: 20628] MSRPC Mutiple Headers detected – False Positives with new updates



  • 10.  RE: [SID: 20628] MSRPC Mutiple Headers detected – False Positives with new updates

    Posted Oct 26, 2009 04:52 PM
    The IPS definitions dated 2009-10-26 rev.018 resolve the false positive for [SID: 20628] MSRPC Mutiple Headers detected, but now have false positives for [SID: 21960] MSRPC Spooler GetPrinterData DoS detected. Now it appears to affect Windows computers that aren't joined to our domain that are trying to connect to our Windows Server 2003 R2 x64 print server. When will Symantec get this correct without introducing new false positives?
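The pattern that made the original poster suspect a definition problem (hundreds of hits on one client, all toward the same print server, all attributed to a system binary such as ntoskrnl.exe, appearing right after a definition update) can be checked mechanically before opening a support case or rolling definitions back. The script below is an added example and not code from the thread or from Symantec: it parses exported IPS event lines, groups hits by signature and remote host, and flags the (SID, remote host) pairs whose hits are concentrated on a few clients. The "[SID: nnnn] ... Traffic has been allowed from this application: ..." text follows the event description quoted in the first post; the leading timestamp, client-name and remote-host columns are an assumed export layout, and all sample lines, host names and addresses are constructed.

```python
import re
from collections import defaultdict

# Regex for one exported IPS event line. The "[SID: nnnn] <name>. Traffic has been
# allowed from this application: <path>" part follows the event text quoted in the
# thread; the leading "timestamp,client,remote host" columns are an assumed layout.
EVENT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),"
    r"(?P<client>[^,]+),(?P<remote>[^,]+),"
    r"\[SID: (?P<sid>\d+)\] (?P<name>.+?)\. "
    r"Traffic has been (?P<action>allowed|blocked) from this application: (?P<app>.+)$"
)


def make_line(ts, client, remote, sid, name, action, app):
    """Build one constructed event line in the layout EVENT_RE expects."""
    return (f"{ts},{client},{remote},[SID: {sid}] {name}. "
            f"Traffic has been {action} from this application: {app}")


NTOSKRNL = r"C:\WINDOWS\system32\ntoskrnl.exe"
PRINT_SERVER = "10.0.0.5"  # constructed address standing in for the print server
HEADERS = "MSRPC Mutiple Headers detected"              # SID 20628, name as logged
SPOOLER = "MSRPC Spooler GetPrinterData DoS detected"   # SID 21960

# Constructed sample export (not real log data).
SAMPLE_LINES = (
    # one Vista client with hundreds of hits toward the print server
    [make_line(f"2009-10-22 08:{i // 60:02d}:{i % 60:02d}", "VISTA-01", PRINT_SERVER,
               20628, HEADERS, "allowed", NTOSKRNL) for i in range(120)]
    # a single stray hit from another client toward the same server
    + [make_line("2009-10-22 09:10:00", "XP-117", PRINT_SERVER,
                 20628, HEADERS, "allowed", NTOSKRNL)]
    # a blocked hit from an unrelated remote host, attributed to a non-system binary
    + [make_line("2009-10-22 11:00:00", "XP-042", "198.51.100.7", 20628, HEADERS,
                 "blocked", r"C:\Program Files\Example\example.exe")]
    # the later SID 21960 hits: a few non-domain laptops, one hit each
    + [make_line(f"2009-10-26 14:0{i}:00", f"LAPTOP-0{i}", PRINT_SERVER,
                 21960, SPOOLER, "allowed", NTOSKRNL) for i in range(3)]
    + ["not an IPS event line"]  # the parser must skip this
)


def parse_events(lines):
    """Return a dict per line that matches EVENT_RE; non-matching lines are skipped."""
    events = []
    for line in lines:
        m = EVENT_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def summarize(events):
    """Group hits by (SID, remote host): total hits, per-client counts, apps, actions."""
    summary = {}
    for ev in events:
        key = (ev["sid"], ev["remote"])
        entry = summary.setdefault(key, {"name": ev["name"], "hits": 0,
                                         "per_client": defaultdict(int),
                                         "apps": set(), "actions": set()})
        entry["hits"] += 1
        entry["per_client"][ev["client"]] += 1
        entry["apps"].add(ev["app"])
        entry["actions"].add(ev["action"])
    return summary


def triage(summary, min_hits=50, max_clients=3):
    """Flag (SID, remote host) pairs worth checking as definition false positives:
    many hits, concentrated on few clients, all attributed to one application.
    Returns a list of dicts sorted by hit count, highest first."""
    flagged = []
    for (sid, remote), entry in summary.items():
        if entry["hits"] < min_hits or len(entry["per_client"]) > max_clients:
            continue
        if len(entry["apps"]) != 1:
            continue
        top_client, top_hits = max(entry["per_client"].items(), key=lambda kv: kv[1])
        flagged.append({"sid": sid, "remote": remote, "name": entry["name"],
                        "hits": entry["hits"], "clients": sorted(entry["per_client"]),
                        "top_client": top_client,
                        "top_share": round(top_hits / entry["hits"], 3),
                        "app": next(iter(entry["apps"]))})
    return sorted(flagged, key=lambda f: f["hits"], reverse=True)


if __name__ == "__main__":
    for f in triage(summarize(parse_events(SAMPLE_LINES))):
        print(f"SID {f['sid']} ({f['name']}) toward {f['remote']}: {f['hits']} hits, "
              f"{f['top_share']:.0%} from {f['top_client']}, app {f['app']}")
```

On the constructed sample only the SID 20628 burst toward the print server is flagged: 121 hits, 99% of them from one client. The three SID 21960 hits fall below `min_hits` and are not flagged, which is the point of grouping by remote host and counting per client rather than per signature: a low, evenly spread count looks like normal detection, while a burst from one or two clients against one server right after a definition update is what to raise with support before considering a rollback or an exception.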