
UDP Flood Attack false positive

Created: 12 Apr 2012 | 2 comments

Symantec keeps blocking traffic from the IP of my Comcast SMC Network gateway. It blocks traffic because it is detecting a UDP Flood Attack. According to the log the CPU usage is spiking to 100% when this attack occurs, but I'm not seeing this spike in the performance monitor. Symantec also detects a UDP Flood Attack when I am connected to my home network from what I assume is my home modem.

Is this a legitimate attack or a false positive? What could I do to stop the attacks?




Could you please let us know the SEP version you are carrying? Is that SEP SBE 12.0 or SEP SBE 12.1?

Is the SEP client installed on the machine a managed SEP client or unmanaged?

Could you please provide us a screenshot of the issue?

Mithun Sanghavi
Associate Security Architect


Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.


Hi JohnnyCK,

Screenshot & NTP logs will definitely help to troubleshoot this issue in the right direction.

If it's your known network device, then it might be a false positive; again, a screenshot and logs may help in a better way.

However, go through some additional tips:

It is recommended to install all the Symantec features AV / PTP / NTP with the latest definitions. Always make sure that your computers are receiving definitions regularly.

You can upgrade your product to the latest build, i.e. SEP 12.1 RU1 (in case of Small Business, it's SBE 12.1 RU1).

Your Windows machines should have all the latest Windows updates/patches.

Disable Autorun if you are using SEP 11.x.

Please follow the best practice guide to handle virus issues.

Chetan Savade
Sr. Technical Support Engineer, Endpoint Security
Enterprise Technical Support

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.
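To show how a defender can tell a burst of UDP from a known gateway apart from a genuine flood (the question above, and the "known network device" point in the reply), here is an added triage script that is not part of this thread or of any Symantec product. It assumes per-packet log lines of the form `<epoch_seconds> <src_ip> <dst_port>`, a gateway address of 10.0.0.1, a 50 packets/second threshold and a set of expected LAN service ports; all of these are constructed for the example.

```python
"""Triage a suspected UDP flood from constructed per-packet log lines (added example)."""
from collections import Counter, defaultdict

GATEWAY_IPS = {"10.0.0.1"}                        # assumed: the home gateway's LAN address
THRESHOLD_PPS = 50                                # assumed: packets/second per source that counts as a flood
EXPECTED_SERVICE_PORTS = {53, 67, 68, 123, 1900, 5353}  # assumed benign LAN services (DNS, DHCP, NTP, SSDP, mDNS)


def constructed_log():
    """Build sample log lines: '<epoch_seconds> <src_ip> <dst_port>' (constructed data)."""
    lines = []
    # Gateway sends an 80-packet burst of DNS and SSDP replies within one second.
    for i in range(80):
        lines.append(f"1334236800 10.0.0.1 {53 if i % 2 else 1900}")
    # An unknown host sends 120 packets in one second to a spread of high ports.
    for i in range(120):
        lines.append(f"1334236800 198.51.100.7 {40000 + i}")
    # A quiet host sends a single DNS packet.
    lines.append("1334236801 10.0.0.5 53")
    return "\n".join(lines)


def parse_log(text):
    """Parse log text into (timestamp, source_ip, dst_port) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, src, port = line.split()
        events.append((int(ts), src, int(port)))
    return events


def udp_rate_per_source(events):
    """Return (peak packets in any one-second bucket per source, destination-port mix per source)."""
    buckets = defaultdict(Counter)   # src -> Counter{second: packet count}
    ports = defaultdict(Counter)     # src -> Counter{dst_port: packet count}
    for ts, src, port in events:
        buckets[src][ts] += 1
        ports[src][port] += 1
    peak = {src: max(c.values()) for src, c in buckets.items()}
    return peak, ports


def triage(events, gateway_ips=GATEWAY_IPS, threshold=THRESHOLD_PPS):
    """Label each source: under threshold is normal; over threshold from a known gateway
    using only expected service ports is a likely false positive; otherwise a suspected flood."""
    peak, ports = udp_rate_per_source(events)
    verdicts = {}
    for src, pps in peak.items():
        if pps < threshold:
            verdicts[src] = "normal"
        elif src in gateway_ips and set(ports[src]) <= EXPECTED_SERVICE_PORTS:
            verdicts[src] = "likely false positive: known gateway on expected service ports"
        else:
            verdicts[src] = "suspected flood"
    return verdicts
```

Run `triage(parse_log(constructed_log()))` to see the gateway burst classified as a likely false positive while the unknown host hitting random high ports is still flagged; the same per-source rate and port breakdown is what to look for in the NTP logs the reply asks for.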