Symantec Endpoint Protection 12 blocking internet connection


I have a user that gets blocked from the internet periodically due to a setting within Symantec Endpoint Protection. The warning he gets is similar to:

Traffic from IP address 192.168.1.1 is blocked from 11:53pm to 12.03am.
Denial of Service is logged.

Has anyone heard of this before, or have any insight as to where the problem may lie? I checked the Symantec Endpoint Protection logs, but I was unable to find any blatant issues. The user states that it generally happens with malformed URLs, but I am unable to reproduce it at our help-desk.

Best Answer

Assuming you meant SEP rather than Backup Exec.

This indicates that there is inbound traffic from the IP mentioned in the alert. As the user mentions, this is usually a malformed address or it is some sort of malware creating traffic.

There are some versions of SEP that see DNS traffic from the router as a DoS. This is typically found on a router that is doing DNS forwarding from an ISP. Common on home and small business devices.

Symantec Support has info on this and it is supposed to be addressed in a release RU6 MP1. Check your version to see if it is current.

You can create an exception but you would want to be sure the traffic is legitimate. This assumes a managed client.

To create an exception for Intrusion Prevention Policy to allow a specific ID:

  1. Open Symantec Endpoint Protection Manager console.
    1. Select 'Policies' tab.
    2. Under 'View Policies', select 'Intrusion Prevention'.
    3. Select Intrusion Prevention policy, and under 'Tasks' select 'Edit the Policy'.
    4. Select 'Exceptions' tab.
  2. Click on 'Add...' button.
    1. Search for and select the blocked ID.
    2. Click on 'Next>>' button.
    3. Change 'Action', from 'Block' to 'Allow'. Click on 'OK' button.
    4. Check if the exception edited has been added to 'Intrusion Prevention Exceptions' list.
    5. Click on 'OK' button to save changes in the Intrusion Prevention policy.