Endpoint Protection

  • 1.  Virus attack message Pop Up

    Posted Oct 13, 2009 03:09 PM
    Some of our Endpoint clients keep getting attacked from an outside source and the computer keeps displaying the warning message. The attack is being blocked by Endpoint, which is good, but is there a way that I can disable the message from showing up in the bottom right-hand corner for that one particular attack?

    I do not need the users seeing this because they start to go crazy thinking everything is compromised but it isn't.

    Here is the log message
    [SID: 23179] MSRPC Server Service BO detected.
    Traffic has been blocked from this application: C:\WINDOWS\system32\ntoskrnl.exe


  • 2.  RE: Virus attack message Pop Up

    Posted Oct 13, 2009 03:24 PM
    Can you put up a screenshot of that pop-up?

    I have seen this kind of pop-up in two situations: first, it was because of an old version; second, there was a machine infected with W32.Downadup that was attacking other computers.

    Please also tell us the version of SEP.


  • 3.  RE: Virus attack message Pop Up

    Posted Oct 13, 2009 03:25 PM
    You may uncheck the "Display notification on the Computer" box in your firewall rules.



  • 4.  RE: Virus attack message Pop Up

    Posted Oct 13, 2009 03:30 PM
    You may also try the steps mentioned below.

    1)
    - From the main menu along the left side in the SEPM, choose Policies.
    - Under View Policies, click on Firewall. 
    - Double click on the policy you wish to edit.  A new window will open.
    - On the left side, click on Rules.
    - At the bottom, click on Add Blank Rule.
    - Name the rule Allow SMB Network Browsing.
    - Under Application, right-click on Any, then choose Edit....
    - Next to file name, manually type in C:\Windows\System32\ntoskrnl.exe (or browse to it using the Browse button).
    - Ensure Action is set to Allow.
    - Use the Move Up or Move Down button to place the rule above any other that would otherwise block this application. It is recommended to place this rule in the Administrative area, above the blue line.

    2)

    1. Log in to your Symantec Endpoint Protection Manager.
    2. Click on Policies - Intrusion Prevention - edit your Intrusion Prevention policy.
    3. Click on Settings.
    4. Tick the "Enable excluded hosts" option and click on the Excluded Hosts button to add your IP address (or a range of IP addresses; alternatively, you could also use the subnet option).
     



  • 5.  RE: Virus attack message Pop Up
    Best Answer

    Posted Oct 13, 2009 03:40 PM
    @Cycletech - the one you are showing is for the firewall, but this notification is for IPS.
    This notification is an Intrusion Prevention notification of SID: 23179,
    so you cannot disable the notification for just this attack. If you turn off notifications, they will be turned off for all. However, you as an admin can see it from SEPM.

    This is how to do it.
    You will have to do it for all the groups one by one (or the groups you want to),
    under client - policy - Location specific settings.




  • 6.  RE: Virus attack message Pop Up

    Posted Oct 13, 2009 06:00 PM
    My mistake. Thanks for the clarification.

    Cheers,
    Thomas


  • 7.  RE: Virus attack message Pop Up

    Posted Oct 14, 2009 12:04 PM
    Perfect, thanks!!!