Endpoint Protection


Symantec Endpoint Protection 11.0.4202.75 blocked traffic for ntoskrnl.exe....HELP

Migration User, Sep 07, 2009 02:07 AM

  • 1.  Symantec Endpoint Protection 11.0.4202.75 blocked traffic for ntoskrnl.exe....HELP

    Posted Sep 06, 2009 08:43 PM
    I did a search and found a similar thread started back in March with no real solution.  All of a sudden I keep getting a "blocked traffic" popup message from Symantec Endpoint Protection 11 every couple of minutes or so.  I went ahead and did the band-aid for the annoyance by turning off the "notifications" under Network Threat Protection.  When I look at the log it is associating the block with some firewall rule labeled GUI%GUICONFIG#SRULE@ADVRULECONFIG#Normal_102.  I have no clue what that is or where it comes from, as it isn't listed in any of the rules.  I'm running an unmanaged version, so some of the "fixes" proposed by others don't seem to work, as they seem to be for managed clients.  Is there any solution to this?  It's very annoying and just came out of nowhere.  Thanks for any help.


  • 2.  RE: Symantec Endpoint Protection 11.0.4202.75 blocked traffic for ntoskrnl.exe....HELP

    Posted Sep 07, 2009 12:16 AM
    Hi Mikey, what version of SEP are you using? Better to upgrade to the latest version, MPR4 MP2.


  • 3.  RE: Symantec Endpoint Protection 11.0.4202.75 blocked traffic for ntoskrnl.exe....HELP

    Posted Sep 07, 2009 02:07 AM
    Check your default firewall rules.


  • 4.  RE: Symantec Endpoint Protection 11.0.4202.75 blocked traffic for ntoskrnl.exe....HELP

    Posted Sep 07, 2009 02:09 AM
    Check the NTP logs and find out which firewall rule is blocking it.


  • 5.  RE: Symantec Endpoint Protection 11.0.4202.75 blocked traffic for ntoskrnl.exe....HELP

    Posted Sep 07, 2009 02:23 AM
    Hi Mikey,

    You can try the following:

    1) In the UI, click View Logs.
    2) Click on View Logs corresponding to Client Management.
    3) Click on Security Logs.
    4) Here click the respective event notification that has occurred and check from which IP it is blocking the traffic.

    If it is a local IP in your LAN, then you should immediately disconnect the machine whose IP is shown there from the LAN.

    Also let us know the exact popup message that is showing in your notification area. If it is a "MS RPCSS Attack BO Detected", then you must check the disconnected machine from which the message is coming and deploy Microsoft's MS08-067 patch. You can get the MS patch from the following link:

    www.microsoft.com/technet/security/Bulletin/MS08-067.mspx


  • 6.  RE: Symantec Endpoint Protection 11.0.4202.75 blocked traffic for ntoskrnl.exe....HELP

    Posted Sep 07, 2009 12:44 PM
    Thanks to everyone who has responded.  The popup notification basically is "Symantec Endpoint has blocked traffic from the following program: ntoskrnl.exe."  I'm in the military, so I'm using the free DoD version of Endpoint Protection (see my original post for the version), which I thought was the most recent.  This is an "unmanaged" client, so I haven't seen any options for group policies or anything like that.  When I go under "Network Threat Protection" and click "View Logs", the following is the entry: 07-Sep-09 09:32:05 Blocked 10 Incoming UDP 192.168.1.104 00-19-7E-32-63-13 138 192.168.1.255 FF-FF-FF-FF-FF-FF 138 C:\Windows\system32\ntoskrnl.exe Michael McCain McCain-PC Default 1 07-Sep-09 09:31:04 07-Sep-09 09:31:04 GUI%GUICONFIG#SRULE@NBBLOCK#BLOCK-UDP.  When I trace it back, it comes up with my girlfriend's computer on the LAN (IP 192.168.1.104).  Her laptop is hooked up via wireless.  She is also running SEP and all scans are negative.  Is there something else going on that I need to change?


  • 7.  RE: Symantec Endpoint Protection 11.0.4202.75 blocked traffic for ntoskrnl.exe....HELP

    Posted Sep 07, 2009 01:52 PM
    Ntoskrnl.exe is the file used for file and print sharing.

    So all the computers on the network poll on UDP ports 137 and 138 to find computers near them.
    So even if you are not using the remote computer for file sharing you might get this pop-up.
    Since on an unmanaged computer the option for Browse File and Print Sharing on the Network is unchecked (turned off),
    you might be getting this pop-up.
    So what you can do is:
    Open the SEP interface, go to Network Threat Protection, Options, Change Settings, Microsoft Windows Networking, All Network Adapters, and check both boxes below. Then select the adapters one by one and make sure both boxes are checked for all your network adapters in the drop-down.



  • 8.  RE: Symantec Endpoint Protection 11.0.4202.75 blocked traffic for ntoskrnl.exe....HELP

    Posted Sep 08, 2009 12:53 AM
    Hi Mikey,

    Have you tried the Microsoft patch that I mentioned earlier? It looks like the message you are getting is from the Intrusion Prevention System. So you can deploy the patch and check; it may be caused by a Microsoft vulnerability.



  • 9.  RE: Symantec Endpoint Protection 11.0.4202.75 blocked traffic for ntoskrnl.exe....HELP

    Posted Sep 08, 2009 02:58 AM
    I have a similar problem. My network protection log shows that my unmanaged SEP11 blocks incoming direction, Ethernet, address 0.0.0.0. What is the address 0.0.0.0?


  • 10.  RE: Symantec Endpoint Protection 11.0.4202.75 blocked traffic for ntoskrnl.exe....HELP

    Posted Oct 11, 2009 08:07 PM
    Same problem as mikenavy, above, same situation (also running unmanaged version 11.0).  Tons of error messages, lots of entries in the threat protection log.  I've installed the patch and followed other advice in this forum. Any more ideas on how to make this annoyance go away?  I'm not a super-techie person, so simple replies are most useful!  Thanks.


  • 11.  RE: Symantec Endpoint Protection 11.0.4202.75 blocked traffic for ntoskrnl.exe....HELP

    Posted Nov 01, 2009 10:46 AM
    These occur about every 10 seconds or so all the time and are outgoing.  Here is the log entry:

    11/1/2009 10:01:57 AM Blocked 3 Outgoing ETHERNET 0.0.0.0 00-1A-A0-51-33-FE 0 0.0.0.0 33-33-00-01-00-02 0  firstname.lastname DOMAIN Default 1 11/1/2009 10:01:39 AM 11/1/2009 10:01:39 AM GUI%GUICONFIG#SRULE@ADVRULECONFIG#Normal_102

    SEP version is 11.0.2000.1567 and SEP is configured as an unmanaged client.

    The computer is on a small home Windows domain behind a firewall connected to a cable modem.

    A little research led me to something to do with IPv6, but I couldn't figure out what is occurring and how to stop it.  When I look at the ARP table the remote MAC does not appear (33-33-00-01-00-02).
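Added example, not code from any poster in this thread: a small parser for the two traffic-log records quoted in posts 6 and 11, with a classifier that names the two benign patterns the thread is circling around (NetBIOS broadcast on UDP 137/138 and Ethernet frames to a 33-33-xx-xx-xx-xx IPv6 multicast MAC). The column order (sender first, then destination) is inferred from those two lines and the ff02:: link-local prefix is assumed when mapping a multicast MAC back to its group, so both are assumptions, not Symantec's documented format.

```python
import ipaddress
import re

# Column order assumed from the two records quoted in posts 6 and 11:
# time, action, severity, direction, protocol, source host/MAC/port,
# destination host/MAC/port, application, user, domain, location,
# occurrences, begin time, end time, rule name.
TS = r"\d{1,2}[-/][A-Za-z0-9]+[-/]\d{2,4} \d{2}:\d{2}:\d{2}(?: [AP]M)?"
MAC = r"(?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2}"
LINE_RE = re.compile(
    rf"^(?P<time>{TS})\s+(?P<action>\S+)\s+(?P<severity>\d+)\s+(?P<direction>\S+)\s+"
    rf"(?P<protocol>\S+)\s+(?P<src_ip>\S+)\s+(?P<src_mac>{MAC})\s+(?P<src_port>\d+)\s+"
    rf"(?P<dst_ip>\S+)\s+(?P<dst_mac>{MAC})\s+(?P<dst_port>\d+)\s+(?P<rest>.*?)\s+"
    rf"(?P<count>\d+)\s+(?P<begin>{TS})\s+(?P<end>{TS})\s+(?P<rule>\S+)$"
)

def parse_sep_traffic_line(line):
    """Split one SEP traffic-log record into named fields; None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # The free-text middle holds application (may be empty), user name (may
    # contain spaces), domain/computer name and location; peel from the right.
    tokens = rec.pop("rest").split()
    rec["location"], rec["domain"] = tokens[-1], tokens[-2]
    middle = tokens[:-2]
    if middle and re.match(r"^[A-Za-z]:\\", middle[0]):
        rec["application"], rec["user"] = middle[0], " ".join(middle[1:])
    else:
        rec["application"], rec["user"] = "", " ".join(middle)
    return rec

def ipv6_group_from_mac(mac):
    """A 33-33-xx-xx-xx-xx MAC carries the low 32 bits of an IPv6 multicast
    group; the ff02:: link-local prefix is an assumption (true for DHCPv6/NDP)."""
    b = mac.split("-")[2:]
    return ipaddress.IPv6Address(f"ff02::{int(b[0] + b[1], 16):x}:{int(b[2] + b[3], 16):x}").compressed

def explain(rec):
    """Name the benign LAN chatter patterns discussed in the thread, if one matches."""
    if rec["dst_mac"].upper().startswith("33-33-"):
        return f"IPv6 multicast to {ipv6_group_from_mac(rec['dst_mac'])}; group addresses never appear in the ARP table"
    if rec["protocol"].upper() == "UDP" and rec["dst_mac"].upper() == "FF-FF-FF-FF-FF-FF" and rec["dst_port"] in ("137", "138"):
        service = {"137": "NetBIOS name service", "138": "NetBIOS datagram (browser announcement)"}[rec["dst_port"]]
        return f"{service} broadcast from {rec['src_ip']}; normal Windows file-and-print-sharing traffic"
    return "no known benign pattern; review the named firewall rule"

SAMPLE_LINES = [  # the two records quoted in posts 6 and 11
    r"07-Sep-09 09:32:05 Blocked 10 Incoming UDP 192.168.1.104 00-19-7E-32-63-13 138 192.168.1.255 FF-FF-FF-FF-FF-FF 138 C:\Windows\system32\ntoskrnl.exe Michael McCain McCain-PC Default 1 07-Sep-09 09:31:04 07-Sep-09 09:31:04 GUI%GUICONFIG#SRULE@NBBLOCK#BLOCK-UDP",
    "11/1/2009 10:01:57 AM Blocked 3 Outgoing ETHERNET 0.0.0.0 00-1A-A0-51-33-FE 0 0.0.0.0 33-33-00-01-00-02 0  firstname.lastname DOMAIN Default 1 11/1/2009 10:01:39 AM 11/1/2009 10:01:39 AM GUI%GUICONFIG#SRULE@ADVRULECONFIG#Normal_102",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        rec = parse_sep_traffic_line(line)
        print(rec["time"], rec["direction"], rec["rule"], "->", explain(rec))
```

The second record resolves to ff02::1:2 (all DHCPv6 servers and relay agents), which is why the 33-33-00-01-00-02 address is absent from the ARP table: it is a multicast group, not a host.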


  • 12.  RE: Symantec Endpoint Protection 11.0.4202.75 blocked traffic for ntoskrnl.exe....HELP

    Posted Nov 03, 2009 05:18 PM
    This is the information that I am getting from Symantec Endpoint Protection 11: traffic from IP address 172.16.87.2 (the server) has been blocked from 10/30/2009 AM to 10/30/2009 PM. An unsolicited incoming ARP reply was detected; this is a kind of MAC spoofing that could consequently harm your computer. I have recently installed SPICE network management software. What could be the problem? I have a network, but it is only happening to a few computers. I did a virus scan on both computers and the server, but nothing has changed.


  • 13.  RE: Symantec Endpoint Protection 11.0.4202.75 blocked traffic for ntoskrnl.exe....HELP

    Posted Apr 01, 2010 09:42 PM
    I cannot get the bottom box to stay checked.  Any idea?


  • 14.  RE: Symantec Endpoint Protection 11.0.4202.75 blocked traffic for ntoskrnl.exe....HELP

    Posted Sep 03, 2010 02:04 AM

    Hi friends,
    I have done everything mentioned about website blocking, but still I am not able to block social networking sites. I made every setting in the firewall as well as custom intrusion prevention, but I am not getting the expected result.

    Thanks