Endpoint Protection


Traffic has been blocked from SVCHOST.exe

  • 1.  Traffic has been blocked from SVCHOST.exe

    Posted Mar 20, 2013 11:52 AM

    As with so many others that I find on the Symantec Forums site, I am getting the pop-up error every few minutes: "Traffic has been blocked from this application: SVCHost.exe". I am running Windows Server 2008 R2. I have read through many other posts regarding this message. I have disabled IPv6 on the network adapter, and I have disabled the notifications for the My Company group, at the top of the tree in SEPM. I have stopped blocking UPnP traffic in the shared Firewall Policy. I am still getting the error message every few minutes.

    This is a brand new installation of both Windows Server 2008 R2 and Symantec Endpoint Protection 12.1.2015.2015. What can be done to stop this message? I do not want to implement SEP any further until this can be resolved. It's annoying that the message continues to pop up.

    Please help!



  • 2.  RE: Traffic has been blocked from SVCHOST.exe

    Posted Mar 20, 2013 11:57 AM

    Post the traffic log here with that traffic in it so it can be reviewed if you want to see if a rule should be created to allow it.

    Otherwise you can just turn off the alert by following this KB article:

    How to Disable Client Intrusion Prevention Notifications in Symantec Endpoint Protection Manager (SEPM)

    Article: TECH105013  |  Created: 2008-01-28  |  Updated: 2010-01-11  |  Article URL: http://www.symantec.com/docs/TECH105013

     



  • 3.  RE: Traffic has been blocked from SVCHOST.exe

    Posted Mar 20, 2013 01:45 PM
    As noted in the initial post, I did disable the alert. I'm attaching a doc showing a screen shot where it is disabled. I'm also attaching a txt file showing some of the traffic so you can see what comes up in the logs. Still the notification pops up very frequently.

    Attachment(s): SEPM_2.doc (166 KB), traffic.txt (216 KB)


  • 4.  RE: Traffic has been blocked from SVCHOST.exe

    Posted Mar 20, 2013 01:50 PM

    Disable the iphelper service. Edit: Saw the screen shot now.

    1. Turn off the iphelper service, set to manual.  This stops the warning dialog from popping up.  

    2. Open the Network and Sharing Center, click "Change adapter settings", select the adapter being used, right-click and select "Properties".
    Uncheck the box next to "Internet Protocol Version 6 (TCP/IPv6)". 
    IPv6 is on by default in Vista/Win7.

    3. Restart machine.



  • 5.  RE: Traffic has been blocked from SVCHOST.exe

    Trusted Advisor
    Posted Mar 20, 2013 03:33 PM

    Hello,

    Check this Article:

    Traffic has been blocked for the application host process for Windows Services Svchost.exe

    http://www.symantec.com/docs/TECH165942

    and this Thread:

    https://www-secure.symantec.com/connect/forums/constant-notification-traffic-has-been-blocked-application-svchostexe

    Hope that helps!!



  • 6.  RE: Traffic has been blocked from SVCHOST.exe

    Posted Mar 20, 2013 03:42 PM

    I have disabled the IPHelper service, disabled IPv6 on the active interface, and rebooted. I am still getting the message. What else can I try to get rid of this constant pop up?



  • 7.  RE: Traffic has been blocked from SVCHOST.exe

    Posted Mar 20, 2013 04:25 PM

    Have been through all those steps. Still receiving the message every few minutes.



  • 8.  RE: Traffic has been blocked from SVCHOST.exe

    Posted Mar 20, 2013 11:14 PM

    Post the screen shot of the pop up please.



  • 9.  RE: Traffic has been blocked from SVCHOST.exe

    Posted Mar 21, 2013 11:51 AM

    Here is a Doc file with a screen shot showing the popup and a screen shot showing the Log right after... 

    Attachment(s): ScreenShot_0.doc (37 KB)


  • 10.  RE: Traffic has been blocked from SVCHOST.exe

    Posted Mar 21, 2013 03:50 PM

    Have you investigated this further? You have a remote machine trying to contact your machine. I would make sure this isn't some sort of attack attempt on your machine.



  • 11.  RE: Traffic has been blocked from SVCHOST.exe

    Posted Mar 21, 2013 04:07 PM

    I am accessing the server remotely, always from the same IP address. Is it the remote access into the server that is generating the error message? The server is in the other room, it has no monitor, keyboard, nor mouse connected to it. I'm always looking at it through Remote Desktop.



  • 12.  RE: Traffic has been blocked from SVCHOST.exe

    Posted Mar 21, 2013 04:12 PM

    It is using the UDP protocol so I'm not sure that it is RDP. RDP uses TCP 135.