
svchost.exe traffic has been blocked by SEP Network Threat Protection

Created: 30 Dec 2012 • Updated: 30 Dec 2012 | 10 comments
This issue has been solved. See solution.


I have been having a problem with my SEP Threat Detection.  It seems that every 4 minutes I receive a notification from SEP that it has blocked svchost.exe. 

This is a clean computer, I have scanned with antivirus software and antimalware software since this has happened.  The problem arose when I decided to switch from Avast antivirus software to SEP as my school has allowed me to download the latest version of it.

I have a Windows 7 Pro, SEP version 12.1.1000.157 RU1. 

The pop-up notifications are annoying, and I know I don't have a virus. So I consulted https://www-secure.symantec.com/connect/forums/tra... They told me to disable IPv6. I did. It seems like my problems are coming from IPv4, as you can see by my threat log:

12/30/2012 8:37:56 AM    Blocked    3    Outgoing    UDP    239.255.255.250    01-00-5E-7F-FF-FA    1900    192.168.0.143    00-10-18-EA-74-75    1900    C:\Windows\System32\svchost.exe    LOCAL SERVICE    NT AUTHORITY    Default    18    12/30/2012 8:36:54 AM    12/30/2012 8:37:00 AM    Block UPnP Discovery    
12/30/2012 8:37:00 AM    Allowed    3    Incoming    UDP    0.0.0.0    78-A3-E4-11-C5-87    68    255.255.255.255    FF-FF-FF-FF-FF-FF    67        Admin    Argh0812    Default    1    12/30/2012 8:35:59 AM    12/30/2012 8:35:59 AM    Allow BOOTP protocol    
12/30/2012 8:37:00 AM    Allowed    3    Incoming    UDP    192.168.0.1    00-1B-11-56-C2-35    67    255.255.255.255    FF-FF-FF-FF-FF-FF    68        Admin    Argh0812    Default    1    12/30/2012 8:35:59 AM    12/30/2012 8:35:59 AM    Allow BOOTP protocol    
12/30/2012 8:36:49 AM    Allowed    3    Outgoing    IP    239.255.255.250    01-00-5E-7F-FF-FA    NA    192.168.0.143    00-10-18-EA-74-75    NA        Admin    Argh0812    Default    1    12/30/2012 8:35:48 AM    12/30/2012 8:35:48 AM    Allow IGMP traffic    
12/30/2012 8:36:49 AM    Allowed    3    Outgoing    IP    224.0.0.251    01-00-5E-00-00-FB    NA    192.168.0.143    00-10-18-EA-74-75    NA        Admin    Argh0812    Default    1    12/30/2012 8:35:48 AM    12/30/2012 8:35:48 AM    Allow IGMP traffic    
12/30/2012 8:36:43 AM    Allowed    3    Outgoing    IP    224.0.0.252    01-00-5E-00-00-FC    NA    192.168.0.143    00-10-18-EA-74-75    NA        Admin    Argh0812    Default    1    12/30/2012 8:35:42 AM    12/30/2012 8:35:42 AM    Allow IGMP traffic    
12/30/2012 8:36:43 AM    Allowed    3    Incoming    IP    192.168.0.1    00-1B-11-56-C2-35    NA    224.0.0.1    01-00-5E-00-00-01    NA        Admin    Argh0812    Default    1    12/30/2012 8:35:42 AM    12/30/2012 8:35:42 AM    Allow IGMP traffic    
12/30/2012 8:35:09 AM    Allowed    3    Incoming    UDP    192.168.0.1    00-1B-11-56-C2-35    1900    239.255.255.250    01-00-5E-7F-FF-FA    1900        Admin    Argh0812    Default    42    12/30/2012 8:34:07 AM    12/30/2012 8:34:13 AM    Allow UPnP Discovery from private IP addresses    
12/30/2012 8:34:41 AM    Allowed    3    Outgoing    IP    239.255.255.250    01-00-5E-7F-FF-FA    NA    192.168.0.143    00-10-18-EA-74-75    NA        Admin    Argh0812    Default    1    12/30/2012 8:33:39 AM    12/30/2012 8:33:39 AM    Allow IGMP traffic    
12/30/2012 8:34:41 AM    Allowed    3    Incoming    IP    192.168.0.102    A4-EE-57-4E-D4-A6    NA    224.0.0.252    01-00-5E-00-00-FC    NA        Admin    Argh0812    Default    1    12/30/2012 8:33:39 AM    12/30/2012 8:33:39 AM    Allow IGMP traffic    
12/30/2012 8:34:35 AM    Allowed    3    Outgoing    IP    224.0.0.251    01-00-5E-00-00-FB    NA    192.168.0.143    00-10-18-EA-74-75    NA        Admin    Argh0812    Default    1    12/30/2012 8:33:34 AM    12/30/2012 8:33:34 AM    Allow IGMP traffic    
12/30/2012 8:34:35 AM    Allowed    3    Incoming    IP    192.168.0.1    00-1B-11-56-C2-35    NA    224.0.0.1    01-00-5E-00-00-01    NA        Admin    Argh0812    Default    1    12/30/2012 8:33:34 AM    12/30/2012 8:33:34 AM    Allow IGMP traffic    
12/30/2012 8:32:38 AM    Allowed    3    Outgoing    IP    224.0.0.252    01-00-5E-00-00-FC    NA    192.168.0.143    00-10-18-EA-74-75    NA        Admin    Argh0812    Default    1    12/30/2012 8:31:37 AM    12/30/2012 8:31:37 AM    Allow IGMP traffic    
12/30/2012 8:32:38 AM    Allowed    3    Outgoing    IP    239.255.255.250    01-00-5E-7F-FF-FA    NA    192.168.0.143    00-10-18-EA-74-75    NA        Admin    Argh0812    Default    1    12/30/2012 8:31:37 AM    12/30/2012 8:31:37 AM    Allow IGMP traffic    
12/30/2012 8:32:33 AM    Allowed    3    Incoming    IP    192.168.0.122    68-A8-6D-B7-37-A9    NA    224.0.0.251    01-00-5E-00-00-FB    NA        Admin    Argh0812    Default    1    12/30/2012 8:31:31 AM    12/30/2012 8:31:31 AM    Allow IGMP traffic    
12/30/2012 8:32:33 AM    Allowed    3    Incoming    IP    192.168.0.102    A4-EE-57-4E-D4-A6    NA    224.0.0.251    01-00-5E-00-00-FB    NA        Admin    Argh0812    Default    1    12/30/2012 8:31:31 AM    12/30/2012 8:31:31 AM    Allow IGMP traffic    
12/30/2012 8:32:33 AM    Allowed    3    Incoming    IP    192.168.0.1    00-1B-11-56-C2-35    NA    224.0.0.1    01-00-5E-00-00-01    NA        Admin    Argh0812    Default    1    12/30/2012 8:31:31 AM    12/30/2012 8:31:31 AM    Allow IGMP traffic    
12/30/2012 8:30:36 AM    Allowed    3    Incoming    UDP    192.168.0.148    00-17-A4-6F-1A-F0    1900    239.255.255.250    01-00-5E-7F-FF-FA    1900        Admin    Argh0812    Default    10    12/30/2012 8:29:34 AM    12/30/2012 8:29:34 AM    Allow UPnP Discovery from private IP addresses    
12/30/2012 8:30:36 AM    Allowed    3    Incoming    IP    192.168.0.102    A4-EE-57-4E-D4-A6    NA    224.0.0.252    01-00-5E-00-00-FC    NA        Admin    Argh0812    Default    1    12/30/2012 8:29:34 AM    12/30/2012 8:29:34 AM    Allow IGMP traffic    
12/30/2012 8:30:30 AM    Allowed    3    Incoming    TCP    192.168.0.1    00-1B-11-56-C2-35    28983    192.168.0.143    00-10-18-EA-74-75    2869    C:\Windows\system32\NTOSKRNL.EXE    Admin    Argh0812    Default    1    12/30/2012 8:29:29 AM    12/30/2012 8:29:29 AM    Allow SSDP from private IP addresses    
12/30/2012 8:30:30 AM    Allowed    3    Incoming    IP    192.168.0.146    00-25-00-3A-C8-2E    NA    224.0.0.251    01-00-5E-00-00-FB    NA        Admin    Argh0812    Default    1    12/30/2012 8:29:29 AM    12/30/2012 8:29:29 AM    Allow IGMP traffic    
12/30/2012 8:30:30 AM    Blocked    3    Outgoing    UDP    239.255.255.250    01-00-5E-7F-FF-FA    1900    192.168.0.143    00-10-18-EA-74-75    1900    C:\Windows\System32\svchost.exe    LOCAL SERVICE    NT AUTHORITY    Default    18    12/30/2012 8:29:29 AM    12/30/2012 8:29:34 AM    Block UPnP Discovery    
12/30/2012 8:30:30 AM    Allowed    3    Outgoing    IP    224.0.0.22    01-00-5E-00-00-16    NA    192.168.0.143    00-10-18-EA-74-75    NA        Admin    Argh0812    Default    12    12/30/2012 8:29:29 AM    12/30/2012 8:29:29 AM    Allow IGMP traffic    
 

Please help me find a resolution ASAP! Thank you so much for your time. I am brand new to Norton, so please go into descriptions if you find a solution. Thank you!


pete_4u2002:

There should be a rule for "Block UPnP Discovery"; you need to change it. Do you have any issue with the operations? If not, then let the rule be as it is.

.Brian:

Is this an unmanaged client? It sounds like it is.

12/30/2012 8:37:56 AM    Blocked    3    Outgoing    UDP    239.255.255.250    01-00-5E-7F-FF-FA    1900    192.168.0.143    00-10-18-EA-74-75    1900    C:\Windows\System32\svchost.exe    LOCAL SERVICE    NT AUTHORITY    Default    18    12/30/2012 8:36:54 AM    12/30/2012 8:37:00 AM    Block UPnP Discovery

It's legitimate traffic that is being blocked by the Block UPnP Discovery rule

Universal Plug and Play (UPnP) is a set of networking protocols that permits networked devices, such as personal computers, printers, Internet gateways, Wi-Fi access points and mobile devices, to seamlessly discover each other's presence on the network and establish functional network services for data sharing, communications, and entertainment. UPnP is intended primarily for residential networks without enterprise-class devices.

You can allow it by opening the SEP GUI and under Network Threat Protection click Options >> Configure Firewall Rules

Select the Block UPnP Discovery rule and hit Edit.

Under Action, select "Allow this traffic" and click OK.

You should not see the message for this rule any more.

You can disable the notifications completely by going to NTP >> Options >> Configure Settings and on the Notification tab, select the option to not show messages. However, this will disable the message for all rules and is not really recommended. But if you do, you would need to keep a closer eye on your logs.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

SOLUTION
spindoctor84:

Brian:  What do you mean by unmanaged client?  I am on a home LAN. 

I cannot find that option to Configure Firewall Rules. 

.Brian:

It means the SEP client is not managed by a SEPM. If you're on a home LAN it is likely unmanaged.

When you open the SEP GUI, click on options next to Network Threat Protection. You should see "Configure Firewall Rules" as one of the options.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

spindoctor84:

Oops, I was looking in the wrong section. Idiot me. I will let you know if it keeps on popping up. I will just have to wait and see. Thanks.

spindoctor84:

12/30/2012 8:28:49 PM    Allowed    3    Incoming    IP    192.168.0.108    00-24-2B-79-19-06    NA    224.0.0.251    01-00-5E-00-00-FB    NA        Admin    Argh0812    Default    1    12/30/2012 8:28:12 PM    12/30/2012 8:28:12 PM    Allow IGMP traffic    
12/30/2012 8:28:49 PM    Allowed    3    Incoming    IP    192.168.0.102    A4-EE-57-4E-D4-A6    NA    224.0.0.252    01-00-5E-00-00-FC    NA        Admin    Argh0812    Default    1    12/30/2012 8:28:12 PM    12/30/2012 8:28:12 PM    Allow IGMP traffic    
12/30/2012 8:28:49 PM    Allowed    3    Incoming    IP    192.168.0.108    00-24-2B-79-19-06    NA    239.255.255.250    01-00-5E-7F-FF-FA    NA        Admin    Argh0812    Default    1    12/30/2012 8:28:12 PM    12/30/2012 8:28:12 PM    Allow IGMP traffic    
12/30/2012 8:28:49 PM    Allowed    3    Incoming    IP    192.168.0.1    00-1B-11-56-C2-35    NA    224.0.0.1    01-00-5E-00-00-01    NA        Admin    Argh0812    Default    1    12/30/2012 8:28:12 PM    12/30/2012 8:28:12 PM    Allow IGMP traffic    
12/30/2012 8:28:37 PM    Blocked    3    Outgoing    UDP    FF02:0:0:0:0:0:1:2    33-33-00-01-00-02    547    FE80:0:0:0:1454:AB16:74EC:CAD2    00-10-18-EA-74-75    546        Admin    Argh0812    Default    1    12/30/2012 8:27:36 PM    12/30/2012 8:27:36 PM    Block IPv6 (Ethernet type 0x86dd)    
12/30/2012 8:28:32 PM    Blocked    3    Outgoing    UDP    FF02:0:0:0:0:0:0:C    33-33-00-00-00-0C    1900    FE80:0:0:0:1454:AB16:74EC:CAD2    00-10-18-EA-74-75    1900        Admin    Argh0812    Default    18    12/30/2012 8:27:31 PM    12/30/2012 8:27:41 PM    Block IPv6 (Ethernet type 0x86dd)    
12/30/2012 8:28:32 PM    Allowed    3    Outgoing    UDP    239.255.255.250    01-00-5E-7F-FF-FA    1900    192.168.0.143    00-10-18-EA-74-75    1900    C:\Windows\System32\svchost.exe    LOCAL SERVICE    NT AUTHORITY    Default    18    12/30/2012 8:27:31 PM    12/30/2012 8:27:41 PM    Block UPnP Discovery    
12/30/2012 8:27:51 PM    Allowed    3    Incoming    TCP    192.168.0.1    00-1B-11-56-C2-35    29069    192.168.0.143    00-10-18-EA-74-75    2869    C:\Windows\system32\NTOSKRNL.EXE    Admin    Argh0812    Default    1    12/30/2012 8:26:50 PM    12/30/2012 8:26:50 PM    Allow SSDP from private IP addresses    
12/30/2012 8:27:51 PM    Allowed    3    Incoming    TCP    192.168.0.1    00-1B-11-56-C2-35    29068    192.168.0.143    00-10-18-EA-74-75    2869    C:\Windows\system32\NTOSKRNL.EXE    Admin    Argh0812    Default    1    12/30/2012 8:26:50 PM    12/30/2012 8:26:50 PM    Allow SSDP from private IP addresses    
12/30/2012 8:27:51 PM    Allowed    3    Incoming    TCP    192.168.0.1    00-1B-11-56-C2-35    29067    192.168.0.143    00-10-18-EA-74-75    2869    C:\Windows\system32\NTOSKRNL.EXE    Admin    Argh0812    Default    1    12/30/2012 8:26:50 PM    12/30/2012 8:26:50 PM    Allow SSDP from private IP addresses    
12/30/2012 8:27:36 PM    Blocked    3    Outgoing    UDP    FF02:0:0:0:0:0:1:2    33-33-00-01-00-02    547    FE80:0:0:0:1454:AB16:74EC:CAD2    00-10-18-EA-74-75    546        Admin    Argh0812    Default    6    12/30/2012 8:26:35 PM    12/30/2012 8:27:05 PM    Block IPv6 (Ethernet type 0x86dd)    
12/30/2012 8:27:11 PM    Allowed    3    Outgoing    IP    224.0.0.251    01-00-5E-00-00-FB    NA    192.168.0.143    00-10-18-EA-74-75    NA        Admin    Argh0812    Default    1    12/30/2012 8:26:09 PM    12/30/2012 8:26:09 PM    Allow IGMP traffic   

.Brian:

12/30/2012 8:28:37 PM    Blocked    3    Outgoing    UDP    FF02:0:0:0:0:0:1:2    33-33-00-01-00-02    547    FE80:0:0:0:1454:AB16:74EC:CAD2    00-10-18-EA-74-75    546        Admin    Argh0812    Default    1    12/30/2012 8:27:36 PM    12/30/2012 8:27:36 PM    Block IPv6 (Ethernet type 0x86dd)    
 

The "Block IPv6" rule is being triggered. You can either choose to allow it (no notification) or keep blocking it (continued notification); it's your choice.

Or you can choose to disable alerts altogether.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

spindoctor84:

Ok, thank you Brian and Ashish. Everything seems to be working smoothly (no notifications even though I didn't disable them). I am not getting any pop-ups anymore by disabling the Block IPv6 rule and the blocking PnP. Thanks again.
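As an added example (not code from this thread or from Symantec), the script below parses exported SEP traffic-log lines of the kind pasted in the question and in spindoctor84's later post, and totals the blocked occurrences per rule, application and traffic type, so the "Block UPnP Discovery" and "Block IPv6" hits are reported as the SSDP and DHCPv6 multicast traffic Brian points to rather than as anonymous svchost.exe blocks. The 19-column layout is read off the quoted lines; the four-space (or tab) delimiter is an assumption about the pasted export.

```python
"""Summarise blocked entries in an exported SEP client traffic log.
Added example, not code from the thread or from Symantec; the 19-column layout is
read off the lines quoted above, and the four-space/tab delimiter is assumed."""
import ipaddress
import re
from collections import Counter

FIELDS = ["time", "action", "severity", "direction", "protocol", "remote_host",
          "remote_mac", "remote_port", "local_host", "local_mac", "local_port",
          "application", "user", "domain", "location", "occurrences", "begin", "end", "rule"]

# Multicast discovery/autoconfiguration traffic a Windows client sends on its own;
# these destinations are what sits behind the thread's recurring block pop-ups.
KNOWN_DISCOVERY = {
    ("UDP", "239.255.255.250", "1900"): "SSDP/UPnP discovery (IPv4 multicast)",
    ("UDP", "ff02::c", "1900"): "SSDP/UPnP discovery (IPv6 multicast)",
    ("UDP", "ff02::1:2", "547"): "DHCPv6 solicit (IPv6 multicast)",
}

# Constructed sample: four entries copied from the log dumps above (4-space separated).
SAMPLE_LOG = r"""
12/30/2012 8:37:56 AM    Blocked    3    Outgoing    UDP    239.255.255.250    01-00-5E-7F-FF-FA    1900    192.168.0.143    00-10-18-EA-74-75    1900    C:\Windows\System32\svchost.exe    LOCAL SERVICE    NT AUTHORITY    Default    18    12/30/2012 8:36:54 AM    12/30/2012 8:37:00 AM    Block UPnP Discovery
12/30/2012 8:37:00 AM    Allowed    3    Incoming    UDP    0.0.0.0    78-A3-E4-11-C5-87    68    255.255.255.255    FF-FF-FF-FF-FF-FF    67        Admin    Argh0812    Default    1    12/30/2012 8:35:59 AM    12/30/2012 8:35:59 AM    Allow BOOTP protocol
12/30/2012 8:28:37 PM    Blocked    3    Outgoing    UDP    FF02:0:0:0:0:0:1:2    33-33-00-01-00-02    547    FE80:0:0:0:1454:AB16:74EC:CAD2    00-10-18-EA-74-75    546        Admin    Argh0812    Default    1    12/30/2012 8:27:36 PM    12/30/2012 8:27:36 PM    Block IPv6 (Ethernet type 0x86dd)
12/30/2012 8:28:32 PM    Blocked    3    Outgoing    UDP    FF02:0:0:0:0:0:0:C    33-33-00-00-00-0C    1900    FE80:0:0:0:1454:AB16:74EC:CAD2    00-10-18-EA-74-75    1900        Admin    Argh0812    Default    18    12/30/2012 8:27:31 PM    12/30/2012 8:27:41 PM    Block IPv6 (Ethernet type 0x86dd)
""".strip().splitlines()

def parse_line(line):
    """Split one exported log line into a dict keyed by FIELDS (empty app field allowed)."""
    parts = re.split(r"\t| {4}", line.rstrip())
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line[:40]}")
    return dict(zip(FIELDS, parts))

def classify(event):
    """Label well-known discovery traffic; IPv6 is canonicalised (FF02:0:...:0:C -> ff02::c)."""
    try:
        host = str(ipaddress.ip_address(event["remote_host"]))
    except ValueError:
        host = event["remote_host"]
    return KNOWN_DISCOVERY.get((event["protocol"], host, event["remote_port"]), "unclassified")

def summarise_blocks(lines):
    """Blocked occurrences per (rule, application, classification), as a Counter."""
    counts = Counter()
    for event in map(parse_line, lines):
        if event["action"] == "Blocked":
            key = (event["rule"], event["application"] or "<none>", classify(event))
            counts[key] += int(event["occurrences"])
    return counts
```

Calling `summarise_blocks(SAMPLE_LOG).most_common()` on the sample gives the three blocked categories with their occurrence totals; an entry that comes back "unclassified" is the one worth a closer look in the log.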