Endpoint Protection

  • 1.  Traffic has been blocked from this application: (svchost.exe)

    Posted Mar 07, 2013 06:26 AM

    Hi 

    Having exactly the same issue as in the post (see the link), and using the same SEP (but not sure about the version I have, 11 or 12) only on Win 7 Professional, I have read the following post (https://www-secure.symantec.com/connect/forums/traffic-has-been-blocked-svchostexe), which addresses my issue; however, I am not savvy enough to go and manage these alerts properly. For example, I am not even sure how to manage iphelper. As such, I need a complete step-by-step process to turn off the notifications without compromising my security. Please feel free to ask any questions that might help to remedy the situation.

    Thanks much in advance. 

     

     



  • 2.  RE: Traffic has been blocked from this application: (svchost.exe)

    Posted Mar 07, 2013 09:00 AM

    I assume this client is unmanaged?

    Do you want to turn off IPv6 or just the alerts?



  • 3.  RE: Traffic has been blocked from this application: (svchost.exe)

    Posted Mar 07, 2013 09:07 AM

    For turning off only the notifications, have a look here at the presented screenshots from the SEPM console:

    https://www-secure.symantec.com/connect/forums/constant-notification-traffic-has-been-blocked-application-svchostexe



  • 4.  RE: Traffic has been blocked from this application: (svchost.exe)

    Trusted Advisor
    Posted Mar 07, 2013 09:17 AM

    Hello,

    To turn off the IPS notification:

    1. Login to SEPM
    2. Go to Clients page
    3. Select the Group you want to turn off the notification for
    4. Select Policies tab
    5. Click + sign next to Location-specific Settings
    6. Next to Client User Interface Control Settings select Tasks and Edit Settings
    7. Click Customize next to Server control
    8. Uncheck the box "Display Intrusion Prevention Notifications"

     

    Secondly check these Articles:

    How to Disable all Notifications in the Symantec Endpoint Protection Manager and Symantec Endpoint Protection Client (Managed and Unmanaged)

    http://www.symantec.com/docs/TECH93028

    How to Disable Client Intrusion Prevention Notifications in Symantec Endpoint Protection Manager (SEPM)

    http://www.symantec.com/docs/TECH105013

    Hope that helps!!



  • 5.  RE: Traffic has been blocked from this application: (svchost.exe)

    Posted Mar 07, 2013 09:23 AM

    Is the notification coming on Vista or Windows 7 machines? If yes, follow the steps below:

    1. Turn off the iphelper service, set to manual. This stops the warning dialog from popping up.

    2. Open the Network and Sharing Center, click "Change adapter settings", select the adapter being used, right-click and select "Properties".
    Uncheck the box next to "Internet Protocol Version 6 (TCP/IPv6)".
    IPv6 is on by default in Vista/Win7.

    3. Restart machine.

     

    https://www-secure.symantec.com/connect/forums/traffic-has-been-blocked-application-svchostexe-0#comment-8375931
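
Step 1 of the procedure above, as an added example that is not part of the original thread: a PowerShell function that reports the current state of the IP Helper service, sets it to Manual start, and stops it. It assumes the "iphelper" service in the post is the Windows service named `iphlpsvc` (display name "IP Helper") and that it is run from an elevated prompt; the function name `Set-IpHelperManual` is hypothetical.

```powershell
# Added example (not from the thread): switch the IP Helper service to Manual start.
# Assumption: "iphelper" in the post refers to the service named 'iphlpsvc'.
# Run from an elevated PowerShell prompt.
function Set-IpHelperManual {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$ServiceName = 'iphlpsvc')

    # Win32_Service exposes StartMode (Auto/Manual/Disabled), which Get-Service
    # does not show on the PowerShell 2.0 that ships with Windows 7.
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$ServiceName'"
    if (-not $svc) { throw "Service '$ServiceName' not found." }

    $stateBefore = $svc.State
    $modeBefore  = $svc.StartMode

    # Change the startup type only if it is not already Manual.
    if ($modeBefore -ne 'Manual' -and
        $PSCmdlet.ShouldProcess($ServiceName, 'Set startup type to Manual')) {
        Set-Service -Name $ServiceName -StartupType Manual
    }

    # Stop the service only if it is currently running.
    if ($stateBefore -eq 'Running' -and
        $PSCmdlet.ShouldProcess($ServiceName, 'Stop service')) {
        Stop-Service -Name $ServiceName -Force
    }

    # Re-read the service so the report reflects what actually changed.
    $after = Get-WmiObject -Class Win32_Service -Filter "Name='$ServiceName'"
    New-Object PSObject -Property @{
        Service         = $ServiceName
        StateBefore     = $stateBefore
        StartModeBefore = $modeBefore
        StateAfter      = $after.State
        StartModeAfter  = $after.StartMode
    }
}

# Preview the changes first, then apply them.
Set-IpHelperManual -WhatIf
Set-IpHelperManual
```

IP Helper provides the IPv6 transition tunnels (6to4, ISATAP, Teredo), so those stop working while the service is stopped; native IPv4 connectivity is not affected by this step.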



  • 6.  RE: Traffic has been blocked from this application: (svchost.exe)

    Posted Mar 07, 2013 10:41 AM

    Thanks for your responses. I am on Windows 7 Professional. Now I am a bit lost here. I think it is unmanaged (although I would appreciate someone clarifying the difference for me). The situation is that I have been using SEPM (for over 5 years) while I was in school, and the tech guys there had been strongly recommending to stick with SEPM (listing all of the benefits of this antivirus vs. other products, and even Norton). So I got it. Now that I look at various responses, I am very new to these things.

    My goal is to run the machine I am using as securely as possible. Not to mention that I spend my time in Russia these days. However, lots of notifications appear without a good reason to do so. As mentioned in another thread (https://www-secure.symantec.com/connect/forums/endless-notifications-sep), I get them when I access my hard drive. I get them running the programs; utorrent is the example (and it is not malware). So I want to be able to do something with the program so that security does not suffer in any way while I get the notifications that really matter (such as lovely autorun that blocks/quarantines anything inappropriate or some other "real" network intrusions) and understand what is happening and how I could control this thing. Because every time I get those notifications I get freaked out that my PC got hacked.

    So, @Manish/Brian, I cannot turn off IPv6 (tried that before) because that disconnects my internet. As mentioned above, I do not know where the iphelper service is and therefore how I could set it to manual.

    @Mithun - I do not log in to the SEPM, so I am not sure whether the steps are applicable (if they are, then I need to know where to go to log in). I will definitely check the articles as soon as I know we are on the same page with this. The goal is not to turn off notifications, but to do so without messing up the security of my machine. In this regard, Disabling Client Intrusion Prevention Notifications turns them off completely, right?

    I have attached the screen I see every time I open the program, so I need to know where to go from there if possible. Please share your thoughts and ask relevant questions.

    Thanks much in advance for your efforts.

     



  • 7.  RE: Traffic has been blocked from this application: (svchost.exe)

    Posted Mar 07, 2013 01:24 PM

    To check if it is managed, you can go to Help >> troubleshooting and it will tell you it is self managed or if it is managed by a SEPM it will tell you the SEPM IP address/hostname. Also, the client icon will have a green dot. But I'm guessing it is unmanaged.

    You can turn off the notification but you will never be notified and would need to check your logs in order to detect IPS/firewall activity.

    If you want to turn off the log, open the client and click Options to the right of Network Threat Protection and select Change Settings. Then click on the Notifications tab. Uncheck and click OK. That's it.

    If you want to disable the firewall rule, click Options next to NTP and select Configure Firewall Rules. The list of rules will come up and you can deselect the one pertaining to IPv6. Click OK once done and that should be it.

     



  • 8.  RE: Traffic has been blocked from this application: (svchost.exe)

    Posted Mar 07, 2013 03:15 PM

    I've had this notification problem forever (it seems since using SEP) on my work-at-home PC and it has been a constant nuisance. Since finding Article:TECH165942, I was excited about it being a fix but it wasn't. I don't want to shut notifications off since I'm no expert in log interpretation, nor should a user have to worry about such things. Anyway, I deselected the IPv6 and that may have lessened the notifications but it's still a nuisance. Shouldn't technical support be interested in eliminating false positives so users won't begin to hate the program and create degrading comments about the company and its products?

    AGM

     



  • 9.  RE: Traffic has been blocked from this application: (svchost.exe)

    Posted Mar 07, 2013 03:20 PM

    They're not necessarily false positives since they match a firewall rule. The problem is there is no way to configure alerts for individual rules. It is an all or nothing deal. This can be enhanced to allow for more granularity. But SEP is an enterprise product, not necessarily for home use although it is possible to use at home, it just takes some administering.