svchost.exe traffic has been blocked by SEP Network Threat Protection
https://www-secure.symantec.com/connect/forums/tra...
I have been having a problem with my SEP Threat Detection. It seems that every 4 minutes I receive a notification from SEP that it has blocked svchost.exe.
This is a clean computer, I have scanned with antivirus software and antimalware software since this has happened. The problem arose when I decided to switch from Avast antivirus software to SEP as my school has allowed me to download the latest version of it.
I have Windows 7 Pro, SEP version 12.1.1000.157 RU1.
The pop-up notifications are annoying, and I know I don't have a virus. So I consulted https://www-secure.symantec.com/connect/forums/tra... They told me to disable IPv6. I did. It seems like my problems are coming from IPv4, as you can see in my threat log:
12/30/2012 8:37:56 AM Blocked 3 Outgoing UDP 239.255.255.250 01-00-5E-7F-FF-FA 1900 192.168.0.143 00-10-18-EA-74-75 1900 C:\Windows\System32\svchost.exe LOCAL SERVICE NT AUTHORITY Default 18 12/30/2012 8:36:54 AM 12/30/2012 8:37:00 AM Block UPnP Discovery
12/30/2012 8:37:00 AM Allowed 3 Incoming UDP 0.0.0.0 78-A3-E4-11-C5-87 68 255.255.255.255 FF-FF-FF-FF-FF-FF 67 Admin Argh0812 Default 1 12/30/2012 8:35:59 AM 12/30/2012 8:35:59 AM Allow BOOTP protocol
12/30/2012 8:37:00 AM Allowed 3 Incoming UDP 192.168.0.1 00-1B-11-56-C2-35 67 255.255.255.255 FF-FF-FF-FF-FF-FF 68 Admin Argh0812 Default 1 12/30/2012 8:35:59 AM 12/30/2012 8:35:59 AM Allow BOOTP protocol
12/30/2012 8:36:49 AM Allowed 3 Outgoing IP 239.255.255.250 01-00-5E-7F-FF-FA NA 192.168.0.143 00-10-18-EA-74-75 NA Admin Argh0812 Default 1 12/30/2012 8:35:48 AM 12/30/2012 8:35:48 AM Allow IGMP traffic
12/30/2012 8:36:49 AM Allowed 3 Outgoing IP 224.0.0.251 01-00-5E-00-00-FB NA 192.168.0.143 00-10-18-EA-74-75 NA Admin Argh0812 Default 1 12/30/2012 8:35:48 AM 12/30/2012 8:35:48 AM Allow IGMP traffic
12/30/2012 8:36:43 AM Allowed 3 Outgoing IP 224.0.0.252 01-00-5E-00-00-FC NA 192.168.0.143 00-10-18-EA-74-75 NA Admin Argh0812 Default 1 12/30/2012 8:35:42 AM 12/30/2012 8:35:42 AM Allow IGMP traffic
12/30/2012 8:36:43 AM Allowed 3 Incoming IP 192.168.0.1 00-1B-11-56-C2-35 NA 224.0.0.1 01-00-5E-00-00-01 NA Admin Argh0812 Default 1 12/30/2012 8:35:42 AM 12/30/2012 8:35:42 AM Allow IGMP traffic
12/30/2012 8:35:09 AM Allowed 3 Incoming UDP 192.168.0.1 00-1B-11-56-C2-35 1900 239.255.255.250 01-00-5E-7F-FF-FA 1900 Admin Argh0812 Default 42 12/30/2012 8:34:07 AM 12/30/2012 8:34:13 AM Allow UPnP Discovery from private IP addresses
12/30/2012 8:34:41 AM Allowed 3 Outgoing IP 239.255.255.250 01-00-5E-7F-FF-FA NA 192.168.0.143 00-10-18-EA-74-75 NA Admin Argh0812 Default 1 12/30/2012 8:33:39 AM 12/30/2012 8:33:39 AM Allow IGMP traffic
12/30/2012 8:34:41 AM Allowed 3 Incoming IP 192.168.0.102 A4-EE-57-4E-D4-A6 NA 224.0.0.252 01-00-5E-00-00-FC NA Admin Argh0812 Default 1 12/30/2012 8:33:39 AM 12/30/2012 8:33:39 AM Allow IGMP traffic
12/30/2012 8:34:35 AM Allowed 3 Outgoing IP 224.0.0.251 01-00-5E-00-00-FB NA 192.168.0.143 00-10-18-EA-74-75 NA Admin Argh0812 Default 1 12/30/2012 8:33:34 AM 12/30/2012 8:33:34 AM Allow IGMP traffic
12/30/2012 8:34:35 AM Allowed 3 Incoming IP 192.168.0.1 00-1B-11-56-C2-35 NA 224.0.0.1 01-00-5E-00-00-01 NA Admin Argh0812 Default 1 12/30/2012 8:33:34 AM 12/30/2012 8:33:34 AM Allow IGMP traffic
12/30/2012 8:32:38 AM Allowed 3 Outgoing IP 224.0.0.252 01-00-5E-00-00-FC NA 192.168.0.143 00-10-18-EA-74-75 NA Admin Argh0812 Default 1 12/30/2012 8:31:37 AM 12/30/2012 8:31:37 AM Allow IGMP traffic
12/30/2012 8:32:38 AM Allowed 3 Outgoing IP 239.255.255.250 01-00-5E-7F-FF-FA NA 192.168.0.143 00-10-18-EA-74-75 NA Admin Argh0812 Default 1 12/30/2012 8:31:37 AM 12/30/2012 8:31:37 AM Allow IGMP traffic
12/30/2012 8:32:33 AM Allowed 3 Incoming IP 192.168.0.122 68-A8-6D-B7-37-A9 NA 224.0.0.251 01-00-5E-00-00-FB NA Admin Argh0812 Default 1 12/30/2012 8:31:31 AM 12/30/2012 8:31:31 AM Allow IGMP traffic
12/30/2012 8:32:33 AM Allowed 3 Incoming IP 192.168.0.102 A4-EE-57-4E-D4-A6 NA 224.0.0.251 01-00-5E-00-00-FB NA Admin Argh0812 Default 1 12/30/2012 8:31:31 AM 12/30/2012 8:31:31 AM Allow IGMP traffic
12/30/2012 8:32:33 AM Allowed 3 Incoming IP 192.168.0.1 00-1B-11-56-C2-35 NA 224.0.0.1 01-00-5E-00-00-01 NA Admin Argh0812 Default 1 12/30/2012 8:31:31 AM 12/30/2012 8:31:31 AM Allow IGMP traffic
12/30/2012 8:30:36 AM Allowed 3 Incoming UDP 192.168.0.148 00-17-A4-6F-1A-F0 1900 239.255.255.250 01-00-5E-7F-FF-FA 1900 Admin Argh0812 Default 10 12/30/2012 8:29:34 AM 12/30/2012 8:29:34 AM Allow UPnP Discovery from private IP addresses
12/30/2012 8:30:36 AM Allowed 3 Incoming IP 192.168.0.102 A4-EE-57-4E-D4-A6 NA 224.0.0.252 01-00-5E-00-00-FC NA Admin Argh0812 Default 1 12/30/2012 8:29:34 AM 12/30/2012 8:29:34 AM Allow IGMP traffic
12/30/2012 8:30:30 AM Allowed 3 Incoming TCP 192.168.0.1 00-1B-11-56-C2-35 28983 192.168.0.143 00-10-18-EA-74-75 2869 C:\Windows\system32\NTOSKRNL.EXE Admin Argh0812 Default 1 12/30/2012 8:29:29 AM 12/30/2012 8:29:29 AM Allow SSDP from private IP addresses
12/30/2012 8:30:30 AM Allowed 3 Incoming IP 192.168.0.146 00-25-00-3A-C8-2E NA 224.0.0.251 01-00-5E-00-00-FB NA Admin Argh0812 Default 1 12/30/2012 8:29:29 AM 12/30/2012 8:29:29 AM Allow IGMP traffic
12/30/2012 8:30:30 AM Blocked 3 Outgoing UDP 239.255.255.250 01-00-5E-7F-FF-FA 1900 192.168.0.143 00-10-18-EA-74-75 1900 C:\Windows\System32\svchost.exe LOCAL SERVICE NT AUTHORITY Default 18 12/30/2012 8:29:29 AM 12/30/2012 8:29:34 AM Block UPnP Discovery
12/30/2012 8:30:30 AM Allowed 3 Outgoing IP 224.0.0.22 01-00-5E-00-00-16 NA 192.168.0.143 00-10-18-EA-74-75 NA Admin Argh0812 Default 12 12/30/2012 8:29:29 AM 12/30/2012 8:29:29 AM Allow IGMP traffic
Please help me find a resolution ASAP! Thank you so much for your time. I am brand new to Norton, so please go into descriptions if you find a solution. Thank you!
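The traffic log pasted above, run through a small parser. This is an added example, not code from the thread or from Symantec: it assumes the SEP 12.1 Traffic Log export column order listed in its docstring, takes six lines copied from the post as sample input (the rest of the log has the same shape), and summarises what each Block rule actually stopped, by sending process, destination and the well-known LAN service the port and address pair belongs to.

```python
"""Parse SEP Network Threat Protection traffic-log lines and summarise the Block hits.

Assumed column order (SEP 12.1 Traffic Log export): Time, Action, Severity,
Direction, Protocol, Remote Host, Remote MAC, Remote Port, Local Host,
Local MAC, Local Port, Application, User, Domain, Location, Occurrences,
Begin Time, End Time, Rule.  The forum post collapsed the column separators
into single spaces, so User and Domain are kept together as one 'account'
field rather than guessed apart (application paths containing spaces would
not parse either; none appear in the post).
"""
import ipaddress
import re
from collections import defaultdict

TS = r"\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M"
MAC = r"[0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5}"
LINE = re.compile(
    rf"^(?P<time>{TS}) (?P<action>\S+) (?P<severity>\d+) (?P<direction>\S+) "
    rf"(?P<protocol>\S+) (?P<remote_host>\S+) (?P<remote_mac>{MAC}) (?P<remote_port>\S+) "
    rf"(?P<local_host>\S+) (?P<local_mac>{MAC}) (?P<local_port>\S+) "
    rf"(?P<middle>.+?) (?P<occurrences>\d+) (?P<begin>{TS}) (?P<end>{TS}) (?P<rule>.+)$"
)

# Six lines copied verbatim from the post above (sample input for this example).
SAMPLE = r"""
12/30/2012 8:37:56 AM Blocked 3 Outgoing UDP 239.255.255.250 01-00-5E-7F-FF-FA 1900 192.168.0.143 00-10-18-EA-74-75 1900 C:\Windows\System32\svchost.exe LOCAL SERVICE NT AUTHORITY Default 18 12/30/2012 8:36:54 AM 12/30/2012 8:37:00 AM Block UPnP Discovery
12/30/2012 8:37:00 AM Allowed 3 Incoming UDP 0.0.0.0 78-A3-E4-11-C5-87 68 255.255.255.255 FF-FF-FF-FF-FF-FF 67 Admin Argh0812 Default 1 12/30/2012 8:35:59 AM 12/30/2012 8:35:59 AM Allow BOOTP protocol
12/30/2012 8:30:30 AM Allowed 3 Incoming TCP 192.168.0.1 00-1B-11-56-C2-35 28983 192.168.0.143 00-10-18-EA-74-75 2869 C:\Windows\system32\NTOSKRNL.EXE Admin Argh0812 Default 1 12/30/2012 8:29:29 AM 12/30/2012 8:29:29 AM Allow SSDP from private IP addresses
12/30/2012 8:30:30 AM Blocked 3 Outgoing UDP 239.255.255.250 01-00-5E-7F-FF-FA 1900 192.168.0.143 00-10-18-EA-74-75 1900 C:\Windows\System32\svchost.exe LOCAL SERVICE NT AUTHORITY Default 18 12/30/2012 8:29:29 AM 12/30/2012 8:29:34 AM Block UPnP Discovery
12/30/2012 8:28:37 PM Blocked 3 Outgoing UDP FF02:0:0:0:0:0:1:2 33-33-00-01-00-02 547 FE80:0:0:0:1454:AB16:74EC:CAD2 00-10-18-EA-74-75 546 Admin Argh0812 Default 1 12/30/2012 8:27:36 PM 12/30/2012 8:27:36 PM Block IPv6 (Ethernet type 0x86dd)
12/30/2012 8:28:32 PM Blocked 3 Outgoing UDP FF02:0:0:0:0:0:0:C 33-33-00-00-00-0C 1900 FE80:0:0:0:1454:AB16:74EC:CAD2 00-10-18-EA-74-75 1900 Admin Argh0812 Default 18 12/30/2012 8:27:31 PM 12/30/2012 8:27:41 PM Block IPv6 (Ethernet type 0x86dd)
"""


def parse_line(line):
    """Return one log line as a dict, or None if it is not a traffic-log line."""
    m = LINE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    parts = e.pop("middle").split(" ")
    # SEP fills the Application column only when it attributed the packet to a process.
    e["application"] = parts.pop(0) if re.match(r"^[A-Za-z]:\\", parts[0]) else ""
    e["location"] = parts.pop()        # Location is the last column before Occurrences
    e["account"] = " ".join(parts)     # User + Domain, e.g. 'LOCAL SERVICE NT AUTHORITY'
    e["severity"] = int(e["severity"])
    e["occurrences"] = int(e["occurrences"])
    return e


def parse_log(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def _ip(s):
    try:
        return ipaddress.ip_address(s)
    except ValueError:
        return None


def classify(e):
    """Name the well-known LAN service an entry belongs to, from protocol, ports and addresses."""
    remote, local = _ip(e["remote_host"]), _ip(e["local_host"])
    ports = {e["remote_port"], e["local_port"]}
    if e["protocol"] == "UDP" and e["remote_port"] == "1900" and remote and remote.is_multicast:
        return "SSDP/UPnP discovery"           # 239.255.255.250:1900 or ff02::c:1900
    if e["protocol"] == "UDP" and ports == {"546", "547"}:
        return "DHCPv6"                        # ff02::1:2 is the DHCPv6 relay/server group
    if e["protocol"] == "UDP" and ports == {"67", "68"}:
        return "DHCP/BOOTP"
    if e["protocol"] == "TCP" and e["local_port"] == "2869":
        return "UPnP device host (TCP 2869)"
    if e["protocol"] == "IP" and any(a and a.is_multicast for a in (remote, local)):
        return "IGMP multicast membership"
    return "other"


def blocked_summary(entries):
    """Per blocking rule: log lines, total packets (Occurrences), senders and targets."""
    out = defaultdict(lambda: {"lines": 0, "occurrences": 0, "sources": set(), "targets": set()})
    for e in entries:
        if e["action"] != "Blocked":
            continue
        s = out[e["rule"]]
        s["lines"] += 1
        s["occurrences"] += e["occurrences"]
        s["sources"].add(e["application"] or e["account"])
        s["targets"].add(f"{e['direction']} {e['protocol']} {e['remote_host']}:{e['remote_port']} ({classify(e)})")
    return dict(out)


if __name__ == "__main__":
    for rule, s in blocked_summary(parse_log(SAMPLE)).items():
        print(f"{rule}: {s['lines']} log lines, {s['occurrences']} packets")
        for t in sorted(s["targets"]):
            print("   ", t, "from", ", ".join(sorted(s["sources"])))
```

On the full log the only Blocked lines are outbound UDP to 239.255.255.250:1900 from C:\Windows\System32\svchost.exe running as LOCAL SERVICE (rule Block UPnP Discovery) and, in the later paste, the same SSDP traffic plus DHCPv6 over IPv6 link-local (rule Block IPv6); everything Allowed is IGMP membership, DHCP, or the router talking to the UPnP device host on TCP 2869.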
Is this an unmanaged client? It sounds like it is.
12/30/2012 8:37:56 AM Blocked 3 Outgoing UDP 239.255.255.250 01-00-5E-7F-FF-FA 1900 192.168.0.143 00-10-18-EA-74-75 1900 C:\Windows\System32\svchost.exe LOCAL SERVICE NT AUTHORITY Default 18 12/30/2012 8:36:54 AM 12/30/2012 8:37:00 AM Block UPnP Discovery
It's legitimate traffic that is being blocked by the Block UPnP Discovery rule
Universal Plug and Play (UPnP) is a set of networking protocols that permits networked devices, such as personal computers, printers, Internet gateways, Wi-Fi access points and mobile devices, to seamlessly discover each other's presence on the network and establish functional network services for data sharing, communications, and entertainment. UPnP is intended primarily for residential networks without enterprise-class devices.
You can allow it by opening the SEP GUI and under Network Threat Protection click Options >> Configure Firewall Rules
Select the Block UPnP Discovery rule and hit Edit
Under Action, select Allow this traffic and click OK
You should not see the message for this rule any more.
You can disable the notifications completely by going to NTP >> Options >> Configure Settings and on the Notification tab, select the option to not show messages. However, this will disable the message for all rules and is not really recommended. But if you do, you would need to keep a closer eye on your logs.
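Before allowing the rule, a practitioner will want to confirm that the svchost.exe instance sending to UDP 1900 is in fact hosting the SSDP Discovery service (SSDPSRV, which runs as Local Service, matching the LOCAL SERVICE NT AUTHORITY owner in the log) and not something else. This added example, not from the thread or from Symantec, joins the output of the two stock Windows commands `netstat -ano -p udp` and `tasklist /svc /fo csv`: socket to PID, PID to the service names hosted in that process. The sample output embedded below is constructed (PIDs and the fe80 interface index are invented); pass --live on the Windows host to use the real commands.

```python
"""Which service inside svchost.exe owns the UDP 1900 sockets that SEP is logging?

Joins `netstat -ano -p udp` (socket -> PID) with `tasklist /svc /fo csv`
(PID -> image name and hosted services).  Runs offline on the constructed
sample output; `--live` runs the two commands on the local Windows host.
"""
import csv
import io
import subprocess
import sys

# Constructed sample output; assumption: it has the column layout of Windows 7 netstat.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  UDP    0.0.0.0:68             *:*                                    836
  UDP    127.0.0.1:1900         *:*                                    1088
  UDP    192.168.0.143:1900     *:*                                    1088
  UDP    [fe80::1454:ab16:74ec:cad2%11]:1900  *:*                       1088
"""

# Constructed sample output of `tasklist /svc /fo csv` (Services is "N/A" when a process hosts none).
TASKLIST_SAMPLE = """\
"Image Name","PID","Services"
"System","4","N/A"
"svchost.exe","836","Dhcp,eventlog,lmhosts"
"svchost.exe","1088","SSDPSRV,upnphost"
"""


def udp_owners(netstat_text, port):
    """Map each local UDP socket bound to `port` to the PID that owns it."""
    owners = {}
    for line in netstat_text.splitlines():
        cols = line.split()
        # Data rows are exactly: Proto, Local Address, Foreign Address, PID (UDP has no State).
        if len(cols) == 4 and cols[0] == "UDP" and cols[1].rsplit(":", 1)[1] == port:
            owners[cols[1]] = int(cols[3])
    return owners


def services_by_pid(tasklist_csv):
    """Map PID -> (image name, list of hosted service names)."""
    out = {}
    for row in csv.DictReader(io.StringIO(tasklist_csv)):
        svcs = [s for s in row["Services"].split(",") if s and s != "N/A"]
        out[int(row["PID"])] = (row["Image Name"], svcs)
    return out


def explain(netstat_text, tasklist_csv, port="1900"):
    """socket -> (pid, image name, hosted services) for every UDP socket on `port`."""
    svc = services_by_pid(tasklist_csv)
    return {sock: (pid, *svc.get(pid, ("?", [])))
            for sock, pid in udp_owners(netstat_text, port).items()}


def live(port="1900"):
    """Run the real commands (Windows only) and join their output."""
    ns = subprocess.run(["netstat", "-ano", "-p", "udp"], capture_output=True, text=True, check=True).stdout
    tl = subprocess.run(["tasklist", "/svc", "/fo", "csv"], capture_output=True, text=True, check=True).stdout
    return explain(ns, tl, port)


if __name__ == "__main__":
    result = live() if "--live" in sys.argv else explain(NETSTAT_SAMPLE, TASKLIST_SAMPLE)
    for sock, (pid, image, svcs) in sorted(result.items()):
        print(f"{sock:<40} PID {pid:<6} {image}  hosting: {', '.join(svcs) or '(none)'}")
```

If every 1900 socket maps to an svchost.exe whose service list contains SSDPSRV, the blocked packets are the SSDP Discovery service doing ordinary M-SEARCH/NOTIFY multicast and allowing the rule is reasonable on a home LAN; a 1900 socket owned by an unexpected image, or an svchost.exe hosting no SSDP-related service, is the case where the SEP alert deserves a closer look rather than a rule change.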
Comments
There should be a rule for "Block UPnP Discovery"; you need to change it. Do you have any issue with the operations? If not, then let the rule be as it is.
Cheers!
Pete
Help Link: http://www.symantec.com/business/support/overview.jsp?pid=54619
Brian: What do you mean by unmanaged client? I am on a home LAN.
I cannot find that option to Configure Firewall Rules.
It means the SEP client is not managed by a SEPM. If you're on a home LAN, it is likely unmanaged.
When you open the SEP GUI, click on options next to Network Threat Protection. You should see "Configure Firewall Rules" as one of the options.
SEP Knowledge Base
Endpoint SWAT
Brian, I do not see that as an option. Here is what I see:
Oops, I was looking in the wrong section. Idiot me. I will let you know if it keeps on popping up. I will just have to wait to see. Thanks.
12/30/2012 8:28:49 PM Allowed 3 Incoming IP 192.168.0.108 00-24-2B-79-19-06 NA 224.0.0.251 01-00-5E-00-00-FB NA Admin Argh0812 Default 1 12/30/2012 8:28:12 PM 12/30/2012 8:28:12 PM Allow IGMP traffic
12/30/2012 8:28:49 PM Allowed 3 Incoming IP 192.168.0.102 A4-EE-57-4E-D4-A6 NA 224.0.0.252 01-00-5E-00-00-FC NA Admin Argh0812 Default 1 12/30/2012 8:28:12 PM 12/30/2012 8:28:12 PM Allow IGMP traffic
12/30/2012 8:28:49 PM Allowed 3 Incoming IP 192.168.0.108 00-24-2B-79-19-06 NA 239.255.255.250 01-00-5E-7F-FF-FA NA Admin Argh0812 Default 1 12/30/2012 8:28:12 PM 12/30/2012 8:28:12 PM Allow IGMP traffic
12/30/2012 8:28:49 PM Allowed 3 Incoming IP 192.168.0.1 00-1B-11-56-C2-35 NA 224.0.0.1 01-00-5E-00-00-01 NA Admin Argh0812 Default 1 12/30/2012 8:28:12 PM 12/30/2012 8:28:12 PM Allow IGMP traffic
12/30/2012 8:28:37 PM Blocked 3 Outgoing UDP FF02:0:0:0:0:0:1:2 33-33-00-01-00-02 547 FE80:0:0:0:1454:AB16:74EC:CAD2 00-10-18-EA-74-75 546 Admin Argh0812 Default 1 12/30/2012 8:27:36 PM 12/30/2012 8:27:36 PM Block IPv6 (Ethernet type 0x86dd)
12/30/2012 8:28:32 PM Blocked 3 Outgoing UDP FF02:0:0:0:0:0:0:C 33-33-00-00-00-0C 1900 FE80:0:0:0:1454:AB16:74EC:CAD2 00-10-18-EA-74-75 1900 Admin Argh0812 Default 18 12/30/2012 8:27:31 PM 12/30/2012 8:27:41 PM Block IPv6 (Ethernet type 0x86dd)
12/30/2012 8:28:32 PM Allowed 3 Outgoing UDP 239.255.255.250 01-00-5E-7F-FF-FA 1900 192.168.0.143 00-10-18-EA-74-75 1900 C:\Windows\System32\svchost.exe LOCAL SERVICE NT AUTHORITY Default 18 12/30/2012 8:27:31 PM 12/30/2012 8:27:41 PM Block UPnP Discovery
12/30/2012 8:27:51 PM Allowed 3 Incoming TCP 192.168.0.1 00-1B-11-56-C2-35 29069 192.168.0.143 00-10-18-EA-74-75 2869 C:\Windows\system32\NTOSKRNL.EXE Admin Argh0812 Default 1 12/30/2012 8:26:50 PM 12/30/2012 8:26:50 PM Allow SSDP from private IP addresses
12/30/2012 8:27:51 PM Allowed 3 Incoming TCP 192.168.0.1 00-1B-11-56-C2-35 29068 192.168.0.143 00-10-18-EA-74-75 2869 C:\Windows\system32\NTOSKRNL.EXE Admin Argh0812 Default 1 12/30/2012 8:26:50 PM 12/30/2012 8:26:50 PM Allow SSDP from private IP addresses
12/30/2012 8:27:51 PM Allowed 3 Incoming TCP 192.168.0.1 00-1B-11-56-C2-35 29067 192.168.0.143 00-10-18-EA-74-75 2869 C:\Windows\system32\NTOSKRNL.EXE Admin Argh0812 Default 1 12/30/2012 8:26:50 PM 12/30/2012 8:26:50 PM Allow SSDP from private IP addresses
12/30/2012 8:27:36 PM Blocked 3 Outgoing UDP FF02:0:0:0:0:0:1:2 33-33-00-01-00-02 547 FE80:0:0:0:1454:AB16:74EC:CAD2 00-10-18-EA-74-75 546 Admin Argh0812 Default 6 12/30/2012 8:26:35 PM 12/30/2012 8:27:05 PM Block IPv6 (Ethernet type 0x86dd)
12/30/2012 8:27:11 PM Allowed 3 Outgoing IP 224.0.0.251 01-00-5E-00-00-FB NA 192.168.0.143 00-10-18-EA-74-75 NA Admin Argh0812 Default 1 12/30/2012 8:26:09 PM 12/30/2012 8:26:09 PM Allow IGMP traffic
12/30/2012 8:28:37 PM Blocked 3 Outgoing UDP FF02:0:0:0:0:0:1:2 33-33-00-01-00-02 547 FE80:0:0:0:1454:AB16:74EC:CAD2 00-10-18-EA-74-75 546 Admin Argh0812 Default 1 12/30/2012 8:27:36 PM 12/30/2012 8:27:36 PM Block IPv6 (Ethernet type 0x86dd)
The "Block IPv6" rule is being triggered. You can either choose to allow it (no notification) or keep blocking it (continued notification), but it's your choice.
Or you can choose to disable alerts altogether.
SEP Knowledge Base
Endpoint SWAT
HI,
Check this thread
https://www-secure.symantec.com/connect/forums/constant-notification-traffic-has-been-blocked-application-svchostexe
Thanks In Advance
Ashish Sharma
SEPM Knowledgebase Documents
Ok, thank you Brian and Ashish. Everything seems to be working smoothly (no notifications, even though I didn't disable them). I am not getting any pop-ups anymore after disabling the Block IPv6 rule and the Block UPnP rule. Thanks again.