Endpoint Protection

Hi

I have a user is getting the error message traffic is blocked which prompting up by the SEP11 while doing the file transfer.
My user is in the unmanagged group while does not have the rules configure from the SEP11 Manager.

Now it is causing the trouble to my user, may I know what is the problem and how to cause this.

Meanwhile anyway to solve this too?

Thank you

do you mean unmanaged client, then you can configure on the client GUI side. Try disabling the NTP and see the files are transfeered. If yes, then you need to configure the rules accordingly.

But I didn't configure any rules on that pc how can my user's pc will block this?

Meanwhile I also just realize about this problem and my colleague has formatted her pc's.

I want to know how can this be happen without rhyme and reason.

Thank you

SEP unamanged comes with default set of rules. and it could be also becuase of windows firewall ( if it all services are enabled)!

to verify, disable SEP and see if the file transfer does happen.

This is because of some default configuration of SEP .As pete_4u2002 told uninstall NTP and try.If it works you may have to configure it.

Also in the NTP logs check which is the rule blocking the traffic.You may have modify this rule for allowing that traffic.

If possible can you please get the screenshot of the Error or the Pop that the user is getting on his screen. Traffic log will be helpful too. 

I hope I can print screen the error message but my colleague format the pc already. Until now I have number of users are using the unmangged but how come only that user is having this problem.

Sound like funny since that other users are working fine and no issue.

When you get the message traffic is blocked..
What is the exact message..
Is it blocked by any IP address?
it can be due to IPS blocking the attacker's IP address due to an attack.

It can be firewall blocking some files being accessed.
Firewall rule might be same on all computers and users but ..which site they access and what resource they access would be different hence firewall will act different for all users.

I didn't see the error message but from my colleague explains, it is from the SEP11 prompiting up a balloon.

From their analysis, the SEP11 not only block other IP but that pc itself IP also be blocked.

Because this is the unmagged SEP11, we don't create any rules for the users.

All are the default rules.

When you are getting this popup next time provide us a screen shot..

Check the traffic logs on the client and check what is getting blocked.

Hi Vikram

If not mistaken, I am geting the same error from this :

https://www-secure.symantec.com/connect/forums/endpoint-1106-false-denial-service-attacks-dns-servers

Do you have any idea of this? I just check that a lot of users are getting of this problems

Well first make sure which IP it is..is it local network IP or some public IP..

The PC is in my local area as the user complains the pc does not work and bring to the HQ for checking.

While checking my colleague found out this error and format the pc without informing me.

Alright..there might have been some downloader or Add-in which would have been calling some outside ip or would be trying to infect others..so it was getting these messages and it was getting blocked by other machines...however since it has been formatted...
Nothing much can be said and done about..but these balloons are not always False Positives they mean these computers or IP address requires attention !!

In my environment, if online the user need to have the access right. That pc we didn't assign the internet acces right and what my colleague did just the file transfer and at the end SEP11 block it.

For a machine to get infected you no more need a internet access..a file USB can be enough..but as i said as this machine has been formatted nothing can be said what actually was the issue..