Endpoint Protection


svchost pop up

  • 1.  svchost pop up

    Posted Oct 03, 2011 06:23 AM

     

    Every 5 min, a pop-up on the clients' SEP shows that it's blocking svchost.

    I have SEP 12.

    Is there a way to stop these pop-ups?



  • 2.  RE: svchost pop up

    Trusted Advisor
    Posted Oct 03, 2011 06:45 AM


  • 3.  RE: svchost pop up

    Posted Oct 03, 2011 07:03 AM

     

    03/10/2011 15:02:31 Blocked 10 Incoming UDP FE80:0:0:0:4D84:F662:255A:8973 00-24-21-3F-66-0B 59151 FF02:0:0:0:0:0:0:C 33-33-00-00-00-0C 3702 C:\Windows\System32\svchost.exe LOCAL SERVICE NT AUTHORITY Default 2 03/10/2011 15:02:20 03/10/2011 15:02:20 Block Web Services Discovery from external computers
     
    It seems not to be related to mine :S
    HELP


  • 4.  RE: svchost pop up

    Trusted Advisor
    Posted Oct 03, 2011 07:13 AM

    Hello,

     

    Is there a SID referenced?

    For example: [SID: 20386] MS RPCSS Attack (2) detected. Traffic has been blocked from this application: C:\WINDOWS\system32\svchost.exe

    You can then use it to look up what signature is being tripped. To do this, log in to SEPM and go to Policies ---> under View Policies, select your Intrusion Prevention policy and double-click it. Select Exceptions ---> Click Add and from here you will see all the current signatures. You should be able to locate the correct SID and find out more about what is going on.

    You can check the logs. Go to Monitors ---> Logs ---> Network Threat Protection for the log type and Attacks for the log content. You can search by the computer name / IP by going into the Advanced Settings to get more granular.

    You can also turn these notifications off so users don't see them. Go to Clients ---> Policies tab ---> click the "+" next to Location-specific Settings to expand and select Tasks ---> Edit Settings ---> select Customize for whatever control you have it set to and uncheck Display Intrusion Prevention notifications



  • 5.  RE: svchost pop up

    Posted Oct 03, 2011 07:28 AM

    No, didn't see any.



  • 6.  RE: svchost pop up

    Broadcom Employee
    Posted Oct 03, 2011 08:28 AM

    Hi,

    From SEPM console you can disable notifications.

    Screenshot is attached for your reference.



  • 7.  RE: svchost pop up

    Trusted Advisor
    Posted Oct 03, 2011 09:37 AM

    Hello,

    You can turn these notifications off so users don't see them.

    Go to Clients ---> Policies tab ---> click the "+" next to Location-specific Settings to expand and select Tasks ---> Edit Settings ---> select Customize for whatever control you have it set to and uncheck Display Intrusion Prevention notifications.



  • 8.  RE: svchost pop up

    Posted Oct 04, 2011 12:34 AM

    Both of these settings are already unchecked, but they are still getting these pop-ups.

    I've also found out that mainly Windows 7 machines are getting these notifications.



  • 9.  RE: svchost pop up

    Posted Oct 04, 2011 01:49 AM

    Seems that the issue was in my firewall settings. Changed it and waiting for the result :P



  • 10.  RE: svchost pop up

    Posted Oct 04, 2011 11:08 AM

    I have notifications turned off, but we see a ton of these on our network in our logs. I think it's just Windows peer-to-peer networking chatter on the line. I'm not a protocol expert, though. In your case it looks IPv6 related. It would be helpful to know exactly what this traffic is, though.



  • 11.  RE: svchost pop up
    Best Answer

    Posted Oct 05, 2011 07:22 AM

    With the log information, I've gone to SEPM, Policies > under Firewall, view your firewall settings, then I unchecked Block Web Services Discovery from external computers as per the information in my logs, and voila...

    03/10/2011 15:02:31 Blocked 10 Incoming UDP FE80:0:0:0:4D84:F662:255A:8973 00-24-21-3F-66-0B 59151 FF02:0:0:0:0:0:0:C 33-33-00-00-00-0C 3702 C:\Windows\System32\svchost.exe LOCAL SERVICE NT AUTHORITY Default 2 03/10/2011 15:02:20 03/10/2011 15:02:20 Block Web Services Discovery from external computers

    The question is, what will be the risk of unchecking this?
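
An added example, not part of any post in this thread: a Python parser for the firewall log entry quoted above that reports whether a blocked packet is WS-Discovery multicast (UDP 3702 to FF02::C or 239.255.255.250) and whether its addresses are link-scoped, meaning the sender is on the client's own network segment. The field order is inferred from the one quoted line and is an assumption, as are the function names; the second sample line is constructed for contrast.

```python
import ipaddress
import re
from collections import Counter

# Field order inferred from the log line quoted in the thread (an assumption).
LINE = re.compile(
    r"^(?P<ts>\d\d/\d\d/\d{4} [\d:]{8}) (?P<action>\S+) (?P<sev>\d+) "
    r"(?P<dir>\S+) (?P<proto>\S+) (?P<src>\S+) (?P<src_mac>\S+) (?P<sport>\d+) "
    r"(?P<dst>\S+) (?P<dst_mac>\S+) (?P<dport>\d+) (?P<app>\S+) .*? "
    r"\d\d/\d\d/\d{4} [\d:]{8} \d\d/\d\d/\d{4} [\d:]{8} (?P<rule>.+)$"
)
# WS-Discovery probes go to UDP 3702 on these multicast groups.
WSD_GROUPS = {ipaddress.ip_address("ff02::c"), ipaddress.ip_address("239.255.255.250")}

def classify(line):
    """Parse one log line; return None if it does not match the assumed layout."""
    m = LINE.match(line.strip())
    if not m:
        return None
    src, dst = ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"])
    # IPv6 multicast scope is the low nibble of the second byte; 2 = link-local.
    link_mcast = dst.version == 6 and dst.is_multicast and (dst.packed[1] & 0x0F) == 2
    return {
        "rule": m["rule"],
        "app": m["app"],
        "wsd_multicast": m["proto"] == "UDP" and m["dport"] == "3702" and dst in WSD_GROUPS,
        # Link-local sources and link-scope multicast are not forwarded by routers.
        "same_segment": src.is_link_local or link_mcast,
    }

def summarize(log_text):
    """Count parsed entries per (rule, wsd_multicast, same_segment)."""
    counts = Counter()
    for line in log_text.splitlines():
        info = classify(line)
        if info:
            counts[(info["rule"], info["wsd_multicast"], info["same_segment"])] += 1
    return counts

# First line: the entry quoted in the thread. Second line: constructed for contrast.
SAMPLE = r"""03/10/2011 15:02:31 Blocked 10 Incoming UDP FE80:0:0:0:4D84:F662:255A:8973 00-24-21-3F-66-0B 59151 FF02:0:0:0:0:0:0:C 33-33-00-00-00-0C 3702 C:\Windows\System32\svchost.exe LOCAL SERVICE NT AUTHORITY Default 2 03/10/2011 15:02:20 03/10/2011 15:02:20 Block Web Services Discovery from external computers
03/10/2011 15:04:10 Blocked 10 Incoming UDP 192.0.2.10 00-00-5E-00-53-01 40000 198.51.100.7 00-00-5E-00-53-02 3702 C:\Windows\System32\svchost.exe LOCAL SERVICE NT AUTHORITY Default 1 03/10/2011 15:04:10 03/10/2011 15:04:10 Block Web Services Discovery from external computers"""

if __name__ == "__main__":
    for key, n in summarize(SAMPLE).items():
        print(n, key)
```

Run over an exported traffic log, the summary separates same-segment discovery chatter from entries whose source is a routed address, which are the ones worth reviewing before a block rule is relaxed.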