Endpoint Protection

Solution to repeat "Traffic has been blocked from this application: Host process for Windows Services (svchost.exe)"


    Posted 12-02-2019 05:52 AM

    I suffered this issue (or inconvenience) for a while.

    Sometimes, the Symantec Endpoint Protection client (14.0.RU1.MP2) installed on my computer popped up a warning message "Traffic has been blocked from this application: Host process for Windows Services (svchost.exe)" repeatedly. After several days, it disappeared. Then one day it suddenly appeared again.

    My computer was in a private network (172.21.0.0) and the SEP client was managed by a centralized SEPM server. Every time I checked the SEP traffic log on my computer, I found that it usually pointed to these alerts coming from the SEPM firewall rule "Block uPnP Discovery", blocking outgoing UDP traffic from my computer to remote UDP port 19000, after several successful "Allow UPnP Discovery from private IP addresses" records. I didn't understand why I had enabled "Allow UPnP Discovery from private IP addresses" but it didn't work well. I didn't want to take the risk of disabling the "Block uPnP Discovery" rule, and it didn't cause a big problem, so I usually tolerated the little inconveniences it caused.

    Ten days ago, I got news that SEP 15 was released. So I checked what's new in SEP 15 and which known issues are fixed here: https://support.symantec.com/us/en/article.howto127934.html . I noticed issue# SEP-50901 on the page, which states "The default rule Allow UPnP Discovery from private IP addresses caused too many blocked events. ....".

    An idea hit me that my issue might be the same as or similar to issue# SEP-50901, so I made a manual modification based on its instructions. After my Firewall policy modification, once the SEP client received the updated policy, the annoying messages didn't bother me anymore. YES, this solution applies not only to SEPv15 but also to SEPv14.

    Instead of modifying the "Allow UPnP Discovery from private IP addresses" rule directly, I copied and pasted it as a duplicated policy. I renamed the duplicated policy and revised it, then made it active.


    Below are the actions you could take to modify the Allow UPnP Discovery from private IP addresses rule:

    1. Go to the Firewall policy, and under the Firewall Rules list, select the Allow UPnP Discovery from private IP addresses rule.

    2. In the Edit Firewall Rule dialog box, select Hosts.

    3. Edit each host entry so that the host type is Source.

    4. Go to the Services page and change the existing default entry from Local/Remote to Source/Destination.

    5. Remove 1900 from Source Port field and add 1900 to the Destination Port field.

    6. Select Save > Submit.

    7. Save the policy.
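To see why steps 3 to 5 matter, here is an added example (not from the post and not Symantec's rule engine) that models the two rule shapes with first-match evaluation. It assumes a simplified semantics in which the original entry only matches traffic whose sending-side port is 1900, while the corrected entry matches a private source host sending to destination port 1900; the packets and the RFC 1918 host list are constructed for the illustration.

```python
import ipaddress
from dataclasses import dataclass

# Stand-in for the rule's "private IP addresses" host list (RFC 1918 ranges, assumed).
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

def is_private(ip: str) -> bool:
    return any(ipaddress.ip_address(ip) in net for net in PRIVATE_NETS)

def allow_upnp_original(p: Packet) -> bool:
    # Original entry as the post describes it: 1900 sits in the Source Port field, so
    # only traffic *sent from* port 1900 qualifies (assumed model of that setting).
    return p.proto == "udp" and is_private(p.src_ip) and p.src_port == 1900

def allow_upnp_fixed(p: Packet) -> bool:
    # After steps 3-5: hosts typed as Source, 1900 moved to the Destination Port field.
    return p.proto == "udp" and is_private(p.src_ip) and p.dst_port == 1900

def block_upnp(p: Packet) -> bool:
    # "Block uPnP Discovery": any SSDP traffic, i.e. UDP towards port 1900.
    return p.proto == "udp" and p.dst_port == 1900

# Ordered policies: (rule name, predicate, action); the first matching rule decides.
ORIGINAL_POLICY = [("Allow UPnP Discovery from private IP addresses", allow_upnp_original, "allow"),
                   ("Block uPnP Discovery", block_upnp, "block")]
FIXED_POLICY = [("Allow UPnP Discovery from private IP addresses", allow_upnp_fixed, "allow"),
                ("Block uPnP Discovery", block_upnp, "block")]

def evaluate(policy, p: Packet) -> tuple:
    """First-match evaluation; returns (action, name of the rule that fired)."""
    for name, match, action in policy:
        if match(p):
            return action, name
    return "allow", "default"

# Constructed samples: an outgoing SSDP M-SEARCH from a 172.21.0.0/16 host (ephemeral
# source port) to the SSDP multicast group, and the same probe from a non-private host.
MSEARCH = Packet("udp", "172.21.0.15", 49152, "239.255.255.250", 1900)
EXTERNAL = Packet("udp", "203.0.113.9", 49152, "239.255.255.250", 1900)

if __name__ == "__main__":
    print("original policy, M-SEARCH:", evaluate(ORIGINAL_POLICY, MSEARCH))
    print("fixed policy, M-SEARCH:   ", evaluate(FIXED_POLICY, MSEARCH))
    print("fixed policy, external:   ", evaluate(FIXED_POLICY, EXTERNAL))
```

Under the original entry the discovery probe falls through to the block rule, which is the svchost.exe event the post describes; after the change it is allowed, while a probe from a non-private source is still blocked.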