Traffic blocked from other machines on network
Created: 04 Dec 2012 | Updated: 05 Dec 2012 | 7 comments
This issue has been solved. See solution.
I received a pop-up message yesterday that SEP is blocking traffic from my kernel. I looked at my logs, and the Network Threat Protection log shows SEP is blocking traffic from a number of machines on our network.
Remote ports range from 1053 to 64053. All traffic is being directed to either my port 139 or port 445. All packets are being blocked by the Block Local File Sharing rule. None of the remote users has occasion to be making SMB or NetBIOS connections to my machine. FWIW, all but one of the 10 remote machines from which traffic is being blocked is a Mac.
Is this a situation that warrants further investigation? I'm attaching my NTP log.
Discussion Filed Under:
Comments 7 Comments • Jump to latest comment
Do you have any shares setup on your machine?
SEP Knowledge Base
Endpoint SWAT
One USB drive on my machine was shared. Don't remember when I set that up. I've turned off sharing on that drive.
For whatever reason these 10 machines tried to access a share or what they thought were a share...did they map a drive to your USB drive and forget to disconnect it?
SEP Knowledge Base
Endpoint SWAT
That was my first thought. Most of these, though, are people who I am virtually certain have never mapped to a drive on my machine. We have an unwritten but pretty well followed protocol here not to map to an individual user's machine without first talking to the person. My user group is functionally separate from the group from which the majority of the traffic has come. We occasionally exchage data files with this group, but they have no need to map to my machine.
That was my first thought, but these are people who to my knowledge have never mapped to my machine. It would be extremely unusual for anyone to map to my machine without first talking to me about it.
This is an Intrusion Detection System alert generated by the Proactive Threat Protection system. This alert most likely indicates that a threat is trying to exploit Windows vulnerabilities in the Server service's handling of MSRPC requests, as described in Microsoft Security Bulletin MS08-067. The most well known threat which targeted this vulnerability is the W32.Downadup (aka Conficker) family of worms.
Check for any detections of W32.Downadup or other threats within your environment, and take steps to isolate and then clean the affected systems.
OR, you can just exclude that
1.Login into your Symantec Endpoint Protection Manager.
2.Click on Policies - Intrusion Prevention - edit your Intrusion Prevention policy
3.Click on Settings
4.Tick the "Enable excluded hosts" option and click on the Excluded Hosts button to add your ip address (or a range of ip address, alternatively you could also use the subnet option).
Regard's
Ajit Jha
Technical Consultant
ASC & STS
HI,
Check Comments
Vikram Kumar-SAV to SEP Symantec Employee Accredited
Ntoskrnl.exe--is the file used for file and print sharing..
So all the computers in the network poll on the UDP port 137 ,138 to find computers near them.
So even if you are not using the remote computer for file sharing you might get this pop-up.
Since on Unmanaged computer the option for Browse File and Print sharing on the Network in unchecked ( turned off )
So you might be getting this pop-up.
So what you can do is
Open SEP Interface-Under Network Threat Protection -Options-Change Settings-Microsoft Windows Networking-All network Adapters--Check both the boxes below then one by select all the adapters and make sure both the boxes are checked for all you Network adapters in the drop-down..
Reference
https://www-secure.symantec.com/connect/forums/symantec-endpoint-protection-110420275-blocked-traffic-ntoskrnlexehelp
https://www-secure.symantec.com/connect/forums/traffic-blocked-ntoskrnlexe-0
Thanks In Advance.
Manish
Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.
Would you like to reply?
Login or Register to post your comment.