
Traffic from ip address xxx.xxx.xxx.xxx is blocked

Created: 11 Dec 2012 • Updated: 11 Dec 2012 | 8 comments

Dear Sir/Madam,

I have recently created two clean workstation images on our network and I am receiving 'traffic from ip address xxx.xxx.xxx.xxx is blocked...' messages.

The ip addresses are those within our network range.  They only appear on the two workstations that we have created and not on any of the many other established networked workstations.

I have read some of the boards here but cannot figure out how to resolve the issue.

I just want to make sure we haven't got a serious problem.  Our SEP software is up to date, as are the workstations.

What would I need to do to prevent the messages from appearing without stopping the SEP from doing its job?

Any help would be greatly appreciated.


W007 wrote:

Hi,

Can you provide a snapshot of the error?

What SEP version are you using?

An Intrusion Prevention signature is automatically blocking an attacker's IP address. It blocks network traffic from the attacker for a configurable duration (default 10 minutes).

To create an exception in the Intrusion Prevention policy to allow a specific ID:

1. Open the Symantec Endpoint Protection Manager console.
2. Select the 'Policies' tab.
3. Under 'View Policies', select 'Intrusion Prevention'.
4. Select the Intrusion Prevention policy, and under 'Tasks' select 'Edit the Policy'.
5. Select the 'Exceptions' tab.
6. Click the 'Add...' button.
7. Search for and select the blocked ID.
8. Click the 'Next>>' button.
9. Change 'Action' from 'Block' to 'Allow'. Click the 'OK' button.
10. Check that the edited exception has been added to the 'Intrusion Prevention Exceptions' list.
11. Click the 'OK' button to save the changes in the Intrusion Prevention policy.


Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

pete_4u2002 wrote:

It looks like the IPS signature has detected the vulnerability, and because of the Active Response settings the system is being blocked for 10 minutes (600 seconds).

Ajit Jha wrote:

Are these notifications containing any SID? If yes, follow the steps provided by ManishS. If not, then log in to SEPM --> Policy --> Firewall Policy --> Protection and Stealth --> uncheck 'Automatically block an attacker's IP address'.

Regards,

Ajit Jha

Technical Consultant

ASC & STS

.Brian wrote:

What version of SEP is this? You can uncheck the option in SEPM that notifies users, while still allowing IPS to function as needed:


- Clients page
- Select a group
- Policies tab
- Click + next to Location-specific Settings
- Next to Client User Interface Control Settings, select Tasks and Edit Settings
- Select Customize
- Set the option as seen above


Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

NMYoung wrote:

Thank you all for your help.  I've followed Brian81's suggestion for now.  It appears to have worked and stopped the messages popping up.

However, to answer some of your questions, we are using SEP 11.0.6005.562.

A SID is generated, but not all the time.  The IP addresses change too.  But all IPs are internal and have the latest SEP software installed.

The last SID code that popped up before stopping them was 23179 OS Attack:MSRPC Server Service RPC CVE-2008-4250

Thanks again.

.Brian wrote:

This signature is generally associated with the Conficker worm:

https://www.symantec.com/security_response/attacks...

You'll want to scan those machines with the Conficker removal tool found here:

https://www.symantec.com/security_response/writeup...

Also, make sure you apply the patches.

Cameron_W wrote:

These new images, do they have up-to-date Microsoft patches? My guess is that they do not. I would recommend running the Microsoft Baseline Security Analyzer tool on these images to verify whether you are missing any patches, specifically MS08-067, which Downadup takes advantage of.

http://www.microsoft.com/en-us/download/details.as...

If I was able to help resolve your issue please mark my post as solution.
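Added example, not part of the thread or of Symantec's or Microsoft's tooling: a PowerShell audit that checks hosts (the two new images, and the internal source IPs named in the SEP alerts) for the MS08-067 fix that .Brian and Cameron_W point at, plus two widely documented Conficker side effects. Assumptions, labelled as such: KB958644 is the update shipped by MS08-067; the service list is the set of update/security services that public Conficker write-ups report the worm disabling; Win32_ScheduledJob is used because Conficker variants are reported to persist via AT jobs; and the account running it has WMI access to the targets. Operating systems from 6.1 (Windows 7 / Server 2008 R2) onward ship with the fix built in, so Get-HotFix will not list the KB there and the script treats those as patched rather than raising a false "UNPATCHED".

```powershell
# Added example (not from the thread). Audits hosts for MS08-067 and common Conficker indicators.
# Assumptions: KB958644 = MS08-067 update; $watchedServices and the AT-job check are taken from
# public Conficker analyses; run with an account that has WMI access to each target.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME)
)

# Services that Conficker is documented to stop and set to Disabled (assumption: list from public write-ups).
$watchedServices = 'wuauserv', 'BITS', 'WinDefend', 'wscsvc', 'ERSvc'

function Test-Ms08067Host {
    param([string]$Computer)

    $result = [ordered]@{
        Computer         = $Computer
        KB958644         = $false
        DisabledServices = @()
        AtJobs           = @()
        Verdict          = ''
    }

    # Windows 7 / 2008 R2 (NT 6.1) and later include the fix in the base OS; Get-HotFix will not show the KB.
    $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $Computer -ErrorAction SilentlyContinue
    $needsKb = ($os -ne $null) -and ([version]$os.Version -lt [version]'6.1')

    if ($needsKb) {
        # Get-HotFix reads Win32_QuickFixEngineering over WMI; absence or an unreachable host counts as unpatched.
        try {
            $hf = Get-HotFix -Id 'KB958644' -ComputerName $Computer -ErrorAction Stop
            $result.KB958644 = [bool]$hf
        } catch {
            $result.KB958644 = $false
        }
    } elseif ($os) {
        $result.KB958644 = $true    # fix is built into this OS version
    }

    # Conficker disables update and security-centre services; report any that are set to Disabled.
    foreach ($svc in $watchedServices) {
        $s = Get-WmiObject -Class Win32_Service -ComputerName $Computer -Filter "Name='$svc'" -ErrorAction SilentlyContinue
        if ($s -and $s.StartMode -eq 'Disabled') {
            $result.DisabledServices += $svc
        }
    }

    # Conficker variants are reported to create AT jobs to re-launch themselves; list any for review.
    $jobs = Get-WmiObject -Class Win32_ScheduledJob -ComputerName $Computer -ErrorAction SilentlyContinue
    if ($jobs) { $result.AtJobs = @($jobs | ForEach-Object { $_.Command }) }

    if (-not $os) {
        $result.Verdict = 'UNREACHABLE: WMI query failed, check connectivity and credentials'
    } elseif (-not $result.KB958644) {
        $result.Verdict = 'UNPATCHED: apply MS08-067 (KB958644) before returning the host to the network'
    } elseif ($result.DisabledServices.Count -gt 0 -or $result.AtJobs.Count -gt 0) {
        $result.Verdict = 'PATCHED but Conficker indicators present: run the removal tool and a full scan'
    } else {
        $result.Verdict = 'OK'
    }
    [pscustomobject]$result
}

# Usage: .\Test-Ms08067.ps1 -ComputerName WS-IMAGE01, WS-IMAGE02, <source IP from the SEP alert>
foreach ($c in $ComputerName) { Test-Ms08067Host -Computer $c }
```

Feed it the IP addresses shown in the "traffic from ip address ... is blocked" notifications rather than only the two new workstations: the IPS hit fires on the machine being attacked, so the host that actually needs cleaning is the source, which is why the addresses keep changing. A clean image built from original XP/2003/Vista media will report UNPATCHED until KB958644 (or a later rollup that supersedes it, which this simple KB lookup will not recognise) is applied, so confirm with the Microsoft Baseline Security Analyzer result before trusting an UNPATCHED verdict on an otherwise maintained host.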

cus000 wrote:

You'll still need to check the source machine. Try re-running a full scan on the machine and then reboot.