
[SID: 21960] MSRPC Spooler GetPrinterData DoS detected.

Updated: 29 Jul 2010 | 8 comments
ianto

Hi,

I am getting this alert since the new release of the Symantec IPS definition dated 2009-10-20 rev.001.

I have attached the printscreen for reference. Can anyone help?

error.jpg

Thank you,

Ian

Comments

shp | 22 Oct 2009

Check this...

http://www.symantec.com/business/security_response...

http://www.kb.cert.org/vuls/id/914617
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=...

Update MS patches and do a full scan in safe mode on 192.168.19.203 pc.

Regards,
Srinivas H.P.
HCL Infosystems Ltd

jayan.c | 23 Oct 2009

This is a very useful tip, shp.

tekkid | 27 Oct 2009

We are getting this now. The remote host is our W2K3 corporate print server. Both the computer and server are up to date with the latest security patches and endpoint definitions.

Jill Jones | 16 Nov 2009

Disable the proactive threat protection portion of SEP and restart your print spooler on the client. Or exclude C:\Windows\system32\ntoskrnl.exe from the scan engine.

delifeath | 20 Jan 2010

Same...

I'm getting this same blocking and logging. It only happens maybe 1 out of 10 times a single user tries to print. I could be wrong but it only appears to be happening on Windows 7 machines. I opened a ticket yesterday but the only thing they could suggest was to create an exception for ntoskrnl.exe, which I don't want to do. This was after spending 10 minutes trying to explain what intrusion prevention is and helping them understand that intrusion prevention is something built into SEP 11 and not third-party software. Has anyone else been seeing anything like this? Thank you.

Jerry.Balch | 20 Jan 2010

More of the same

I have tried to enable the exception for ntoskrnl.exe to see if that temporarily stops the problem, but that definitely isn't a solution for this issue. It is also only on Windows 7 machines for our network too.

delifeath | 21 Jan 2010

I'm glad I'm not the only one having this problem. I'm not really sure what the next step is here. For whatever reason this most recent call in to Symantec was absolutely useless. The worst "support" I've ever received. Maybe because I made the mistake of saying it was low priority? Any Symantec people know what I need to do to bring this to someone's attention? Maybe it's something specific to our network, but I'm sure others will be seeing it eventually. Thank you.

Senrats | 25 Jan 2010

Same...

I have a user with the same problem.

IBM Laptop
Local Printer - Canon iP4300
Windows 7

I created a special folder for this one user and added an exception to allow/log the "event"

Policies> Intrusion Prevention Policies> Exceptions> Add...

browse to exception ID 21960 (same as in the error).

This is not a "FIX" but it makes it only allow one exception for one computer. I think this is better than the "Disable the proactive threat protection portion of SEP and restart your print spooler on the client. Or exclude C:\Windows\system32\ntoskrnl.exe from the scan engine."

"Trust, but verify."