Traffic has been blocked from this application: (svchost.exe)
Hi, I'm getting notifications every few minutes that traffic has been blocked for svchost.exe
I'm running symantec endpoint protection version 11.0.6100.645 on windows 7 home premium 64 bit, unmanaged.
I have searched the forums and found others with very similar issues, although I have been unable to find a resolution.
I will try to provide any information that is needed. I would like to solve this problem and help anyone else having the same problem.
I saw in another thread that someone thought a homegroup could be the culprit, but there is no homegroup setup on my pc. I verified this right before typing by checking the network and sharing center.
From my network threat protection traffic log (this pattern happens every couple minutes):
1/1/2011 11:39:11 PM Blocked 3 Outgoing IPv6 [type=0x86DD] 0.0.0.0 33-33-00-01-00-02 0 0.0.0.0 00-22-B0-6E-B1-F0 0 Steven SoederFTW Default 1 1/1/2011 11:38:09 PM 1/1/2011 11:38:09 PM Block IPv6 (Ethernet type 0x86dd)
1/1/2011 11:38:40 PM Blocked 3 Outgoing IPv6 [type=0x86DD] 0.0.0.0 33-33-00-01-00-02 0 0.0.0.0 00-22-B0-6E-B1-F0 0 Steven SoederFTW Default 1 1/1/2011 11:37:39 PM 1/1/2011 11:37:39 PM Block IPv6 (Ethernet type 0x86dd)
1/1/2011 11:38:25 PM Blocked 3 Outgoing IPv6 [type=0x86DD] 0.0.0.0 33-33-00-01-00-02 0 0.0.0.0 00-22-B0-6E-B1-F0 0 Steven SoederFTW Default 1 1/1/2011 11:37:23 PM 1/1/2011 11:37:23 PM Block IPv6 (Ethernet type 0x86dd)
1/1/2011 11:38:14 PM Blocked 3 Outgoing IPv6 [type=0x86DD] 0.0.0.0 33-33-00-01-00-02 0 0.0.0.0 00-22-B0-6E-B1-F0 0 Steven SoederFTW Default 1 1/1/2011 11:37:13 PM 1/1/2011 11:37:13 PM Block IPv6 (Ethernet type 0x86dd)
1/1/2011 11:38:09 PM Blocked 3 Outgoing IPv6 [type=0x86DD] 0.0.0.0 33-33-00-01-00-02 0 0.0.0.0 00-22-B0-6E-B1-F0 0 Steven SoederFTW Default 1 1/1/2011 11:37:08 PM 1/1/2011 11:37:08 PM Block IPv6 (Ethernet type 0x86dd)
1/1/2011 11:38:09 PM Blocked 3 Outgoing IPv6 [type=0x86DD] 0.0.0.0 33-33-00-01-00-02 0 0.0.0.0 00-22-B0-6E-B1-F0 0 Steven SoederFTW Default 1 1/1/2011 11:37:08 PM 1/1/2011 11:37:08 PM Block IPv6 (Ethernet type 0x86dd)
1/1/2011 11:38:09 PM Blocked 3 Outgoing IPv6 [type=0x86DD] 0.0.0.0 33-33-00-01-00-02 0 0.0.0.0 00-22-B0-6E-B1-F0 0 Steven SoederFTW Default 1 1/1/2011 11:37:08 PM 1/1/2011 11:37:08 PM Block IPv6 (Ethernet type 0x86dd)
1/1/2011 11:36:38 PM Allowed 10 Incoming UDP 192.168.1.2 00-1F-3B-32-11-C5 137 192.168.1.255 FF-FF-FF-FF-FF-FF 137 C:\Windows\system32\ntoskrnl.exe Steven SoederFTW Default 9 1/1/2011 11:35:36 PM 1/1/2011 11:36:22 PM Allows NetBIOS UDP protocols in LAN subnet
1/1/2011 11:35:41 PM Blocked 3 Outgoing IPv6 [type=0x86DD] 0.0.0.0 33-33-00-00-00-0C 0 0.0.0.0 00-22-B0-6E-B1-F0 0 Steven SoederFTW Default 1 1/1/2011 11:34:40 PM 1/1/2011 11:34:40 PM Block IPv6 (Ethernet type 0x86dd)
1/1/2011 11:35:41 PM Blocked 3 Outgoing IPv6 [type=0x86DD] 0.0.0.0 33-33-00-00-00-0C 0 0.0.0.0 00-22-B0-6E-B1-F0 0 Steven SoederFTW Default 1 1/1/2011 11:34:40 PM 1/1/2011 11:34:40 PM Block IPv6 (Ethernet type 0x86dd)
1/1/2011 11:35:41 PM Blocked 3 Outgoing IPv6 [type=0x86DD] 0.0.0.0 33-33-00-00-00-0C 0 0.0.0.0 00-22-B0-6E-B1-F0 0 Steven SoederFTW Default 1 1/1/2011 11:34:40 PM 1/1/2011 11:34:40 PM Block IPv6 (Ethernet type 0x86dd)
1/1/2011 11:35:41 PM Blocked 3 Outgoing IPv6 [type=0x86DD] 0.0.0.0 33-33-00-00-00-0C 0 0.0.0.0 00-22-B0-6E-B1-F0 0 Steven SoederFTW Default 1 1/1/2011 11:34:40 PM 1/1/2011 11:34:40 PM Block IPv6 (Ethernet type 0x86dd)
1/1/2011 11:35:36 PM Blocked 3 Outgoing IPv6 [type=0x86DD] 0.0.0.0 33-33-00-00-00-0C 0 0.0.0.0 00-22-B0-6E-B1-F0 0 Steven SoederFTW Default 1 1/1/2011 11:34:35 PM 1/1/2011 11:34:35 PM Block IPv6 (Ethernet type 0x86dd)
1/1/2011 11:35:36 PM Blocked 3 Outgoing IPv6 [type=0x86DD] 0.0.0.0 33-33-00-00-00-0C 0 0.0.0.0 00-22-B0-6E-B1-F0 0 Steven SoederFTW Default 1 1/1/2011 11:34:35 PM 1/1/2011 11:34:35 PM Block IPv6 (Ethernet type 0x86dd)
Also, in another forum post I was reading it was suggested to run a tasklist /svc to see what services are running... so I did that as well and here are the results:
Image Name PID Services
========================= ======== ============================================
System Idle Process 0 N/A
System 4 N/A
smss.exe 292 N/A
csrss.exe 380 N/A
wininit.exe 448 N/A
csrss.exe 460 N/A
services.exe 508 N/A
winlogon.exe 532 N/A
lsass.exe 552 KeyIso, SamSs
lsm.exe 568 N/A
svchost.exe 680 DcomLaunch, PlugPlay, Power
svchost.exe 760 RpcEptMapper, RpcSs
svchost.exe 856 AudioSrv, Dhcp, eventlog, HomeGroupProvider, lmhosts, wscsvc
svchost.exe 888 AudioEndpointBuilder, hidserv, Netman, PcaSvc, SysMain, TrkWks, UxSms, WdiSystemHost, Wlansvc
svchost.exe 916 AeLookupSvc, Appinfo, BITS, EapHost, gpsvc, IKEEXT, iphlpsvc, LanmanServer, MMCSS, ProfSvc, Schedule, SENS, ShellHWDetection, Themes, Winmgmt, wuauserv
svchost.exe 308 EventSystem, fdPHost, netprofm, nsi, WdiServiceHost
Smc.exe 440 SmcService
svchost.exe 1068 CryptSvc, Dnscache, LanmanWorkstation, NlaSvc
ccSvcHst.exe 1168 ccEvtMgr, ccSetMgr
spoolsv.exe 1488 Spooler
svchost.exe 1524 BFE, DPS, MpsSvc
Rtvscan.exe 1740 Symantec AntiVirus
svchost.exe 1860 PolicyAgent
taskhost.exe 2212 N/A
dwm.exe 2264 N/A
explorer.exe 2316 N/A
SmcGui.exe 2344 N/A
uTorrent.exe 2652 N/A
ProtectionUtilSurrogate.e 2780 N/A
ccApp.exe 2976 N/A
SearchIndexer.exe 1316 WSearch
wmpnetwk.exe 2560 WMPNetworkSvc
svchost.exe 2704 FDResPub, SSDPSRV
firefox.exe 908 N/A
plugin-container.exe 2180 N/A
sppsvc.exe 3188 sppsvc
msiexec.exe 2564 msiserver
Setup.exe 3864 N/A
Setup.exe 3664 N/A
msiexec.exe 3668 N/A
msiexec.exe 3724 N/A
SymCorpUI.exe 3336 N/A
audiodg.exe 3316 N/A
WmiPrvSE.exe 1088 N/A
cmd.exe 3916 N/A
conhost.exe 3976 N/A
tasklist.exe 3908 N/A
8 Comments
IPv6 is being blocked, which is one of the default rules in the firewall.
You can turn off IPv6 on your machine if it is not being used (I doubt it is) or if it is, you can turn off logging on this rule.
SEP Knowledge Base
Endpoint SWAT
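To see what the "Block IPv6" rule is actually dropping, the log lines in the question can be decoded rather than just counted. The following is an added example, not code from this thread or from Symantec: it parses the exported traffic-log lines in the column order SEP's traffic log uses (time, action, severity, direction, protocol, remote host/MAC/port, local host/MAC/port, optional application, user, user domain, location, occurrences, begin time, end time, rule) and maps the remote MAC back to an IPv6 multicast group. Per RFC 2464, an IPv6 multicast group maps to the Ethernet address 33-33 followed by the group's low 32 bits, so 33-33-00-01-00-02 is ff02::1:2 (all DHCPv6 relay agents and servers, the target of a DHCPv6 Solicit) and 33-33-00-00-00-0C is ff02::c (SSDP). The group table and the ff02:: scope are assumptions stated in the code; the sample lines are copied from the post above.

```python
"""Decode the 'Block IPv6' entries in a Symantec Endpoint Protection traffic log.

Added example; not code from the thread or from Symantec. Parses exported
traffic-log lines (whitespace-separated columns as posted) and decodes the
remote MAC: per RFC 2464 an IPv6 multicast group maps to 33-33 plus the
group's low 32 bits, so blocked frames can be attributed to a known group.
"""
import re
from collections import Counter

TS = r"\d+/\d+/\d+ \d+:\d+:\d+ [AP]M"
MAC = r"[0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5}"
LOG_LINE = re.compile(
    rf"^(?P<time>{TS}) (?P<action>Allowed|Blocked) (?P<severity>\d+) "
    rf"(?P<direction>Incoming|Outgoing) (?P<protocol>IPv6 \[type=0x[0-9A-Fa-f]+\]|TCP|UDP|ICMP) "
    rf"(?P<remote_ip>\S+) (?P<remote_mac>{MAC}) (?P<remote_port>\d+) "
    rf"(?P<local_ip>\S+) (?P<local_mac>{MAC}) (?P<local_port>\d+) "
    rf"(?P<rest>.+?) (?P<begin>{TS}) (?P<end>{TS}) (?P<rule>.+)$"
)

# Low 32 bits of well-known IPv6 link-local multicast groups (IANA registry);
# assumed table for this example, extend as needed.
KNOWN_GROUPS = {
    0x00000001: "all nodes",
    0x00000002: "all routers",
    0x0000000C: "SSDP, UPnP device discovery (Windows SSDPSRV service)",
    0x000000FB: "mDNS",
    0x00010002: "all DHCPv6 relay agents and servers (DHCPv6 Solicit from the DHCP client)",
    0x00010003: "LLMNR",
}


def ipv6_group_from_mac(mac):
    """Map an Ethernet multicast MAC back to its IPv6 group; None if not 33-33-*.

    The 33-33 mapping keeps only the group's low 32 bits, so the scope and any
    higher bits are not recoverable: the ff02:: prefix is assumed, which holds
    for every group in KNOWN_GROUPS and for the frames in the posted log, but
    e.g. a solicited-node group ff02::1:ffxx:xxxx prints as ff02::ffxx:xxxx.
    """
    octets = [int(o, 16) for o in mac.split("-")]
    if len(octets) != 6 or octets[:2] != [0x33, 0x33]:
        return None
    low32 = (octets[2] << 24) | (octets[3] << 16) | (octets[4] << 8) | octets[5]
    hi, lo = low32 >> 16, low32 & 0xFFFF
    group = f"ff02::{hi:x}:{lo:x}" if hi else f"ff02::{lo:x}"
    return group, KNOWN_GROUPS.get(low32, "unregistered or truncated group")


def parse_line(line):
    """Parse one exported traffic-log line into a dict; None if it does not match."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    tokens = entry.pop("rest").split()
    # SEP fills the application column only when it attributed the traffic to a
    # process; the blocked IPv6 frames carry just user, domain, location, count.
    entry["application"] = tokens[0] if "\\" in tokens[0] else None
    entry["occurrences"] = int(tokens[-1])
    group = ipv6_group_from_mac(entry["remote_mac"])
    entry["multicast_group"] = group[0] if group else None
    entry["group_description"] = group[1] if group else None
    return entry


def summarize_blocked(log_text):
    """Count blocked entries per decoded IPv6 multicast group."""
    counts = Counter()
    for line in log_text.strip().splitlines():
        entry = parse_line(line)
        if entry and entry["action"] == "Blocked" and entry["multicast_group"]:
            counts[entry["multicast_group"]] += 1
    return dict(counts)


# Four lines copied from the traffic log posted in the question (constructed subset).
SAMPLE_LOG = r"""
1/1/2011 11:39:11 PM Blocked 3 Outgoing IPv6 [type=0x86DD] 0.0.0.0 33-33-00-01-00-02 0 0.0.0.0 00-22-B0-6E-B1-F0 0 Steven SoederFTW Default 1 1/1/2011 11:38:09 PM 1/1/2011 11:38:09 PM Block IPv6 (Ethernet type 0x86dd)
1/1/2011 11:38:40 PM Blocked 3 Outgoing IPv6 [type=0x86DD] 0.0.0.0 33-33-00-01-00-02 0 0.0.0.0 00-22-B0-6E-B1-F0 0 Steven SoederFTW Default 1 1/1/2011 11:37:39 PM 1/1/2011 11:37:39 PM Block IPv6 (Ethernet type 0x86dd)
1/1/2011 11:36:38 PM Allowed 10 Incoming UDP 192.168.1.2 00-1F-3B-32-11-C5 137 192.168.1.255 FF-FF-FF-FF-FF-FF 137 C:\Windows\system32\ntoskrnl.exe Steven SoederFTW Default 9 1/1/2011 11:35:36 PM 1/1/2011 11:36:22 PM Allows NetBIOS UDP protocols in LAN subnet
1/1/2011 11:35:41 PM Blocked 3 Outgoing IPv6 [type=0x86DD] 0.0.0.0 33-33-00-00-00-0C 0 0.0.0.0 00-22-B0-6E-B1-F0 0 Steven SoederFTW Default 1 1/1/2011 11:34:40 PM 1/1/2011 11:34:40 PM Block IPv6 (Ethernet type 0x86dd)
"""

if __name__ == "__main__":
    for line in SAMPLE_LOG.strip().splitlines():
        e = parse_line(line)
        print(e["time"], e["action"], e["direction"], e["protocol"], e["remote_mac"],
              "->", e["multicast_group"] or e["remote_ip"], "|",
              e["group_description"] or e["rule"])
    print(summarize_blocked(SAMPLE_LOG))
```

Run against the posted lines, the blocked traffic resolves to DHCPv6 Solicit and SSDP discovery multicast, both sent by services that the tasklist /svc output in the question shows hosted in svchost.exe (Dhcp in PID 856, SSDPSRV in PID 2704), which is why the pop-up names svchost.exe rather than a user program. That is ordinary IPv6 autoconfiguration and device-discovery chatter on a host with the stack enabled, consistent with the reply above: disable IPv6 if it is unused, or keep the rule and turn off its logging.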
I see utorrent.exe running, you may have malware running on this system.
http://www.threatexpert.com/report.aspx?md5=7e2354...
Make sure you have the latest definitions and run a full scan in safe-mode.
If that fails to detect and remove the threats, there are some useful tools provided by Symantec to help with finding those hard-to-detect threats.
1. The Power Eraser Tool eliminates deeply embedded and difficult to remove threats that traditional virus scanning doesn't always detect.
2. The SERT (Symantec Endpoint Recovery Tool) is useful in situations where computers are too heavily infected for the Symantec Endpoint Protection client installed upon them to clean effectively.
3. The Load point Analysis Tool generates a detailed report of the programs loaded on your system. It is helpful in listing common loadpoints where threats can live.
Rapid Release Virus Definitions –
http://www.symantec.com/business/security_response/definitions/download/detail.jsp?gid=rr
Power Eraser tool –
http://security.symantec.com/nbrt/npe.asp?lcid=1033&origin=default
How To Use the Symantec Endpoint Recovery Tool with the Latest Virus Definitions –
http://www.symantec.com/business/support/index?page=content&id=TECH131732&locale=en_US
Support Tool with Power Eraser Tool included –
http://www.symantec.com/business/support/index?page=content&id=TECH105414&locale=en_US
How to use the Load Point Analysis within the Symantec Support Tool to help locate suspicious files http://www.symantec.com/business/support/index?page=content&id=TECH141402
If you are unable to remove the threat(s) from your systems, please submit the suspected files to Symantec or ThreatExpert for analysis. New signatures will be created and included in future definition sets for detection.
http://www.symantec.com/business/security_response/submitsamples.jsp
http://www.threatexpert.com/submit.aspx
Brian81: Good ideas. I will try disabling IPv6 on my PC and see if that solves the problem. Out of curiosity's sake, and so that I can have a better understanding of the changes I'm making: is there a reason my computer would need IPv6 turned on? Why is it trying to use IPv6 currently? And also, why is it blocked by default? If you can't answer those questions, maybe point me in the right direction ;)
Cycletech: I don't think it's a malware issue. This is a fresh install on a new PC. I installed Windows 7, and then I installed Endpoint. I then proceeded to install the rest of the software that needed to be installed, none of which is new to me. I downloaded the uTorrent install file directly from the uTorrent website, and installed it with Endpoint running. Endpoint hasn't found any issues yet, including the manual scan I ran. I guess anything is possible, but it seems very very very unlikely that is the underlying problem.
Thank you both for your time and speedy responses!
IPv6 is on by default in Vista/Win7.
I highly doubt you need IPv6 just yet. You can certainly check with your ISP for verification and to see if they have started moving to IPv6 addressing.
You can also run an ipconfig on your machine. If you see an IP address under IPv4 then you are using IPv4 and can turn IPv6 off.
Since IPv6 is on, it will be checked to see if it can be used and if not, it will just use IPv4.
I don't know why the default rule is to block IPv6. Probably because it is not in widespread use yet and can cause some issues with machines/networks, so Symantec took the liberty to block it by default.
SEP Knowledge Base
Endpoint SWAT
Hello,
I agree with Cycletech. We see so many attacks nowadays, and when I see an attack involving svchost.exe I suspect the Downadup.32 worm.
Please also check IPS logs from SEP Manager for that computer.
Monitor/Network Threat Protection/Attacks
then click Advanced to filter on that computer's IP address. If you see some lines with High or Critical level, click on them and then click Details at the top of the page. You can see the reason for the attack at the top of the page. If you see a line like MS-RPC ....... C:\Windows\System32\svchost.exe, then an attack from outside or from that computer has started.
Regards,
Oykun
Brian81: Thank you so much for your help, your suggestions worked and the problem is solved!
For anyone else having problems, the steps I followed were:
1. Turn off the iphelper service, set to manual. This stopped the warning dialog from popping up. But, I noticed there were still a lot of ipv6 requests being blocked in my logs (roughly half the amount there were before stopping iphelper service)
2. Open your network and sharing center, click "change adapter settings", select the adapter you are using (for me it was my wireless adapter), right-click and hit properties. Untick the box next to Internet Protocol Version 6 (TCP/IPv6).
3. Restart machine.
This process worked perfectly for me, and my logs are now clean and I get no annoying popups. Best of all, I can turn sounds back on with notification so I can actually be alerted if a real problem happens.
Don't forget to mark whatever post helped you as solved so others can benefit as well
SEP Knowledge Base
Endpoint SWAT
I had the same issue. New PC with a clean install of Windows 7 Home Premium 64. I installed SEP 11 RU6 64 bit and then every four minutes I would get a pop-up from Symantec saying "Traffic has been blocked from this application: svchost.exe", "Application blocked". I could turn the pop-up notification off but not the "bling" noise every four minutes. It was driving me nuts. I found several other forums with people asking about this issue but no one with a correct answer... until now. It is NOT a virus.
Follow Soederftw's instruction for disabling IPV6.
Thanks.