Endpoint Protection


Endpoint 11.0.6 - False Denial of Service Attacks - DNS Servers


  • 1.  Endpoint 11.0.6 - False Denial of Service Attacks - DNS Servers

    Posted Apr 27, 2010 06:40 PM
    We are now in the process of rolling out the latest version of Symantec Endpoint Protection (11.0.6). Part of this process involves the IT staff (i.e.- me and my co-workers) installing it on our company-owned laptops. I completed this upgrade a few days ago (from 11.0.5). 

    When I am navigating on the internet, Endpoint is reporting a DoS attack from my ISP's DNS servers and it's cutting off my internet access. I had to turn off Network Threat Protection because of this problem. 

    I'm not sure what's going on, but I need to determine how to fix it ASAP.

    Anyone had this problem or know how to fix it?


  • 2.  RE: Endpoint 11.0.6 - False Denial of Service Attacks - DNS Servers

    Posted Apr 27, 2010 06:57 PM

    I have not heard of this. What is the SID of the IPS detection?


  • 3.  RE: Endpoint 11.0.6 - False Denial of Service Attacks - DNS Servers

    Posted Apr 27, 2010 07:13 PM
    I posted the same issues 2 weeks ago. I have a case open with Symantec.

    https://www-secure.symantec.com/connect/forums/sepv11-dos-ips-logs-after-upgrading-clients-ru6

    The workaround is to use the host exclusion, which solved our internal DNS issue, but users at home started having issues with their gateway/router since it acts as a DNS server/forwarder. I had to turn off DoS detection for the home location.


  • 4.  RE: Endpoint 11.0.6 - False Denial of Service Attacks - DNS Servers

    Posted Apr 27, 2010 09:42 PM
    Sorry, what's what? 


  • 5.  RE: Endpoint 11.0.6 - False Denial of Service Attacks - DNS Servers

    Posted Apr 27, 2010 11:23 PM
    Go to Monitors > Logs. Check Network Threat Protection for a list of Attacks.
    User's PCs will also have a pop-up on during the attack stating the SID.
    You can view the listing of the SIDs in the Intrusion Prevention part of the Policy page, under exemption.


  • 6.  RE: Endpoint 11.0.6 - False Denial of Service Attacks - DNS Servers

    Posted Apr 27, 2010 11:37 PM
    This is not an IPS policy with a SID.


  • 7.  RE: Endpoint 11.0.6 - False Denial of Service Attacks - DNS Servers

    Posted Apr 28, 2010 07:31 AM
    Have seen the same on one computer (RU6), ended up turning off DoS.


  • 8.  RE: Endpoint 11.0.6 - False Denial of Service Attacks - DNS Servers

    Posted Apr 28, 2010 08:44 PM


    That's the message I get from Symantec while browsing the web. That IP is one of Comcast's DNS servers.


  • 9.  RE: Endpoint 11.0.6 - False Denial of Service Attacks - DNS Servers

    Posted Apr 28, 2010 09:25 PM

    So is this happening to all your RU6 clients? I'm scheduled to upgrade Friday and am a little nervous now.....


  • 10.  RE: Endpoint 11.0.6 - False Denial of Service Attacks - DNS Servers

    Posted Apr 28, 2010 10:08 PM
    I put this on my Windows 7 laptop. I have not installed it on my Windows 7 desktop because of the trouble I have had with it on my laptop. It's on my Media PC (XP Pro) as well as a test and so far so good. XP Pro seems unaffected. I can't replicate this error there.


  • 11.  RE: Endpoint 11.0.6 - False Denial of Service Attacks - DNS Servers

    Posted Apr 29, 2010 09:00 AM

    We have been running 11.0.5 on 600 Win XP Pro stations with no issues. I upgraded our server/clients to 11.0.6 yesterday and I am getting DoS false hits on our DNS server as well and had to add an exclusion. For those of you with an open case, please post a resolution when they have one.

    Thank you.




  • 12.  RE: Endpoint 11.0.6 - False Denial of Service Attacks - DNS Servers

    Posted Apr 29, 2010 10:03 AM
    I wonder what the connection is, then. I put 11.0.6 on my XP Pro machine as a test and it's running fine. Strange.


  • 13.  RE: Endpoint 11.0.6 - False Denial of Service Attacks - DNS Servers

    Posted Apr 29, 2010 10:05 AM
    That post should have been underneath John Zolnowski's post and I can't figure out how to move it.


  • 14.  RE: Endpoint 11.0.6 - False Denial of Service Attacks - DNS Servers

    Posted Apr 29, 2010 01:32 PM
    If I can get a system with this issue I will put a sniffer on the box to look at what's going on. RU6 made changes to the firewall/IPS because I've had other strange issues as well.


  • 15.  RE: Endpoint 11.0.6 - False Denial of Service Attacks - DNS Servers

    Posted Apr 29, 2010 01:47 PM
    I also had this problem at home on two of my Desktops

    Windows 7 64-bit with SEP 11.0.6000 (unmanaged)
    Windows 7 32-bit with SEP 11.0.6000 (unmanaged)
    Both have all features installed.
    Blocks Comcast's DNS servers.
    Firewall rules to allow all traffic to/from the DNS addresses didn't make a difference.

    I have NTP uninstalled for now, since I haven't had time to troubleshoot it yet.


  • 16.  RE: Endpoint 11.0.6 - False Denial of Service Attacks - DNS Servers

    Posted Apr 29, 2010 01:56 PM
    Ryan,

    You're the first Symantec employee/support person that has experienced this issue to date as far as I know. Please install Wireshark or similar packet capture software and post the results. I can help you read the output from the capture if needed. This is critical for SEP customers. I only have 100 systems in pilot mode, but this would have been a major issue if it was rolled out to 50,000 clients.


  • 17.  RE: Endpoint 11.0.6 - False Denial of Service Attacks - DNS Servers

    Posted Apr 29, 2010 02:28 PM

    What happens if you turn off DoS protection ?

    Would you advise turning it off before upgrading to RU6a?


  • 18.  RE: Endpoint 11.0.6 - False Denial of Service Attacks - DNS Servers

    Posted Apr 29, 2010 02:43 PM
    I would advise you to use a host exclusion list of your DNS servers or disable the feature. The active response time is the main issue. If you have it set for 10 minutes and the DoS gets triggered, it stops communicating with the DNS server for 10 minutes.


  • 19.  RE: Endpoint 11.0.6 - False Denial of Service Attacks - DNS Servers

    Posted Apr 29, 2010 02:51 PM
    Right now, I have it turned on but not blocking for any period of time.

    Also, if I just upgrade SEPMs and leave the clients on RU5 until I can get a test group in place for RU6, I think I should be fine?


  • 20.  RE: Endpoint 11.0.6 - False Denial of Service Attacks - DNS Servers

    Posted Apr 29, 2010 02:53 PM
    It appears you will be fine upgrading the SEPM to RU6 and leaving the clients at RU5. We didn't start seeing this issue until the client had RU6 installed.


  • 21.  RE: Endpoint 11.0.6 - False Denial of Service Attacks - DNS Servers

    Posted Apr 29, 2010 02:56 PM

    Ok, so I feel a little better. I can at least get an exclusion list and then roll out RU6 to a test group.

    Has Symantec come back to you with anything on this yet?


  • 22.  RE: Endpoint 11.0.6 - False Denial of Service Attacks - DNS Servers

    Posted Apr 29, 2010 05:35 PM

    That's exactly my situation. Windows 7 64-bit, unmanaged, on a Comcast cable internet connection. I also created Firewall rules and got no help.

    I think I'm going to roll back to 11.0.5 if it isn't resolved soon. I like leaving NTP on.


  • 23.  RE: Endpoint 11.0.6 - False Denial of Service Attacks - DNS Servers

    Posted May 03, 2010 11:42 AM
    Started upgrades in the office.  Same issues coming up.  Using OpenDNS and they are getting picked up as UDP flood attacks.  WTF?


  • 24.  RE: Endpoint 11.0.6 - False Denial of Service Attacks - DNS Servers

    Posted May 03, 2010 03:32 PM
    Adding your DNS servers to the excluded hosts OR unchecking "Denial of Service Protection" does seem to fix it.  According to the Symantec tech I spoke with, the IPS signatures apply differently to machines with RU6 vs earlier, and their fix should be released in a new IPS signature update "in the next few days".


  • 25.  RE: Endpoint 11.0.6 - False Denial of Service Attacks - DNS Servers

    Posted May 03, 2010 03:48 PM
    Rich,

    thanks for the update!


  • 26.  RE: Endpoint 11.0.6 - False Denial of Service Attacks - DNS Servers

    Posted May 03, 2010 08:43 PM
    Denial of Service is a built-in technology for IPS.  It incorporates several different "denial of service" detections.  (I know of Jolt2 and UDP flood but I'm sure there are others.)  The "Denial of Service" feature is not managed by a signature.  It even says so right in the description. 

    "Identifies known attacks based on multiple packets regardless of port number or type of Internet Protocol (IP), which is a limitation of signature based Intrusion Detection and Prevention Systems."

    In other words, it's a built-in technology designed to look for specific packet information.  (Fragmented packets, UDP packets, etc.)  I've asked before and as far as I know, you can't disable any individual type of denial of service detection within the product, so how exactly would they fix this with an IPS signature update?  These detections aren't managed by signatures.  My guess is that a "fix" would require an update to the product. 


  • 27.  RE: Endpoint 11.0.6 - False Denial of Service Attacks - DNS Servers

    Posted May 04, 2010 07:25 AM
    We've been running RU5 WITH those similar issues... no worsening under RU6 so far.
    RU5 gave us constant false positives.


  • 28.  RE: Endpoint 11.0.6 - False Denial of Service Attacks - DNS Servers

    Posted May 04, 2010 08:18 AM
    Until Symantec comes up with a better solution, we have learned that DNS prefetching in most browsers is what passes the UDP threshold (reportedly set to 15 packets/second).  This is a good temporary/permanent solution that can also give your DNS servers a little rest and relaxation.


  • 29.  RE: Endpoint 11.0.6 - False Denial of Service Attacks - DNS Servers

    Posted May 04, 2010 05:21 PM

    I was thinking the same thing, but I hope I'm wrong.

    Unfortunately, won't be able to test, as I removed the Network Threat Protection as I got tired of Windows and Symantec yelling at me for not having it turned on.


  • 30.  RE: Endpoint 11.0.6 - False Denial of Service Attacks - DNS Servers

    Posted May 12, 2010 07:41 AM

    Any update on this yet?


  • 31.  RE: Endpoint 11.0.6 - False Denial of Service Attacks - DNS Servers

    Posted May 19, 2010 11:17 PM
    This is still an ongoing issue. I believe I have actually connected it to the Chrome browser. IE seems unaffected. But when I open Chrome, whether it be on Windows XP or Windows 7, Symantec pops up right away and blocks the DNS server.

    What I want to know is, where is the update that's supposed to fix this?


  • 32.  RE: Endpoint 11.0.6 - False Denial of Service Attacks - DNS Servers

    Posted May 24, 2010 05:13 AM

    A couple of other SEP 11 RU6 users have also seen and reported this, so Symantec is looking into it. 

    The Denial of Service detection type "UDP Flood Attack" is a new feature added in SEP 11 RU6.  The criteria for triggering this detection will be refined and improved in a future release of SEP.

    In the meantime.... if you are 100% convinced that this is a false positive, you can add the IP addresses of DNS servers to the Intrusion Prevention policy Excluded Hosts list.  When the release of SEP which contains the improvement is released, I recommend removing the DNS server's IP!

    Thanks and best regards,

    Mick



  • 33.  RE: Endpoint 11.0.6 - False Denial of Service Attacks - DNS Servers

    Posted May 24, 2010 02:01 PM
    Mick, can you provide a ballpark timeframe on a fix to this problem? For example, will the fix be included in a new IPS definition (days to a week) or require a new release of RU6a (weeks, months).


  • 34.  RE: Endpoint 11.0.6 - False Denial of Service Attacks - DNS Servers

    Posted May 25, 2010 12:46 AM
    It is very hard to exclude the DNS servers' IP addresses because it often happens to people when they take their work computer home and connect through their home router, so then we need to disable the function because all have different IP setups at home and different DNS servers from their ISP.


  • 35.  RE: Endpoint 11.0.6 - False Denial of Service Attacks - DNS Servers

    Posted May 27, 2010 12:01 PM

    I've basically shelved the 11.0.6 upgrade of my clients due to this problem. I too would like to see an ETA.
    To exclude the DNS servers for my laptop users across the country with dozens of ISPs is reasonable.



  • 36.  RE: Endpoint 11.0.6 - False Denial of Service Attacks - DNS Servers

    Posted May 27, 2010 12:15 PM
    This is a major problem with one laptop that had RU6a we have when used on the user’s home network (can’t access any websites). We tried uninstalling and putting MR5 on, but had issues with the SEP client communicating properly with the management servers. We even used CleanWipe and then installed MR5 again. The SEP client thinks it is offline even though the management server thinks it is online and won’t report back that it has any definitions or performed any scans. Until Symantec corrects this problem, our plan to upgrade our laptops is on hold. We aren’t seeing an issue with our desktops and they upgraded fine. Symantec, can you give us an ETA (e.g. days, weeks, months) and whether this problem will be fixed with a new IPS definition or a release of the product?


  • 37.  RE: Endpoint 11.0.6 - False Denial of Service Attacks - DNS Servers

    Posted May 28, 2010 09:50 AM
    I wonder if he might have meant he suggested in-house that the software automatically removed the DNS server's IPs from the list of what it is watching. Otherwise, yeah, it isn't going to be very practical for people to set DNS IPs as excluded themselves, as the average person isn't going to know how to set up an exclusion or what their DNS server's IP is. Even for those that do know, that would be a pain if every time you go somewhere you have to manually reconfigure SEP so that you can get online.


  • 38.  RE: Endpoint 11.0.6 - False Denial of Service Attacks - DNS Servers

    Posted May 28, 2010 10:05 AM
    Hello all,

    This issue is a known issue and is described in detail in the following article. Symantec is currently investigating the best way to resolve it.

    Title: 'Symantec Endpoint Protection client Release Update 6 is detecting a Denial of Service attack of type "UDP Flood Attack" from your DNS server.'
    Document ID: 2010050107362048
    Web URL: http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2010050107362048?Open&seg=ent

    Workarounds for the issue are described in the document.

    Regards,
    James


  • 39.  RE: Endpoint 11.0.6 - False Denial of Service Attacks - DNS Servers

    Posted May 30, 2010 12:50 AM

    After updating to RU6 I have been having the same problem. I keep losing my connection because it keeps saying that my home IPs are DDOSing me. Initially I found out why I was losing connection by disabling Endpoint. Then I started disabling stuff to see if I could go around what was stopping my internet.

    It's nice to see that this can't get fixed in over a month...


  • 40.  RE: Endpoint 11.0.6 - False Denial of Service Attacks - DNS Servers

    Posted Jun 29, 2010 10:17 AM
    The KB article that is referenced above has not been updated since 5.28.10.  Last post on this forum was about the same time.  Any fixes out there?  New customer and ran into this issue with the first pilot users.  Remove the rule already Symantec or give us an option to increase the threshold.


  • 41.  RE: Endpoint 11.0.6 - False Denial of Service Attacks - DNS Servers

    Posted Jun 29, 2010 10:22 AM

    The issue would be fixed in the next release of SEP


  • 42.  RE: Endpoint 11.0.6 - False Denial of Service Attacks - DNS Servers

    Posted Jun 29, 2010 11:53 AM
    When can we expect the next release then?


  • 43.  RE: Endpoint 11.0.6 - False Denial of Service Attacks - DNS Servers

    Posted Jun 29, 2010 12:44 PM
    Next Release as in SEP 12 or SEP 11 RU7?


  • 44.  RE: Endpoint 11.0.6 - False Denial of Service Attacks - DNS Servers

    Posted Jul 20, 2010 11:39 PM

    How is this accomplished if you lock down the users' ability to make changes?

    Thanks!



  • 45.  RE: Endpoint 11.0.6 - False Denial of Service Attacks - DNS Servers

    Posted Aug 17, 2010 06:22 AM

    The release of SEP which contains the fix for this issue is now available.  https://www-secure.symantec.com/connect/forums/sep-ru6-mp1-released

    One of the approx. 80 enhancements and improvements of this new release:

    An unexpected UDP flood attack is reported after upgrading to RU6
    Fix ID: 2038207
    Symptom: An unexpected UDP flood attack is reported after upgrading to RU6, and blocks what appears to be a legitimate internal DNS server.
    Solution: Symantec Endpoint Protection client was updated to verify that the DNS response packet comes from a valid DNS server.

    Full details of the changes in MP1 can be found at http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007121216360648 - all SEP customers are encouraged to upgrade to this latest release!

    Thanks and best regards,

    Mick
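The detector behaviour discussed in posts 28 and 45 (a per-source UDP packet-rate threshold tripped by a burst of DNS responses, and a refinement that stops counting responses from a configured DNS server) is modelled below as an added example. This is constructed illustration code, not Symantec's implementation; the 15 packets/second figure is the one quoted in the thread, and the one-second window and the resolver address are assumptions.

```python
from collections import defaultdict, deque

# Assumed values: the 15 packets/second figure is the one quoted in the thread,
# the one-second window is a modelling choice, and the resolver address is a
# placeholder from the RFC 5737 documentation range.
UDP_FLOOD_THRESHOLD = 15
WINDOW_SECONDS = 1.0
SAMPLE_DNS = "198.51.100.53"
TRUSTED_DNS = {SAMPLE_DNS}


def udp_flood_sources(packets, threshold=UDP_FLOOD_THRESHOLD, window=WINDOW_SECONDS):
    """Naive per-source rate check: a source is flagged when more than
    `threshold` UDP packets from it fall inside any `window`-second span,
    regardless of port. Packets are (timestamp, src_ip, src_port, dst_port)."""
    recent = defaultdict(deque)  # src_ip -> timestamps still inside the window
    flagged = set()
    for ts, src, _sport, _dport in sorted(packets):
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:  # drop timestamps that have aged out
            q.popleft()
        if len(q) > threshold:
            flagged.add(src)
    return flagged


def udp_flood_sources_dns_aware(packets, trusted_dns,
                                threshold=UDP_FLOOD_THRESHOLD, window=WINDOW_SECONDS):
    """Refinement in the spirit of the MP1 fix: a UDP packet from port 53 of a
    configured DNS server is a DNS response and is not counted toward the
    threshold. Traffic from any other source, or from a trusted address on a
    non-DNS port, is still rate-checked."""
    counted = [p for p in packets if not (p[1] in trusted_dns and p[2] == 53)]
    return udp_flood_sources(counted, threshold, window)


def prefetch_burst(dns_ip, count, start=0.0, spacing=0.04):
    """Constructed sample: `count` DNS responses arriving 40 ms apart, the
    shape of a browser prefetching every hostname linked from a page."""
    return [(start + i * spacing, dns_ip, 53, 51000 + i) for i in range(count)]


if __name__ == "__main__":
    burst = prefetch_burst(SAMPLE_DNS, 20)  # 20 responses inside 0.8 s
    print("naive:     ", udp_flood_sources(burst))                         # resolver flagged
    print("dns-aware: ", udp_flood_sources_dns_aware(burst, TRUSTED_DNS))  # nothing flagged
    # constructed genuine flood from an untrusted host: still caught by both
    flood = [(i * 0.01, "203.0.113.9", 40000, 53) for i in range(30)]
    print("real flood:", udp_flood_sources_dns_aware(flood, TRUSTED_DNS))  # host flagged
```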



  • 46.  RE: Endpoint 11.0.6 - False Denial of Service Attacks - DNS Servers

    Posted Aug 17, 2010 08:35 PM

    thanks for the update man,

    but where are the updated files located?

    in my FileConnect I can only see the older file: Symantec_Endpoint_Protection_11.0.6A_Xplat_EN_DVD.zip


  • 47.  RE: Endpoint 11.0.6 - False Denial of Service Attacks - DNS Servers

    Posted Oct 06, 2010 09:15 AM

    OK, so internal DNS issues are resolved in MR6 MP1, what about users' home routers causing this issue? How can we allow users to add their home systems as an exclusion?



  • 48.  RE: Endpoint 11.0.6 - False Denial of Service Attacks - DNS Servers

    Posted Oct 06, 2010 08:36 PM

    For employees with laptops they bring to their home network, I suggest creating a separate set of policies that will be applied using location awareness.



  • 49.  RE: Endpoint 11.0.6 - False Denial of Service Attacks - DNS Servers

    Posted Oct 06, 2010 11:53 PM

    Yes, that is true. I strongly recommend everyone to download and deploy the SEP 11 MR6 MP1 (11.0.6100.645) since it is performing very well. No more 100% CPU scan and no more false positives in the DDoS at your home anymore :-)