
Unsolicited incoming ARP message

Created: 02 Oct 2008 • Updated: 21 May 2010 | 12 comments
gwu wrote:
This issue has been solved. See solution.

Currently, I have been receiving multiple pop-up bubble messages from Symantec Endpoint Protection saying "unsolicited incoming ARP reply detected, this is a kind of MAC spoofing that may consequently do harm to your computer."


What does this mean? Have I been visiting a "bad" website? As a result of this message, has SEP done or is it doing something to prevent this "MAC spoofing" from harming my computer? If not, what should I do to prevent my computer from being harmed?


RAJP wrote:

ARP requests can only come from a device that is on your local subnet, not the Internet. What other computers, printers, etc. are installed on your network?

MAC spoofing means another computer is impersonating yours. This will cause traffic destined for your computer to be routed to the other one. One common use is for an attacker to spoof a domain controller on a network. That way all requests to log in will run through the attacker's computer first, allowing them to steal the user names and passwords. The attacker then passes them on to the real domain controller and no one is the wiser.

If it is a legitimate attack, it is very, very serious.

Ray

gwu wrote:

I have a printer connected to my computer, but my wireless is connected to my university wireless network. How do I know if this is a "legitimate" attack?

From what you described, I would assume that the message is due to a problem with my university wireless network. Is there anything in SEP or anything that I can do to prevent something like this from occurring?

Thanks!

RAJP wrote:

Many people don't know this, but when two computers (or devices) talk directly to each other it's done by MAC address, not IP address. "Directly to each other" means they are on the same network. It's called ARP, or Address Resolution Protocol.

ARP is completely unauthenticated and can be faked. The only way this would be a real attack is if someone is intent on monitoring all of the traffic to your computer. Depending on what you do at the university (are you a regular student or perhaps a professor engaged in research worth some money) it's probably a false alarm. I would report it anyway just in case it is someone messing around.

There is absolutely no way you can prevent this. The only way to prevent it is to set a configuration on a switch usually called "port security" where the port is told to only accept traffic from a specific MAC address. I don't think that can work on a wireless network.

Ray

SOLUTION
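To make the point above concrete, here is an added example (not from this thread and not Symantec's code) of the kind of host-side check that produces an "unsolicited incoming ARP reply" alert: it parses raw Ethernet/ARP frames, remembers which IPs the host itself asked about, and flags replies nobody requested, a second MAC claiming an IP already learned, and gratuitous ARP (a normally benign self-announcement that a strict detector may also report). All MAC and IP addresses and the frames themselves are constructed sample data.

```python
import struct

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
ARP_PKT = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ARP_REQUEST, ARP_REPLY, ETHERTYPE_ARP = 1, 2, 0x0806

def mac(b): return ":".join(f"{x:02x}" for x in b)
def ip(b): return ".".join(str(x) for x in b)

def build_arp(op, sha, spa, tha, tpa):
    # Raw Ethernet+ARP frame; used here only to construct sample traffic
    dst = tha if op == ARP_REPLY else b"\xff" * 6   # requests are broadcast
    return ETH_HDR.pack(dst, sha, ETHERTYPE_ARP) + ARP_PKT.pack(1, 0x0800, 6, 4, op, sha, spa, tha, tpa)

class ArpMonitor:  # host-side watcher: learns IP->MAC only from replies this host asked for
    def __init__(self, my_ip):
        self.my_ip = my_ip
        self.pending = set()   # IPs this host has requested and not yet heard back about
        self.table = {}        # IP -> MAC learned from solicited replies only
        self.alerts = []

    def feed(self, frame):
        _, _, etype = ETH_HDR.unpack_from(frame)
        if etype != ETHERTYPE_ARP: return            # not ARP, nothing to check
        *_, op, sha, spa, tha, tpa = ARP_PKT.unpack_from(frame, ETH_HDR.size)
        spa, tpa = ip(spa), ip(tpa)
        if op == ARP_REQUEST:
            if spa == self.my_ip: self.pending.add(tpa)   # our own outgoing request
            return
        known = self.table.get(spa)
        if known is not None and known != sha:       # a second MAC now claims a known IP
            self.alerts.append(f"WARN conflict: {spa} was {mac(known)}, now claimed by {mac(sha)}")
        if spa == tpa:                               # gratuitous ARP: usually a benign self-announcement
            self.alerts.append(f"INFO gratuitous ARP for {spa} from {mac(sha)}")
        elif tpa == self.my_ip:
            if spa in self.pending:                  # answer to a question we actually asked
                self.pending.discard(spa)
                self.table[spa] = sha
            else:                                    # nobody asked: the condition behind the SEP alert
                self.alerts.append(f"WARN unsolicited reply for {spa} from {mac(sha)}")

def demo():
    # Constructed sample exchange: one legitimate answer, one spoofed reply, one gratuitous ARP
    me, gw = bytes([10, 0, 0, 10]), bytes([10, 0, 0, 1])
    my_mac, gw_mac, rogue = b"\x00\x11\x22\x33\x44\x55", b"\x00\xaa\xbb\xcc\xdd\x01", b"\xde\xad\xbe\xef\x00\x02"
    mon = ArpMonitor(ip(me))
    for frame in (build_arp(ARP_REQUEST, my_mac, me, b"\x00" * 6, gw),   # we ask who has the gateway
                  build_arp(ARP_REPLY, gw_mac, gw, my_mac, me),          # real gateway answers
                  build_arp(ARP_REPLY, rogue, gw, my_mac, me),           # spoofed reply nobody asked for
                  build_arp(ARP_REPLY, gw_mac, gw, gw_mac, gw)):         # gateway announces itself
        mon.feed(frame)
    return mon.alerts
```

Because the table is only updated from solicited replies, the spoofed frame raises both a conflict and an unsolicited-reply alert without poisoning the learned mapping.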
danielkilburn wrote:

I am now getting this MAC spoofing message. It only started after I had to go into Endpoint and reconfigure several things to quit getting an NT Kernel & System popup every 20 seconds.

Now I am getting the MAC Spoofing Unsolicited incoming ARP message.

On a side note, my other AV software has caught a W32/Auto Run-QN worm at the same time I'm getting the MAC Spoofing Unsolicited incoming ARP message.

Gotta wonder if Symantec is the problem.

"Life is either a daring adventure, or nothing at all."
Helen Keller

vern.zimm wrote:

I have a different set-up here, and I am having the same problems as above. I have a domain server and several workstations on a wired network with Symantec Endpoint Protection v. 11.0.5. I get this message often on different computers, usually from the IP address of that computer (to itself?). Some of the computers were getting this message from the IP addresses of the printers (I excluded them, and now don't get their IPs anymore), but it seems more like a bug with Symantec rather than any sort of attack.

This problem seemed to have started recently when I did the upgrade to 11.0.5 (from 11.0.4xxx). I was having none before that. It seems harmless, but I would like to get a resolution to this issue one way or the other.

reedmohn wrote:

We've also seen an increase lately.

It's always been there, but lately, some users have been completely disabled because of it.

We've also suspected it is related to RU5.

Jeremy Dundon wrote:

At this time there are 2 options for a workaround.

1. Disable Anti-MAC spoofing.

2. Roll back your clients to MR4MP2.

There is a product fix in the works, that does not have an ETA at this time.

reedmohn wrote:

Thanks, Jeremy.
Do you know anything more about this now?

Oddly enough, I've visited this page several times before, but not seen your comment until now.

We have an open support call with Symantec on this, and the support engineers do not seem to know about this.
Is there any advisory or bulletin we could refer to that describes the situation?

vern.zimm wrote:

I disabled anti-MAC address spoofing and haven't seen the problem since. Any idea on the time frame for the update?

reedmohn wrote:

AFAIK, the fix will be incorporated into MR6.

Jeremy Dundon wrote:

Release notes for Symantec Endpoint Protection 11.0.x and Symantec Network Access Control 11.0.x

http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007121216360648

    False positive detection when using NTP Anti-MAC spoofing feature
    Fix ID: 1864844
    Symptom: With NTP anti mac spoofing enabled on newer versions of windows, a false-positive detection periodically blocks the gateway. This interrupts internet/wan connectivity for clients.
    Solution: Correctly translate 64-bit time format which was causing the issue