ARP Cache Poison?

Hello,

I just checked my Logs today and I see

Event Type - ARP Cache Poison

Result -15.99.2.33.67

Details - incoming

I whoised the IP and it belongs to "Hewlett-packard"

Should I be worried?

Replies

Re: ARP Cache Poison?

hi Hingli!

I wouldn't be too worried. We have noticed that some networks have this happen a lot--like, over and over again--are you seeing a lot of these pings? Even if you do get these once in a while, at least you are getting them blocked, right?

I will ping Ryan; he knows more about the specifics of ARP Cache Poison than I do--but do know, that despite the word "poison" in the title, it's not that hectic.  Terrible sounding, though, isn't it?

thanks for posting,

mike

Re: ARP Cache Poison?

I just discovered that the ARP cache poison in the vulnerability protection for Norton AV v11.x, that I just installed, prevents my Checkpoint VPN client from completing IKE negotiation with my Checkpoint firewall.  Not sure why.  When I uncheck that one item in the vulnerability list, the VPN client works fine.  If I re-check it, I authenticate but IKE negotiation fails.

Re: ARP Cache Poison?

Hi,

Not sure what's going on here, because Symantec itself uses a Cisco VPN with IKE/IPSec. First, try turning off the Vulnerability Protection feature using the Norton QuickMenu. If that fixes the problem, then one of the signatures for Vulnerability Protection is the cause.

If that doesn't fix the problem, I am going to say that Norton AV is not the problem, since Vulnerability Protection is the only component in the product that works at the network layer.

Go ahead and give that a shot, and let me know if it works. Sorry for the problems.

Ryan McGann Technical Director Norton Business Unit, Symantec

Re: ARP Cache Poison?

I did just that.  I turned the ARP Cache Poison vulnerability protection item off and my Checkpoint VPN client works just fine.  If I turn that vulnerability protection item back on, my Checkpoint VPN stops working again.  It is consistent and repeatable.

Re: ARP Cache Poison?

Hi,

Thanks for the information. We use the same Vulnerability Protection engine as our Windows Norton Internet Security, so I will check with them and see if they know of any problems. We don't have a Checkpoint VPN to test with right now, but I will look into this and get back to you. Thanks for the update and sorry for the problems.

Ryan 

Ryan McGann Technical Director Norton Business Unit, Symantec

Re: ARP Cache Poison?

This is more a comment on the Symantec.com search than on these forums - but I went to www.symantec.com with that ARP Cache Poison phrase and did a search and came up with nothing. It's pretty disturbing to me that my NAV can give an error "vulnerability found" and provide zero information about it in NAV and then have nothing on it on the website (at least on the main search).

I looked around for 5 minutes or so before I stumbled on this forum post. 

I get that ARP Cache Poison notice nearly every day. And it bothers me that there seems to be no information beyond a strange IP(?) address (usually 0.e0.91.7b.52.65) and now this statement in the forums that "It caught it so you shouldn't be worried". Honestly, nowhere in NAV does it say that it was blocked or stopped or quarantined or anything. Just:

7/13/09 3:45PM  ARP Cache Poison  0.e0.91.7b.52.65  Incoming

At least my NAV for Mac virus defs were updated at 10:48AM today (the other event for today). 

P.S. LAME - My post was challenged because of invalid HTML - only I didn't post any HTML, I just used the stupid WYSIWYG editor. LAME. I guess the indenting isn't allowed, even though it's in the menu.

Re: ARP Cache Poison?

It is unclear, I agree. Explaining ARP Cache Poison Detection is pretty complicated, especially in the limited space we have for More Info, so we basically choose to not go into great detail. That's the same position taken on many of the virus detail pages on securityresponse.symantec.com because by and large it's just not possible to give all the information to every kind of customer (from novice to very tech savvy). I'll be happy to answer any questions here.

What you are seeing is not an IP address, it's a MAC address (Ethernet address). This event is generated whenever your computer receives an answer over the network to a question that it didn't ask. Norton AntiVirus/Norton Internet Security's Vulnerability Protection feature generates this alert on some networks frequently because some routers (including Apple's) have buggy/incorrect implementations of the ARP protocol that cause it to generate erroneous messages. Since these messages CAN be (but are not necessarily) malicious in nature, we block them. We disabled reporting for ARP Cache Poison detection by default because we found several popular routers that generate the alert.

Ryan 

Ryan McGann Technical Director Norton Business Unit, Symantec
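
The rule described in the post above ("an answer over the network to a question that it didn't ask") can be sketched as follows. This is an added example, not part of the original thread and not Norton's implementation; the class name, the 2-second window, and all MAC/IP addresses are assumptions constructed for illustration.

```python
import socket
import struct

ARP_REQUEST, ARP_REPLY = 1, 2

def build_arp(oper, sha, spa, tha, tpa):
    """Build a 28-byte Ethernet/IPv4 ARP payload (for constructed samples)."""
    return struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, oper,
                       bytes.fromhex(sha.replace(":", "")), socket.inet_aton(spa),
                       bytes.fromhex(tha.replace(":", "")), socket.inet_aton(tpa))

def parse_arp(payload):
    """Return (oper, sender_mac, sender_ip, target_ip) from an ARP payload."""
    if len(payload) < 28:
        raise ValueError("truncated ARP payload")
    htype, ptype, hlen, plen, oper, sha, spa, _tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    return oper, sha.hex(":"), socket.inet_ntoa(spa), socket.inet_ntoa(tpa)

class UnsolicitedReplyDetector:
    """Flags ARP replies that answer no request this host recently sent."""
    def __init__(self, my_mac, window=2.0):
        self.my_mac, self.window = my_mac, window
        self.pending = {}  # IP we asked about -> time of our request

    def sent(self, ts, payload):
        oper, sha, _spa, tpa = parse_arp(payload)
        if oper == ARP_REQUEST and sha == self.my_mac:
            self.pending[tpa] = ts

    def received(self, ts, payload):
        """Return None for a solicited reply, else (sender_mac, sender_ip)."""
        oper, sha, spa, _tpa = parse_arp(payload)
        if oper != ARP_REPLY:
            return None
        asked = self.pending.pop(spa, None)  # one answer per question
        if asked is not None and 0 <= ts - asked <= self.window:
            return None
        return sha, spa

if __name__ == "__main__":
    me, gw = "02:00:00:00:00:01", "02:00:00:00:00:fe"  # constructed addresses
    d = UnsolicitedReplyDetector(me)
    d.sent(0.0, build_arp(ARP_REQUEST, me, "192.0.2.10", "00:00:00:00:00:00", "192.0.2.1"))
    reply = build_arp(ARP_REPLY, gw, "192.0.2.1", me, "192.0.2.10")
    print(d.received(0.1, reply))  # None: it answers our request
    print(d.received(5.0, reply))  # flagged: same reply, but nobody asked
```

A router that repeats its replies without being asked trips this check just as a spoofed reply does, which is why the alert by itself does not distinguish the two cases.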
