
Unable to print to a specific printer due to Denial of Service

Created: 09 Dec 2010 • Updated: 09 Dec 2010 | 10 comments
This issue has been solved. See solution.

We have several users who cannot print to a specific printer. When attempting to do so, they receive the following alert:

Symantec EndPoint Protection

Traffic from IP address xxx.xxx.xxx.xxx is blocked from 09/12/2010 10:00:16 to 09/12/2010 10:10:16

Denial of Service logged.

I can print to the same printer from a different location without issue.

No matter how many times the users try they always get a message similar to the above.

Any ideas on why this is happening and how to resolve it?

Client system is Windows XP - SEP client and SEPM are version 11 RU6a

Cheers

Mike


Rafeeq's picture

The IPS is blocking it.

Open SEPM

Policies

Intrusion Prevention policy

Under the exclude list, exclude your printer IP.

 

https://www-secure.symantec.com/connect/forums/ips-dos-when-adding-remote-printer

SOLUTION
mthorpe's picture

Rafeeq,

Thank you for the above, I'll give it a try now... however, can you advise why this is only happening on a specific printer?

Rafeeq's picture

It depends on how data is sent or received; most of the time it's considered a UDP flood or DoS. It's signature matching, that's it :)

Pawel Lakomski's picture

That's the dark side of behavioural detections :)

--

Cheers,

Symantec Technical Specialist
Symantec Certified Specialist
MCP & MCITP
Cisco Certified Network Associate
Citrix Certified Administrator

 

mthorpe's picture

How do I add the IP address in? I've just a long list of preset options...

mthorpe's picture

Actually... just found it... I have to create a host group first... ta

BNH's picture

I believe this issue was fixed in RU6 MP1 build of SEP.

An unexpected UDP flood attack is reported after upgrading to RU6
Fix ID: 2038207
Symptom: An unexpected UDP flood attack is reported after upgrading to RU6, and blocks what appears to be a legitimate internal DNS server.
Solution: Symantec Endpoint Protection client was updated to verify that the DNS response packet comes from a valid DNS server.

-- Got new virus ? Try update your defs here : ftp://ftp.symantec.com/AVDEFS/norton_antivirus/rap... --

mthorpe's picture

BNH,

Is that the same issue? Our DNS servers are/were not being blocked, just a single printer - possibly something is configured on it to communicate unexpectedly.

BNH's picture

Looks like Brian81 is more on the spot.

We had a few issues of DoS detection in our product and I remember they were fixed, but unsure on which build :)

Apologies for the earlier reply.

-- Got new virus ? Try update your defs here : ftp://ftp.symantec.com/AVDEFS/norton_antivirus/rap... --

.Brian's picture

This is resolved in RU6 MP2 per the release notes:

Resolved a UDP flood attack false positive
Fix ID: 2058022
Symptom: After upgrading to Symantec Endpoint Protection 11.0 RU6, the client detects a UDP flood attack.
Solution: The UDP flood detection thresholds were modified to reduce the occurrence of false positive flood attacks.
 
You will need to upgrade. I had the exact same issue with a printer and upgrading fixed it.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.
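
An added illustration, not part of the thread and not Symantec's code: a generic per-source sliding-window UDP rate detector, showing why both remedies mentioned above (excluding the printer's host from the IPS policy, or running a build with raised flood thresholds) stop the false positive. The thresholds, the 40-packet burst and the address 192.0.2.50 are constructed assumptions; only the 10-minute block window comes from the alert quoted in the question.

```python
from collections import deque

BLOCK_SECONDS = 600  # the alert quoted on this page shows a 10-minute block


class UdpFloodDetector:
    """Generic per-source rate detector; illustrative, not SEP's algorithm."""

    def __init__(self, max_packets, window=1.0, excluded=()):
        self.max_packets = max_packets  # packets tolerated per window (assumed value)
        self.window = window            # window length in seconds (assumed value)
        self.excluded = set(excluded)   # stands in for the IPS excluded-hosts list
        self.recent = {}                # src -> deque of recent packet timestamps
        self.blocked_until = {}         # src -> time at which the block expires

    def observe(self, src, ts):
        """Return 'allow', 'block' (threshold just tripped) or 'drop' (already blocked)."""
        if src in self.excluded:
            return "allow"
        if ts < self.blocked_until.get(src, 0.0):
            return "drop"
        q = self.recent.setdefault(src, deque())
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()                 # forget packets older than the window
        if len(q) > self.max_packets:
            self.blocked_until[src] = ts + BLOCK_SECONDS
            q.clear()
            return "block"
        return "allow"


def replay(detector, packets):
    """Feed (src, ts) pairs through the detector and tally verdicts per source."""
    tally = {}
    for src, ts in packets:
        verdict = detector.observe(src, ts)
        tally.setdefault(src, {"allow": 0, "drop": 0, "block": 0})[verdict] += 1
    return tally


# Constructed traffic: 40 UDP packets from one host inside half a second,
# then one more packet five minutes later (still inside the block window).
PRINTER = "192.0.2.50"  # documentation-range address, not from the thread
BURST = [(PRINTER, 100.0 + i * 0.0125) for i in range(40)] + [(PRINTER, 400.0)]

if __name__ == "__main__":
    for det in (UdpFloodDetector(25), UdpFloodDetector(100),
                UdpFloodDetector(25, excluded=[PRINTER])):
        print(det.max_packets, sorted(det.excluded), replay(det, BURST)[PRINTER])
```

With the low threshold the burst trips a block and the packet five minutes later is still dropped, which matches users seeing the same alert on every retry; the exclusion removes one host from inspection entirely, while the raised threshold changes the verdict for every source.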