Jump to content
mattlucasv

Network Attack Blocker issues

Recommended Posts

Hi All

 

Earlier today the Network Attack blocker started to block RDP session on port 3389 on a number of our terminal servers. After investigating the issue we sure we don't have any virus/Trojan on the network but we also can't find any real information in the security center as to why it's blocking the RDP requests. The user doesn't even get to the window logon screen!

 

The only information we have is below. Has anyone else had this issues? How can we find out why all of a sudden it decided to block these sessions?

 

Thanks for any help!!!

 

 

Event name Network attack detected

Severity: Critical event

Application: Kaspersky Endpoint Security 8 for Windows

Version number: 8.1.0.646

Task name: Network Attack Blocker

Computer: #######

Group: Windows Servers

Time: Saturday, 17 March 2012 3:03:53 PM

Name of virtual Server:

Description: Event type: Network attack detected

Application\Name: Unknown application

Component: Network Attack Blocker

Result\Description: Allowed

Result\Name: Intrusion.Win.V1202.attack.silent

Object: TCP from to local port 3389

Object\Type: Network packet

Object\Name: TCP from to local port 3389

Edited by mattlucasv

Share this post


Link to post

hi, i have the same issue on windows 2003 r2 enterprice x64.

 

KES 8 Russian

 

Название события Обнаружена сетевая атака

Уровень важности: Критическое событие

Программа: Kaspersky Endpoint Security 8 для Windows

Номер версии: 8.1.0.646

Имя задачи: Защита от сетевых атак

Компьютер: ***

Группа: ***

Время: 17 марта 2012 г. 10:31:20

Имя виртуального Cервера:

Описание: Тип события: Обнаружена сетевая атака

Программа\Название: Неизвестная программа

Компонент: Защита от сетевых атак

Результат\Описание: Разрешено

Результат\Название: Intrusion.Win.V1202.attack.silent

Объект: TCP от на локальный порт 3389

Объект\Тип: Сетевой пакет

Объект\Название: TCP от на локальный порт 3389

 

sorry for post in english section :)

Edited by fynt

Share this post


Link to post

Same at 3 customers.

In "firewall-rules / rules for network-packets / Remotedesktop" was changed from allow to block!!!

After modify rule back to allow still no success.

Only after turning-off "Network Attack Protection" i was able to RDP again.

 

Any suggestions?

 

Share this post


Link to post

We are also experiencing this. I already had the firewall / network packet rule set to allowed for RDP. I'll have to try disabling Network Attack Protection until this is resolved.

Share this post


Link to post

Well if you whole subnet is excluded it won't be different from disabling network Attack Protection...

 

Anyway there was a critical MS Security Bulletin this month, concerning a significant issue with Remote Desktop Protocol, with very high possibility of it being exploited.

 

I suggest you make sure all of your servers are up-to-date before disabling Network Attack Blocker, as this may be one of the first worm exploiting this.

Share this post


Link to post
Hi All

 

Earlier today the Network Attack blocker started to block RDP session on port 3389 on a number of our terminal servers. After investigating the issue we sure we don't have any virus/Trojan on the network but we also can't find any real information in the security center as to why it's blocking the RDP requests. The user doesn't even get to the window logon screen!

I have the same issue. I think it started about the same time. It's kind of difficult to debug when you can't access the remote computer. :(

 

I'm replying to your post just to let you know you are not alone. I was able to circumvent the issue by disabling the Network Attack Blocker.

 

New RDP vulnerabilities have recently been discovered that allow an attacker to potentially gain control of a system. Perhaps this issue surfaced as a result of a Microsoft or Kaspersky update - just speculation, of course.

Share this post


Link to post

Still now response from Kaspersky! Going to try and call them again and see if I can get through this time!

Share this post


Link to post
Still now response from Kaspersky! Going to try and call them again and see if I can get through this time!

 

Hi,

Kindly check it

Open Firewall Setting and go to Network Packet Rules, there you allow "TCP connection through Local Ports" and UDP connection through Local Ports". and check the result.

Share this post


Link to post

hi

after weeks of running kes on my servers with no problems

i came in this morning and i have exactly the same issue as is mentioned here

it was working friday before i left work

so a kes update has happened over the weekend to cause this i believe

 

my servers have had no microsoft updates done for a while now

 

 

Share this post


Link to post

Dear All,

 

Having the same issue here. when we RDP to a PC which is protected by Kaspersky connection is getting refuse. After disable the network attack blocker problem is stopping. is this false positive?

post-59117-1332158030_thumb.jpg

Share this post


Link to post

I get the information that the problem should be solved.

 

Please run an update.

 

The reason for this problem should be an update from MS.

Share this post


Link to post

If still block the RDP connection after install KAV update and install windows update, how to fix? :mellow:

Share this post


Link to post

are you getting the email about the network attack as this is what the update from kaspersky cured

or is it just not accessable through rdp

in which case then check your firewall settings

 

Share this post


Link to post

Please disable network attack and enable again.

 

This clears the cache.

Share this post


Link to post

×
×
  • Create New...

Important Information

We use cookies to make your experience of our websites better. By using and further navigating this website you accept this. Detailed information about the use of cookies on this website is available by clicking on more information.