Video Screencast Help

Traffic blocked from other machines on network

Created: 04 Dec 2012 • Updated: 05 Dec 2012 | 7 comments
This issue has been solved. See solution.

I received a pop-up message yesterday that SEP is blocking traffic from my kernel. I looked at my logs, and the Network Threat Protection log shows SEP is blocking traffic from a number of machines on our network.

Remote ports range from 1053 to 64053. All traffic is being directed to either my port 139 or port 445. All packets are being blocked by the Block Local File Sharing rule. None of the remote users has occasion to be making SMB or NetBIOS connections to my machine. FWIW, all but one of the 10 remote machines from which traffic is being blocked is a Mac.

Is this a situation that warrants further investigation? I'm attaching my NTP log.

Comments 7 CommentsJump to latest comment

ᗺrian's picture

Do you have any shares setup on your machine?

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

G_J_P's picture

One USB drive on my machine was shared. Don't remember when I set that up. I've turned off sharing on that drive.

ᗺrian's picture

For whatever reason these 10 machines tried to access a share or what they thought were a share...did they map a drive to your USB drive and forget to disconnect it?

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

G_J_P's picture

That was my first thought. Most of these, though, are people who I am virtually certain have never mapped to a drive on my machine. We have an unwritten but pretty well followed protocol here not to map to an individual user's machine without first talking to the person. My user group is functionally separate from the group from which the majority of the traffic has come. We occasionally exchage data files with this group, but they have no need to map to my machine.

G_J_P's picture

That was my first thought, but these are people who to my knowledge have never mapped to my machine. It would be extremely unusual for anyone to map to my machine without first talking to me about it.

Ajit Jha's picture

This is an Intrusion Detection System alert generated by the Proactive Threat Protection system. This alert most likely indicates that a threat is trying to exploit Windows vulnerabilities in the Server service's handling of MSRPC requests, as described in Microsoft Security Bulletin MS08-067. The most well known threat which targeted this vulnerability is the W32.Downadup (aka Conficker) family of worms.

Check for any detections of W32.Downadup or other threats within your environment, and take steps to isolate and then clean the affected systems.

OR, you can just exclude that

1.Login into your Symantec Endpoint Protection Manager.
2.Click on Policies - Intrusion Prevention - edit your Intrusion Prevention policy
3.Click on Settings
4.Tick the "Enable excluded hosts" option and click on the Excluded Hosts button to add your ip address (or a range of ip address, alternatively you could also use the subnet option).


Ajit Jha

Technical Consultant


W007's picture


Check Comments

Vikram Kumar-SAV to SEP Symantec Employee Accredited

 Ntoskrnl.exe--is the file used for file and print sharing..

So all the computers in the network poll on the UDP port 137 ,138 to find computers near them.
So even if you are not using the remote computer for file sharing you might get this pop-up.
Since on Unmanaged computer the option for Browse File and Print sharing on the Network in unchecked ( turned off )
So you might be getting this pop-up.
So what you can do is 
Open SEP Interface-Under Network Threat Protection -Options-Change Settings-Microsoft Windows Networking-All network Adapters--Check both the boxes below then one by select all the adapters and make sure both the boxes are checked for all you Network adapters in the drop-down..


Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.