
Traffic blocked from this application: (svchost.exe). Solved

Created: 02 Aug 2013 • Updated: 05 Aug 2013 | 11 comments

Hello,

I am getting this message again (via pop-up):
==== 
symantec endpoint protection 
le trafic est bloqué à partir de cette application: (svchost.exe) 
==== 
1) I had it a few months ago and got rid of it by removing IPv6

2) it has been back for a few weeks

3) so I decided to put IPv6 back!!!

My question: why this message? And if it is not serious, what can I at least do to stop seeing it?

Thanks


.Brian's picture

It could also be Windows Updates.

If you look in the Traffic at the time this is happening, what is the port and IP address?

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

papoudu34's picture

Hi,

port is 3544 and ip teredo.ipv6.microsoft.com [94.245.121.253]

Here is what is recorded:

====

595810 02/08/2013 23:27:19 Bloqués 3 Sortant UDP teredo.ipv6.microsoft.com [94.245.121.253] 00-24-D4-51-E8-F0 3544 192.168.0.1 00-23-54-EF-57-31 49355 C:\Windows\System32\svchost.exe Papou Papou-PC Default 6 02/08/2013 23:26:18 02/08/2013 23:26:48 GUI%GUICONFIG#SRULE@ADVRULECONFIG#Normal_103
====
Thanks for your comments and help

greg12's picture

Teredo (UDP port 3544) is an IPv6 to IPv4 tunneling protocol. Unfortunately, the SEP 12.1 firewall is not able to decode this traffic, so Teredo and other IPv6 to IPv4 protocols will be blocked by default. See this KBA:

IPv6 support in Symantec Endpoint Protection 12.1

http://www.symantec.com/docs/TECH174897

If you check the default firewall rules at the SEPM console, you will find the teredo blocking rule as rule no. 2.
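
Added example (not part of the thread and not Symantec code): a small Python triage script that parses traffic log lines shaped like the one quoted above and separates Teredo blocks (UDP port 3544) from other blocked traffic. The column order is an assumption inferred from that single line; the second and third sample lines are constructed.

```python
import re

TEREDO_PORT = 3544  # UDP port named in the thread

# Column order is an assumption inferred from the one log line quoted above.
LINE_RE = re.compile(
    r"^(?P<id>\d+)\s+\S+\s+\S+\s+(?P<action>\S+)\s+\d+\s+"  # id, date, time, action, severity
    r"(?P<direction>\S+)\s+(?P<proto>\S+)\s+"
    r"(?:\S+\s+\[(?P<ip>[^\]]+)\]|(?P<bare_ip>\S+))\s+"     # "host [ip]" or a bare ip
    r"\S+\s+(?P<remote_port>\d+)\s+"                         # remote MAC, remote port
    r"\S+\s+\S+\s+(?P<local_port>\d+)\s+"                    # local ip, local MAC, local port
    r"(?P<app>[A-Za-z]:\\.*?\.exe)\b",                       # path may contain spaces
    re.IGNORECASE,
)

SAMPLE = [
    # Line quoted in the thread.
    r"595810 02/08/2013 23:27:19 Bloqués 3 Sortant UDP teredo.ipv6.microsoft.com [94.245.121.253] 00-24-D4-51-E8-F0 3544 192.168.0.1 00-23-54-EF-57-31 49355 C:\Windows\System32\svchost.exe Papou Papou-PC Default 6 02/08/2013 23:26:18 02/08/2013 23:26:48 GUI%GUICONFIG#SRULE@ADVRULECONFIG#Normal_103",
    # Constructed lines: a non-Teredo block and an entry that does not parse.
    r"595811 02/08/2013 23:28:02 Bloqués 3 Sortant TCP 203.0.113.10 02-00-00-00-00-01 443 192.168.0.1 02-00-00-00-00-02 49360 C:\Program Files\Example\sync.exe User Host Default 1",
    "truncated entry",
]

def parse_line(line):
    """Return the fields needed for triage, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    proto = m["proto"].upper()
    ports = {int(m["remote_port"]), int(m["local_port"])}
    return {
        "id": m["id"],
        "action": m["action"],
        "direction": m["direction"],
        "proto": proto,
        "remote": m["ip"] or m["bare_ip"],
        "remote_port": int(m["remote_port"]),
        "app": m["app"].rsplit("\\", 1)[-1].lower(),
        "teredo": proto == "UDP" and TEREDO_PORT in ports,
    }

def triage(lines):
    """Split entries into Teredo tunnel traffic, other traffic, and unparsed lines."""
    buckets = {"teredo": [], "other": [], "unparsed": []}
    for line in lines:
        rec = parse_line(line)
        key = "unparsed" if rec is None else ("teredo" if rec["teredo"] else "other")
        buckets[key].append(line if rec is None else rec)
    return buckets
```

Entries in the `other` bucket are the ones worth reviewing by hand; the `teredo` bucket corresponds to the default blocking rule described above.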

.Brian's picture

Do you have a managed or unmanaged client?


papoudu34's picture

Can you tell me what you call "a managed or unmanaged client"?

Thank you

.Brian's picture

Managed means your client is managed by a SEPM, unmanaged means it is not and just managed by you.


.Brian's picture

You have 3 options:

1. Uncheck the rule blocking Teredo
2. Don't show notifications
3. Leave as is

If you were using a managed client, you could just configure this rule to block but not log

The unmanaged client has some limitations in that when you create a rule, it is automatically logged and you cannot stop it from not logging.


papoudu34's picture

Thanks Brian,

I guess (for me) the best is to uncheck the rule: how to do this?

Thank you for your help

.Brian's picture

Open SEP

Under Network Threat Protection click Options >> Configure Firewall Rules

You will see a list of rules and you can uncheck the one related to Block IPv6 over IPv4 (Teredo)


.Brian's picture

Hi papoudu34,

please mark the post that helped as solved so it can benefit all other users as well.

Thanks and take care,
Brian
