Endpoint Protection


Mac OS 10.5.8 + October 22nd Updates + Blocking SMB Traffic

  • 1.  Mac OS 10.5.8 + October 22nd Updates + Blocking SMB Traffic

    Posted Oct 22, 2009 04:19 PM
    I have Mac users running Mac OS X, 10.5.8.  Until this morning there have been no issues with them accessing volumes on my Domain Controller/Endpoint Protection Manager server.  Now, every time they try to connect, they get the following error on the server:

    Traffic from IP Address 000.00.0.000 is blocked from 10/22/2009 3:09:553 pm to 10/22/2009 3:19:53 pm.  [SID: 21802] SMB Server Transaction Name BO Detected.

    (The date/time stamp changes and is updated at each attempt to connect)

    On the clients, they get the error message "The server may not exist or it is not operational at this time. Check the server name or IP address and your network connection and try again."  Then they get, "You cannot connect to this server because it cannot be found on the network.  Try again later or try a different URL".

    I could easily roll back, but that means this is going to be re-applied right away.  How do I enable the protection, but make exceptions for my Mac Users so they can connect to the shares/volumes?

    Endpoint Protection Manager is version 11.0.1000.1375 and is running on a Windows 2003, SP1 Server.

    HELP PLEASE!!! :)

    Thank you!!


  • 2.  RE: Mac OS 10.5.8 + October 22nd Updates + Blocking SMB Traffic

    Posted Oct 22, 2009 04:28 PM
    This is a known false positive. Symantec Support is asking users that are seeing this issue to open a case ASAP.

    Best,
    Thomas


  • 3.  RE: Mac OS 10.5.8 + October 22nd Updates + Blocking SMB Traffic

    Posted Oct 22, 2009 04:34 PM

    Thanks.  I will certainly do that.  First, what is the best way to open a case, I've never actually had to do that yet.  Thanks



  • 4.  RE: Mac OS 10.5.8 + October 22nd Updates + Blocking SMB Traffic

    Posted Oct 22, 2009 04:40 PM
    Thanks, the sooner Support can get your information, the sooner they can get a solution out to the public.

    http://www.symantec.com/business/support/contact_techsupp_static.jsp

    Best, Thomas


  • 5.  RE: Mac OS 10.5.8 + October 22nd Updates + Blocking SMB Traffic

    Posted Oct 22, 2009 04:54 PM

    We have been working on this ALL DAY and finally came up with the same conclusion.
    We have been unchecking boxes in Symantec for over an hour trying to find a way to get our Mac SMB file shares to work again.
    What an aggravating day!
    I am glad to know that we are not crazy at least.
    We are on hold with Symantec right now to report the problem.
     



  • 6.  RE: Mac OS 10.5.8 + October 22nd Updates + Blocking SMB Traffic

    Posted Oct 22, 2009 05:12 PM
    Thanks for the prompt replies, I have submitted my case.


  • 7.  RE: Mac OS 10.5.8 + October 22nd Updates + Blocking SMB Traffic

    Posted Oct 22, 2009 05:46 PM
    I have the same problem and I have found what is causing the issue. In the "Intrusion Exclusions" (under Internet Settings) there is an entry named "SMB Server Transaction name BO". I unchecked the check box next to this entry and I am now able to access my external hard drive - which is connected to a Windows based laptop - from my Mac laptop. My only concern now is whether or not my Windows laptop is safe? Any thoughts?


  • 8.  RE: Mac OS 10.5.8 + October 22nd Updates + Blocking SMB Traffic

    Posted Oct 22, 2009 05:53 PM
    I just got off the phone with support and he had me create an exception within the Intrusion Detection Policy for SMB Traffic.  I'll be watching to see if there are more problems, but that has helped for now.  Thanks.


  • 9.  RE: Mac OS 10.5.8 + October 22nd Updates + Blocking SMB Traffic

    Posted Oct 22, 2009 06:04 PM
    Under policies you need to edit intrusion prevention and add an exception for the ID number 21802 SMB server transaction name BO.

    That may be what was posted above, but I figured I would post it anyway.
    Our Macs can now get to our PC file shares!


  • 10.  RE: Mac OS 10.5.8 + October 22nd Updates + Blocking SMB Traffic

    Posted Oct 22, 2009 06:06 PM
    Smileyville - how do I get to this area (Intrusion Detection Policy) within Norton?


  • 11.  RE: Mac OS 10.5.8 + October 22nd Updates + Blocking SMB Traffic

    Posted Oct 22, 2009 06:20 PM
    What version of Norton are you running? BTW, this Forum is for SEP and SAV Enterprise users. The Norton community can be found here - http://community.norton.com/norton/

    Best,
    Thomas


  • 12.  RE: Mac OS 10.5.8 + October 22nd Updates + Blocking SMB Traffic

    Posted Oct 22, 2009 06:23 PM
    Norton Internet Security (2009).


  • 13.  RE: Mac OS 10.5.8 + October 22nd Updates + Blocking SMB Traffic

    Posted Oct 22, 2009 07:28 PM
    Where is the Internet Settings? Is this in the console?


  • 14.  RE: Mac OS 10.5.8 + October 22nd Updates + Blocking SMB Traffic

    Posted Oct 23, 2009 08:38 AM
    I was posting about Endpoint 11.0.4.

    The settings were in the management console on the server.


  • 15.  RE: Mac OS 10.5.8 + October 22nd Updates + Blocking SMB Traffic

    Posted Oct 23, 2009 10:34 AM
    Right, the policy settings were in the SEPM and it was under policies.  I had to create the exception for the SMB.

    So, in SEPM, click on policies, Intrusion Detection, Double click on the listed policy, go to Exceptions, Add - look for the ID 21802, SMB Server Transaction Name BO.  Apply and ok out and then ensure that the client updated on my SEPM server so the policy was pushed.

    Hope that helps and hope there is a better fix as I'm not sure if this is going to make us vulnerable.


  • 16.  RE: Mac OS 10.5.8 + October 22nd Updates + Blocking SMB Traffic

    Posted Oct 23, 2009 11:45 AM
    Norton - please fix this...

    On Oct 22, you broke my connection from my Mac to my PC shared folders.

    As a workaround ...

    I have EXCLUDED SMB Server Transaction Name BO ... does this put my PC at risk for a GENUINE intrusion?

    How 'bout you tell your customers what they REALLY should do - or is the workaround a permanent fix?




  • 17.  RE: Mac OS 10.5.8 + October 22nd Updates + Blocking SMB Traffic

    Posted Oct 23, 2009 12:02 PM
    No, I would not consider the exception a permanent fix.  What we really need from customers with open cases is the following, presuming your technician has already gotten pertinent system information like OS/platform/etc:

    - Packet capture info while the denial is occurring, then packet capture when it's allowed (NTP disabled).  Wireshark preferred.

    - SEP logs showing denials.

    - SEP Support Tool results from the server with SEP installed on it.

    Upload this to your case and your tech should be able to take it from there.

    sandra
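
An added example, not part of any post in this thread and not Symantec code: a Python sketch that pulls the block messages for one SID out of exported SEP log text, using the message layout quoted in the first post, so the denials can be listed per source address when uploading logs to a case. It assumes one message per line; every sample line except the first is constructed, and SID 99999 is a placeholder.

```python
import re
from collections import defaultdict
from datetime import datetime

# Layout of the block message as quoted in the first post of this thread.
BLOCK_RE = re.compile(
    r"Traffic from IP Address (?P<ip>\S+) is blocked from "
    r"(?P<start>.+? [ap]m) to (?P<end>.+? [ap]m)\.\s+"
    r"\[SID: (?P<sid>\d+)\] (?P<name>.+?) Detected\.", re.IGNORECASE)
TS_FORMAT = "%m/%d/%Y %I:%M:%S %p"

def parse_block(line):
    """Return one block message as a dict, or None if the line is something else."""
    m = BLOCK_RE.search(line)
    if m is None:
        return None
    try:
        start = datetime.strptime(m["start"], TS_FORMAT)
        end = datetime.strptime(m["end"], TS_FORMAT)
    except ValueError:  # keep the hit even when a timestamp is mangled
        start = end = None
    return {"ip": m["ip"], "sid": int(m["sid"]), "name": m["name"],
            "start": start, "end": end}

def summarize(lines, sid):
    """Per source address: number of blocks for `sid` and the time span covered."""
    out = defaultdict(lambda: {"count": 0, "bad_timestamps": 0,
                               "first": None, "last": None})
    for line in lines:
        rec = parse_block(line)
        if rec is None or rec["sid"] != sid:
            continue
        entry = out[rec["ip"]]
        entry["count"] += 1
        if rec["start"] is None:
            entry["bad_timestamps"] += 1
            continue
        entry["first"] = min(filter(None, [entry["first"], rec["start"]]))
        entry["last"] = max(filter(None, [entry["last"], rec["end"]]))
    return dict(out)

SAMPLE = [  # first line is the message as posted above; the rest are constructed
    "Traffic from IP Address 000.00.0.000 is blocked from 10/22/2009 3:09:553 pm to 10/22/2009 3:19:53 pm.  [SID: 21802] SMB Server Transaction Name BO Detected.",
    "Traffic from IP Address 192.0.2.15 is blocked from 10/22/2009 3:09:53 pm to 10/22/2009 3:19:53 pm.  [SID: 21802] SMB Server Transaction Name BO Detected.",
    "Traffic from IP Address 192.0.2.15 is blocked from 10/22/2009 3:25:10 pm to 10/22/2009 3:35:10 pm.  [SID: 21802] SMB Server Transaction Name BO Detected.",
    "Traffic from IP Address 192.0.2.40 is blocked from 10/22/2009 3:41:02 pm to 10/22/2009 3:51:02 pm.  [SID: 21802] SMB Server Transaction Name BO Detected.",
    "Traffic from IP Address 192.0.2.77 is blocked from 10/22/2009 4:01:00 pm to 10/22/2009 4:11:00 pm.  [SID: 99999] Constructed Placeholder Signature Detected.",
    "10/22/2009 3:30:00 pm  Policy update received (constructed, not a block message)",
]

if __name__ == "__main__":
    for ip, info in sorted(summarize(SAMPLE, 21802).items()):
        print(ip, info)
```

The per-address counts show which clients a signature exception would actually affect, and entries with `bad_timestamps` still count as denials even though their window could not be parsed.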


  • 18.  RE: Mac OS 10.5.8 + October 22nd Updates + Blocking SMB Traffic

    Posted Oct 23, 2009 12:07 PM
    This issue is related to the IPS signatures, not the SEP version, but the MR1 version you're using is coming up on 2 years old -- you should consider planning a migration up to a newer build soon.  Many performance improvements (as well as some security vulnerabilities identified and patched) since that build.

    sandra


  • 19.  RE: Mac OS 10.5.8 + October 22nd Updates + Blocking SMB Traffic

    Posted Oct 23, 2009 03:05 PM
    Yes, that was brought to my attention. Until recently, I haven't had the resources on a server that can handle it, as the location where it currently resides is pretty maxed.  I actually was part way through the install process on another machine which I will migrate to, but haven't had a chance to finish it.  I agree though this is a problem, and it was recommended that I upgrade, but this still should be addressed as it wasn't a problem until the signatures were updated.  Thanks.


  • 20.  RE: Mac OS 10.5.8 + October 22nd Updates + Blocking SMB Traffic

    Posted Oct 23, 2009 04:05 PM
    Allowing 21802 is working for the time being.


  • 21.  RE: Mac OS 10.5.8 + October 22nd Updates + Blocking SMB Traffic

    Posted Oct 23, 2009 04:17 PM
    We just had one of these from an XP SP2 computer to a domain controller.  Do I need to open a ticket since it's not a Mac computer?


  • 22.  RE: Mac OS 10.5.8 + October 22nd Updates + Blocking SMB Traffic

    Posted Oct 26, 2009 12:12 PM
    You're welcome to open a case in order to provide the packet captures as described above.  However, updating content should resolve the issue.  I believe that the signature for this SID has been reverted for the time being.

    sandra


  • 23.  RE: Mac OS 10.5.8 + October 22nd Updates + Blocking SMB Traffic

    Posted Oct 26, 2009 04:36 PM
    great


  • 24.  RE: Mac OS 10.5.8 + October 22nd Updates + Blocking SMB Traffic

    Posted Nov 03, 2009 07:41 PM
    Ok, Symantec fixed this ... THANK YOU ... and it all came packaged in an update ... hands-free.

    But I must laugh at sandra.g's reply to my posting. 

    a - I have NO IDEA what she is saying, apart from the first sentence.
    b - my "tech should be able to take care of it" -- I have a tech? Where, here in my house, or at Symantec?


    :-)

    You folks forget that your customers are mere mortals. 


  • 25.  RE: Mac OS 10.5.8 + October 22nd Updates + Blocking SMB Traffic

    Posted Nov 04, 2009 12:31 PM
    You didn't know what I meant by packet capture? ;-)  In all seriousness, I meant your Symantec technician. The forums are a nice perk for users, but we ultimately need data to analyze when things like this occur, and you can't do that if you don't open a case with Support.

    sandra