Odd Vulnerability Notification related to MS SQL Stack BO

  • 1.  Odd Vulnerability Notification related to MS SQL Stack BO

    Posted Aug 07, 2010 09:33 AM
    For the last 2 days twice a day I have received this notification. What is odd is that the source is listed as my machine's IP address c-xxx-xxx-xxx-xxx.hsd1.nh.comcast.net.  This machine is an intel mac running OSX 10.5.8 - The application is /mach_kernel. The obvious implication is that I have somehow been infected and am attacking myself. That seems a bit odd. Has anyone seen this before?
    -Thank you
    Fred Iannelli


  • 2.  RE: Odd Vulnerability Notification related to MS SQL Stack BO



  • 3.  RE: Odd Vulnerability Notification related to MS SQL Stack BO

    Posted Aug 10, 2010 02:11 PM
    I too have recently noticed this behavior. No scans find anything and I have the settings on my MacPro set very restrictively. Is there more information other than the attack signature? I had already found that online and was not helpful at all.


  • 4.  RE: Odd Vulnerability Notification related to MS SQL Stack BO

    Posted Aug 17, 2010 08:27 PM
    Prachand Kumar made the same mistake Norton seems to be making. He responded to the attack situation rather than Fred Iannelli's problem. I'm not an expert but it seems to me — also suffering these repeated attacks — that Norton is blocking the vulnerability TO the IP address in the results pane of the log details, not FROM. My guess is that our IPs aren't attacking us, it's Symantec's bad use of the English language.


  • 5.  RE: Odd Vulnerability Notification related to MS SQL Stack BO

    Posted Aug 18, 2010 10:06 AM
    Same exact thing has been happening to my computer. Been happening for a few weeks. Still nothing on what is causing it. It is also strange because we just bought and installed 7 new Macs here in the office. Mine is the only one that has been acting this way.

    Did any major OS or MSOffice updates get pushed that day?


  • 6.  RE: Odd Vulnerability Notification related to MS SQL Stack BO

    Posted Aug 18, 2010 02:47 PM
    We are on OSX not on Windows. Any other solutions?


  • 7.  RE: Odd Vulnerability Notification related to MS SQL Stack BO

    Posted Aug 18, 2010 07:25 PM
    May we know the product you are using? Is it NIS for Mac? Or SEP for Windows? Or SCS for Windows?
    If we can have a screenshot that will be great.

    I checked all the IPS released in August 2010 and found no modification done towards sid 20081.

    Thanks


  • 8.  RE: Odd Vulnerability Notification related to MS SQL Stack BO

    Posted Aug 19, 2010 01:57 AM
    I'm using Norton Antivirus on a Mac Powerbook. 10.5.8. Here's a shot of the attack notification. Getting repeated attacks daily since Aug 4.


  • 9.  RE: Odd Vulnerability Notification related to MS SQL Stack BO

    Posted Aug 19, 2010 07:09 PM

    To resolve this I believe it's best to ring up Symantec support and ask them to check it out.
    The signature has not been modified for quite some time, hence there might be something out there.

    However, as these incidents are geographically apart [and on different ISPs too], the only common denominator seems to be OS X 10.5.8 only?

    Thanks


  • 10.  RE: Odd Vulnerability Notification related to MS SQL Stack BO

    Posted Sep 04, 2010 10:08 PM

    Hi,

    I'm having the same issue.  My Mac is 10.4.11.

    This is extremely frustrating and I'm not sure whether I'm being hacked or the security software is having some issues.

    But given I have never experienced this prior to Aug 24 (after a Symantec software update) I'm leaning towards the latter.

    Please advise.  With thanks.


  • 11.  RE: Odd Vulnerability Notification related to MS SQL Stack BO

    Posted Sep 06, 2010 08:23 PM

    so there must be more to it than that.  I will eagerly await any suggestions...


  • 12.  RE: Odd Vulnerability Notification related to MS SQL Stack BO

    Posted Sep 09, 2010 12:25 AM
    So I have a fully Patched MAC, and fully Patched version of Norton AntiVirus 11.1.1(2)

    And I am getting this a couple of times a day all portscan on the /mach_kernel and the ip address is 10.168.122.187.

    There has to be an answer to this problem.

    OSX 10.6.4


  • 13.  RE: Odd Vulnerability Notification related to MS SQL Stack BO

    Posted Sep 09, 2010 06:40 AM

    Same thing has been seen on my machine running MAC-OS X 10.6.4 and Norton Antivirus 11.1.1 (2).

    Please keep us updated with a resolution of this issue.


  • 14.  RE: Odd Vulnerability Notification related to MS SQL Stack BO

    Posted Sep 11, 2010 10:09 PM

    10.4.11

    What happened in August?



  • 15.  RE: Odd Vulnerability Notification related to MS SQL Stack BO

    Posted Sep 14, 2010 04:50 PM

    I have seen this notification on three different machines running 10.5.8 with NAV 11.3 installed.  On my machine, NAV tells me I am the cause of the attack (see image.) I started seeing this error message in August.



  • 16.  RE: Odd Vulnerability Notification related to MS SQL Stack BO

    Posted Sep 16, 2010 04:22 PM

    Yeah, I get these a few times a day, too. Only when using a Comcast account, tho.  Doesn't happen elsewhere.  Same for others?

    Please help!!!!!!  I would love to be sure this is a software/server issue, and not a genuine attempt.

    Thx.



  • 17.  RE: Odd Vulnerability Notification related to MS SQL Stack BO

    Posted Sep 20, 2010 10:23 AM

    I experienced a similar (or the same) error today, except in my case the source was a windows 7 virtual machine running under vmware under my Mac.  My vmware machine has a different IP than the host MAC (10.6.4).

    The Norton error message is attached as an image.

    Before I received this message I received a pop up from VMWARE informing me that the virtual machine was trying to set the NIC to promiscuous mode (listening to all network traffic) - which I denied.  Sorry I did not save the exact message, and I can't find a log file.  To me this really points to something wrong with the windows 7 virtual machine.  The virtual machine is using McAfee; while my mac is using Norton.  I've run a virus scan on both the mac and the windows 7 machine with no virus found.

    I'm just curious if anyone else who experienced this error was running a virtual machine?



  • 18.  RE: Odd Vulnerability Notification related to MS SQL Stack BO

    Posted Sep 20, 2010 12:08 PM

    A Portscan is someone trying to scan for open ports on your machine. This is probably not related.



  • 19.  RE: Odd Vulnerability Notification related to MS SQL Stack BO

    Posted Sep 20, 2010 12:13 PM

    I wanted to clarify that I have noticed three machines giving this error. (I sent an image with my previous post)  My machine tells me that I am attacking myself.....I am not sure about the exact message on the other two machines.

    The other two machines do not and have not had Parallels or VMWARE on them....so I am beginning to think that that is not part of the problem.



  • 20.  RE: Odd Vulnerability Notification related to MS SQL Stack BO

    Posted Sep 30, 2010 07:33 PM

    I just started getting the same Portscan /mach_kernel pop-up.  I do have a VMWare Fusion session that was running Windows XP when I first got this message, but I just got it again and VMWare is not running.  I'm using NIS for Mac 11.1.1 (2) and have Norton 360 3.8.0.41 in the Windows XP VMWare session.  The Norton 360 scan of the XP session reveals no threats.

    Interestingly, it says the attack came from 192.168.1.2 -- yet my router assigns addresses in the hundreds (e.g. 192.168.1.101) so I don't know where it came from.

    I attached a capture of the popup--the same as for Andy S above except for the IP address.



  • 21.  RE: Odd Vulnerability Notification related to MS SQL Stack BO

    Posted Oct 10, 2010 12:00 PM

    MAC PRO OS 10.6.4 Snow leopard using Norton anti virus for Mac. What Do I do?



  • 22.  RE: Odd Vulnerability Notification related to MS SQL Stack BO

    Posted Oct 11, 2010 07:09 PM

    Hi folks,

    I'm an engineer for the Mac security products here at Symantec. We're looking into the notifications for "MS SQL Stack BO" that people here are reporting. However, we're pretty confident this is just our Vulnerability Protection feature doing its job.

    This attack & notification is for the "SQL Slammer" worm that came out a while ago. It's still seen occasionally in the wild, and we still block and report it when we detect it. Although it won't harm your Mac we still detect and report such attacks so that we can keep tabs on the Internet threat landscape.

    Protecting you against threats that won't necessarily harm your Mac also makes sure that you don't visit Web sites or connect to PCs that are infected, because computers & Web sites that are infected are typically associated with criminal activity (such as stealing your identity). It's all about layers of security, and this feature is a very low level layer of security.



  • 23.  RE: Odd Vulnerability Notification related to MS SQL Stack BO

    Posted Oct 19, 2010 03:56 PM

    Thank you for looking into this Ryan...but I must admit, I'm a little confused.  SQL Slammer has been around since 2003 and I've been a Symantec client with the same operating system for years.  I've only started receiving these notifications since August, 2010.

    So, my question is: has Symantec not been blocking this worm up until August of this year (I have on average three Symantec block ups a day for this worm since August) or, when you upgraded your software, was there a bug?  The pop up also indicates that my own IP address is attacking my computer, but how is that possible if this worm doesn't impact Macs?

    I used to provide technical support for a software company...a company much smaller than yours and if clients were complaining about an issue, responding over a month later, regardless of whether the complaint came in online or by phone, I can assure you that late a response would not fly.

    I have other computers on my network (different IP addresses), so if there is an actual worm Vs. a glitch in your software, like I think there is, I actually need to know.  Thanks.



  • 24.  RE: Odd Vulnerability Notification related to MS SQL Stack BO

    Posted Oct 30, 2010 11:08 PM

    We've discovered during the testing of our next update that our last update to Vulnerability Protection introduced a bug where the source and IP address for some UDP vulnerabilities are reversed. This is likely why your computer's IP address is being listed as the source of the attack. We apologize for this bug. I can't say when it'll be fixed, but we are definitely aware of it.

    The increased activity for this worm is most likely nothing to be alarmed about, but probably indicates that your entire subnet is now being attacked more regularly. The Internet is very fragmented, and once an infected botnet discovers a new subnet to attack they will bombard all the machines on that network until the botnet is taken down.

    Also note that this forum is NOT a place to receive official technical support. While I apologize for the delay and the bug in the product, there are actually three different Symantec-run forums, not to mention discussion forums on external Mac-related Web sites that we also monitor. We just can't monitor them all. If you need a quick response you should contact Symantec support (http://www.symantec.com/support).
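
One way to check which side actually sent the traffic, given that the alert's source field may be reversed as described in post 24, is to compare the alert against the IP header of a captured packet. This is an added example, not Symantec's code or part of the thread; the function names, the 192.0.2.10 and 203.0.113.77 addresses and the sample packet are constructed, and UDP port 1434 is the SQL Server Resolution Service port that SQL Slammer targets.

```python
import ipaddress
import struct

SQL_RESOLUTION_PORT = 1434  # UDP port of the service SQL Slammer probes


def build_packet(src, dst, sport, dport, payload=b""):
    """Build a minimal IPv4/UDP packet (checksums left at 0) as constructed input."""
    udp_len = 8 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, 17, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return ip_hdr + struct.pack("!HHHH", sport, dport, udp_len, 0) + payload


def parse_ipv4_udp(packet):
    """Return (src_ip, dst_ip, src_port, dst_port) from a raw IPv4/UDP packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4          # IP header length in bytes
    if packet[9] != 17 or len(packet) < ihl + 8:
        raise ValueError("not a complete UDP datagram")
    src = ipaddress.IPv4Address(packet[12:16])
    dst = ipaddress.IPv4Address(packet[16:20])
    sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    return src, dst, sport, dport


def check_alert(alert_source, packet, local_addrs):
    """Compare the source shown in an alert with the packet's real IP header."""
    src, dst, _sport, dport = parse_ipv4_udp(packet)
    local = {ipaddress.IPv4Address(a) for a in local_addrs}
    reported = ipaddress.IPv4Address(alert_source)
    inbound = dst in local and src not in local
    if reported == src:
        verdict = "alert matches packet"
    elif reported == dst and inbound:
        # The alert names our own address, but the wire says we were the target.
        verdict = "alert fields reversed"
    else:
        verdict = "alert does not match packet"
    return {"verdict": verdict, "true_source": str(src), "inbound": inbound,
            "slammer_port": dport == SQL_RESOLUTION_PORT}


# Constructed sample: a remote host probing this machine on UDP 1434.
LOCAL = ["192.0.2.10"]
SAMPLE = build_packet("203.0.113.77", "192.0.2.10", 4321,
                      SQL_RESOLUTION_PORT, b"\x00" * 16)

if __name__ == "__main__":
    # The alert lists our own address as the attacker, as users in this thread saw.
    print(check_alert("192.0.2.10", SAMPLE, LOCAL))
```

An "alert fields reversed" verdict with `inbound` true means the machine was the target of the probe, not its origin.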



  • 25.  RE: Odd Vulnerability Notification related to MS SQL Stack BO

    Posted Nov 08, 2010 10:47 PM

    Ryan, thank you for the update.  Also, I was not aware this wasn't a support forum...my apologies.



  • 26.  RE: Odd Vulnerability Notification related to MS SQL Stack BO

    Posted Mar 12, 2011 08:36 PM

    I have been getting the same BLOCKS the last few days several times a day from the same number, pretty annoying. I'm hoping someone can let me know what this is all about.  I check my ISP and DNS and the numbers don't match.  See attached images of the activity.



  • 27.  RE: Odd Vulnerability Notification related to MS SQL Stack BO

    Posted May 18, 2011 08:10 PM

    I just started getting this pop up today. I'm not technically savvy, so I only hope all of this subnet attack stuff isn't going to wreak havoc on my computer. I'll be back if I get it again from this point on.



  • 28.  RE: Odd Vulnerability Notification related to MS SQL Stack BO

    Posted Jul 25, 2011 05:53 PM

    So what happened? This trail goes quiet after 18 May. I'm using a Mac Pro running OS X 10.6.8 and in the last few days I'm also getting the Norton pop up saying "Vulnerability Blocked" and naming the Attack as "Portscan" and the Application as /mach_kernel. What is it? and is it dangerous? I'm not a tech head so plain English please if anyone can help! Screenshot below:



  • 29.  RE: Odd Vulnerability Notification related to MS SQL Stack BO

    Posted Aug 10, 2011 07:21 AM

    Yes Fred I too am getting this at least twice a day for about 5 days now - never before.  I have a MacBook Pro running OSX 10.6.8.  but I was using this last year when I can see so many other people were getting it.  I would be glad of an explanation and to know whether I need to do anything about it.  Has just happened again now - 3rd time this morning

    And again - When I choose learn more about this attack I go to a symantec page which never connects http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=99991

    Thanks



  • 30.  RE: Odd Vulnerability Notification related to MS SQL Stack BO

    Posted Aug 22, 2011 06:23 PM

    I just started getting this today and it's happening about every 3-5 minutes!  Very frustrating.  I also have a MacBook Pro running OSX 10.6.8.  I've been using the MAC since December 2010 without problems, but my other computers are PC and Norton has always worked well for me.  Now I can't even get a response from the little, magic computer guy ("Nathan") on the support site.  Apparently, "Nathan" doesn't know from MAC.  Why does Symantec market and sell software for MAC if they can't or don't support it?  Any help would be so very much appreciated.  Thanks.



  • 31.  RE: Odd Vulnerability Notification related to MS SQL Stack BO

    Posted Sep 08, 2011 04:31 AM

    Do you have any information on the portscan messages? Which product & which version? We don't know of any false positives associated with this feature.

    Also, this site is for corporate support, but SEP for the Mac doesn't include vulnerability protection. So you are probably either using an (old) NAV 11 Corporate Edition installed, or have an (old) consumer product installed. The latest consumer products that are compatible with Lion haven't had the portscan messages come up in some time. If you are getting the messages, with the latest consumer products, I'd say it's likely an actual detection.

    Also, it's pretty easy to disable the portscan detections--when the popup comes up, select "Configure Vulnerability Protection", and disable the notifications for the Portscan signature in the window that appears.



  • 32.  RE: Odd Vulnerability Notification related to MS SQL Stack BO

    Posted Sep 08, 2011 10:13 PM

    Ryan

    Thanks for responding.

    I bought Norton Internet Security 4 for Mac as a download from Symantec in June. At the time I was running Mac OS X 10.6 (Snow Leopard) on my MacBook Pro and have since upgraded to 10.7.1 (Lion).

    The repeated vulnerability warnings have continued in Lion - sometimes at the rate of once or twice a day, sometimes nothing comes up for days at a time. And this happens regardless of whether I am at home, at the office or on the road.

    You ask about "false positives". I have no idea what that means.

    I'm not using a Corporate Edition and I don't imagine a product downloaded directly from Symantec only 3 months ago (June 2011) could be considered an out-dated product and surely was configured to be compatible with Lion which was released only a month later.

    As you point out, I can disable the notification but before I do that I need to know if this is a genuine vulnerability or a software problem.

    So I'm still not sure what to do??

    Sorry for being so dumb on this stuff.

    TC



  • 33.  RE: Odd Vulnerability Notification related to MS SQL Stack BO

    Posted Sep 23, 2011 05:13 PM

    Hello Everyone & Ryan,

    So glad I came across this thread. Ryan, since you seem to be the authority here, I'd like to give you as much information as possible on this continued problem. I have also been experiencing /mach_kernel Portscan detections.  I have been receiving detections since 7/22/11.  The total Portscan Detections are now at 129 logged items, noted in the Activities log inside the Norton software.  With an average of 3-6 detections per day.  I did notice a sharp decrease in notifications last week, and I did not alter any software specifications.

    My software specs are as follows:

    Norton AntiVirus: Version 11.1.2 (17)

    Mac OSX: Version 10.6.8

    From my recollection, I had updated Lion shortly prior to this issue, possibly 2 weeks or less.  I do however remember the day it started to happen.  I watched a movie trailer on Apple.com, and really enjoyed a song from the trailer.  I Googled sites that offer information on movie trailer music, I cannot remember the website name I visited, but it was an unfamiliar site and the first one on the list. It of course did not offer the information I wanted.  About 20 minutes after, I started to receive this detection block. I rarely visit websites that I am not familiar with, or trust. As well, I do not download any material from peer to peer sources. So my best guess is that it could have started from there.

    Please review the attached file for more details.

    Can issues like this start from visiting websites, persons capturing the IP address, and sending these portscans? Hopefully this information can help to assist everyone.  Where should we go from here?  Is there any other information that may be of use?

    Thank you so very much!  Ohh, and on a wonderful note!  My software is obviously doing its job, great work at making awesome software!



  • 34.  RE: Odd Vulnerability Notification related to MS SQL Stack BO

    Posted Nov 26, 2011 10:16 PM

    My father in law is visiting for the holidays, and since he logged on to a particular website (neh.gov), I just started receiving the same notification (about every 10 minutes): it was "blocked" from his PC; attack name = Portscan; application = mach_kernel;

    He's connected to the internet, and doing some work for National Endowment for Humanities (hence the neh.gov)  -- possible they're infected?

    I'm running Lion OS 10.7.2 on 3 of my four computers (other one is old iMac), with latest SEP 11 (US Army License) installed.

    He's running Windows Vista on a three-year old (at least) Dell, with the latest McAfee version.

    Thanks!