Endpoint Protection

  • 1.  Traffic from IP is blocked

    Posted Mar 10, 2011 03:44 PM

    Hi guys,


    One of my client's machines shows the following message. I am not sure what is wrong, please advise.

                    SYMANTEC ENDPOINT PROTECTION -

                    Traffic from IP address 192.168.1.151 is blocked from 3/8/2011 4:08:28 p.m. to 3/8/2011 4:18:28 p.m.

                    Denial of service is logged

    This machine is a Windows 7 32-bit workstation with the Symantec Endpoint Protection 11.0.6 unmanaged client installed. The client is trying to print from a printer through a port with a pop-up but gets this message. I have done some research and tried turning off Intrusion Prevention, but it ends with the same result.

    I have also tried the following, suggested by Vikram on http://www.symantec.com/connect/forums/endpoint-protection-blocks-ip-my-router, but it didn't work.

    If it is an unmanaged client then
    Open SEP GUI
    Network Threat Protection - Options - Change Settings - Intrusion Prevention - (Uncheck) Enable Port scan detection.

    or
    Open SEP GUI
    Network Threat Protection - Options - Configure Firewall Rules
    Add rule Allow all - Under Network add IP address from 192.18.0.1 to 192.168.255.254 (all routers' IP addresses are within this)

    Please let me know if anyone has experienced this and found a solution.

    Thanks a lot



  • 2.  RE: Traffic from IP is blocked

    Posted Mar 10, 2011 03:59 PM

    I would suggest upgrading to RU6 MP2. Had the same issue here and upgrading fixed it. I believe a change was made to up the threshold for what is determined to be a DoS.



  • 3.  RE: Traffic from IP is blocked

    Broadcom Employee
    Posted Mar 11, 2011 12:50 AM

    Hi,

    "Traffic from IP x.x.x.x has been blocked" means Symantec has detected an attack on your computer. As per SEPM settings, it is blocked for 10 minutes.

    If you want, you can increase or decrease the time.

    It is recommended to install all the Symantec features (AV / PTP / NTP) with the latest definitions. Always make sure that your computers are receiving definitions regularly.

    You can upgrade your product to the latest build.

    Your Windows machines should have all the latest Windows updates/patches.

    Disable Autorun.

    Please follow the best practice guide to handle virus issues.


  • 4.  RE: Traffic from IP is blocked
    Best Answer

    Trusted Advisor
    Posted Mar 11, 2011 04:58 AM

    Hello,

    Please try this:

    Step 1) Check the Security Logs under Client Management for Denial of Service detections for the printer's IP address to confirm the issue.

    To resolve the issue you will need to disable Denial of Service detection within your Intrusion Prevention policy, or you will need to add the printer's IP address in "Excluded Hosts."

    To add the printer to "Excluded Hosts":

    1.  Open your Intrusion Prevention Policy.

    2.  Choose Settings on the left.

    3.  Check the box for Enable excluded hosts and then click the Excluded Hosts... button.  

    4.  Add the IP address of your printer and choose OK.

    REFERENCE:


    Denial of service detected on Network Printers

    http://www.symantec.com/business/support/index?page=content&id=TECH139213&actp=search&viewlocale=en_US&searchid=1299837538904

    OR

    Also, try the following:

    STEP 2) To create an exception in the Intrusion Prevention Policy to allow a specific signature ID:

    1. Open the Symantec Endpoint Protection Manager console.
    2. Select 'Policies' tab.
    3. Under 'View Policies', select 'Intrusion Prevention'.
    4. Select Intrusion Prevention policy, and under 'Tasks' select 'Edit the Policy'.
    5. Select 'Exceptions' tab.
    6. Click on 'Add...' button.
    7. Search and select ID blocked.
    8. Click on 'Next>>' button.
    9. Change 'Action', from 'Block' to 'Allow'. Click on 'OK' button.
    10. Check if the exception edited has been added to 'Intrusion Prevention Exceptions' list.
    11. Click on the 'OK' button to save changes in the Intrusion Prevention policy.

    OR

    STEP 3) Disable DoS detection:

    1. Log in to the Symantec Endpoint Protection Manager (SEPM)
    2. Click Policies then click Intrusion Prevention
    3. Edit the intrusion prevention policy that applies to the client in question
    4. Click Settings
    5. Remove the check-mark next to Enable denial of service detection

    Once the policy is applied to the client the DoS detections (and associated Active Response if configured) should no longer occur.

    Please note, this will completely disable DoS detection on the client. There is not currently a way to add an exclusion for DoS detection.

    OR

    STEP 4) Enabling Smart traffic filtering

    http://www.symantec.com/business/support/index?page=content&id=HOWTO27095&actp=search&viewlocale=en_US&searchid=1299836661082

    OR

    STEP 5) Try uninstalling the Network Threat Protection and Application and Device Control components:

    Go to Control Panel > Add/Remove Programs > highlight Symantec Endpoint Protection and click Modify.

    Disable Network Threat Protection and Application and Device Control.

    OR

    STEP 6) Try upgrading Symantec Endpoint Protection 11.0.6 to 11.0.6200.

    I am sure the first step will help you. However, the other steps are there just in case.

    Hope that might help you.
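As an added example (written for this thread, not code from any poster or from Symantec), the confirmation in Step 1 can be scripted for an unmanaged client that has no SEPM console: parse notification lines shaped like the pop-up quoted in the question, group the blocks by source IP, and flag the ones that come from a host the administrator already knows to be a printer, which is exactly the case the "Excluded Hosts" fix addresses. The sample lines and the KNOWN_PRINTERS set are constructed for the example; real SEP log exports may use a different layout.

```python
import re
from datetime import datetime

# Constructed sample: notification lines in the shape of the SEP pop-up quoted
# in the question (not a real SEP security log export).
SAMPLE_NOTIFICATIONS = [
    "Traffic from IP address 192.168.1.151 is blocked from 3/8/2011 4:08:28 p.m. to 3/8/2011 4:18:28 p.m.",
    "Traffic from IP address 192.168.1.151 is blocked from 3/9/2011 9:12:02 a.m. to 3/9/2011 9:22:02 a.m.",
    "Traffic from IP address 203.0.113.77 is blocked from 3/9/2011 11:40:10 p.m. to 3/9/2011 11:50:10 p.m.",
]

# Hosts the administrator knows to be benign network printers (assumed list).
KNOWN_PRINTERS = {"192.168.1.151"}

PATTERN = re.compile(
    r"Traffic from IP address (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) is blocked "
    r"from (?P<start>.+?) to (?P<end>.+)$"
)


def parse_timestamp(text):
    """The pop-up uses a 12-hour clock written 'a.m.'/'p.m.'; normalise to AM/PM."""
    text = text.replace("a.m.", "AM").replace("p.m.", "PM").strip()
    return datetime.strptime(text, "%m/%d/%Y %I:%M:%S %p")


def parse_notification(line):
    """Return ip, start, end and block length in minutes, or None if the line does not match."""
    m = PATTERN.search(line)
    if not m:
        return None
    start = parse_timestamp(m.group("start"))
    end = parse_timestamp(m.group("end"))
    return {"ip": m.group("ip"), "start": start, "end": end,
            "block_minutes": int((end - start).total_seconds() // 60)}


def triage(lines, known_hosts):
    """Count blocks per source IP and flag sources that are known-benign hosts."""
    summary = {}
    for line in lines:
        rec = parse_notification(line)
        if rec is None:
            continue  # unrelated log line, skip it
        entry = summary.setdefault(rec["ip"], {
            "hits": 0,
            "block_minutes": rec["block_minutes"],
            "likely_false_positive": rec["ip"] in known_hosts,
        })
        entry["hits"] += 1
    return summary
```

A source that is flagged as a likely false positive and repeatedly blocked for the configured 10 minutes is the candidate for an Excluded Hosts entry; unflagged sources should still be investigated before any exclusion is made.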



  • 5.  RE: Traffic from IP is blocked

    Posted Mar 11, 2011 02:00 PM

    Thanks guys =D


    I will test it out and get back to you guys when I try the above options.



  • 6.  RE: Traffic from IP is blocked

    Posted Mar 11, 2011 02:09 PM

    Guess a few things like the Denial of service attack are hard coded and in the RU-6a build it was too sensitive. I believe this was listed in the MP-1 release notes. Probably related to this one:


    Resolved a UDP flood attack false positive
    Fix ID: 2058022
    Symptom: After upgrading to Symantec Endpoint Protection 11.0 RU6, the client detects a UDP flood attack.
    Solution: The UDP flood detection thresholds were modified to reduce the occurrence of false positive flood attacks.


  • 7.  RE: Traffic from IP is blocked

    Posted Mar 16, 2011 02:50 PM

    Hello all,

    Thanks Mithun Sanghavi

    Step 5 worked

    STEP 5) Try uninstalling the Network Threat Protection and Application and Device Control components:

    Go to Control Panel > Add/Remove Programs > highlight Symantec Endpoint Protection and click Modify.

    Disable Network Threat Protection and Application and Device Control.

    I am still confused why the methods I used didn't do the trick. Anyway, it's all good... thanks a lot~



  • 8.  RE: Traffic from IP is blocked

    Posted Mar 16, 2011 03:10 PM

    No need to uninstall NTP.

    Just upgrade to the latest version, RU6 MP2. You are less protected by not having NTP installed.