Endpoint Protection

  • Private Community
 View Only

  • 1.  VNC being block by SEP IPS

    Posted Jun 27, 2018 10:47 PM

    Anybody facing this? 27-28 June

     

    Is there any new changes on the IPS signature?....seems like the rule inconsistent

     

    The settings is allow and log only, but apparently a lot got blocked..

     

     

    Only after placing under signature execption... vnc ok



  • 2.  RE: VNC being block by SEP IPS

    Trusted Advisor
    Posted Jun 28, 2018 01:06 AM

    Hello, VNC works fine. Not sure if there are any changes in the IPS Signatures.

    As NTP(Firewall) / IPS can be the only reason for VNC/RDP to get blocked. Antivirus will not block RDP connection.

    Creating an IPS Exception is one way. 

    Check this article for another -

    Cannot connect to a computer through RDP, and VNC after the Firewall policy is enabled.

    http://www.symantec.com/docs/TECH96011

    Could you also check if you have a Learned Application Feature turned on the SEPM.

    If yes, try turning it off.

    Hope that helps!!



  • 3.  RE: VNC being block by SEP IPS

    Posted Jun 28, 2018 05:15 AM

    Hi,

    Same problem here, can you please post detail on how to create signature exception?

    Thanks in advance



  • 4.  RE: VNC being block by SEP IPS

    Posted Jun 28, 2018 05:27 AM

    Just follow the guide, refer sample attached

     


     



  • 5.  RE: VNC being block by SEP IPS

    Posted Jun 28, 2018 05:30 AM

    Nope....seems not related

    IPS et all was running without blocking VNC all the while...only starting earlier this morning

     

    I suspect the never version has changes in VNC signature, lets wait if new update tomorrow fix it

    https://www.symantec.com/security_response/definitions/download/detail.jsp?gid=ips14



  • 6.  RE: VNC being block by SEP IPS
    Best Answer

    Posted Jun 28, 2018 05:36 AM

    Hi ins007,

    Updating with the latest IPS signatures should prevent this logging. If not, altering the policy as illustrated should do the trick.

    Creating exceptions for IPS signatures
    https://www.symantec.com/docs/HOWTO80883



  • 7.  RE: VNC being block by SEP IPS

    Posted Jun 28, 2018 07:31 AM

    Yea, we're seeing these as well. Have been for a few days as the same signature you posted above is triggering. Not being blocked though.



  • 8.  RE: VNC being block by SEP IPS

    Posted Jun 28, 2018 11:57 AM

    Just adding a specific IPS definition set: 20180627.061.  That or higher should not log this VNC audit signature by default.



  • 9.  RE: VNC being block by SEP IPS

    Posted Jul 04, 2018 04:53 AM

    Hi ins007,

    Just a ping to see if this is now resolved-? The thread is still marked "needs solution."



  • 10.  RE: VNC being block by SEP IPS

    Posted Jul 06, 2018 11:00 AM

    FYI I also got the same error.  My case number is 15100619.  VNC started being blocked the morning of 6/26.  White listing was the work-around.  I noticed that the default setting for VNC Banner pages was set to allow\do not log.