
svchost pop up

Created: 03 Oct 2011 • Updated: 05 Oct 2011 | 10 comments
This issue has been solved. See solution.

 

Every 5 min, a pop-up on the clients' SEP shows that it's blocking svchost.

I have SEP 12.

Is there a way to stop these pop-ups?


Mithun Sanghavi's picture

 

Hello,

Check this Thread:

https://www-secure.symantec.com/connect/forums/121-heuristic-scan-and-svchostexe

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

tonks2907's picture

 

03/10/2011 15:02:31 Blocked 10 Incoming UDP FE80:0:0:0:4D84:F662:255A:8973 00-24-21-3F-66-0B 59151 FF02:0:0:0:0:0:0:C 33-33-00-00-00-0C 3702 C:\Windows\System32\svchost.exe LOCAL SERVICE NT AUTHORITY Default 2 03/10/2011 15:02:20 03/10/2011 15:02:20 Block Web Services Discovery from external computers
 
It seems not to be related to mine :S
HELP
Mithun Sanghavi's picture

Hello,

 

Is there a SID referenced?

For example: [SID: 20386] MS RPCSS Attack (2) detected. Traffic has been blocked from this application: C:\WINDOWS\system32\svchost.exe

You can then use it to look up what signature is being tripped. To do this, log in to SEPM and go to Policies ---> under View Policies, select your Intrusion Prevention policy and double-click it. Select Exceptions ---> Click Add and from here you will see all the current signatures. You should be able to locate the correct SID and find out more about what is going on.

You can check the logs. Go to Monitors ---> Logs ---> Network Threat Protection for the log type and Attacks for the log content. You can search by the computer name / IP by going into the Advanced Settings to get more granular.

You can also turn these notifications off so users don't see them. Go to Clients ---> Policies tab ---> click the "+" next to Location-specific Settings to expand and select Tasks ---> Edit Settings ---> select Customize for whatever control you have it set to and uncheck Display Intrusion Prevention notifications.

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

Chetan Savade's picture

Hi,

From SEPM console you can disable notifications.

Screenshot is attached for your reference.

Chetan Savade
Sr.Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.

Mithun Sanghavi's picture

Hello,

You can turn these notifications off so users don't see them.

Go to Clients ---> Policies tab ---> click the "+" next to Location-specific Settings to expand and select Tasks ---> Edit Settings ---> select Customize for whatever control you have it set to and uncheck Display Intrusion Prevention notifications.

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

tonks2907's picture

Both of these settings are already unchecked, but they are still getting these pop-ups.

I've also found out that mainly Windows 7 is getting these notifications.

tonks2907's picture

Seems that the issue was in my firewall settings. Changed it and waiting for the result :P

CaryC's picture

I have notifications turned off, but we see a ton of these on our network in our logs. I think it's just Windows peer-to-peer networking chatter on the line. I'm not a protocol expert, though. In your case it looks like it's IPv6 related. Would be helpful to know exactly what this traffic is, though.

tonks2907's picture

With the log information, I've gone to SEPM, Policies > under Firewall, view your firewall settings, then I unchecked Block Web Services Discovery from external computers as per the information in my logs, and voilà...

03/10/2011 15:02:31 Blocked 10 Incoming UDP FE80:0:0:0:4D84:F662:255A:8973 00-24-21-3F-66-0B 59151 FF02:0:0:0:0:0:0:C 33-33-00-00-00-0C 3702 C:\Windows\System32\svchost.exe LOCAL SERVICE NT AUTHORITY Default 2 03/10/2011 15:02:20 03/10/2011 15:02:20 Block Web Services Discovery from external computers

The question is, what will be the risk of unchecking this?

SOLUTION
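A way to triage the blocked row quoted in this thread, as an added example that is not part of any post here and is not Symantec code: it parses the row and checks whether it is WS-Discovery multicast from a neighbour on the same link. The field names are assumptions inferred from the values in the row; the WS-Discovery port (UDP 3702) and multicast groups (239.255.255.250, ff02::c) come from the WS-Discovery specification.

```python
import ipaddress
import re

# Constructed sample: the row pasted in the thread, joined onto one line.
SAMPLE = (r"03/10/2011 15:02:31 Blocked 10 Incoming UDP "
          r"FE80:0:0:0:4D84:F662:255A:8973 00-24-21-3F-66-0B 59151 "
          r"FF02:0:0:0:0:0:0:C 33-33-00-00-00-0C 3702 "
          r"C:\Windows\System32\svchost.exe LOCAL SERVICE NT AUTHORITY Default 2 "
          r"03/10/2011 15:02:20 03/10/2011 15:02:20 "
          r"Block Web Services Discovery from external computers")

MAC = r"(?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2}"
STAMP = r"\d\d/\d\d/\d{4} \d\d:\d\d:\d\d"
# Group names are assumptions inferred from the values in the row.
ROW = re.compile(
    rf"^(?P<time>{STAMP}) (?P<action>\S+) (?P<severity>\d+) "
    rf"(?P<direction>\S+) (?P<proto>\S+) "
    rf"(?P<src>\S+) (?P<src_mac>{MAC}) (?P<src_port>\d+) "
    rf"(?P<dst>\S+) (?P<dst_mac>{MAC}) (?P<dst_port>\d+) "
    rf"(?P<app>[A-Za-z]:\\\S+) .* (?P<count>\d+) (?:{STAMP} ){{2}}(?P<rule>.+)$")

WSD_PORT = 3702  # WS-Discovery UDP port
WSD_GROUPS = {ipaddress.ip_address(a) for a in ("239.255.255.250", "ff02::c")}

def triage(line):
    """Parse one row; return facts for deciding whether it is WS-Discovery noise."""
    m = ROW.match(line.strip())
    if m is None:
        return None
    try:
        src, dst = ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"])
    except ValueError:
        return None
    # An IPv6 multicast frame uses MAC 33-33 plus the low 32 bits of the group.
    want_mac = "33-33-" + "-".join(f"{b:02X}" for b in dst.packed[-4:])
    return {
        "rule": m["rule"],
        "app": m["app"],
        "ws_discovery": (m["proto"] == "UDP" and int(m["dst_port"]) == WSD_PORT
                         and dst in WSD_GROUPS),
        # fe80::/10 and 169.254/16 are never routed: the sender is on-link.
        "sender_on_link": src.is_link_local,
        "multicast_mac_ok": dst.version == 6 and m["dst_mac"].upper() == want_mac,
        "sender_mac": m["src_mac"],
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

For the quoted row this reports WS-Discovery multicast from an on-link sender, and `sender_mac` identifies which neighbouring device is sending the probes.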