Endpoint Protection

  • 1.  Traffic has been blocked from this application: (svchost.exe)

    Posted Jan 01, 2011 11:54 PM

    Hi, I'm getting notifications every few minutes that traffic has been blocked for svchost.exe.

    I'm running Symantec Endpoint Protection version 11.0.6100.645 on Windows 7 Home Premium 64-bit, unmanaged.

    I have searched the forums and found others with very similar issues, although I have been unable to find a resolution.

    I will try to provide any information that is needed.  I would like to solve this problem and help anyone else having the same problem.

    I saw in another thread that someone thought a homegroup could be the culprit, but there is no homegroup set up on my PC.  I verified this right before typing by checking the Network and Sharing Center.

    From my Network Threat Protection traffic log (this pattern happens every couple of minutes):

    1/1/2011 11:39:11 PM    Blocked    3    Outgoing    IPv6 [type=0x86DD]    0.0.0.0    33-33-00-01-00-02    0    0.0.0.0    00-22-B0-6E-B1-F0    0        Steven    SoederFTW    Default    1    1/1/2011 11:38:09 PM    1/1/2011 11:38:09 PM    Block IPv6 (Ethernet type 0x86dd)    
    1/1/2011 11:38:40 PM    Blocked    3    Outgoing    IPv6 [type=0x86DD]    0.0.0.0    33-33-00-01-00-02    0    0.0.0.0    00-22-B0-6E-B1-F0    0        Steven    SoederFTW    Default    1    1/1/2011 11:37:39 PM    1/1/2011 11:37:39 PM    Block IPv6 (Ethernet type 0x86dd)    
    1/1/2011 11:38:25 PM    Blocked    3    Outgoing    IPv6 [type=0x86DD]    0.0.0.0    33-33-00-01-00-02    0    0.0.0.0    00-22-B0-6E-B1-F0    0        Steven    SoederFTW    Default    1    1/1/2011 11:37:23 PM    1/1/2011 11:37:23 PM    Block IPv6 (Ethernet type 0x86dd)    
    1/1/2011 11:38:14 PM    Blocked    3    Outgoing    IPv6 [type=0x86DD]    0.0.0.0    33-33-00-01-00-02    0    0.0.0.0    00-22-B0-6E-B1-F0    0        Steven    SoederFTW    Default    1    1/1/2011 11:37:13 PM    1/1/2011 11:37:13 PM    Block IPv6 (Ethernet type 0x86dd)    
    1/1/2011 11:38:09 PM    Blocked    3    Outgoing    IPv6 [type=0x86DD]    0.0.0.0    33-33-00-01-00-02    0    0.0.0.0    00-22-B0-6E-B1-F0    0        Steven    SoederFTW    Default    1    1/1/2011 11:37:08 PM    1/1/2011 11:37:08 PM    Block IPv6 (Ethernet type 0x86dd)    
    1/1/2011 11:38:09 PM    Blocked    3    Outgoing    IPv6 [type=0x86DD]    0.0.0.0    33-33-00-01-00-02    0    0.0.0.0    00-22-B0-6E-B1-F0    0        Steven    SoederFTW    Default    1    1/1/2011 11:37:08 PM    1/1/2011 11:37:08 PM    Block IPv6 (Ethernet type 0x86dd)    
    1/1/2011 11:38:09 PM    Blocked    3    Outgoing    IPv6 [type=0x86DD]    0.0.0.0    33-33-00-01-00-02    0    0.0.0.0    00-22-B0-6E-B1-F0    0        Steven    SoederFTW    Default    1    1/1/2011 11:37:08 PM    1/1/2011 11:37:08 PM    Block IPv6 (Ethernet type 0x86dd)    
    1/1/2011 11:36:38 PM    Allowed    10    Incoming    UDP    192.168.1.2    00-1F-3B-32-11-C5    137    192.168.1.255    FF-FF-FF-FF-FF-FF    137    C:\Windows\system32\ntoskrnl.exe    Steven    SoederFTW    Default    9    1/1/2011 11:35:36 PM    1/1/2011 11:36:22 PM    Allows NetBIOS UDP protocols in LAN subnet    
    1/1/2011 11:35:41 PM    Blocked    3    Outgoing    IPv6 [type=0x86DD]    0.0.0.0    33-33-00-00-00-0C    0    0.0.0.0    00-22-B0-6E-B1-F0    0        Steven    SoederFTW    Default    1    1/1/2011 11:34:40 PM    1/1/2011 11:34:40 PM    Block IPv6 (Ethernet type 0x86dd)    
    1/1/2011 11:35:41 PM    Blocked    3    Outgoing    IPv6 [type=0x86DD]    0.0.0.0    33-33-00-00-00-0C    0    0.0.0.0    00-22-B0-6E-B1-F0    0        Steven    SoederFTW    Default    1    1/1/2011 11:34:40 PM    1/1/2011 11:34:40 PM    Block IPv6 (Ethernet type 0x86dd)    
    1/1/2011 11:35:41 PM    Blocked    3    Outgoing    IPv6 [type=0x86DD]    0.0.0.0    33-33-00-00-00-0C    0    0.0.0.0    00-22-B0-6E-B1-F0    0        Steven    SoederFTW    Default    1    1/1/2011 11:34:40 PM    1/1/2011 11:34:40 PM    Block IPv6 (Ethernet type 0x86dd)    
    1/1/2011 11:35:41 PM    Blocked    3    Outgoing    IPv6 [type=0x86DD]    0.0.0.0    33-33-00-00-00-0C    0    0.0.0.0    00-22-B0-6E-B1-F0    0        Steven    SoederFTW    Default    1    1/1/2011 11:34:40 PM    1/1/2011 11:34:40 PM    Block IPv6 (Ethernet type 0x86dd)    
    1/1/2011 11:35:36 PM    Blocked    3    Outgoing    IPv6 [type=0x86DD]    0.0.0.0    33-33-00-00-00-0C    0    0.0.0.0    00-22-B0-6E-B1-F0    0        Steven    SoederFTW    Default    1    1/1/2011 11:34:35 PM    1/1/2011 11:34:35 PM    Block IPv6 (Ethernet type 0x86dd)    
    1/1/2011 11:35:36 PM    Blocked    3    Outgoing    IPv6 [type=0x86DD]    0.0.0.0    33-33-00-00-00-0C    0    0.0.0.0    00-22-B0-6E-B1-F0    0        Steven    SoederFTW    Default    1    1/1/2011 11:34:35 PM    1/1/2011 11:34:35 PM    Block IPv6 (Ethernet type 0x86dd)   


    Also, in another forum post I was reading, it was suggested to run tasklist /svc to see what services are running, so I did that as well; here are the results:

    Image Name                     PID Services
    ========================= ======== ============================================
    System Idle Process              0 N/A
    System                           4 N/A
    smss.exe                       292 N/A
    csrss.exe                      380 N/A
    wininit.exe                    448 N/A
    csrss.exe                      460 N/A
    services.exe                   508 N/A
    winlogon.exe                   532 N/A
    lsass.exe                      552 KeyIso, SamSs
    lsm.exe                        568 N/A
    svchost.exe                    680 DcomLaunch, PlugPlay, Power
    svchost.exe                    760 RpcEptMapper, RpcSs
    svchost.exe                    856 AudioSrv, Dhcp, eventlog,
                                       HomeGroupProvider, lmhosts, wscsvc
    svchost.exe                    888 AudioEndpointBuilder, hidserv, Netman,
                                       PcaSvc, SysMain, TrkWks, UxSms,
                                       WdiSystemHost, Wlansvc
    svchost.exe                    916 AeLookupSvc, Appinfo, BITS, EapHost, gpsvc,
                                       IKEEXT, iphlpsvc, LanmanServer, MMCSS,
                                       ProfSvc, Schedule, SENS, ShellHWDetection,
                                       Themes, Winmgmt, wuauserv
    svchost.exe                    308 EventSystem, fdPHost, netprofm, nsi,
                                       WdiServiceHost
    Smc.exe                        440 SmcService
    svchost.exe                   1068 CryptSvc, Dnscache, LanmanWorkstation,
                                       NlaSvc
    ccSvcHst.exe                  1168 ccEvtMgr, ccSetMgr
    spoolsv.exe                   1488 Spooler
    svchost.exe                   1524 BFE, DPS, MpsSvc
    Rtvscan.exe                   1740 Symantec AntiVirus
    svchost.exe                   1860 PolicyAgent
    taskhost.exe                  2212 N/A
    dwm.exe                       2264 N/A
    explorer.exe                  2316 N/A
    SmcGui.exe                    2344 N/A
    uTorrent.exe                  2652 N/A
    ProtectionUtilSurrogate.e     2780 N/A
    ccApp.exe                     2976 N/A
    SearchIndexer.exe             1316 WSearch
    wmpnetwk.exe                  2560 WMPNetworkSvc
    svchost.exe                   2704 FDResPub, SSDPSRV
    firefox.exe                    908 N/A
    plugin-container.exe          2180 N/A
    sppsvc.exe                    3188 sppsvc
    msiexec.exe                   2564 msiserver
    Setup.exe                     3864 N/A
    Setup.exe                     3664 N/A
    msiexec.exe                   3668 N/A
    msiexec.exe                   3724 N/A
    SymCorpUI.exe                 3336 N/A
    audiodg.exe                   3316 N/A
    WmiPrvSE.exe                  1088 N/A
    cmd.exe                       3916 N/A
    conhost.exe                   3976 N/A
    tasklist.exe                  3908 N/A


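As an added triage example (not code from the thread), the script below decodes the destination MACs in a traffic log like the one posted above: 33-33-00-01-00-02 and 33-33-00-00-00-0C are the Ethernet mappings of the IPv6 multicast groups ff02::1:2 (DHCPv6 servers/relays) and ff02::c (SSDP), which lines up with the Dhcp and SSDPSRV services hosted inside svchost.exe in the tasklist output. It assumes tab-separated fields in the order inferred from the posted sample (time, action, severity, direction, protocol, remote IP, remote MAC, remote port, local IP, local MAC, local port, application, user, host, location, occurrences, begin, end, rule); a real SEP export may differ.

```python
# Added example, not code from the thread or from Symantec.
from collections import Counter

def sample_line(action, proto, remote_mac, rule):
    """Constructed log line in the shape of the thread's excerpt (tab-separated fields)."""
    return "\t".join(["1/1/2011 11:39:11 PM", action, "3", "Outgoing", proto, "0.0.0.0",
                      remote_mac, "0", "0.0.0.0", "00-22-B0-6E-B1-F0", "0", "", "Steven",
                      "SoederFTW", "Default", "1", "1/1/2011 11:38:09 PM",
                      "1/1/2011 11:38:09 PM", rule])

# Constructed sample: three blocked IPv6 lines and one allowed NetBIOS line, as in the thread.
SAMPLE_LOG = "\n".join([
    sample_line("Blocked", "IPv6 [type=0x86DD]", "33-33-00-01-00-02", "Block IPv6 (Ethernet type 0x86dd)"),
    sample_line("Blocked", "IPv6 [type=0x86DD]", "33-33-00-01-00-02", "Block IPv6 (Ethernet type 0x86dd)"),
    sample_line("Blocked", "IPv6 [type=0x86DD]", "33-33-00-00-00-0C", "Block IPv6 (Ethernet type 0x86dd)"),
    sample_line("Allowed", "UDP", "FF-FF-FF-FF-FF-FF", "Allows NetBIOS UDP protocols in LAN subnet"),
])

# Link-local IPv6 multicast groups keyed by the low 32 bits of the group address,
# which is all that an Ethernet 33-33-xx-xx-xx-xx destination MAC preserves (RFC 2464).
KNOWN_GROUPS = {
    0x00000001: "ff02::1 (all nodes)",
    0x00000002: "ff02::2 (all routers)",
    0x0000000C: "ff02::c (SSDP)",
    0x00010002: "ff02::1:2 (DHCPv6 servers/relays)",
}

def describe_mac(mac):
    """Map an IPv6 multicast MAC to a readable group name; other MACs are returned as-is.
    The scope cannot be recovered from the MAC, so ff02:: (link-local) is assumed."""
    parts = mac.lower().split("-")
    if len(parts) != 6 or parts[:2] != ["33", "33"]:
        return mac
    low32 = int("".join(parts[2:]), 16)
    if low32 in KNOWN_GROUPS:
        return KNOWN_GROUPS[low32]
    hi, lo = low32 >> 16, low32 & 0xFFFF
    return f"ff02::{hi:x}:{lo:x}" if hi else f"ff02::{lo:x}"

def summarize_blocked(log_text):
    """Count 'Blocked' entries by (rule name, decoded destination); returns a Counter.
    Field positions (action=1, remote MAC=6, rule=18) are inferred from the posted sample."""
    counts = Counter()
    for line in log_text.splitlines():
        f = line.split("\t")
        if len(f) >= 19 and f[1] == "Blocked":
            counts[(f[18], describe_mac(f[6]))] += 1
    return counts
```

A destination that decodes to a DHCPv6 or SSDP group is the expected chatter of the Dhcp and SSDPSRV services; an unlisted group or a unicast IPv6 destination is the line worth looking at before deciding whether to silence the rule.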

  • 2.  RE: Traffic has been blocked from this application: (svchost.exe)

    Posted Jan 02, 2011 12:02 AM

    IPv6 is being blocked, which is one of the default rules in the firewall.

    You can turn off IPv6 on your machine if it is not being used (I doubt it is) or if it is, you can turn off logging on this rule.



  • 3.  RE: Traffic has been blocked from this application: (svchost.exe)

    Posted Jan 02, 2011 12:04 AM

    I see uTorrent.exe running; you may have malware running on this system.

    http://www.threatexpert.com/report.aspx?md5=7e235433a3ae8d11b9e8e1a3a688888b


    Make sure you have the latest definitions and run a full scan in safe-mode.


    If that fails to detect and remove the threats, there are some useful tools provided by Symantec for help with finding those hard-to-detect threats.

    1. The Power Eraser Tool eliminates deeply embedded and difficult-to-remove threats that traditional virus scanning doesn't always detect.

    2. The SERT (Symantec Endpoint Recovery Tool) is useful in situations where computers are too heavily infected for the Symantec Endpoint Protection client installed upon them to clean effectively.


    3. The Load Point Analysis Tool generates a detailed report of the programs loaded on your system. It is helpful in listing common load points where threats can live.


    Rapid Release Virus Definitions –

    http://www.symantec.com/business/security_response/definitions/download/detail.jsp?gid=rr


    Power Eraser tool –

    http://security.symantec.com/nbrt/npe.asp?lcid=1033&origin=default


    How To Use the Symantec Endpoint Recovery Tool with the Latest Virus Definitions – http://www.symantec.com/business/support/index?page=content&id=TECH131732&locale=en_US


    Support Tool with Power Eraser Tool included –

    http://www.symantec.com/business/support/index?page=content&id=TECH105414&locale=en_US

    How to use the Load Point Analysis within the Symantec Support Tool to help locate suspicious files – http://www.symantec.com/business/support/index?page=content&id=TECH141402

    If you are unable to remove the threat(s) from your systems, please submit the suspected files to Symantec or ThreatExpert for analysis. New signatures will be created and included in future definition sets for detection.


    http://www.symantec.com/business/security_response/submitsamples.jsp

    http://www.threatexpert.com/submit.aspx



  • 4.  RE: Traffic has been blocked from this application: (svchost.exe)

    Posted Jan 02, 2011 02:53 AM

    Brian81:  Good ideas.  I will try disabling IPv6 on my PC and see if that solves the problem.   Out of curiosity, and so that I can have a better understanding of the changes I'm making: is there a reason my computer would need IPv6 turned on? Why is it trying to use IPv6 currently? And also, why is it blocked by default?   If you can't answer those questions, maybe point me in the right direction ;)


    Cycletech:  I don't think it's a malware issue. This is a fresh install on a new PC.  I installed Windows 7, and then I installed Endpoint.  I then proceeded to install the rest of the software that needed to be installed, none of which is new to me.  I downloaded the uTorrent install file directly from the uTorrent website, and installed it with Endpoint running.  Endpoint hasn't found any issues yet, including the manual scan I ran.  I guess anything is possible, but it seems very very very unlikely that is the underlying problem.


    Thank you both for your time and speedy responses!



  • 5.  RE: Traffic has been blocked from this application: (svchost.exe)

    Posted Jan 02, 2011 09:48 AM

    IPv6 is on by default in Vista/Win7.

    I highly doubt you need IPv6 just yet. You can certainly check with your ISP for verification and to see if they have started moving to IPv6 addressing.

    You can also run an ipconfig on your machine. If you see an IP address under IPv4 then you are using IPv4 and can turn IPv6 off.

    Since IPv6 is on, it will be checked to see if it can be used and if not, it will just use IPv4.

    I don't know why the default rule is to block IPv6. Probably because it is not in widespread use yet and can cause some issues with machines/networks, so Symantec took the liberty of blocking it by default.



  • 6.  RE: Traffic has been blocked from this application: (svchost.exe)

    Posted Jan 02, 2011 11:31 AM

    Hello,

    I agree with Cycletech. We see so many attacks nowadays, and when I see an attack involving svchost.exe I suspect the Downadup.32 worm.

    Please also check IPS logs from SEP Manager for that computer.

    Monitor/Network Threat Protection/Attacks

    then click Advanced to filter by that computer's IP address. If you see some lines with High or Critical level, click on them and then click on Details at the top of the page. You can see the reason for the attack at the top of the page. If you see a line like MS-RPC ....... C:\Windows\System32\svchost.exe then an attack from outside or from that computer has started.

    Regards,

    Oykun



  • 7.  RE: Traffic has been blocked from this application: (svchost.exe)

    Posted Jan 02, 2011 12:11 PM

    Brian81: Thank you so much for your help, your suggestions worked and the problem is solved! 


    For anyone else having problems, the steps I followed were:

    1. Turn off the IP Helper service and set it to Manual.  This stopped the warning dialog from popping up.  But I noticed there were still a lot of IPv6 requests being blocked in my logs (roughly half the amount there were before stopping the IP Helper service).

    2. Open your Network and Sharing Center, click "Change adapter settings", select the adapter you are using (for me it was my wireless adapter), right-click and hit Properties. Untick the box next to Internet Protocol Version 6 (TCP/IPv6).

    3. Restart machine.


    This process worked perfectly for me, and my logs are now clean and I get no annoying popups.  Best of all, I can turn sounds back on with notification so I can actually be alerted if a real problem happens.



  • 8.  RE: Traffic has been blocked from this application: (svchost.exe)

    Posted Jan 02, 2011 12:48 PM

    Don't forget to mark whatever post helped you as solved so others can benefit as well ;)



  • 9.  RE: Traffic has been blocked from this application: (svchost.exe)

    Posted Apr 24, 2011 12:27 PM

    I had the same issue.  New PC with a clean install of Windows 7 Home Premium 64.  I installed SEP 11 RU6 64-bit and then every four minutes I would get a pop-up from Symantec saying "Traffic has been blocked from this application: svchost.exe", "Application blocked".  I could turn the pop-up notification off but not the "bling" noise every four minutes. It was driving me nuts.  I found several other forums with people asking about this issue but no one with a correct answer...until now. It is NOT a virus.

    Follow SoederFTW's instructions for disabling IPv6.

    Thanks.