Endpoint Protection

  • 1.  SEP blocking Web Services Discovery, should I allow?

    Posted Jun 13, 2018 09:27 PM

    Hi. I am having issues with annoying popups coming up every few minutes, saying SEP blocked application "svchost.exe". I have been using this PC with SEP for a little over a year now and I haven't had this popup come up until yesterday. The only thing I remember changing at that time was setting up a Dropbox share folder, which I assume is unrelated based on the information I show below.

    I am on an unmanaged client.

    I checked the network threat protection logs, and have identified that the notification is coming from incoming traffic to port 3702, from an IPv6 address. The log tells me that the applied rule is Block Web Services Discovery.

    Here is the exact log entry:

    2018/06/14 10:10:44    遮断しました    3    着信    UDP    FE80:0:0:0:6152:E281:F972:22C8    28-16-AD-21-2F-0F    64489    FF02:0:0:0:0:0:0:C    33-33-00-00-00-0C    3702    C:\Windows\System32\svchost.exe    LOCAL SERVICE    NT AUTHORITY    Default    4    2018/06/14 10:10:20    2018/06/14 10:10:25    Block Web Services Discovery    

    遮断しました = blocked, 着信 = inbound (I run on a Japanese client. Sorry for the inconvenience)

    I looked through other forum posts, and have figured out I can change this particular firewall rule to allow traffic, but I don't know if this is safe to do. So I want some expert advice on the matter.

    I am currently suppressing the popups by turning off Network Intrusion Alert, but this is probably not ideal in the long term.



  • 2.  RE: SEP blocking Web Services Discovery, should I allow?

    Posted Jun 14, 2018 12:06 AM

    Is the host machine (IPv6) a known machine from your network?

    If yes, install SEP with the latest updates on the machine and run a full scan for any infection.

    If no, let it be blocked unless you get more information.



  • 3.  RE: SEP blocking Web Services Discovery, should I allow?

    Posted Jun 14, 2018 07:24 AM

    Is the request coming from an internal host? Or external?



  • 4.  RE: SEP blocking Web Services Discovery, should I allow?

    Posted Jun 15, 2018 01:08 AM

    No, I don't know what exactly this IP points to. I'm in a University's network so I'm not aware of what exactly is running in it.

    Looks like I should keep blocking this, I guess.

    So, in that case I want to know if there is a way to suppress notifications only for this particular type of event (block Web Services Discovery).



  • 5.  RE: SEP blocking Web Services Discovery, should I allow?
    Best Answer

    Posted Jun 15, 2018 07:01 AM

    Just keep blocking it. If you turn off notifications then it applies to everything. You can't turn them off for specific rules.



  • 6.  RE: SEP blocking Web Services Discovery, should I allow?

    Posted Jun 15, 2018 07:28 AM

    If possible, block the IPv6 address of the unknown machine at the firewall level, as the hits then won't reach the endpoint.



  • 7.  RE: SEP blocking Web Services Discovery, should I allow?

    Posted Jun 20, 2018 01:27 AM

    Thank you all for the support!

    I'll keep blocking this while suppressing the notifications as I have been doing.
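
Added example (not part of any post in this thread, and not Symantec code): a Python script that parses the log entry from the first post and reports the scope of each address, whether the packet matches WS-Discovery multicast (UDP 3702 to ff02::c or 239.255.255.250), and whether the destination MAC agrees with the IPv6 multicast mapping. The column names and the space-separated layout are assumptions inferred from that single entry.

```python
import ipaddress
import re

# Log entry copied from the first post; columns are separated by runs of spaces.
SAMPLE = ("2018/06/14 10:10:44    遮断しました    3    着信    UDP    "
          "FE80:0:0:0:6152:E281:F972:22C8    28-16-AD-21-2F-0F    64489    "
          "FF02:0:0:0:0:0:0:C    33-33-00-00-00-0C    3702    "
          r"C:\Windows\System32\svchost.exe    LOCAL SERVICE    NT AUTHORITY    "
          "Default    4    2018/06/14 10:10:20    2018/06/14 10:10:25    "
          "Block Web Services Discovery")

# Column names are assumptions inferred from that one entry, not from SEP docs.
FIELDS = ("time action severity direction protocol remote_ip remote_mac "
          "remote_port local_ip local_mac local_port application user domain "
          "location count begin end rule").split()
WSD_GROUPS = {ipaddress.ip_address("ff02::c"),
              ipaddress.ip_address("239.255.255.250")}
V6_SCOPES = {1: "interface-local", 2: "link-local", 5: "site-local",
             8: "organization-local", 14: "global"}

def parse(line):
    cols = re.split(r"\t+| {2,}", line.strip())
    if len(cols) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} columns, got {len(cols)}")
    return dict(zip(FIELDS, cols))

def scope(addr):
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.is_multicast:
        # Low nibble of the second byte is the multicast scope (RFC 4291).
        return V6_SCOPES.get(ip.packed[1] & 0x0F, "other") + " multicast"
    if ip.is_multicast:
        return "multicast"
    if ip.is_link_local:
        return "link-local"
    return "private" if ip.is_private else "global"

def multicast_mac(addr):
    # IPv6 multicast maps to Ethernet 33-33 + low 32 bits of the group (RFC 2464).
    tail = ipaddress.ip_address(addr).packed[-4:]
    return "-".join(["33", "33"] + [f"{b:02X}" for b in tail])

def triage(line):
    e = parse(line)
    dst = ipaddress.ip_address(e["local_ip"])
    return {"source_scope": scope(e["remote_ip"]),
            "dest_scope": scope(e["local_ip"]),
            "ws_discovery": (e["protocol"] == "UDP" and e["local_port"] == "3702"
                             and dst in WSD_GROUPS),
            "dest_mac_consistent": (dst.version == 6 and dst.is_multicast and
                                    multicast_mac(e["local_ip"]) == e["local_mac"].upper())}
```

For this entry the sender's fe80:: address is link-local, which routers do not forward, so the probe came from a device on the same network segment rather than from outside it.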