02-06-2009 01:23 PM
I just checked my Logs today and I see
Event Type - ARP Cache Poison
Details - incoming
I whoised the IP and it belongs to "Hewlett-packard"
Should I be worried?
02-09-2009 05:11 PM
I wouldn't be too worried. We have noticed that some networks have this happen a lot--like, over and over again--are you seein a lot of these pings? Even if you do get these once in awhile, at least you are getting them blocked, right?
I will ping Ryan; he knows more about the specifics of ARP Cache Poison than I do--but do know, that despite the word "poison" in the title, it's not that hectic. Terrible sounding, though, isn't it?
thanks for posting,
02-26-2009 06:02 PM
I just discovered that the ARP cache poison in the vulnerability protection for Norton AV v11.x, that I just installed, prevents my Checkpoint VPN client from completing IKE negotiation with my Checkpoint firewall. Not sure why. When I uncheck that one item in the vulnerability list, the VPN client works fine. If I re-check it, I authenticate but IKE negotiation fails.
03-05-2009 10:42 AM
Not sure what's going on here, because Symantec itself uses a Csico VPN with IKE/IPSec. First, try turning off the Vulnerability Protection feature using the Norton QuickMenu. If that fixes the problem, then one of the signatures for Vulnerability Protection is the cause.
If that doesn't fix the problem, I am going to say that Norton AV is not the problem, since Vulnerability Protection is the only component in the product that works at the network layer.
Go ahead and give that a shot, and let me know if it works. Sorry for the problems.
03-08-2009 09:37 PM
03-10-2009 08:52 PM
Thanks for the information. We use the same Vulnerability Protection engine as our Windows Norton Internet Security, so I will check with them and see if they know of any problems. We don't have a Checkpoint VPN to test with right now, but I will look into this and get back to you. Thanks for the update and sorry for the problems.
07-13-2009 07:15 PM
This is more a comment on the Symantec.com search than on these forums - but I went to www.symantec.com with that ARP Cache Poison phrase and did a search and came up with nothing. It's pretty disturbing to me that my NAV can give an erro "vulnerability found" and provide zero information about it in NAV and then have nothing on it on the website (at least on the main search).
I looked around for 5 minutes or so before I stumbled on this forum post.
I get that ARP Cache Poison notice nearly every day. And it bothers me that there seems to be no information beyond a strange IP(?) address (usually 0.e0.91.7b.52.65) and now this statement in the forums that "It caught it so you shouldn't be worried". Honestly, no where in NAV does it say that it was blocked or stopped or quarantined or anything. Just:
7/13/09 3:45PM ARP Cache Poison 0.e0.91.7b.52.65 Incoming
At least my NAV for Mac virus defs were updated at 10:48AM today (the other event for today).
P.S. LAME - My post was challenged because of invalid HTML - only I didn't post any HTML, I just used the stupid WYSIWYG editor. LAME. I guess the indenting isn't allowed, even though it's in the menu.
07-14-2009 04:36 PM
It is unclear I agree. Explaining ARP Cache Poison Detection is pretty complicated, especially in the limited space we have for More Info, so we basically choose to not go into great detail. That's the same position taken on many of the virus detail pages on securityresponse.symantec.com because by and large it's just not possible to give all the information to every kind of customer (from novice to very tech savvy). I'll be happy to answer any questions here.
What you are seeing is not an IP address, it's a MAC address (Ethernet address). This event is generated whenever your computer receives an answer over the network to a question that it didn't ask. Norton AntiVirus/Norton Internet Security's Vulnerability Protection feature generates this alert on some networks frequently because some routers (including Apple's) have buggy/incorrect implementations of the ARP protocol that cause it to generate erroneous messages. Since these messages CAN be (but are not necessarily) malicious in nature, we block them. We disabled reporting for ARP Cache Poison detection by default because we found too several popular routers that generate the alert.