Endpoint Protection

Hi I've just recently started having the problem of notifications coming up around every 10 minutes that says: Traffic has been blocked from this application: Device Association Framework Provider Host (dashost.exe).

A while back i had the same issue with svchost.exe and found a fix from a forum page which told me to change one of the settings in the firewall settings (I think it was unchecking "Enable network application monitoring" not sure exactly because it was a while ago but i'm pretty sure it was this).

Anyway now I'm having the same message for the dashost.exe and couldn't find any fixes for it. I've checked in taskmanager and the dashost.exe is running from C:/Windows/System32 and a full scan shows no threats so i don't think it is anything to do with a virus.

Traffic has been blocked from this application: Device Association Framework Provider Host (dashost.exe)

What does your firewall Traffic log show?

How do you check that?

Open the GUI:

View Logs >> Network and Host Exploit Mitigation >> View Logs >> Traffic Log.

1 6/18/2018 9:04:44 PM Allowed 3 Incoming UDP 192.168.1.1 C0-3F-0E-4E-A5-9E 2049 239.255.255.250 01-00-5E-7F-FF-FA 1900  DP DPS-ACER-PREDAT Default 1 6/18/2018 9:03:43 PM 6/18/2018 9:03:43 PM Allow UPnP Discovery from private IP addresses 

2 6/18/2018 9:08:22 PM Allowed 3 Incoming UDP 192.168.1.6 8C-DC-D4-31-49-99 53700 239.255.255.250 01-00-5E-7F-FF-FA 3702 C:\Windows\System32\dasHost.exe LOCAL SERVICE NT AUTHORITY Default 2 6/18/2018 9:08:09 PM 6/18/2018 9:08:09 PM Allow Web Services Discovery from private IP addresses 

3 6/18/2018 9:08:22 PM Blocked 3 Incoming UDP FE80:0:0:0:DCAA:9FF:400E:B2B6 8C-DC-D4-31-49-99 53701 FF02:0:0:0:0:0:0:C 33-33-00-00-00-0C 3702 C:\Windows\System32\dasHost.exe LOCAL SERVICE NT AUTHORITY Default 4 6/18/2018 9:08:09 PM 6/18/2018 9:08:10 PM Block Web Services Discovery 

If the traffic is coming from your own network you can exclude your local hosts here

policies\intrusion prevention\intrusion prevention\ enable excluded hosts

for some reason this started popping ipv6 traffic after the 14.2 update

FWIW UPnP and SSDP is off all over this network?

I dont see an option for enable excluded hosts. Also I dont know what that last part means.

Same problem. Getting lots of these notifications for various executables. What are the exact steps to fix this?

Same problem. Just started happening. What are the exact steps to fix this?

Has anyone opened a case with Support?  If not, please do so and provide your case numbers.

Thanks,

John Owens

My case number is 15189410. I just created it.

Hi All,

Has there been an update on this post/case? 

We have just updated to SEPM 4.2 and when testing a Mac client 4.2 update it lost internet access on that Mac. I then disabled the firewall on that Mac and access returned. 

Then I updated a firewall setting adding the ip and port for our proxy server and once I applied the setting we started getting errors pertaning dashost.exe in the logs of both the Macs and now Windows workstations. 

Unlike the Mac's the Windows 10 workstation did not lose internet connectivitiy but are constantly getting dashost.exe and svchost.exe occuring right around the time that I saved the firewall policy update.

Additionally, the firewall policy had been enabled sinc SEP version Ver 14 MP1 and has been updated all 5 versions since to 14.2.

Please post if there have been any updates.  I will be logging a call with Symantec shortly as well.

Thanks in advance for any help.

Hi All,

One of the items that SEP 14.2 has implemented is IPv6.  I noticed in the logs that all of the originating IP addresses are in IPv6.

As some of the internal host addresses in the new Mac firewall settings now list the internal IPv6 addresses. I copied them down and entered them into the intrusion protection and the alerts stopped. 

IPv6 Addresses:

From: FC00::0

To: FDFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF

and

From: FE80::0

To: FEBF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF

Can someone please tell me if is not in best practices and if there is a better place or way to include these in a whitelist whether in Intrusion Protection or the Firewal Policy?

Thanks....

If someone finds a good solution for this please let us all know

As for now we had to disable the 3 block ipv6 rules and the block web service requests from external computers

Even if we excluded our local ipv6 scheme 2001:db8:3c4d:1::/64 we still recieved messages about NTOSKRNL

Super annoying, once people get used to the popups they will ignore a real threat

thank you

Ron

hi guys any update in this problem?  TIA

I'm also experiencing this notification. dashost.exe appears to be a safe service running in WIndows 10.

i resolve the issue, i deleted the IPV6 in firewall policy and the notification stop.