Traffic from IP is blocked

Created: 10 Mar 2011 • Updated: 16 Mar 2011 | 7 comments
This issue has been solved. See solution.

Hi guys,

One of my client's machines has the following message, not sure what is wrong, please advise.

SYMANTEC ENDPOINT PROTECTION -

Traffic from IP address 192.168.1.151 is blocked from 3/8/2011 4:08:28 p.m. to 3/8/2011 4:18:28 p.m.

Denial of service is logged

This machine is a Windows 7 32-bit workstation with Symantec Endpoint Protection 11.0.6 unmanaged client installed. The client is trying to print from a printer through a port with pop-up but gets this message. I have done some research and tried to turn off the intrusion prevention but ended with the same result.

I have also tried the following suggested by Vikram on (http://www.symantec.com/connect/forums/endpoint-pr...) but it didn't work.

 

If it is an unmanaged client then
Open SEP-GUI
Network Threat Protection - Options - Change Settings - Intrusion Prevention - (Uncheck) Enable Port scan detection.

or
Open SEP-GUI
Network Threat Protection - Options - Configure Firewall Rules
Add rule Allow all - Under Network add IP address from 192.18.0.1 to 192.168.255.254 (all routers' IP addresses are within this)

Please let me know if anyone has experienced this and found a solution to this.

Thanks a lot

.Brian:

I would suggest upgrading to RU6 MP2. Had the same issue here and upgrading fixed it. I believe a change was made to up the threshold for what is determined to be a DoS.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Chetan Savade:

Hi,

Traffic from IP x.x.x.x has been blocked means Symantec has detected an attack on your computer. As per SEPM settings it's blocked for 10 minutes.

If you want you can increase or decrease the time.

It is recommended to install all the Symantec features AV / PTP / NTP with the latest definitions. Always make sure that your computers are receiving definitions regularly.

You can upgrade your product to the latest build.

Your Windows machines should have all the latest Windows updates/patches.

Disable Autorun.

Please follow the best practice guide to handle virus issues.

Chetan Savade
Sr Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.

Mithun Sanghavi:

Hello,

Please try this:

Step 1) Check the Security Logs under Client Management for Denial of Service detections for the printer's IP address to confirm the issue.

To resolve the issue you will need to disable Denial of Service detection within your Intrusion Prevention policy or you will need to add the printer's IP address in "Excluded Hosts."

To add the printer to "Excluded Hosts":

1. Open your Intrusion Prevention Policy.

2. Choose Settings on the left.

3. Check the box for Enable excluded hosts and then click the Excluded Hosts... button.

4. Add the IP address of your printer and choose Okay.

REFERENCE:

Denial of service detected on Network Printers

http://www.symantec.com/business/support/index?pag...

OR

Also, try the following:

STEP 2) To create an exception for Intrusion Prevention Policy to allow a specific ID:

1. Open Symantec Endpoint Protection Manager console.
2. Select 'Policies' tab.
3. Under 'View Policies', select 'Intrusion Prevention'.
4. Select Intrusion Prevention policy, and under 'Tasks' select 'Edit the Policy'.
5. Select 'Exceptions' tab.
6. Click on 'Add...' button.
7. Search and select the ID blocked.
8. Click on 'Next>>' button.
9. Change 'Action' from 'Block' to 'Allow'. Click on 'OK' button.
10. Check if the edited exception has been added to the 'Intrusion Prevention Exceptions' list.
11. Click on 'OK' button to save changes in the Intrusion Prevention policy.

OR

STEP 3) Disable DoS detection:

1. Log in to the Symantec Endpoint Protection Manager (SEPM)
2. Click Policies then click Intrusion Prevention
3. Edit the intrusion prevention policy that applies to the client in question
4. Click Settings
5. Remove the check-mark next to Enable denial of service detection

Once the policy is applied to the client the DoS detections (and associated Active Response if configured) should no longer occur.

Please note, this will completely disable DoS detection on the client. There is not currently a way to add an exclusion for DoS detection.

OR

STEP 4) Enabling Smart traffic filtering

http://www.symantec.com/business/support/index?pag...

OR

STEP 5) TRY uninstalling the Network Threat Protection and Application and Device Control by:

Going to Control Panel > Add/Remove Programs > Highlight Symantec Endpoint Protection and click on Modify.

Disable the Network Threat Protection and Application and Device Control

OR

STEP 6) Try upgrading the Symantec Endpoint Protection 11.0.6 to 11.0.6200.

I am sure the first step would help you. However the other steps are just in case.

Hope that might help you.

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

SOLUTION
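Mithun's Step 1 is a triage rule: confirm the blocked source is the printer's IP before excluding that host, rather than switching DoS detection off for every client. The Python below is an added example, not code from the thread or from Symantec: it parses the pop-up text quoted in the question, computes the block window (10 minutes, matching Chetan's note), and sorts each blocked address against a defender-maintained printer inventory. The sample lines, the printer list and the 192.168.0.0/16 LAN range are constructed assumptions.

```python
import re
from datetime import datetime
from ipaddress import ip_address, ip_network

# Pop-up text shape quoted in the question (assumption: one event per line).
BLOCK_RE = re.compile(
    r"Traffic from IP address (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) is blocked "
    r"from (?P<start>.+?) to (?P<end>.+)$"
)

# Constructed sample lines: the first is quoted in the question, the rest are made up.
SAMPLE_LINES = [
    "Traffic from IP address 192.168.1.151 is blocked from 3/8/2011 4:08:28 p.m. to 3/8/2011 4:18:28 p.m.",
    "Denial of service is logged",
    "Traffic from IP address 192.168.1.77 is blocked from 3/8/2011 9:00:00 a.m. to 3/8/2011 9:10:00 a.m.",
    "Traffic from IP address 203.0.113.9 is blocked from 3/9/2011 1:02:03 a.m. to 3/9/2011 1:12:03 a.m.",
]
# Defender-maintained printer inventory and LAN range: both constructed assumptions.
KNOWN_PRINTERS = {"192.168.1.151"}
LAN = ip_network("192.168.0.0/16")

def parse_timestamp(text):
    """SEP writes '3/8/2011 4:08:28 p.m.'; fold a.m./p.m. into strptime's %p."""
    text = re.sub(r"\b([ap])\.?m\.?$", lambda m: m.group(1).upper() + "M",
                  text.strip(), flags=re.IGNORECASE)
    return datetime.strptime(text, "%m/%d/%Y %I:%M:%S %p")

def parse_block(line):
    """Return {ip, start, end, minutes} for a block notification, else None."""
    m = BLOCK_RE.search(line)
    if not m:
        return None
    start, end = parse_timestamp(m["start"]), parse_timestamp(m["end"])
    return {"ip": m["ip"], "start": start, "end": end,
            "minutes": (end - start).total_seconds() / 60}

def triage(lines, known_printers=KNOWN_PRINTERS, lan=LAN):
    """Known printer -> Excluded Hosts candidate; other LAN host -> investigate; external -> keep blocked."""
    printers = {ip_address(p) for p in known_printers}
    verdicts = []
    for line in lines:
        event = parse_block(line)
        if event is None:
            continue
        ip = ip_address(event["ip"])
        verdict = ("printer-false-positive" if ip in printers
                   else "internal-review" if ip in lan else "external-keep-blocked")
        verdicts.append((event["ip"], event["minutes"], verdict))
    return verdicts
```

Only the printer verdict is a candidate for Excluded Hosts; an unknown internal or external source reporting a flood is exactly what the DoS detection exists to catch.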
heinemasterklm:

Thanks guys =D

I will test it out and get back to you guys when I try the above options.

ScottM 2:

Guess a few things like the Denial of service attack are hard coded and in the RU-6a build it was too sensitive. I believe this was listed in the MP-1 release notes. Probably related to this one:

Resolved a UDP flood attack false positive
Fix ID: 2058022
Symptom: After upgrading to Symantec Endpoint Protection 11.0 RU6, the client detects a UDP flood attack.
Solution: The UDP flood detection thresholds were modified to reduce the occurrence of false positive flood attacks.

heinemasterklm:

Hello all,

Thanks Mithun Sanghavi

Step 5 worked

STEP 5) TRY uninstalling the Network Threat Protection and Application and Device Control by:

Going to Control Panel > Add/Remove Programs > Highlight Symantec Endpoint Protection and click on Modify.

Disable the Network Threat Protection and Application and Device Control

I am still confused why the methods I used didn't do the trick, anyways, it's all good... thanks a lot~

.Brian:

No need to uninstall NTP.

Just upgrade to the latest version, RU6 MP2. You are less protected by not having NTP installed.