Is there a way to set Intrusion Prevention on a "permanent" mode against received attacks?
I found that the max is 48 hrs but after reviewing the history archive I noticed that some of IP addresses recognized as "attackers" keep showing up day, after day...forever!
Before installing NIS2010 I had no idea that there were so many people out there intent on harming your PC.
Is Norton/Symantec contemplating upgrading this feature to incorporate a 'Permanent' to Intrusion Prevention?
If I knew how, I would like to forward my current history of attempts. I'm sure I'm not alone in this dept., and a 'Permanent' injunction against these obnoxious citizens of the 'net' will be a very welcomed solution.
Thanks,
Hi oldbear
The best way to do that would be to configure your firewall (hardware or software) to block particular IP addresses.
Permanent block is not done because the Internet is so dynamic that a particular IP may not attack you anymore. If something tries direct attack or sneak, Norton IPS/firewall will again block it, don't worry.
You can use the firewall to create a rule to completely block all the traffic from specific IPs if you want to, or a particular traffic.
Is there a way to set Intrusion Prevention on a "permanent" mode against received attacks?
I found that the max is 48 hrs but after reviewing the history archive I noticed that some of IP addresses recognized as "attackers" keep showing up day, after day...forever!
If Intrusion Prevention keeps showing bad ip addresses being blocked, it's very possible that you have malware or possibly even a rootkit in your computer. These bad ip's may be trying to communicate with something that is already inside your computer.
Can you please post a screen shot showing what Intrusion Prevention is blocking and also showing the more details part? Here is how you can post a screen shot.
When you open the Intrusion AutoBlock settings screen you see which computers are currently blocked. You can then unblock them or block them permanently. You can also configure the firewall to block all connections from this computer(s). I've seen MS RPCSS Attack coming from PCs infected with variants of Sality, which is extremely hard to disinfect since sometimes it doesn't let you install antivirus products or access their websites.
Please make sure you have all of Windows' Updates installed on your computer; if you use XP, then please visit the Microsoft Web Site > Windows Update, and if you use Vista or 7, there is an in-built Microsoft Update in the Operating System.
Here is more information on the Attack you are seeing:
There are numerous vulnerabilities associated with Microsoft's RPC DCOM service. This signature represents patterns associated with various publicly available RPC DCOM attacks. Events associated with this attack warrant immediate attention, and users are encouraged to audit the status of all machines with the RPC service enabled.
Microsoft Windows supports a Remote Procedure Call (RPC) application programmer's interface (API) that allows applications to share publicly available objects in a distributed computing environment (DCE). RPCSS is the service that carries out the communication that takes place through the specified API.
One of the more notable vulnerabilities associated with this service is a denial-of-service condition that exists in the RPCSS service. This issue is due to a failure of the application to properly handle malformed network messages.
The problem presents itself when the malformed messages are handled by the affected service. Exceptional conditions triggered by the malformed messages cause a failure of the application to free previously acquired heap memory. After processing a number of offending messages, the process will be unable to allocate more memory for incoming network data and a denial-of-service condition will be triggered.
The issue specifically deals with the processing of packets reporting extremely large length. After DCOM processes the request, it is passed to the Activation class of functions residing in 'rpcss.dll'. Here memory is allocated to store the information; the size of memory allocated is derived from the 'length' field of the message. If the specified length is larger than the memory pool of the source buffer, an exception will be triggered. In this case the memory that was allocated will not be freed, causing a memory leak that will trigger a denial-of-service condition.
Successful exploitation of this issue may allow a remote attacker to cause the affected server to crash or stop responding. On Microsoft Windows 2000, XP, and Server 2003 this will cause the affected system to reboot; on all other Windows platforms the system will have to be manually rebooted. It is currently not known whether this issue could be leveraged to execute arbitrary code on the affected system.
It has been observed that W32.Gaobot and W32.RXBot [W32.Spybot.Worm] worms exploit this issue to propagate.
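The leak pattern described in the signature text above, as an added example that is not part of the original post and is not code from rpcss.dll: a simplified handler that allocates from the message's claimed length and returns on the error path without freeing, beside a version that validates the length before allocating. The message layout (4-byte little-endian length followed by payload), all function names and the allocation counter are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Assumed layout: 4-byte little-endian length field, then the payload. */
static long live_allocs = 0;   /* outstanding heap blocks, tracked for the demo */
static void *track_alloc(size_t n) { void *p = malloc(n); if (p) live_allocs++; return p; }
static void track_free(void *p) { if (p) { free(p); live_allocs--; } }

static uint32_t claimed_len(const uint8_t *m) {
    return (uint32_t)m[0] | (uint32_t)m[1] << 8 | (uint32_t)m[2] << 16 | (uint32_t)m[3] << 24;
}

/* Flawed: sizes the buffer from the claimed length, then bails out without freeing it. */
int handle_leaky(const uint8_t *msg, size_t msg_len) {
    if (msg_len < 4) return -1;
    uint32_t len = claimed_len(msg);
    uint8_t *buf = track_alloc(len ? len : 1);
    if (!buf) return -1;
    if (len > msg_len - 4)
        return -1;             /* error path: buf is never released */
    memcpy(buf, msg + 4, len);
    track_free(buf);
    return 0;
}

/* Hardened: the claimed length is checked against the bytes received before allocating. */
int handle_checked(const uint8_t *msg, size_t msg_len) {
    if (msg_len < 4) return -1;
    uint32_t len = claimed_len(msg);
    if (len > msg_len - 4) return -1;
    uint8_t *buf = track_alloc(len ? len : 1);
    if (!buf) return -1;
    memcpy(buf, msg + 4, len);
    track_free(buf);
    return 0;
}

/* Feeds a constructed malformed message 'rounds' times; returns blocks left allocated. */
long leaked_after(int (*handler)(const uint8_t *, size_t), int rounds) {
    const uint8_t bad[8] = {0x00, 0x00, 0x01, 0x00, 'A', 'B', 'C', 'D'}; /* claims 64 KiB, carries 4 bytes */
    long before = live_allocs;
    for (int i = 0; i < rounds; i++) handler(bad, sizeof bad);
    return live_allocs - before;
}

int main(void) {
    return (leaked_after(handle_leaky, 10) == 10 && leaked_after(handle_checked, 10) == 0) ? 0 : 1;
}
```

Each malformed message leaves one block allocated in the flawed handler, which is how repeated messages exhaust the process's memory; the hardened handler leaves none.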
Thank you everyone for your input. Rest assured that I follow a weekly routine to stay up-to-date with Win XP updates. I'm a former manager of IT and do what I used to preach; ignore Microsoft's updates at your own risk.
I admit that I'm not 100% on top of 'Auto Block', I cannot find any of these intruders listed anywhere, maybe I'm missing something but I don't know what that is, ideas?