Traffic blocked from other machines on network
I received a pop-up message yesterday that SEP is blocking traffic from my kernel. I looked at my logs, and the Network Threat Protection log shows SEP is blocking traffic from a number of machines on our network.
Remote ports range from 1053 to 64053. All traffic is being directed to either my port 139 or port 445. All packets are being blocked by the Block Local File Sharing rule. None of the remote users has occasion to be making SMB or NetBIOS connections to my machine. FWIW, all but one of the 10 remote machines from which traffic is being blocked are Macs.
Is this a situation that warrants further investigation? I'm attaching my NTP log.
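The kind of triage the post above describes, turned into a script, as an added example that is not part of the original thread or of SEP: it parses a Network Threat Protection traffic log export, groups the blocked inbound connections by remote host, and labels each host according to whether it only hit the SMB/NetBIOS ports from ephemeral source ports (what any SMB client, a Mac browsing shares or a worm probing 445 alike, looks like) or swept several unrelated local ports, which ordinary file-sharing clients do not do. The log lines, host addresses and rule names are constructed for the example, and the columns are a simplified subset chosen here, not SEP's exact export layout.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of a traffic log export. The column set is a simplified
# subset chosen for this example, not SEP's real export layout; the rule
# names and addresses are made up.
SAMPLE_LOG = """time,action,direction,protocol,remote_host,remote_port,local_port,rule
2009-03-10 09:01:12,Blocked,Incoming,TCP,10.1.2.21,1053,445,Block Local File Sharing
2009-03-10 09:01:15,Blocked,Incoming,TCP,10.1.2.21,1054,139,Block Local File Sharing
2009-03-10 09:02:40,Blocked,Incoming,TCP,10.1.2.35,49201,445,Block Local File Sharing
2009-03-10 09:05:03,Blocked,Incoming,TCP,10.1.2.35,49202,445,Block Local File Sharing
2009-03-10 09:10:44,Blocked,Incoming,TCP,10.1.2.77,64053,139,Block Local File Sharing
2009-03-10 09:11:01,Blocked,Incoming,TCP,10.1.2.90,3101,445,Block Local File Sharing
2009-03-10 09:11:02,Blocked,Incoming,TCP,10.1.2.90,3102,135,Block all other IP traffic
2009-03-10 09:11:02,Blocked,Incoming,TCP,10.1.2.90,3103,3389,Block all other IP traffic
2009-03-10 09:11:03,Blocked,Incoming,TCP,10.1.2.90,3104,22,Block all other IP traffic
2009-03-10 09:12:00,Allowed,Outgoing,TCP,10.1.2.5,80,52000,Allow web traffic
"""

SMB_PORTS = {137, 138, 139, 445}   # NetBIOS name/datagram/session and SMB over TCP
EPHEMERAL_START = 1024             # anything at or above this is a client-side source port


def parse_log(text):
    """Parse the CSV export into dicts, converting the port columns to int."""
    records = []
    for row in csv.DictReader(io.StringIO(text.strip())):
        row["remote_port"] = int(row["remote_port"])
        row["local_port"] = int(row["local_port"])
        records.append(row)
    return records


def summarize(records):
    """Group blocked inbound events by remote host; allowed/outgoing rows are ignored."""
    hosts = defaultdict(lambda: {"attempts": 0, "local_ports": set(),
                                 "remote_ports": [], "rules": set()})
    for r in records:
        if r["action"] != "Blocked" or r["direction"] != "Incoming":
            continue
        h = hosts[r["remote_host"]]
        h["attempts"] += 1
        h["local_ports"].add(r["local_port"])
        h["remote_ports"].append(r["remote_port"])
        h["rules"].add(r["rule"])
    return dict(hosts)


def classify(host):
    """Heuristic label for one remote host's blocked traffic.

    'smb/netbios only': every blocked connection targeted 137-139/445 from an
    ephemeral source port. This is what an ordinary SMB client looks like, but
    also what a worm probing 445 looks like, so on its own it proves neither.
    'port sweep': the same host also hit several unrelated local ports, which
    file-sharing clients do not do; that host deserves a closer look.
    """
    non_smb = host["local_ports"] - SMB_PORTS
    all_ephemeral = all(p >= EPHEMERAL_START for p in host["remote_ports"])
    if not non_smb and all_ephemeral:
        return "smb/netbios only"
    if len(host["local_ports"]) >= 3:
        return "port sweep"
    return "mixed"


def triage(text):
    """Return {remote_host: (label, attempts, sorted local ports, (min, max) remote port)}."""
    out = {}
    for host, info in summarize(parse_log(text)).items():
        out[host] = (classify(info), info["attempts"], sorted(info["local_ports"]),
                     (min(info["remote_ports"]), max(info["remote_ports"])))
    return out


if __name__ == "__main__":
    for host, (label, n, lports, (lo, hi)) in sorted(triage(SAMPLE_LOG).items()):
        print(f"{host:<12} {label:<18} attempts={n:<3} local={lports} remote_ports={lo}-{hi}")
```

In the constructed sample, three hosts come out as "smb/netbios only" and one (10.1.2.90) as a "port sweep"; the allowed outbound web connection is dropped before grouping. The labels are a sorting aid, not a verdict: a host in the first bucket still needs its own logs or AV scan checked before it is cleared.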
This is an Intrusion Detection System alert generated by the Proactive Threat Protection system. This alert most likely indicates that a threat is trying to exploit Windows vulnerabilities in the Server service's handling of MSRPC requests, as described in Microsoft Security Bulletin MS08-067. The most well known threat which targeted this vulnerability is the W32.Downadup (aka Conficker) family of worms.
Check for any detections of W32.Downadup or other threats within your environment, and take steps to isolate and then clean the affected systems.
Or, you can just exclude that:
1. Log in to your Symantec Endpoint Protection Manager.
2. Click on Policies - Intrusion Prevention - edit your Intrusion Prevention policy.
3. Click on Settings.
4. Tick the "Enable excluded hosts" option and click on the Excluded Hosts button to add your IP address (or a range of IP addresses; alternatively, you could also use the subnet option).