Endpoint Protection

Hi,

I am getting this alert since the new release of the Symantec IPS definition dated 2009-10-20 rev.001.

I have attached the printscreen for reference. Can anyone help?





Thank you,

Ian

Check this... http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=21960 http://www.kb.cert.org/vuls/id/914617 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6296 Update MS patches and do a full scan in safe mode on 192.168.19.203 pc.

This very useful tip shp

We are gettting this now.   The remote host is our w2k3 corporate print server.   Both the computer and server are up2date with latest security patches and endpoint definitions.

Disable the proactive threat protection portion of SEP and restart your print spooler ont he client. Or exclude C:\Windows\system32\ntoskrnl.exe from the scan engine.

I'm getting this same blocking and logging.  It only happens maybe 1 out of 10 times a single user tries to print.  I could be wrong but it only appears to be happening on Windows 7 machines.  I opened a ticket yesterday but the only thing they could suggest was to create an exception for ntoskrnl.exe which I don't want to do.  This was after spending 10 minutes trying to explain what intrusion prevention is and helping them understand that intrusion prevention is soemthing built into SEP 11 and not third party software.  Has anyone else been seeing anything like this?  Thank you.

I have tried to enable the exeption for the ntoskernel.exe to see if that temporarily stops the problem but that definitely isn't a solution for this issue. It is also only on windows 7 machines for our network too.

I'm glad I'm not the only one having this problem.  I'm not really sure what the next step is here.  For whatever reason this most recent call in to Symantec was absolutely useless.  The worst "support" I've ever received.  Maybe because I made the mistake of saying it was low priority?  Any Symantec people know what I need to do to bring this to someones attention.  Maybe it's something specific to our network, but I'm sure others will be seeing it eventually.  Thank you.

I have a user with the same problem.

IBM Laptop
Local Printer - Canon iP4300
Windows 7

I created a special folder for this one user and added an exception to allow/log the "event"

Policies> Intrusion Prevention Policies> Exceptions> Add...

browse to exception ID 21960 (same as in the error).

This is not  a "FIX" but it makes it only allow one exception for one computer. I think this is better than the "Disable the proactive threat protection portion of SEP and restart your print spooler ont he client. Or exclude C:\Windows\system32\ntoskrnl.exe from the scan engine."