
Symantec Endpoint Protection client detected Aten KVM switch ARP MAC attack

Created: 29 Oct 2013 • Updated: 09 Nov 2013 | 15 comments
This issue has been solved. See solution.

Hi all,

We have a problem with an Aten KVM switch (KN2140v Version 1.6.152): our Symantec Endpoint Protection client detected an ARP MAC spoofing attack from this KVM. When this happens, some traffic is sometimes blocked, so our IT staff cannot log in through the Win client.

Please take a look at the attached screenshot. The Symantec Endpoint Protection client often pops up this attack message; 172.17.128.250 is the KVM's IP address.

We think that a KVM can't be infected by a virus, right? Also, can you give us a solution to prevent this problem?

Thanks


James007

Check this article:

How to use Symantec Endpoint Protection Manager to add an exception for Intrusion Prevention Policy  
Article:TECH97176 | Created: 2009-01-02 | Updated: 2013-09-03 | Article URL http://www.symantec.com/docs/TECH97176

leiw

Hello James007,

After reading your article, I don't know which Intrusion Prevention ID I need to add to the exceptions list. Can you help?

Thanks

Brɨan

What SEP version are you running?

This is from the anti-mac spoofing feature.

What this feature does is:

Allows inbound and outbound ARP (Address Resolution Protocol) traffic only if an ARP request was made to that specific host. It blocks all other unexpected ARP traffic and logs it in the Security Log.

Media access control (MAC) addresses are hardware addresses that identify the computers, the servers, and the routers. Some hackers use MAC spoofing to try to hijack a communication session between two computers. When computer A wants to communicate with computer B, computer A may send an ARP packet to computer B.

Anti-MAC spoofing protects a computer from letting another computer reset a MAC address table. If a computer sends an ARP REQUEST message, the client allows the corresponding ARP RESPOND message within a period of 10 seconds. The client rejects all unsolicited ARP RESPOND messages.

This is in the firewall policy, and you can disable it if you know it is a false positive:

http://www.symantec.com/docs/HOWTO81160

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.
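
The request/reply rule quoted in the post above can be modelled as a small state tracker. This is an added example, not part of the original thread and not Symantec's implementation; the names `Arp`, `judge` and `blocked_senders`, all MAC addresses, and every IP except 172.17.128.250 are constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass

REPLY_WINDOW = 10.0  # seconds; the window stated in the feature description

@dataclass(frozen=True)
class Arp:
    ts: float         # capture time in seconds
    direction: str    # "out" or "in", relative to the protected client
    op: str           # "request" or "reply"
    sender_ip: str
    sender_mac: str
    target_ip: str

def judge(events, window=REPLY_WINDOW):
    """Return one verdict per event (time order): allow, block-unsolicited, not-modelled."""
    last_request = {}  # IP we asked about -> time of our latest outbound request
    verdicts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.direction == "out" and ev.op == "request":
            last_request[ev.target_ip] = ev.ts
            verdicts.append("allow")
        elif ev.direction == "in" and ev.op == "reply":
            asked = last_request.get(ev.sender_ip)
            solicited = asked is not None and ev.ts - asked <= window
            verdicts.append("allow" if solicited else "block-unsolicited")
        else:
            verdicts.append("not-modelled")  # the quoted text only spells out replies
    return verdicts

def blocked_senders(events, window=REPLY_WINDOW):
    """Count blocked replies per (IP, MAC) to show which device triggers the alerts."""
    ordered = sorted(events, key=lambda e: e.ts)
    pairs = zip(ordered, judge(ordered, window))
    return dict(Counter((e.sender_ip, e.sender_mac)
                        for e, v in pairs if v == "block-unsolicited"))

# Constructed sample traffic; only the KVM address 172.17.128.250 comes from the thread.
CLIENT, KVM, ROUTER = "172.17.128.10", "172.17.128.250", "172.17.128.1"
SAMPLE = [
    Arp(0.0, "out", "request", CLIENT, "02:00:00:00:00:10", KVM),
    Arp(0.2, "in", "reply", KVM, "02:00:00:00:00:fa", CLIENT),    # answers our request
    Arp(45.0, "in", "reply", KVM, "02:00:00:00:00:fa", CLIENT),   # window has expired
    Arp(50.0, "in", "reply", ROUTER, "02:00:00:00:00:01", CLIENT),  # never requested
]

if __name__ == "__main__":
    print(judge(SAMPLE), blocked_senders(SAMPLE))
```

A legitimate device that sends ARP replies nobody asked for is blocked exactly like a spoofer under this rule, which is why a false positive is possible.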

James007

Hi,

Check this:

Anti-MAC spoofing enabled on RU5 blocks access to router (x.x.x.1 IP address) with "Error: Unsolicited incoming ARP reply detected, this is a kind of MAC spoofing that may consequently do harm to your computer."
Article:TECH96608 | Created: 2009-01-07 | Updated: 2011-06-08 | Article URL http://www.symantec.com/docs/TECH96608

leiw

Hello all,

I have removed the check mark from "Enable Anti-MAC spoofing", but the issue is still here. Please help.

leiw

Hi James007,

Our office is mostly using Windows 7. What do you mean by disable IPv6?

Thanks

James007

Check Brian's and Ajit's comments in this thread:

https://www-secure.symantec.com/connect/forums/constant-notification-traffic-has-been-blocked-application-svchostexe

1. Turn off the iphelper service, set to manual. This stops the warning dialog from popping up.

2. Open the Network and Sharing Center, click "Change adapter settings", select the adapter being used, right-click and select "Properties".
Uncheck the box next to "Internet Protocol Version 6 (TCP/IPv6)".
IPv6 is on by default in Vista/Win7.

3. Restart machine.

leiw

Hi James,

Why will unchecking "Internet Protocol Version 6 (TCP/IPv6)" unblock the KVM IP address? I don't understand, thanks.

leiw

Hi all,

After disabling "Enable Anti-MAC spoofing", I haven't seen the message pop up in the past few days, and we can remote to the KVM.

We have a question: is there any option to exclude the KVM IP address in "Enable Anti-MAC spoofing"?

Thanks

Brɨan

Can't exclude. It's either all or nothing.


James007

Please don't forget to mark your thread as 'SOLVED' with the answer that best helps you.

SOLUTION
Brɨan

This is not a good solution. Please mark the one that actually helped.

Thanks
