Endpoint Protection

  • 1.  Traffic from ip address xxx.xxx.xxx.xxx is blocked

    Posted Dec 11, 2012 05:33 AM

    Dear Sir/Madam,

    I have recently created two clean workstation images on our network and I am receiving 'traffic from ip address xxx.xxx.xxx.xxx is blocked...' messages.

    The IP addresses are within our network range.  They only appear on the two workstations that we have created and not on any of the many other established networked workstations.

    I have read some of the boards here but cannot figure out how to resolve the issue.

    I just want to make sure we haven't got a serious problem.  Our SEP software is up to date, as are the workstations.

    What would I need to do to prevent the messages from appearing without stopping the SEP from doing its job?

    Any help would be greatly appreciated.



  • 2.  RE: Traffic from ip address xxx.xxx.xxx.xxx is blocked

    Posted Dec 11, 2012 05:37 AM

    Hi,

    Can you provide a snapshot of the error?

    What SEP version are you using?

    The Intrusion Prevention signature is automatically blocking an attacker's IP address. It blocks network traffic from the attacker for a configurable duration (default 10 minutes).

    To create an exception in the Intrusion Prevention policy to allow a specific ID:

    1. Open the Symantec Endpoint Protection Manager console.
    2. Select the 'Policies' tab.
    3. Under 'View Policies', select 'Intrusion Prevention'.
    4. Select the Intrusion Prevention policy, and under 'Tasks' select 'Edit the Policy'.
    5. Select the 'Exceptions' tab.
    6. Click the 'Add...' button.
    7. Search for and select the blocked ID.
    8. Click the 'Next>>' button.
    9. Change 'Action' from 'Block' to 'Allow'. Click the 'OK' button.
    10. Check that the edited exception has been added to the 'Intrusion Prevention Exceptions' list.
    11. Click the 'OK' button to save the changes in the Intrusion Prevention policy.



  • 3.  RE: Traffic from ip address xxx.xxx.xxx.xxx is blocked

    Broadcom Employee
    Posted Dec 11, 2012 06:48 AM

    It looks like an IPS signature has detected the vulnerability and, because of the active response settings, the system is being blocked for 10 minutes (600 seconds).



  • 4.  RE: Traffic from ip address xxx.xxx.xxx.xxx is blocked

    Posted Dec 11, 2012 07:04 AM

    Are these notifications containing any SID? If yes, follow the steps provided by ManishS. If not, then log in to SEPM --> Policy --> Firewall Policy --> Protection and Stealth --> uncheck 'Automatically block an attacker's IP address'.



  • 5.  RE: Traffic from ip address xxx.xxx.xxx.xxx is blocked

    Posted Dec 11, 2012 07:38 AM

    What version of SEP is this? You can uncheck the option in SEPM for users to be notified while still allowing IPS to function as needed:

    -Clients page

    -Select a group

    -Policies tab

    -Click + next to Location-specific Settings

    -Next to Client User Interface Control Settings, select Tasks and Edit Settings

    -Select Customize

    -Set the option as seen above



  • 6.  RE: Traffic from ip address xxx.xxx.xxx.xxx is blocked

    Posted Dec 11, 2012 09:37 AM

    Thank you all for your help.  I've followed Brian81's suggestion for now.  It appears to have worked and stopped the messages popping up.

    However, to answer some of your questions, we are using SEP 11.0.6005.562.

    A SID is generated, but not all the time.  The IP addresses change too.  But all IPs are internal and have the latest SEP software installed.

    The last SID code that popped up before stopping them was 23179, OS Attack: MSRPC Server Service RPC CVE-2008-4250.

    Thanks again.



  • 7.  RE: Traffic from ip address xxx.xxx.xxx.xxx is blocked

    Posted Dec 11, 2012 09:41 AM

    This signature is generally associated with the Conficker worm:

    https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=23179

    You'll want to scan those machines with the Conficker removal tool found here:

    https://www.symantec.com/security_response/writeup.jsp?docid=2009-011316-0247-99

    Also, make sure you apply the patches.



  • 8.  RE: Traffic from ip address xxx.xxx.xxx.xxx is blocked

    Posted Dec 11, 2012 11:27 AM

    These new images, do they have up-to-date Microsoft patches? My guess is that they do not. I would recommend running the Microsoft Baseline Security Analyzer tool on these images to verify whether you are missing any patches, specifically MS08-067, which Downadup takes advantage of.

    http://www.microsoft.com/en-us/download/details.aspx?id=7558



  • 9.  RE: Traffic from ip address xxx.xxx.xxx.xxx is blocked

    Posted Dec 13, 2012 03:27 AM

    You'll still need to check the source machine. Try re-running a full scan on the machine and then reboot.
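
As an added example (not code from this thread, from Symantec or from Broadcom), here is a Python script that triages a batch of the client notifications discussed above: it parses each 'Traffic from IP address ... is blocked from ... to ...' line, groups them by the blocked source IP, records the SIDs seen and the length of the block window, and lists which sources tripped SID 23179 (the MS08-067 / Conficker signature named in post 6) so that those hosts get checked first, as posts 7 and 9 suggest. The sample lines are constructed to match the shape of the message quoted in post 1; the IP addresses and timestamps are invented, and the regex assumes that wording with an optional '[SID: nnnn]' suffix.

```python
"""Triage SEP 'Traffic from IP address ... is blocked' notifications.

Added example, not from the thread or from Symantec. Groups alerts by the
source IP the client blocked, keeps the IPS signature IDs (SIDs) seen, and
flags sources that tripped the MS08-067 / Conficker signature (SID 23179).
"""
import re
from datetime import datetime

# Regex for the client notification text (assumed wording). The SID part is
# optional: a plain firewall auto-block carries no "[SID: nnnn]" suffix.
ALERT_RE = re.compile(
    r"Traffic from IP address (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) is blocked "
    r"from (?P<start>\S+ \S+) to (?P<end>\S+ \S+)\."
    r"(?:\s*\[SID:\s*(?P<sid>\d+)\]\s*(?P<name>[^.]*))?"
)
TIME_FMT = "%m/%d/%Y %H:%M:%S"

CONFICKER_SID = 23179          # SID reported in post 6 of the thread
DEFAULT_BLOCK_SECONDS = 600    # active-response default from posts 2 and 3

# Constructed sample notifications (IPs and times are invented); the fourth
# line is a SID-less block, the case post 4 distinguishes from an IPS hit.
SAMPLE_ALERTS = """\
Traffic from IP address 192.168.10.44 is blocked from 12/11/2012 09:21:03 to 12/11/2012 09:31:03. [SID: 23179] OS Attack: MSRPC Server Service RPC CVE-2008-4250 attack blocked. Traffic has been blocked for this application: SYSTEM
Traffic from IP address 192.168.10.44 is blocked from 12/11/2012 09:35:10 to 12/11/2012 09:45:10. [SID: 23179] OS Attack: MSRPC Server Service RPC CVE-2008-4250 attack blocked. Traffic has been blocked for this application: SYSTEM
Traffic from IP address 192.168.10.71 is blocked from 12/11/2012 09:36:40 to 12/11/2012 09:46:40. [SID: 23179] OS Attack: MSRPC Server Service RPC CVE-2008-4250 attack blocked. Traffic has been blocked for this application: SYSTEM
Traffic from IP address 192.168.10.9 is blocked from 12/11/2012 09:40:00 to 12/11/2012 09:50:00.
"""


def parse_alert(line):
    """Return ip, start, end, block_seconds, sid, name for one line; None if no match."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    start = datetime.strptime(m.group("start"), TIME_FMT)
    end = datetime.strptime(m.group("end"), TIME_FMT)
    return {
        "ip": m.group("ip"),
        "start": start,
        "end": end,
        "block_seconds": int((end - start).total_seconds()),
        "sid": int(m.group("sid")) if m.group("sid") else None,
        "name": (m.group("name") or "").strip() or None,
    }


def summarize(text):
    """Group parsed alerts by blocked source IP: hit count, SIDs, first/last, block windows."""
    per_ip = {}
    for line in text.splitlines():
        a = parse_alert(line)
        if a is None:
            continue
        e = per_ip.setdefault(a["ip"], {"hits": 0, "sids": set(), "first": a["start"],
                                        "last": a["start"], "block_seconds": set()})
        e["hits"] += 1
        if a["sid"] is not None:
            e["sids"].add(a["sid"])
        e["first"] = min(e["first"], a["start"])
        e["last"] = max(e["last"], a["start"])
        e["block_seconds"].add(a["block_seconds"])
    return per_ip


def triage(per_ip, worm_sid=CONFICKER_SID):
    """Order sources by hit count and split them into three lists:
    tripped the worm SID (scan first), other IPS SIDs, no SID (firewall-only block)."""
    scan_first, other_ips, firewall_only = [], [], []
    for ip, e in sorted(per_ip.items(), key=lambda kv: (-kv[1]["hits"], kv[0])):
        if worm_sid in e["sids"]:
            scan_first.append(ip)
        elif e["sids"]:
            other_ips.append(ip)
        else:
            firewall_only.append(ip)
    return {"scan_first": scan_first, "other_ips": other_ips, "firewall_only": firewall_only}


if __name__ == "__main__":
    summary = summarize(SAMPLE_ALERTS)
    for ip, e in summary.items():
        windows = sorted(e["block_seconds"])
        note = "" if windows == [DEFAULT_BLOCK_SECONDS] else " (non-default block duration)"
        print(f"{ip}: {e['hits']} block(s), SIDs {sorted(e['sids']) or 'none'}, "
              f"window {windows}s{note}, {e['first']} .. {e['last']}")
    print(triage(summary))
```

The IP in the notification is the host that sent the traffic the client matched, so the machine showing the popup is the target and the listed IP is where the source-side scan from post 9 belongs; the target still needs the MS08-067 check from post 8. A block window other than 600 seconds means the active-response duration has been changed from the default described in posts 2 and 3.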