
"traffic has been blocked from this application: svchost.exe"

Created: 25 Apr 2010 • Updated: 06 Nov 2010 | 6 comments

Why do I keep getting a pop up message from task tray icon "traffic has been blocked from this application: svchost.exe"?


.Brian wrote:

Is there a SID referenced?

For example: [SID: 20386] MS RPCSS Attack (2) detected. Traffic has been blocked from this application: C:\WINDOWS\system32\svchost.exe

You can then use it to look up what signature is being tripped. To do this, log in to SEPM and go to Policies ---> under View Policies, select your Intrusion Prevention policy and double-click it. Select Exceptions ---> click Add, and from here you will see all the current signatures. You should be able to locate the correct SID and find out more about what is going on.

You can check the logs. Go to Monitors ---> Logs ---> Network Threat Protection for the log type and Attacks for the log content. You can search by the computer name / IP by going into the Advanced Settings to get more granular.

You can also turn these notifications off so users don't see them. Go to Clients ---> Policies tab ---> click the "+" next to Location-specific Settings to expand it and select Tasks ---> Edit Settings ---> select Customize for whatever control you have it set to and uncheck Display Intrusion Prevention notifications.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

gegjr wrote:

I do not find anything [SID]. I did look under logs (there is no such "Monitors"), so I went to View Log, Network Threat Protection, View Logs and on the drop-down selected "Traffic Log" (there was nothing under "Packet Log"). What I see is a whole list of this over and over. I have no idea what it means except that it has something to do with C:\Windows\system32\svchost.exe and some GUICONFIG@ADVRULECONFIG. Is this some virus? When I check for status and threats everything says it is copacetic. What gives? Is this guiconfig@advrulconfig a virus of some sort?

2949 4/23/2010 1:40:16 PM Blocked 3 Unknown UDP 65.55.158.119 00-22-A4-7D-CD-C1 3544 192.168.1.75 00-14-22-E0-CF-6A 1622 C:\WINDOWS\system32\svchost.exe ggivensjr DELL3 Default 4 4/23/2010 1:39:11 PM 4/23/2010 1:39:22 PM GUI%GUICONFIG#SRULE@ADVRULECONFIG#Normal_103
2950 4/23/2010 1:54:01 PM Blocked 3 Unknown UDP teredo.ipv6.microsoft.com [65.55.158.118] 00-22-A4-7D-CD-C1 3544 192.168.1.75 00-14-22-E0-CF-6A 1627 C:\WINDOWS\system32\svchost.exe ggivensjr DELL3 Default 4 4/23/2010 1:52:56 PM 4/23/2010 1:53:07 PM GUI%GUICONFIG#SRULE@ADVRULECONFIG#Normal_103
2951 4/23/2010 1:54:17 PM Blocked 3 Unknown UDP 65.55.158.119 00-22-A4-7D-CD-C1 3544 192.168.1.75 00-14-22-E0-CF-6A 1627 C:\WINDOWS\system32\svchost.exe ggivensjr DELL3 Default 4 4/23/2010 1:53:12 PM 4/23/2010 1:53:23 PM GUI%GUICONFIG#SRULE@ADVRULECONFIG#Normal_103
2952 4/23/2010 2:06:47 PM Blocked 3 Unknown UDP teredo.ipv6.microsoft.com [65.55.158.116] 00-22-A4-7D-CD-C1 3544 192.168.1.75 00-14-22-E0-CF-6A 1635 C:\WINDOWS\system32\svchost.exe ggivensjr DELL3 Default 4 4/23/2010 2:05:42 PM 4/23/2010 2:05:53 PM GUI%GUICONFIG#SRULE@ADVRULECONFIG#Normal_103
2953 4/23/2010 2:07:03 PM Blocked 3 Unknown UDP 65.55.158.117 00-22-A4-7D-CD-C1 3544 192.168.1.75 00-14-22-E0-CF-6A 1635 C:\WINDOWS\system32\svchost.exe ggivensjr DELL3 Default 4 4/23/2010 2:05:58 PM 4/23/2010 2:06:04 PM GUI%GUICONFIG#SRULE@ADVRULECONFIG#Normal_103
2954 4/23/2010 2:20:06 PM Blocked 3 Unknown UDP teredo.ipv6.microsoft.com [65.55.158.118] 00-22-A4-7D-CD-C1 3544 192.168.1.75 00-14-22-E0-CF-6A 1641 C:\WINDOWS\system32\svchost.exe ggivensjr DELL3 Default 4 4/23/2010 2:19:01 PM 4/23/2010 2:19:12 PM GUI%GUICONFIG#SRULE@ADVRULECONFIG#Normal_103
2955 4/23/2010 2:20:23 PM Blocked 3 Unknown UDP 65.55.158.119 00-22-A4-7D-CD-C1 3544 192.168.1.75 00-14-22-E0-CF-6A 1641 C:\WINDOWS\system32\svchost.exe ggivensjr DELL3 Default 4 4/23/2010 2:19:18 PM 4/23/2010 2:19:23 PM GUI%GUICONFIG#SRULE@ADVRULECONFIG#Normal_103
2956 4/23/2010 2:28:11 PM Blocked 3 Unknown UDP teredo.ipv6.microsoft.com [65.55.158.116] 00-22-A4-7D-CD-C1 3544 192.168.1.75 00-14-22-E0-CF-6A 1645 C:\WINDOWS\system32\svchost.exe ggivensjr DELL3 Default 4 4/23/2010 2:27:07 PM 4/23/2010 2:27:17 PM GUI%GUICONFIG#SRULE@ADVRULECONFIG#Normal_103
2957 4/23/2010 2:28:28 PM Blocked 3 Unknown UDP 65.55.158.117 00-22-A4-7D-CD-C1 3544 192.168.1.75 00-14-22-E0-CF-6A 1645 C:\WINDOWS\system32\svchost.exe ggivensjr DELL3 Default 4 4/23/2010 2:27:23 PM 4/23/2010 2:27:34 PM GUI%GUICONFIG#SRULE@ADVRULECONFIG#Normal_103
2958 4/23/2010 2:39:06 PM Blocked 3 Unknown UDP teredo.ipv6.microsoft.com [65.55.158.116] 00-22-A4-7D-CD-C1 3544 192.168.1.75 00-14-22-E0-CF-6A 1661 C:\WINDOWS\system32\svchost.exe ggivensjr DELL3 Default 4 4/23/2010 2:38:01 PM 4/23/2010 2:38:12 PM GUI%GUICONFIG#SRULE@ADVRULECONFIG#Normal_103
2959 4/23/2010 2:39:22 PM Blocked 3 Unknown UDP 65.55.158.117 00-22-A4-7D-CD-C1 3544 192.168.1.75 00-14-22-E0-CF-6A 1661 C:\WINDOWS\system32\svchost.exe ggivensjr DELL3 Default 4 4/23/2010 2:38:17 PM 4/23/2010 2:38:28 PM GUI%GUICONFIG#SRULE@ADVRULECONFIG#Normal_103
2960 4/23/2010 2:53:17 PM Blocked 3 Unknown UDP teredo.ipv6.microsoft.com [65.55.158.116] 00-22-A4-7D-CD-C1 3544 192.168.1.75 00-14-22-E0-CF-6A 1680 C:\WINDOWS\system32\svchost.exe ggivensjr DELL3 Default 4 4/23/2010 2:52:13 PM 4/23/2010 2:52:23 PM GUI%GUICONFIG#SRULE@ADVRULECONFIG#Normal_103

Attachment: traffic log.doc (561.5 KB)
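The rows above are whitespace-separated Traffic Log records, and reading twelve of them one by one hides what they have in common. As an added example that is not part of this thread and not Symantec's tooling, the Python script below parses such rows (the twelve posted above, embedded as a constructed sample), collapses them into one record per application, protocol and remote port, and labels UDP/3544 with its IANA-registered service name, teredo, so an administrator can see the shared pattern (one process, one protocol, one port, four remote addresses that resolve to the same host name) before deciding whether the firewall rule, the host, or neither needs attention. The field names in the regular expression are my own reading of the row layout, not SEPM's official column headers.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the twelve SEP Traffic Log rows posted in the thread,
# copied as the forum rendered them (whitespace-separated, one row per line).
SAMPLE_LOG = r"""
2949 4/23/2010 1:40:16 PM Blocked 3 Unknown UDP 65.55.158.119 00-22-A4-7D-CD-C1 3544 192.168.1.75 00-14-22-E0-CF-6A 1622 C:\WINDOWS\system32\svchost.exe ggivensjr DELL3 Default 4 4/23/2010 1:39:11 PM 4/23/2010 1:39:22 PM GUI%GUICONFIG#SRULE@ADVRULECONFIG#Normal_103
2950 4/23/2010 1:54:01 PM Blocked 3 Unknown UDP teredo.ipv6.microsoft.com [65.55.158.118] 00-22-A4-7D-CD-C1 3544 192.168.1.75 00-14-22-E0-CF-6A 1627 C:\WINDOWS\system32\svchost.exe ggivensjr DELL3 Default 4 4/23/2010 1:52:56 PM 4/23/2010 1:53:07 PM GUI%GUICONFIG#SRULE@ADVRULECONFIG#Normal_103
2951 4/23/2010 1:54:17 PM Blocked 3 Unknown UDP 65.55.158.119 00-22-A4-7D-CD-C1 3544 192.168.1.75 00-14-22-E0-CF-6A 1627 C:\WINDOWS\system32\svchost.exe ggivensjr DELL3 Default 4 4/23/2010 1:53:12 PM 4/23/2010 1:53:23 PM GUI%GUICONFIG#SRULE@ADVRULECONFIG#Normal_103
2952 4/23/2010 2:06:47 PM Blocked 3 Unknown UDP teredo.ipv6.microsoft.com [65.55.158.116] 00-22-A4-7D-CD-C1 3544 192.168.1.75 00-14-22-E0-CF-6A 1635 C:\WINDOWS\system32\svchost.exe ggivensjr DELL3 Default 4 4/23/2010 2:05:42 PM 4/23/2010 2:05:53 PM GUI%GUICONFIG#SRULE@ADVRULECONFIG#Normal_103
2953 4/23/2010 2:07:03 PM Blocked 3 Unknown UDP 65.55.158.117 00-22-A4-7D-CD-C1 3544 192.168.1.75 00-14-22-E0-CF-6A 1635 C:\WINDOWS\system32\svchost.exe ggivensjr DELL3 Default 4 4/23/2010 2:05:58 PM 4/23/2010 2:06:04 PM GUI%GUICONFIG#SRULE@ADVRULECONFIG#Normal_103
2954 4/23/2010 2:20:06 PM Blocked 3 Unknown UDP teredo.ipv6.microsoft.com [65.55.158.118] 00-22-A4-7D-CD-C1 3544 192.168.1.75 00-14-22-E0-CF-6A 1641 C:\WINDOWS\system32\svchost.exe ggivensjr DELL3 Default 4 4/23/2010 2:19:01 PM 4/23/2010 2:19:12 PM GUI%GUICONFIG#SRULE@ADVRULECONFIG#Normal_103
2955 4/23/2010 2:20:23 PM Blocked 3 Unknown UDP 65.55.158.119 00-22-A4-7D-CD-C1 3544 192.168.1.75 00-14-22-E0-CF-6A 1641 C:\WINDOWS\system32\svchost.exe ggivensjr DELL3 Default 4 4/23/2010 2:19:18 PM 4/23/2010 2:19:23 PM GUI%GUICONFIG#SRULE@ADVRULECONFIG#Normal_103
2956 4/23/2010 2:28:11 PM Blocked 3 Unknown UDP teredo.ipv6.microsoft.com [65.55.158.116] 00-22-A4-7D-CD-C1 3544 192.168.1.75 00-14-22-E0-CF-6A 1645 C:\WINDOWS\system32\svchost.exe ggivensjr DELL3 Default 4 4/23/2010 2:27:07 PM 4/23/2010 2:27:17 PM GUI%GUICONFIG#SRULE@ADVRULECONFIG#Normal_103
2957 4/23/2010 2:28:28 PM Blocked 3 Unknown UDP 65.55.158.117 00-22-A4-7D-CD-C1 3544 192.168.1.75 00-14-22-E0-CF-6A 1645 C:\WINDOWS\system32\svchost.exe ggivensjr DELL3 Default 4 4/23/2010 2:27:23 PM 4/23/2010 2:27:34 PM GUI%GUICONFIG#SRULE@ADVRULECONFIG#Normal_103
2958 4/23/2010 2:39:06 PM Blocked 3 Unknown UDP teredo.ipv6.microsoft.com [65.55.158.116] 00-22-A4-7D-CD-C1 3544 192.168.1.75 00-14-22-E0-CF-6A 1661 C:\WINDOWS\system32\svchost.exe ggivensjr DELL3 Default 4 4/23/2010 2:38:01 PM 4/23/2010 2:38:12 PM GUI%GUICONFIG#SRULE@ADVRULECONFIG#Normal_103
2959 4/23/2010 2:39:22 PM Blocked 3 Unknown UDP 65.55.158.117 00-22-A4-7D-CD-C1 3544 192.168.1.75 00-14-22-E0-CF-6A 1661 C:\WINDOWS\system32\svchost.exe ggivensjr DELL3 Default 4 4/23/2010 2:38:17 PM 4/23/2010 2:38:28 PM GUI%GUICONFIG#SRULE@ADVRULECONFIG#Normal_103
2960 4/23/2010 2:53:17 PM Blocked 3 Unknown UDP teredo.ipv6.microsoft.com [65.55.158.116] 00-22-A4-7D-CD-C1 3544 192.168.1.75 00-14-22-E0-CF-6A 1680 C:\WINDOWS\system32\svchost.exe ggivensjr DELL3 Default 4 4/23/2010 2:52:13 PM 4/23/2010 2:52:23 PM GUI%GUICONFIG#SRULE@ADVRULECONFIG#Normal_103
"""

_TS = r"\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M"   # e.g. 4/23/2010 1:40:16 PM
_MAC = r"(?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2}"            # e.g. 00-22-A4-7D-CD-C1

# Column layout inferred from the posted rows. The group names are my own
# labels for the fields (an assumption), not SEPM's official column headers.
# The remote host is either a bare IP or "hostname [ip]".
ROW_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<time>" + _TS + r")\s+(?P<action>\S+)\s+(?P<severity>\d+)\s+"
    r"(?P<direction>\S+)\s+(?P<proto>\S+)\s+"
    r"(?:(?P<remote_name>\S+)\s+\[(?P<remote_ip_named>[\d.]+)\]|(?P<remote_ip_bare>[\d.]+))\s+"
    r"(?P<remote_mac>" + _MAC + r")\s+(?P<remote_port>\d+)\s+"
    r"(?P<local_ip>[\d.]+)\s+(?P<local_mac>" + _MAC + r")\s+(?P<local_port>\d+)\s+"
    r"(?P<app>\S+)\s+(?P<user>\S+)\s+(?P<host>\S+)\s+(?P<location>\S+)\s+(?P<count>\d+)\s+"
    r"(?P<begin>" + _TS + r")\s+(?P<end>" + _TS + r")\s+(?P<rule>\S+)\s*$"
)

# UDP service names an analyst would recognise; 3544 is IANA-registered as teredo.
KNOWN_UDP_SERVICES = {3544: "teredo"}


def _ts(text):
    return datetime.strptime(text, "%m/%d/%Y %I:%M:%S %p")


def parse_rows(text):
    """Parse Traffic Log rows; malformed lines are skipped rather than guessed at."""
    rows = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        named, bare = d.pop("remote_ip_named"), d.pop("remote_ip_bare")
        d["remote_ip"] = named or bare          # whichever form the row used
        for key in ("seq", "severity", "remote_port", "local_port", "count"):
            d[key] = int(d[key])
        for key in ("time", "begin", "end"):
            d[key] = _ts(d[key])
        rows.append(d)
    return rows


def summarize(rows):
    """Collapse events into one record per (application, protocol, remote port)."""
    groups = defaultdict(lambda: {
        "events": 0, "occurrences": 0, "remote_ips": set(), "remote_names": set(),
        "hosts": set(), "users": set(), "first_seen": None, "last_seen": None,
    })
    for r in rows:
        g = groups[(r["app"], r["proto"], r["remote_port"])]
        g["events"] += 1
        g["occurrences"] += r["count"]          # the row's own repeat counter
        g["remote_ips"].add(r["remote_ip"])
        if r["remote_name"]:
            g["remote_names"].add(r["remote_name"])
        g["hosts"].add(r["host"])
        g["users"].add(r["user"])
        g["first_seen"] = min(filter(None, (g["first_seen"], r["begin"])))
        g["last_seen"] = max(filter(None, (g["last_seen"], r["end"])))
    return dict(groups)


def triage_report(rows):
    """One human-readable line per group, naming the service when the port is known."""
    lines = []
    for (app, proto, port), g in sorted(summarize(rows).items()):
        service = KNOWN_UDP_SERVICES.get(port, "unknown") if proto == "UDP" else "n/a"
        names = ", ".join(sorted(g["remote_names"])) or "(no reverse name in log)"
        lines.append(
            f"{app} {proto}/{port} ({service}): {g['events']} events, "
            f"{g['occurrences']} occurrences, {len(g['remote_ips'])} remote IPs, "
            f"names: {names}, hosts: {', '.join(sorted(g['hosts']))}, "
            f"window: {g['first_seen']:%Y-%m-%d %H:%M} to {g['last_seen']:%H:%M}"
        )
    return lines


if __name__ == "__main__":
    for line in triage_report(parse_rows(SAMPLE_LOG)):
        print(line)
```

Run as-is it prints a single summary line for the twelve rows: svchost.exe, UDP/3544 (teredo), 12 events and 48 occurrences to four addresses that share the name teredo.ipv6.microsoft.com, all from host DELL3 in a window of about 75 minutes. That is the information the "Add" exception dialog and the Attacks log described earlier in the thread would be consulted with; the script does not decide whether the traffic is wanted, it only makes the blocked flows comparable.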
blenahan wrote:

I have found it most likely means you have malware running around on your machine.  A lot of them use the Windows svchost.exe to perform some of their tasks.  It means SEP is working to block it, but you may need to run some other tools to completely remove it from your system.  Try Malwarebytes Anti-Malware.  Not that I am trying to pimp another product, but it's sometimes necessary to run a couple of different product scans to completely rid yourself of some of these nasties.


_________________________________________________________________

Please remember to mark the thread 'SOLVED' with the answer that most helped you by choosing 'Mark As Solution' on the applicable answer

gegjr wrote:

Please see the following thread:

posted September 6th, 2009

Symantec Endpoint Protection 11.0.4202.75 blocked traffic for ntoskrnl.exe....HELP

AravindKM wrote:

In the log file some IPs are repeating many times. Remove those PCs from the network and do a scan in safe mode.

Please don't forget to mark your thread solved with whatever answer helped you : ) Thanks & Regards Aravind

.Brian wrote:

Have you scanned your PC with another program such as Malwarebytes or HitmanPro?

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.