
Symantec Critical System Protection Exclusions for SQL

Created: 04 May 2014 | 4 comments

Hi,

I need to know the Symantec Critical System Protection exclusions for SQL. I have received one event and I am not sure what the action should be.

 

10.20.100.65          ----- jeddc08 (dc)

10.20.105.117        ----- jeddbs04 (sql Server)

 

SCSP |  Network Access | JEDDBS04

Network Access

04-May-2014 04:20:40

04-May-2014 07:20:40

Prevention

Warning

Denied

45

0

1

 

JEDDBS04

JEDDBS04

10.20.105.117

DOMAIN NAME

CSP Native Agent

Windows

Server 2008 R2 Service Pack 1

5.2.9.841

DOMAIN NAME\sqlserv

DOMAIN NAME_Prevention_Global_Policy

 

i

 

C:\Program Files\Microsoft SQL Server\MSSQL10_50.CTS\MSSQL\Binn\sqlservr.exe

sqlservr.exe

TCP

 

 

Connect

Outbound Connection Denied to 10.20.100.65:49156  from local address 10.20.105.117:53636

04-May-2014 04:20:41

     00:00:01

mssqlsrv_ps

\WINDOWS\SYSTEM32\RPCRT4.DLL

10.20.100.65

49156

10.20.105.117

53636

TCP

14520

 


pete_4u2002

The outbound network access rule is blocking it. You should check the rule and configure it appropriately for traffic to pass.

 

To check the network rules:
1. In the management console, edit the policy.
2. In the policy editor dialog box, click Global Policy Options > Network Controls.

For Outbound Network Rules, select Outbound > Components > Outbound network rules.

TheSniper_

But how can I exclude the below process:

C:\Program Files\Microsoft SQL Server\MSSQL10_50.CTS\MSSQL\Binn\sqlservr.exe

 

AMoss

That event is a bit of a concern....it's an outbound on an ephemeral port...from SQL.  Overall concern is diminished as the machine it's communicating to is on the same subnet.  I would try and determine what the other server is and see if there's any other communication with that device.

 

Also...I would recommend tuning the mssql_ps vs. tuning at the global level...

Looking for real-time reporting and data visualization for your Symantec Security solutions?  http://www.trysolve.com

Alex_CST

Without knowledge of what the SQL server is for, and what the other IP is, we cannot really give advice.  You should find out what the other IP is, and determine what traffic goes over those ports.

Please mark posts as solutions if they solve your problem!

http://www.cstl.com
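
A triage helper for the step the last two replies ask for (identify the remote host and port before tuning any rule), as an added example that is not part of the original thread or of any Symantec tooling. It assumes the event text is available as plain message lines; the function names, the `KNOWN_HOSTS` table and the second sample line are constructed, and the subnet prefix length is a parameter because the thread does not state the mask.

```python
import ipaddress
import re
from collections import Counter

# Windows Server 2008 and later allocate dynamic (ephemeral) TCP ports,
# including RPC dynamic endpoints, from 49152-65535 by default.
DYNAMIC_PORTS = range(49152, 65536)

DENIED = re.compile(
    r"Outbound Connection Denied to (?P<rip>[\d.]+):(?P<rport>\d+)\s+"
    r"from local address (?P<lip>[\d.]+):(?P<lport>\d+)"
)

# Host labels exactly as the poster listed them in the question.
KNOWN_HOSTS = {"10.20.100.65": "jeddc08 (dc)", "10.20.105.117": "jeddbs04 (sql Server)"}

# First line is the message from the question; the second is constructed.
SAMPLE = [
    "Outbound Connection Denied to 10.20.100.65:49156  from local address 10.20.105.117:53636",
    "Outbound Connection Denied to 10.20.100.65:49156  from local address 10.20.105.117:53640",
]


def parse_denied(message):
    """Return the fields of one denied-outbound message, or None if it does not match."""
    m = DENIED.search(message)
    if not m:
        return None
    return {"remote_ip": m["rip"], "remote_port": int(m["rport"]),
            "local_ip": m["lip"], "local_port": int(m["lport"])}


def triage(message, prefix_len):
    """Annotate one event; prefix_len is the reviewer's assumed subnet mask length."""
    ev = parse_denied(message)
    if ev is None:
        return None
    local_net = ipaddress.ip_network(f"{ev['local_ip']}/{prefix_len}", strict=False)
    ev["remote_host"] = KNOWN_HOSTS.get(ev["remote_ip"], "unknown")
    ev["remote_port_dynamic"] = ev["remote_port"] in DYNAMIC_PORTS
    ev["same_subnet"] = ipaddress.ip_address(ev["remote_ip"]) in local_net
    return ev


def summarize(messages, prefix_len):
    """Count denials per (remote host, remote port) to see whether a pattern repeats."""
    events = [e for e in (triage(msg, prefix_len) for msg in messages) if e]
    return Counter((e["remote_host"], e["remote_port"]) for e in events)
```

Repeated denials to the same host and port, together with the calling module shown in the event, give the evidence needed to decide whether a narrowly scoped rule is justified.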