Endpoint Protection

  • 1.  Traffic has been blocked from this application: (svchost.exe)

    Posted Jul 23, 2013 09:01 PM

    All,

     

    I have tried various approaches from this site to stop the notification on Windows 7 Home Premium (SP1).

    1.  Ran Malware recommended (Malwarebytes Anti-Malware 1.75.0.1300 with a database updated to today) - detected ESPN tracking cookie and nothing else.

    2.  Ran a full scan with Symantec EndPoint Protection (12.1.2100.2093) - nothing.

    3.  Disabled Internet Protocol Version 6 (Tcp/IPv6) from both the LAN and the wireless network.

    I could simply turn off all notifications but that leaves me vulnerable from a real attack... don't want to do this.

    My question, hopefully answered in Chaplain Friendly language, is WHY is the notification happening and what can I do about it to make the problem stop, not the notification. 



  • 2.  RE: Traffic has been blocked from this application: (svchost.exe)

    Posted Jul 23, 2013 09:04 PM

    Is this for an unmanaged client?

    This could also be due to Windows Updates, it utilizes svchost.exe as well.

    If unmanaged, options are pretty limited to either turning off the notification (less secure), allowing svchost (less secure as malware masquerades as this process name), or just dealing with it.

    You can check the Traffic log to see exactly where the traffic is trying to go (what IP address?)



  • 3.  RE: Traffic has been blocked from this application: (svchost.exe)

    Posted Jul 23, 2013 09:18 PM

    It is on my home computer provided by the Navy - I run it myself so I am assuming it is unmanaged.

     

    It is always the same... and happens roughly every 7-10 minutes

    7/23/2013 9:10:55 PM Blocked Outgoing UDP 239.255.255.250 01-00-5E-7F-FF-FA 1900 192.168.1.100 78-45-C4-20-8D-AC 1900 C:\Windows\System32\svchost.exe LOCAL SERVICE NT AUTHORITY Default 18 7/23/2013 9:09:45 PM 7/23/2013 9:09:51 PM Block UPnP Discovery



  • 4.  RE: Traffic has been blocked from this application: (svchost.exe)

    Posted Jul 23, 2013 09:21 PM

    That is legitimate traffic for UPnP (network discovery)

    You can disable if you want, follow the directions here:

    http://windows.microsoft.com/en-us/windows-vista/enable-or-disable-network-discovery

    There is no way to turn off alerting for specific firewall rules in unmanaged clients. You could just delete the Block UPnP rule as well, which will allow UPnP. But it is legit.



  • 5.  RE: Traffic has been blocked from this application: (svchost.exe)

    Posted Jul 23, 2013 09:33 PM

    Can you tell me what network discovery does? 

    Will it dramatically affect my normal (read internet, some espn streaming, Netflix) usage?

    I have a home network (Desktop and Laptop) and a DVD player all going through the same router, but almost never share files from this computer.



  • 6.  RE: Traffic has been blocked from this application: (svchost.exe)

    Posted Jul 23, 2013 09:45 PM

    It allows your computer to see (find) other computers and devices on your home network as well as allows those computers and devices to see your computer. Your normal Internet usage won't be affected. You just won't be able to share files, etc.



  • 7.  RE: Traffic has been blocked from this application: (svchost.exe)

    Posted Jul 23, 2013 10:26 PM

    Turned it off, checked and under choose homegroup and sharing options, change advanced settings, now the bubble under the Network Discovery heading "Turn off network discovery" is checked.

     

    I rebooted the computer and when I got back on, the error repeated and added another factor:

    FF02:0:0:0:0:0:0:C 33-33-00-00-00-0C 

    and

    239.255.255.250 

    7/23/2013 10:17:43 PM Blocked 3 Outgoing UDP FF02:0:0:0:0:0:0:C 33-33-00-00-00-0C 1900 FE80:0:0:0:5817:2DA7:F209:36A6 78-45-C4-20-8D-AC 1900 C:\Windows\System32\svchost.exe LOCAL SERVICE NT AUTHORITY Default 18 7/23/2013 10:16:50 PM 7/23/2013 10:16:56 PM Block UPnP Discovery 
    7/23/2013 10:17:43 PM Blocked 3 Outgoing UDP 239.255.255.250 01-00-5E-7F-FF-FA 1900 192.168.1.100 78-45-C4-20-8D-AC 1900 C:\Windows\System32\svchost.exe LOCAL SERVICE NT AUTHORITY Default 18 7/23/2013 10:16:50 PM 7/23/2013 10:16:56 PM Block UPnP Discovery 
     



  • 8.  RE: Traffic has been blocked from this application: (svchost.exe)

    Posted Jul 24, 2013 07:09 AM

    Hi,

    Check this thread; Brian81's comments will help you.

    https://www-secure.symantec.com/connect/forums/svchostexe-traffic-has-been-blocked-sep-netowork-threat-protection#comment-8139281



  • 9.  RE: Traffic has been blocked from this application: (svchost.exe)

    Posted Jul 24, 2013 07:13 AM

    That is still the rule for UPnP (network discovery). Is it still coming up now?
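
Added example (not part of the thread and not Symantec tooling): a Python check over the traffic-log entries pasted above that confirms each blocked packet is SSDP/UPnP discovery and that the sender is the System32 svchost.exe, which covers the masquerading concern raised in reply 2. The field order is assumed from the pasted lines, the third sample entry is constructed, and `review` and `multicast_mac` are hypothetical names.

```python
import ipaddress
import re

# Entries 1-2 are the lines pasted in the thread (trailing rule columns trimmed);
# entry 3 is constructed for contrast and does not come from the thread.
SAMPLE_LOG = [
    r"7/23/2013 10:17:43 PM Blocked 3 Outgoing UDP FF02:0:0:0:0:0:0:C 33-33-00-00-00-0C 1900 FE80:0:0:0:5817:2DA7:F209:36A6 78-45-C4-20-8D-AC 1900 C:\Windows\System32\svchost.exe LOCAL SERVICE NT AUTHORITY Default 18",
    r"7/23/2013 10:17:43 PM Blocked 3 Outgoing UDP 239.255.255.250 01-00-5E-7F-FF-FA 1900 192.168.1.100 78-45-C4-20-8D-AC 1900 C:\Windows\System32\svchost.exe LOCAL SERVICE NT AUTHORITY Default 18",
    r"7/23/2013 10:20:01 PM Blocked 3 Outgoing UDP 203.0.113.7 00-11-22-33-44-55 1900 192.168.1.100 78-45-C4-20-8D-AC 1900 C:\Users\Public\svchost.exe LOCAL SERVICE NT AUTHORITY Default 18",
]
MAC = r"(?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2}"
ENTRY = re.compile(  # column order assumed from the pasted entries
    rf"(?P<direction>Outgoing|Incoming)\s+(?P<proto>\S+)\s+"
    rf"(?P<remote_ip>\S+)\s+(?P<remote_mac>{MAC})\s+(?P<remote_port>\d+)\s+"
    rf"(?P<local_ip>\S+)\s+(?P<local_mac>{MAC})\s+(?P<local_port>\d+)\s+"
    r"(?P<app>[A-Za-z]:\\\S+)"
)
SSDP_GROUPS = {ipaddress.ip_address("239.255.255.250"), ipaddress.ip_address("ff02::c")}
SYSTEM_SVCHOST = r"c:\windows\system32\svchost.exe"  # assumes Windows lives in C:\Windows

def multicast_mac(ip):
    """Ethernet address a multicast group maps to (RFC 1112 for IPv4, RFC 2464 for IPv6)."""
    n = int(ip)
    if ip.version == 4:
        raw = bytes([0x01, 0x00, 0x5E]) + (n & 0x7FFFFF).to_bytes(3, "big")
    else:
        raw = b"\x33\x33" + (n & 0xFFFFFFFF).to_bytes(4, "big")
    return "-".join(f"{b:02X}" for b in raw)

def review(line):
    """Return reasons the entry is NOT plain SSDP discovery; an empty list means expected."""
    m = ENTRY.search(line)
    if not m:
        return ["unparsed entry"]
    try:
        remote = ipaddress.ip_address(m["remote_ip"])
    except ValueError:
        return ["remote host is not an IP address"]
    reasons = []
    if m["proto"].upper() != "UDP" or m["remote_port"] != "1900":
        reasons.append("not UDP/1900")
    if remote not in SSDP_GROUPS:
        reasons.append(f"destination {remote} is not an SSDP multicast group")
    elif multicast_mac(remote) != m["remote_mac"].upper():
        reasons.append("destination MAC does not match the multicast group")
    if m["app"].lower() != SYSTEM_SVCHOST:
        reasons.append(f"process path is {m['app']}, not the System32 svchost.exe")
    return reasons
```

Both entries from the thread come back with no findings; the constructed third entry is flagged for its unicast destination and for the svchost.exe path outside System32.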



  • 10.  RE: Traffic has been blocked from this application: (svchost.exe)

    Posted Sep 09, 2013 06:29 AM

    I believe EndPoints is blocking the access to svchost.exe probably because of unmatched IP traffic (certificate is missing). The default setting is to allow only application traffic which is blocked.

    If you allow IP traffic (in the firewall tab of the Network Threat Protection Settings) you will unblock the access of an unmatched application; of course it carries a risk.