
[SID: 23179] OS Attack: MSRPC Server Service RPC CVE-2008-4250 attack blocked. Traffic has been blocked for this application: SYSTEM

Created: 03 Sep 2013 • Updated: 05 Sep 2013 | 5 comments
This issue has been solved. See solution.

Hi,

All the clients are installed with 12.1 and are running Windows XP SP3, which includes the vulnerability patch for Windows. Why am I still getting the popup, and how can I prevent it from happening?


Mithun Sanghavi

Hello,

Take a close look at the Traffic logs, where you see these alerts...if the IP address(es) are external, there's not much you can do...the nature of the internet is to allow unsolicited attempts for communication.

If the communications are coming from external sources, you can certainly block those IP addresses at the perimeter firewall, and other things such as leveraging intrusion prevention (assuming you've got that, or it's part of the perimeter firewall).

If the attacks are coming from WITHIN your network, you'll need to do some sleuthing to get to the bottom of what's actually attacking and deal with it.  My gut, however, leads me to believe that your logs show external IP addresses.

Script kiddies out there are constantly running programs that will try to use exploits on machines...odds are low that you're specifically being targeted.

If the IP addresses in the logs are external to your network, the only way you can completely block the alerts is to configure your perimeter firewall to not allow incoming external traffic to this machine...which, I suspect, would completely negate the usefulness of the server itself.

Also, please check the Symantec article below and get assisted.

OS Attack: MS Windows Server Service RPC Handling CVE-2008-4250

http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=23179

Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability

http://www.securityfocus.com/bid/31874/solution

You may be also interested to have a look at this Thread: 

https://www-secure.symantec.com/connect/forums/multiple-attacks-showing-sepm

Hope that helps you to upload all the updates on the system!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

.Brian

If you check the Attack logs, you should be able to see which remote system is doing the attacking.

You need to remove it from the network and make sure it is patched and clean.

Locate the remote machine first.

 

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.
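Turning the advice in the two replies above into a repeatable check: the Python script below is an added example, not code from this thread or from Symantec. It assumes a simplified, tab-separated export of the IPS log (the sample inside the block is constructed; a real SEPM export has different columns, so adapt parse_line to yours), groups blocked events for SID 23179 by the attacking address, flags whether each source sits in RFC 1918 space, and counts how many clients it hit. An internal source fanning out across many clients is the case .Brian describes (find it, isolate it, patch and clean it); external sources are Mithun's perimeter-firewall case.

```python
"""Triage SEP IPS 'attack blocked' events by attacking host.

Added example, not code from the Symantec forum thread. The log layout
below is a CONSTRUCTED, simplified export: timestamp, signature ID,
signature name, remote (attacking) IP, local (attacked client) IP and
action, tab-separated. Adjust parse_line() for a real SEPM export.
"""
import ipaddress
from collections import defaultdict

# Constructed sample events (documentation address ranges for the
# external sources, RFC 1918 addresses for the clients and one worm-like
# internal host).
SAMPLE_LOG = """\
2013-09-03 08:12:41\t23179\tOS Attack: MSRPC Server Service RPC CVE-2008-4250\t203.0.113.45\t10.0.5.21\tBlocked
2013-09-03 08:13:02\t23179\tOS Attack: MSRPC Server Service RPC CVE-2008-4250\t203.0.113.45\t10.0.5.22\tBlocked
2013-09-03 08:15:17\t23179\tOS Attack: MSRPC Server Service RPC CVE-2008-4250\t10.0.7.88\t10.0.5.21\tBlocked
2013-09-03 08:15:19\t23179\tOS Attack: MSRPC Server Service RPC CVE-2008-4250\t10.0.7.88\t10.0.5.30\tBlocked
2013-09-03 08:15:20\t23179\tOS Attack: MSRPC Server Service RPC CVE-2008-4250\t10.0.7.88\t10.0.5.31\tBlocked
2013-09-03 09:01:55\t23179\tOS Attack: MSRPC Server Service RPC CVE-2008-4250\t198.51.100.7\t10.0.5.22\tBlocked
this line is malformed and must be skipped
"""

# Ranges treated as "inside the network": RFC 1918 by default. Add your
# own routable blocks here if your sites use public addressing.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_line(line):
    """Split one event line into a dict; return None for malformed lines."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != 6:
        return None
    ts, sid, name, remote_ip, local_ip, action = parts
    try:
        ipaddress.ip_address(remote_ip)
        ipaddress.ip_address(local_ip)
    except ValueError:
        return None
    return {"ts": ts, "sid": sid, "name": name,
            "remote": remote_ip, "local": local_ip, "action": action}


def is_internal(ip, nets=INTERNAL_NETS):
    """True if the address falls in one of the configured internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def triage(log_text, sid="23179", nets=INTERNAL_NETS):
    """Group events for one signature ID by attacking host.

    Returns {remote_ip: {"internal": bool, "hits": int, "targets": [ips]}}.
    """
    by_src = defaultdict(lambda: {"hits": 0, "targets": set()})
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["sid"] != sid:
            continue
        by_src[ev["remote"]]["hits"] += 1
        by_src[ev["remote"]]["targets"].add(ev["local"])
    return {src: {"internal": is_internal(src, nets),
                  "hits": d["hits"],
                  "targets": sorted(d["targets"])}
            for src, d in by_src.items()}


def recommend(report):
    """Map each attacking host to the action the thread suggests, busiest first."""
    out = []
    for src, d in sorted(report.items(), key=lambda kv: -kv[1]["hits"]):
        if d["internal"]:
            out.append((src, "INTERNAL: locate and isolate the host, verify it is "
                             f"patched and clean ({d['hits']} hits on "
                             f"{len(d['targets'])} clients)"))
        else:
            out.append((src, "EXTERNAL: block at the perimeter firewall; the alert "
                             f"itself is expected background noise ({d['hits']} hits)"))
    return out


if __name__ == "__main__":
    for src, action in recommend(triage(SAMPLE_LOG)):
        print(f"{src:15} {action}")
```

Run it against your own export by replacing SAMPLE_LOG with the file contents; the internal host 10.0.7.88 in the sample is listed first because it generated the most hits and touched three different clients, which is exactly the pattern to chase down before considering any IPS exception.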

Mick2009

Hi Jeshrel,

All the clients are installed with 12.1 and are running Windows XP SP3, which includes the vulnerability patch for Windows. Why am I still getting the popup, and how can I prevent it from happening?

SEP's IPS component does not enumerate a computer's patches and compare the incoming attack traffic with what the machine is already patched against.  If the IPS sees traffic that matches its attack signatures, it will react.  You are doubly-protected with IPS in place and have applied that patch that made your machines invulnerable.  :)

Admins can create exclusions so that IPS is not triggered on certain traffic.  I am always reluctant to recommend this- there are always a few unpatched machines in a corner somewhere- but if you really wish, you can modify how SEP reacts to that signature.

How to add an exception for Intrusion Prevention Policy to allow a specific ID through Symantec Endpoint Protection Manager
http://www.symantec.com/docs/TECH97176 
 

Hope this helps!

Mick  

With thanks and best regards,

Mick