
SVChost.exe

Created: 08 Jun 2013 | 7 comments

Hi

We have SEP SBE 12.1.2 recently installed on a Windows 2008 R2 server and 3 endpoints (Windows 7, 32-bit and 64-bit).

SEP blocks (or tries to block) some svchost.exe executions, but I cannot tell which svchost.exe it is at the moment SEP does the blocking.

How can I see the blocked svchost.exe, which can be a Windows system executable, and how do I configure SEP?

I had problems with the SEP installation (everything OK) and problems with our main application that interfaces with fax, email etc.

They were solved, in the end, by allowing IP traffic in the firewall settings.


W007

Hello,

Try this:

https://www-secure.symantec.com/connect/forums/con...

Check this discussion:

https://www-secure.symantec.com/connect/forums/svc...


Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

.Brian

Do you have both IPS and firewall installed?

You should be able to see in either the Security or Traffic log as to which is being blocked.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

panagiotis

OK, I will check on this.

One question: is IPS better than the firewall action?


Mithun Sanghavi

Hello,

Check this Article:

Traffic has been blocked for the application host process for Windows Services Svchost.exe

http://www.symantec.com/docs/TECH165942

and these threads:

https://www-secure.symantec.com/connect/forums/constant-notification-traffic-has-been-blocked-application-svchostexe

https://www-secure.symantec.com/connect/forums/traffic-has-been-blocked-svchostexe-0

Secondly, to answer your question, "is IPS better than the firewall action":

If IPS is installed without the Firewall, it is not possible to automatically block the IP address of an attacker for a certain amount of time, because the temporary block rule is part of the Firewall component. In this case, the IPS component will continue to log each attack separately.

Check these articles:

Can the IPS component be installed independently from the Firewall component in Symantec Endpoint Protection 12.1?

http://www.symantec.com/docs/TECH162232

Default Symantec Endpoint Protection 12.1 RU1 Firewall Policy explanation

http://www.symantec.com/docs/TECH180569

Best practices regarding Intrusion Prevention System technology

http://www.symantec.com/docs/TECH95347

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3


panagiotis

Thanks very much for all the answers. Truly.

In order to get around this, I got the log file (.txt) and saw some SEP blocks.

Can you please help with interpreting the below (for example)?

2000    07/06/2013 12:43:24    Blocked    3    Incoming    UDP    FE80:0:0:0:A0C8:1AC2:9D67:19F7    50-E5-49-39-3E-86    53646    FF02:0:0:0:0:0:0:C    33-33-00-00-00-0C    3702        Xristina    GRAMMATEIA    Default    2    07/06/2013 12:42:23    07/06/2013 12:42:23    Block Web Services Discovery    
2001    07/06/2013 12:43:29    Blocked    3    Incoming    UDP    FE80:0:0:0:A0C8:1AC2:9D67:19F7    50-E5-49-39-3E-86    57122    FF02:0:0:0:0:0:0:C    33-33-00-00-00-0C    1900        Xristina    GRAMMATEIA    Default    5    07/06/2013 12:42:23    07/06/2013 12:42:29    Block UPnP Discovery  

or

2006    07/06/2013 12:44:40    Blocked    3    Outgoing    ETHERNET [type=0x0]    FE80:0:0:0:CDCE:1106:DA45:B0D6    50-E5-49-39-3E-78    0    FE80:0:0:0:159C:7AED:9C73:5CCD    50-E5-49-39-3E-21    0        Xristina    GRAMMATEIA    Default    1    07/06/2013 12:43:40    07/06/2013 12:43:40    Block ICMPv6  

I am not sure if I must give more info in public, because I am unaware of the subject.

Yes, IPS is on, and the firewall. But I do allow IP traffic in the firewall. Is it meant as LAN traffic?

Thanks very much.

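As an added worked example (not code from this thread or from Symantec), the following Python script parses the three SEP client Traffic Log lines posted above and turns each into a one-line reading: direction, protocol, the two address/port pairs, the rule that blocked it and how many times. The column order is inferred from those three lines and is an assumption, not Symantec's documented schema; the names addr1/addr2 are used because the posted lines alone do not say which side is the local host. The port labels (3702 WS-Discovery, 1900 SSDP) are standard assignments. The script also points out when the Application column is empty, which is the case for all three entries, so they are not attributed to svchost.exe or to any other process, and when the destination is a multicast group, i.e. LAN discovery chatter rather than a connection to the host.

```python
"""Parser for the SEP client Traffic Log lines quoted above.
Added example, not code from the thread or from Symantec.
Column order is inferred from the three posted lines (assumption)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Assumed column order, read off the posted lines; addr1/addr2 are used
# because those lines alone do not say which side is the local host.
COLUMNS = [
    "seq", "time", "action", "severity", "direction", "protocol",
    "addr1", "mac1", "port1", "addr2", "mac2", "port2", "application",
    "user", "computer", "location", "occurrences", "begin", "end", "rule",
]

# Well-known UDP discovery ports, used only to label what the traffic is.
DISCOVERY_PORTS = {
    3702: "WS-Discovery (Web Services Dynamic Discovery)",
    1900: "SSDP (UPnP device discovery)",
    5355: "LLMNR name resolution",
    5353: "mDNS name resolution",
    137: "NetBIOS name service",
}

# Constructed sample: the three lines from the post, with the tab separators
# that the forum flattened into runs of spaces restored.
SAMPLE_LOG = "\n".join("\t".join(fields) for fields in [
    ["2000", "07/06/2013 12:43:24", "Blocked", "3", "Incoming", "UDP",
     "FE80:0:0:0:A0C8:1AC2:9D67:19F7", "50-E5-49-39-3E-86", "53646",
     "FF02:0:0:0:0:0:0:C", "33-33-00-00-00-0C", "3702", "",
     "Xristina", "GRAMMATEIA", "Default", "2",
     "07/06/2013 12:42:23", "07/06/2013 12:42:23", "Block Web Services Discovery"],
    ["2001", "07/06/2013 12:43:29", "Blocked", "3", "Incoming", "UDP",
     "FE80:0:0:0:A0C8:1AC2:9D67:19F7", "50-E5-49-39-3E-86", "57122",
     "FF02:0:0:0:0:0:0:C", "33-33-00-00-00-0C", "1900", "",
     "Xristina", "GRAMMATEIA", "Default", "5",
     "07/06/2013 12:42:23", "07/06/2013 12:42:29", "Block UPnP Discovery"],
    ["2006", "07/06/2013 12:44:40", "Blocked", "3", "Outgoing", "ETHERNET [type=0x0]",
     "FE80:0:0:0:CDCE:1106:DA45:B0D6", "50-E5-49-39-3E-78", "0",
     "FE80:0:0:0:159C:7AED:9C73:5CCD", "50-E5-49-39-3E-21", "0", "",
     "Xristina", "GRAMMATEIA", "Default", "1",
     "07/06/2013 12:43:40", "07/06/2013 12:43:40", "Block ICMPv6"],
])


@dataclass
class TrafficEvent:
    seq: int
    direction: str
    protocol: str
    addr1: str
    port1: int
    addr2: str
    port2: int
    application: str      # empty when SEP did not attribute the packet to a process
    occurrences: int
    rule: str


def parse_line(line: str) -> TrafficEvent:
    """Split one tab-separated log line into a TrafficEvent."""
    fields = line.rstrip("\r\n").split("\t")
    if len(fields) < len(COLUMNS):
        raise ValueError(f"expected {len(COLUMNS)} tab-separated columns, got {len(fields)}")
    rec = dict(zip(COLUMNS, fields))
    return TrafficEvent(
        seq=int(rec["seq"]), direction=rec["direction"], protocol=rec["protocol"],
        addr1=rec["addr1"], port1=int(rec["port1"]),
        addr2=rec["addr2"], port2=int(rec["port2"]),
        application=rec["application"].strip(),
        occurrences=int(rec["occurrences"]), rule=rec["rule"],
    )


def parse_log(text: str) -> List[TrafficEvent]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def is_multicast(addr: str) -> bool:
    """True for IPv4 224/4 and IPv6 FF00::/8 group addresses (e.g. FF02::C)."""
    try:
        return ipaddress.ip_address(addr).is_multicast
    except ValueError:
        return False


def service_name(ev: TrafficEvent) -> Optional[str]:
    """Label the traffic if either port is a well-known discovery port."""
    return DISCOVERY_PORTS.get(ev.port1) or DISCOVERY_PORTS.get(ev.port2)


def classify(ev: TrafficEvent) -> str:
    """Coarse category that tells the reader what kind of block this is."""
    if ev.application:
        return "process-attributed"
    if is_multicast(ev.addr1) or is_multicast(ev.addr2):
        return "multicast-discovery"
    if ev.protocol.upper().startswith("ETHERNET"):
        return "link-layer"
    return "unicast"


def explain(ev: TrafficEvent) -> str:
    """One-line, human-readable reading of a blocked entry."""
    text = (f"#{ev.seq}: {ev.direction} {ev.protocol} "
            f"{ev.addr1}:{ev.port1} -> {ev.addr2}:{ev.port2}, "
            f"blocked {ev.occurrences}x by rule '{ev.rule}'")
    svc = service_name(ev)
    if svc:
        text += f" [{svc}]"
    if classify(ev) == "multicast-discovery":
        text += " [multicast: LAN discovery chatter, not a connection to this host]"
    if not ev.application:
        text += " [no Application recorded: not attributed to svchost.exe or any process]"
    return text


if __name__ == "__main__":
    for event in parse_log(SAMPLE_LOG):
        print(explain(event))
```

To use it on a real export, replace SAMPLE_LOG with the contents of the exported .txt file; if the export has a header row or a different column order, adjust COLUMNS first, since the parser only checks the column count.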

Mithun Sanghavi

Hello,

Check these threads with a similar issue:

https://www-secure.symantec.com/connect/forums/svchostexe-traffic-has-been-blocked-sep-netowork-threat-protection

https://www-secure.symantec.com/connect/forums/svchostexe-traffic-being-blocked

https://www-secure.symantec.com/connect/forums/svchost-pop

Hope that helps!!


Rafeeq

Try this document:

Traffic has been blocked for the application host process for Windows Services Svchost.exe