Endpoint Protection

  • 1.  Constant "Traffic from IP address XXXXXXXX is blocked" message popping out (+1)

    Posted Jun 08, 2011 05:51 AM

    Hello,

    We're using SEP 11.6005.562 on our 2 PCs. They share Internet access.

    SEP is fully LiveUpdated.

    As described in a January thread on the same subject, we lose all Internet access after a pop-up saying "The incoming traffic from IP 86.69... is blocked" appears from time to time, for 10 minutes each time. The service denial is logged.

    The external IP is always the same.

    Not only is incoming traffic from this IP blocked, but all Internet access (web, POP, etc.) for the 2 PCs.

    We scanned the PCs with SEP, Malwarebytes, etc., with no problem detected.

    Is it possible to block the IP address without losing Internet access for 10 minutes?

    Is it possible to preventively block this IP address so no warning will pop up?

    Thanks for any help,

    Jean-Jacques


  • 2.  RE: Constant "Traffic from IP address XXXXXXXX is blocked" message popping out (+1)

    Broadcom Employee
    Posted Jun 08, 2011 06:27 AM

    Edited

    Hi,

    In the SEPM you can create a firewall rule to block an attacker address, or you can increase the default time limit of 10 minutes.

    By default, an attacker IP address is blocked for 10 minutes. You can increase this time through policies. Set it to the maximum.

    I don't see any point in creating an exception for a single IP address, because attackers are smart enough that they will start with a new IP address.

    If a machine is receiving an attack, it means there must be some loophole in the system.

    Patch the system with all the system updates. Use all the SEP features, i.e. AV/AS, PTP & NTP, with the latest definitions.

    Check this article:

    http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=23179

    Check this link for all the updates which need to be installed.

    http://www.securityfocus.com/bid/31874/solution



  • 3.  RE: Constant "Traffic from IP address XXXXXXXX is blocked" message popping out (+1)

    Trusted Advisor
    Posted Jun 08, 2011 06:48 AM

    Hello,

    An Intrusion Prevention signature is automatically blocking an attacker's IP address. It blocks network traffic from the attacker for a configurable duration (default 10 minutes).

    To create an exception for Intrusion Prevention Policy to allow a specific ID:

    1. Open the Symantec Endpoint Protection Manager console.
    2. Select the 'Policies' tab.
    3. Under 'View Policies', select 'Intrusion Prevention'.
    4. Select the Intrusion Prevention policy, and under 'Tasks' select 'Edit the Policy'.
    5. Select the 'Exceptions' tab.
    6. Click on the 'Add...' button.
    7. Search for and select the blocked ID.
    8. Click on the 'Next>>' button.
    9. Change 'Action' from 'Block' to 'Allow'. Click on the 'OK' button.
    10. Check that the edited exception has been added to the 'Intrusion Prevention Exceptions' list.
    11. Click on the 'OK' button to save the changes in the Intrusion Prevention policy.

    I would also request that you upgrade SEP from 11.0.6005 to 11.06300.

    If you are unable to update to RU6 MP3 at this time, the following workaround can be applied:

    1. On the SEPM, edit the existing firewall policy.
    2. Choose Traffic and Stealth Settings.
    3. Remove the check mark from "Enable Anti-MAC spoofing".