Symantec Endpoint Protection client detected Aten KVM switch ARP MAC attack

  • 1.  Symantec Endpoint Protection client detected Aten KVM switch ARP MAC attack

    Posted Oct 30, 2013 01:39 AM

     Hi all,

    We have a problem with an Aten KVM switch (KN2140v Version 1.6.152): our Symantec Endpoint Protection client detected an ARP MAC spoofing attack from this KVM. In this case, it sometimes blocks some traffic, which causes our IT staff to be unable to log in from the Win client.

    Please take a look at the attached screenshot; the Symantec Endpoint Protection client often pops up this attack message. 172.17.128.250 is the KVM IP address.

    We think that a KVM can't be infected by a virus, right? Also, can you give us some solution to prevent this problem?

    Thanks



  • 2.  RE: Symantec Endpoint Protection client detected Aten KVM switch ARP MAC attack

    Posted Oct 30, 2013 01:47 AM

    Check this article

    How to use Symantec Endpoint Protection Manager to add an exception for Intrusion Prevention Policy

     

    Article:TECH97176 | Created: 2009-01-02 | Updated: 2013-09-03 | Article URL http://www.symantec.com/docs/TECH97176

     



  • 3.  RE: Symantec Endpoint Protection client detected Aten KVM switch ARP MAC attack

    Posted Oct 30, 2013 09:26 PM

    Hello James007,

    After reading your article, I don't know which Intrusion Prevention ID I need to add to the exceptions list. Can you help?

    Thanks



  • 4.  RE: Symantec Endpoint Protection client detected Aten KVM switch ARP MAC attack

    Posted Oct 30, 2013 09:41 PM

    What SEP version are you running?

    This is from the anti-mac spoofing feature.

    What this feature does is:

    Allows inbound and outbound ARP (Address Resolution Protocol) traffic only if an ARP request was made to that specific host. It blocks all other unexpected ARP traffic and logs it in the Security Log.

    Media access control (MAC) addresses are hardware addresses that identify the computers, the servers, and the routers. Some hackers use MAC spoofing to try to hijack a communication session between two computers. When computer A wants to communicate with computer B, computer A may send an ARP packet to computer B.

    Anti-MAC spoofing protects a computer from letting another computer reset a MAC address table. If a computer sends an ARP REQUEST message, the client allows the corresponding ARP RESPOND message within a period of 10 seconds. The client rejects all unsolicited ARP RESPOND messages.
     

    This is in the firewall policy and you can disable it if you know it is a false positive.

    http://www.symantec.com/docs/HOWTO81160
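
The rule described in the post above (an ARP reply is accepted only within 10 seconds of a request this host sent for that address), as an added example that is not part of the original post and is not Symantec's code. The event format, the gateway address 172.17.128.1 and the MAC addresses are constructed for illustration; only the KVM address 172.17.128.250 and the 10-second window come from the thread.

```python
from dataclasses import dataclass, field

REPLY_WINDOW = 10.0  # seconds, as stated in the feature description


@dataclass
class ArpEvent:
    ts: float        # seconds since start of the (constructed) capture
    direction: str   # "out" = sent by this host, "in" = received
    op: str          # "request" or "reply"
    peer_ip: str     # IP being resolved (request) or claimed by sender (reply)
    peer_mac: str = ""


@dataclass
class SolicitedArpFilter:
    window: float = REPLY_WINDOW
    pending: dict = field(default_factory=dict)  # target IP -> time of last request

    def check(self, ev: ArpEvent) -> str:
        """Return 'allow' or 'block' for a single ARP event."""
        if ev.direction == "out" and ev.op == "request":
            self.pending[ev.peer_ip] = ev.ts
            return "allow"
        if ev.direction == "in" and ev.op == "reply":
            asked = self.pending.get(ev.peer_ip)
            # Solicited only if we asked for this IP and the window is still open.
            if asked is not None and 0 <= ev.ts - asked <= self.window:
                return "allow"
            return "block"  # unsolicited or late reply: what the client logs
        return "allow"      # other ARP traffic is outside this sketch


# Constructed sample traffic (not taken from the poster's network).
SAMPLE = [
    ArpEvent(0.0, "out", "request", "172.17.128.1"),
    ArpEvent(0.2, "in", "reply", "172.17.128.1", "00:00:5e:00:53:01"),
    ArpEvent(5.0, "in", "reply", "172.17.128.250", "00:00:5e:00:53:fa"),   # never asked
    ArpEvent(20.0, "out", "request", "172.17.128.250"),
    ArpEvent(20.1, "in", "reply", "172.17.128.250", "00:00:5e:00:53:fa"),  # solicited
    ArpEvent(31.0, "in", "reply", "172.17.128.250", "00:00:5e:00:53:fa"),  # window expired
]


def run(events):
    """Return (timestamp, peer IP, verdict) for every inbound reply."""
    flt = SolicitedArpFilter()
    verdicts = [(ev, flt.check(ev)) for ev in events]
    return [(ev.ts, ev.peer_ip, v) for ev, v in verdicts
            if ev.direction == "in" and ev.op == "reply"]


if __name__ == "__main__":
    for row in run(SAMPLE):
        print(row)
```

A device that announces its address without being asked lands in the `block` branch even though nothing malicious is happening, which matches the behaviour reported in this thread.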



  • 5.  RE: Symantec Endpoint Protection client detected Aten KVM switch ARP MAC attack

    Posted Oct 30, 2013 09:44 PM

    Hi,

    Check this

    Anti-MAC spoofing enabled on RU5 blocks access to router (x.x.x.1 IP address) with "Error: Unsolicited incoming ARP reply detected, this is a kind of MAC spoofing that may consequently do harm to your computer."

     

    Article:TECH96608 | Created: 2009-01-07 | Updated: 2011-06-08 | Article URL http://www.symantec.com/docs/TECH96608

     



  • 6.  RE: Symantec Endpoint Protection client detected Aten KVM switch ARP MAC attack

    Posted Oct 31, 2013 04:49 AM

    Hello all,

    I have removed the check mark from "Enable Anti-MAC spoofing", but this issue is still here, please help.

     



  • 7.  RE: Symantec Endpoint Protection client detected Aten KVM switch ARP MAC attack

    Posted Oct 31, 2013 05:13 AM

    Hi,

    Is it Windows 7 or Vista?

    Try to disable IPv6.



  • 8.  RE: Symantec Endpoint Protection client detected Aten KVM switch ARP MAC attack

    Posted Oct 31, 2013 05:37 AM

    Hi James007,

    Most of our office is using Windows 7. What do you mean by disable IPv6?

    Thanks



  • 9.  RE: Symantec Endpoint Protection client detected Aten KVM switch ARP MAC attack

    Posted Oct 31, 2013 06:13 AM

    Check Brian's and Ajit's comments in this thread

    https://www-secure.symantec.com/connect/forums/constant-notification-traffic-has-been-blocked-application-svchostexe

    1. Turn off the iphelper service, set to manual. This stops the warning dialog from popping up.

    2. Open the Network and Sharing Center, click "Change adapter settings", select the adapter being used, right-click and select "Properties".
    Uncheck the box next to "Internet Protocol Version 6 (TCP/IPv6)". 
    IPv6 is on by default in Vista/Win7.

    3. Restart machine.



  • 10.  RE: Symantec Endpoint Protection client detected Aten KVM switch ARP MAC attack

    Posted Oct 31, 2013 09:22 PM

    Hi James,

    Why will unchecking "Internet Protocol Version 6 (TCP/IPv6)" unblock the KVM IP address? I don't understand, thanks.
     



  • 11.  RE: Symantec Endpoint Protection client detected Aten KVM switch ARP MAC attack

    Posted Nov 05, 2013 08:56 PM

    Hi all,

    After disabling "Enable Anti-MAC spoofing", I haven't seen the message pop up in the last few days and we can remote to the KVM.

    We have a question: is there any option to exclude the KVM IP address in "Enable Anti-MAC spoofing"?

     

    Thanks



  • 12.  RE: Symantec Endpoint Protection client detected Aten KVM switch ARP MAC attack

    Posted Nov 05, 2013 09:04 PM

    Can't exclude. It's either all or nothing.



  • 13.  RE: Symantec Endpoint Protection client detected Aten KVM switch ARP MAC attack

    Posted Nov 08, 2013 10:39 PM

    Do you need more help here?



  • 14.  RE: Symantec Endpoint Protection client detected Aten KVM switch ARP MAC attack

    Posted Nov 09, 2013 08:45 PM

    Hi James

    No, thanks.



  • 15.  RE: Symantec Endpoint Protection client detected Aten KVM switch ARP MAC attack
    Best Answer

    Posted Nov 09, 2013 10:01 PM

    Please don't forget to mark your thread as 'SOLVED' with the answer that best helps you.



  • 16.  RE: Symantec Endpoint Protection client detected Aten KVM switch ARP MAC attack

    Posted Nov 09, 2013 11:03 PM

    This is not a good solution. Please mark the one that actually helped.

    Thanks