11-26-2010 06:21 PM
This evening I had continuous attacks reported by Norton as: rule default block EPMAP blocked 10.0.0.4 port dcom 135 inbound TCP connection.
1.) Could someone please explain the nature of this type of attack or point me to an online link for more details?
2.) The attacks began at 6 pm ET until the present, which is 9:15pm, in case it is of importance to those who track or anyone who had a similar experience
3.) Years ago, Norton provided a map that showed visually where attacks originated. (I've had Norton for over a decade.) Can I do the same thing now through Norton or some other tool?
4.) Is there anything I can do to discourage the continuation of these attacks or is it simply my role to endure them until the attack is through with their wargames?????
11-26-2010 06:43 PM - edited 11-26-2010 06:49 PM
Are you on a local network? By default Norton blocks EPMAP and port 135. Your IP address, 10.0.0.4, is a private IP address that corresponds to something on your local network, and cannot be routed over the internet. So you were not under attack, but something on your own network tried to communicate with your PC and was prevented from doing so by this Norton default rule. Nothing to worry about (even if it had come from the internet, Norton will always block it, so still nothing to worry about - that's what the rule is there for).
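An added illustration, not part of the original thread: the check described in the reply above (does the reported source address belong to a local-network range?) written as a small Python triage function. The regular expression assumes the alert wording quoted in the first post, and 203.0.113.7 is a constructed documentation-range placeholder standing in for an address outside the LAN.

```python
import ipaddress
import re

# Ranges that can only originate on the local side of a home router.
LOCAL_RANGES = {
    "rfc1918-private": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "loopback": ["127.0.0.0/8"],
    "link-local": ["169.254.0.0/16"],
}

# Assumption: matches the alert wording quoted in the first post; the real
# Norton log layout may differ.
ALERT_RE = re.compile(
    r"blocked\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+port\s+(?:\w+\s+)?(?P<port>\d+)"
    r"\s+(?P<direction>inbound|outbound)\s+(?P<proto>TCP|UDP)",
    re.IGNORECASE,
)


def classify_ip(text):
    """Return the name of the local range an IPv4 address falls in, else 'non-local'."""
    addr = ipaddress.ip_address(text)
    for name, cidrs in LOCAL_RANGES.items():
        if any(addr in ipaddress.ip_network(c) for c in cidrs):
            return name
    return "non-local"


def triage(line):
    """Parse one alert line; return None if it does not match the pattern."""
    m = ALERT_RE.search(line)
    if m is None:
        return None
    try:
        origin = classify_ip(m["ip"])
    except ValueError:  # e.g. 999.1.1.1 passes the regex but is not an address
        return None
    return {
        "ip": m["ip"], "port": int(m["port"]),
        "direction": m["direction"].lower(), "proto": m["proto"].upper(),
        "origin": origin,
        "rpc_endpoint_mapper": int(m["port"]) == 135,  # EPMAP / DCOM port
    }


if __name__ == "__main__":
    template = "rule default block EPMAP blocked {} port dcom 135 inbound TCP connection"
    for ip in ("10.0.0.4", "203.0.113.7"):  # second address is constructed
        print(triage(template.format(ip)))
```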
11-26-2010 07:05 PM
Thanks for the info. Is it possible for me to identify the source machine or program that Norton is reporting as the attacker? What does "inbound TCP connection" mean? Norton identifies it as such. After I post this message I am going to restart the computer, which has been on for quite a while, and see if it ends the loop. Thanks again.
11-26-2010 07:14 PM - edited 11-26-2010 07:16 PM
It is probably your own computer. My Norton History logs are filled with "Default EPMAP blocks" that are nothing more than svchost.exe communicating to "all local network adapters" - just Windows checking on the network. Highlight an entry in your Norton History and click "More Details." Is it just you on a home network behind a router, or are you on a larger corporate network?
11-26-2010 07:32 PM
Just me behind a router. I checked the network map that is provided by Norton. Both IPs belong to my two computers on the network. It would appear that something on the other computer is trying to access this one. Can someone tell me how to identify what program might be initiating the communication via port 135 using TCP protocols? Thanks for the insight into this problem.
11-26-2010 10:15 PM
You can run TCPview.exe (part of the Sysinternals Suite from Microsoft - available here) on the other machine to view what process is running / using what port, protocol and process ID. Most likely it will be the svchost.exe service of Windows; as SendOfJive pointed out, Windows (as a default) keeps a constant check on the local network using port 135 and DCOM / EPMAP. Most security software blocks this as they handle the network's information in a much more secure manner.
11-27-2010 07:16 PM
Thanks for the quick replies and solutions to my inquiry. Very helpful forum. I will be checking to see if this same "EPMAP blocked at port 135" comes up regularly when more than one puter is logged on the network behind the router. The blocked communication was between my own two computers. Even though I am not a geek, I should have deduced that from the IP addresses given. It raised a flag, but no light went on. Thanks again.