Endpoint Protection


[SID: 20628] MSRPC Mutiple Headers detected ?

Migration User, Oct 23, 2009 02:53 PM

  • 1.  [SID: 20628] MSRPC Mutiple Headers detected ?

    Posted Oct 22, 2009 10:57 AM
    There is very little information on this issue, but since yesterday's update we've seen a lot of alerts regarding this from one location.  Nothing else seems out of the ordinary on the PCs we've taken a peek at.  Just wondering if anyone else has seen this, or knows a bit more detail about the underlying issue.  Symantec's article on this is very thin.  


  • 2.  RE: [SID: 20628] MSRPC Mutiple Headers detected ?
    Best Answer

    Posted Oct 22, 2009 11:06 AM
     Since Vista does not properly pass the application name for ntoskrnl.exe to the NTP firewall, the firewall may not correctly be detecting it.  The same may also be true for XP SP3.

    To fix this, you may follow the steps below:

    From the main menu along the left side in the SEPM, choose Policies.
    Under View Policies, click on Firewall. 
    Double click on the policy you wish to edit.  A new window will open.
    On the left side, click on Rules.
    At the bottom, click on Add Blank Rule.
    Name the rule Allow SMB Network Browsing.
    Under Application, right-click on Any, then choose Edit....
    Next to file name, manually type in C:\Windows\System32\ntoskrnl.exe (or browse to it using the Browse button).
    Ensure Action is set to Allow.
    Use the Move Up or Move Down button to place the rule above any other that would otherwise block this application.  It is recommended to place this rule in the Administrative area, above the blue line.


  • 3.  RE: [SID: 20628] MSRPC Mutiple Headers detected ?

    Posted Oct 22, 2009 12:17 PM
    Thanks for the information.  We only have a couple of Vista clients, but we do have a fair number (probably 40% or more) that are XP SP3.  I've just changed this policy in our test group, and will roll it out to the rest if it pans out.


  • 4.  RE: [SID: 20628] MSRPC Mutiple Headers detected ?

    Posted Oct 22, 2009 01:37 PM
    We have seen one Vista computer have hundreds of false positives this morning associated with this update from yesterday.  The specific event description is:

        [SID: 20628] MSRPC Mutiple Headers detected. Traffic has been allowed from this application: C:\WINDOWS\system32\ntoskrnl.exe

    The remote host is Windows Server 2003 R2 x64, which is our print server.  Our other Vista (~10) computers don't have this problem and neither do our Windows XP SP3 (~300) computers.  I would rather not create a firewall exception for the MSRPC Multiple Headers threat (http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=20628), which would leave our clients vulnerable to this type of attack.  I would like to see Symantec fix the problem with their recent update.


  • 5.  RE: [SID: 20628] MSRPC Mutiple Headers detected ?

    Posted Oct 22, 2009 02:22 PM
     This is a known IPS false positive.
     Follow the above workaround; this will be fixed later on.


  • 6.  RE: [SID: 20628] MSRPC Mutiple Headers detected ?

    Posted Oct 22, 2009 04:42 PM

    I have a workstation with XP SP2 that is getting this error. I also get the error above on multiple workstations, but sometimes it says svchost.exe instead of ntoskrnl.exe:

    [SID: 20628] MSRPC Mutiple Headers detected. Traffic has been allowed from this application: C:\WINDOWS\system32\svchost.exe

    I agree with Scott.  Is allowing this a good idea? I know you say "Follow the above workaround this will fix later on", but when? If you are going to fix it soon, I would rather live with the alert than be more vulnerable. As Scott pointed out, Symantec's info on this IPS event looks pretty serious (my favorite is the last line, but I will give Symantec a break since it seemed to just come out):
    MSRPC Mutiple Headers

    Severity: Medium
    This attack could pose a moderate security threat. It does not require immediate action.
    Description
    This signature detects multiple RPC headers in one single TCP packet. Popular attack tools have been known to use this pattern to evade IPS engines.
    Additional Information
    This signature detects multiple RPC headers in one single TCP packet. Popular attack tools have been known to use this pattern to evade IPS engines.
    Affected
    • Windows
    Possible False Positives
    There are no known false positives associated with this signature. (giggle)

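    The signature text quoted above describes the pattern as multiple RPC headers in one TCP packet. As an added example that is not part of this thread and is not Symantec's own detection logic, the following Python walks a TCP segment payload and counts back-to-back DCE/RPC connection-oriented PDU headers. The 16-byte common header layout (version 5, minor version, packet type, fragment flags, data representation, fragment length, auth length, call ID) is from the DCE/RPC specification; the sample segments are constructed inline, not captured traffic, and the function names are my own.

```python
import struct

RPC_HDR_LEN = 16          # DCE/RPC connection-oriented common header size
RPC_VERS = 5
PFC_FIRST_FRAG = 0x01
PFC_LAST_FRAG = 0x02
PTYPE_NAMES = {0: "request", 2: "response", 11: "bind", 12: "bind_ack"}


def build_pdu(ptype: int, call_id: int, body: bytes = b"",
              pfc_flags: int = PFC_FIRST_FRAG | PFC_LAST_FRAG) -> bytes:
    """Build one little-endian DCE/RPC CO PDU (common header + stub body).
    Used only to construct sample traffic for this example."""
    frag_len = RPC_HDR_LEN + len(body)
    # rpc_vers, rpc_vers_minor, ptype, pfc_flags, drep[4], frag_length,
    # auth_length, call_id
    return struct.pack("<BBBB4sHHI", RPC_VERS, 0, ptype, pfc_flags,
                       b"\x10\x00\x00\x00", frag_len, 0, call_id) + body


def parse_rpc_headers(payload: bytes) -> list[dict]:
    """Return every well-formed DCE/RPC CO PDU header found back to back
    in a single TCP segment payload. Stops at the first byte sequence that
    is not a plausible header or whose frag_length runs past the segment."""
    headers = []
    off = 0
    while off + RPC_HDR_LEN <= len(payload):
        vers, vers_minor, ptype, pfc_flags = payload[off:off + 4]
        drep = payload[off + 4]
        if vers != RPC_VERS or vers_minor not in (0, 1):
            break
        # Bit 4 of drep[0] selects little-endian integer representation.
        endian = "<" if drep & 0x10 else ">"
        frag_len, auth_len, call_id = struct.unpack_from(
            endian + "HHI", payload, off + 8)
        if frag_len < RPC_HDR_LEN or off + frag_len > len(payload):
            break
        headers.append({
            "offset": off,
            "ptype": PTYPE_NAMES.get(ptype, f"ptype_{ptype}"),
            "first_frag": bool(pfc_flags & PFC_FIRST_FRAG),
            "last_frag": bool(pfc_flags & PFC_LAST_FRAG),
            "frag_length": frag_len,
            "auth_length": auth_len,
            "call_id": call_id,
        })
        off += frag_len
    return headers


def multiple_rpc_headers(payload: bytes) -> bool:
    """The condition the quoted signature describes: more than one RPC
    header inside one TCP segment."""
    return len(parse_rpc_headers(payload)) > 1


# Constructed sample segments (not captured traffic).
SINGLE = build_pdu(0, 7, b"C" * 12)                      # one request
TWO_CALLS = build_pdu(0, 1, b"A" * 20) + build_pdu(0, 2, b"B" * 8)
# One call split into two fragments that land in the same segment.
SPLIT_CALL = (build_pdu(0, 3, b"D" * 8, PFC_FIRST_FRAG)
              + build_pdu(0, 3, b"E" * 8, PFC_LAST_FRAG))
TRAILING_JUNK = SINGLE + b"\x00" * 16                    # non-RPC bytes after one PDU


if __name__ == "__main__":
    for name, seg in [("SINGLE", SINGLE), ("TWO_CALLS", TWO_CALLS),
                      ("SPLIT_CALL", SPLIT_CALL), ("TRAILING_JUNK", TRAILING_JUNK)]:
        hdrs = parse_rpc_headers(seg)
        print(f"{name}: {len(hdrs)} header(s), alert={multiple_rpc_headers(seg)}",
              [(h["ptype"], h["call_id"]) for h in hdrs])
```

    The counter only reports how many headers share a segment. Two distinct calls packed together and one call split into two fragments that arrive in the same segment both trip it, and the bytes alone do not say whether a tool deliberately fragmented a request or a TCP stack simply coalesced several small PDUs. That is a limitation of counting the pattern, not a statement about what caused the false positives reported in this thread.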

  • 7.  RE: [SID: 20628] MSRPC Mutiple Headers detected ?

    Posted Oct 22, 2009 04:50 PM
    You can contact Symantec Tech support. So that they can collect the needed data & resolve this issue as soon as possible. 


  • 8.  RE: [SID: 20628] MSRPC Mutiple Headers detected ?

    Posted Oct 22, 2009 04:51 PM
    I don't think this should be credited as a solution just yet. Maybe a workaround, but no solution was given.


  • 9.  RE: [SID: 20628] MSRPC Mutiple Headers detected ?

    Posted Oct 22, 2009 07:44 PM
    The problem lies with IPS definitions dated 2009-10-20 rev.001.  My simple workaround was to roll back to the previous IPS definitions by following the instructions I found at http://service1.symantec.com/support/ent-security.nsf/docid/2007111515160948 (note: these instructions don't match the MR5 SEPM interface, but were close enough for me to follow).  I also needed to manually run LiveUpdate on SEPM for the clients to get the rolled-back IPS definitions.

    I agree with Senrats that the firewall exception suggestion by Happytohelp is only a temporary workaround and not a solution.  Also, I don't have the time to help Symantec troubleshoot their own faulty definitions, and they should do better testing before releasing definitions.


  • 10.  RE: [SID: 20628] MSRPC Mutiple Headers detected ?

    Posted Oct 23, 2009 06:34 AM
    >[SID: 20628] MSRPC Mutiple Headers detected. Traffic...

    "Mutiple" ???  Where has the "L" gone? :)))   Maybe it will come as well in the next IPS release?


  • 11.  RE: [SID: 20628] MSRPC Mutiple Headers detected ?

    Posted Oct 23, 2009 02:53 PM
    I didn't even catch that! 


  • 12.  RE: [SID: 20628] MSRPC Mutiple Headers detected ?

    Posted Oct 25, 2009 06:40 AM

    I am still seeing this problem with some of my clients. Have the FIXED IPS DEFINITIONS been released or not? Any clarity on this?



  • 13.  RE: [SID: 20628] MSRPC Mutiple Headers detected ?

    Posted Oct 26, 2009 04:28 AM
    @Amrut: 

    Yes, should be solved now with:

    Security Update 221 - for Symantec Client Security
    Security Update 121 - for Symantec Endpoint Security

    See: http://www.symantec.com/business/security_response/securityupdates/list.jsp?fid=sep

    for updates.

    --cheers

    Luca





  • 14.  RE: [SID: 20628] MSRPC Mutiple Headers detected ?

    Posted Oct 26, 2009 04:51 PM
    The IPS definitions dated 2009-10-26 rev.018 resolve the false positive for [SID: 20628] MSRPC Mutiple Headers detected, but now have false positives for [SID: 21960] MSRPC Spooler GetPrinterData DoS detected. Now it appears to affect client Windows computers that aren't joined to our domain when connecting to our Windows Server 2003 R2 x64 print server. When will Symantec get this correct?