SEP Client …Block Traffic From IP Address… Event ID 8003, 8009, and 8019 Master Browser

SEP Client may sometimes block traffic from IP Address on the Local Area Network when workstations are part of a Workgroup and not Domain joined due to Master Browser/ Computer Browser service and will generate Event ID 8003, Event ID 8009, and Event ID 8019.


Symantec Endpoint Protection

Port Scan attack is logged

The client will block traffic from IP address for the next xxx seconds (from xx/xx/xxxx to x/xx/xxxx).

Symantec Intrusion Prevention services on a PC has blocked traffic from a workstation on the same LAN.

If the workstations are not domain joined and are part of a Workgroup in the local area network, and are running a SEP client, this may trigger a false positive on one or more workstations.  This is due to the fact that all Windows computers still broadcast traffic to each other because they are all part of a Workgroup on the same LAN.  For a local area network Workgroup, a single workstation is elected (by all other workstations in the LAN) as Master Browser; this happens automatically between Windows machines on the same LAN that are in a Workgroup.  If another PC on the LAN attempts to become Master Browser for the Workgroup, an Event ID 8003 will be logged on the machine that is the current Master Browser.

Log Name:     System
Source:         bowser
Date:          x/x/xxxx
Event ID:      8003
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:     ComputerNameHere
The master browser has received a server announcement from the computer HostNameHere that believes that it is the master browser for the domain on transport NetBT_Tcpip_{xxxxx}. The master browser is stopping or an election is being forced.

On the computer attempting to become the Master Browser, you will find Event ID 8009 and Event ID 8019 that will have been logged at around the time of the incident.  It is a false positive caused by background network traffic between both computers competing for the Master Browser role on the LAN.

Future Symantec Endpoint Protection client IPS …block traffic from IP address… notifications caused by the Master Browser/ Computer Browser service related to Event ID 8003, Event ID 8009 and Event ID 8019 can be prevented by going to Control Panel > Administrative Tools > Services and locating “Computer Browser”.  If the service is “Started”, double-click it and set to “Disable”.  This will prevent this type of background communication from taking place between both workstations.

#computer-browser, #event-id-8003, #event-id-8009, #event-id-8019, #lan, #master-browser, #port-scan-attack-is-logged, #symantec-block-traffic-from-ip-address, #symantec-endpoint-protection, #symantec-intrusion-prevention, #the-client-will-block-traffic-from-ip-address, #the-master-browser-has-received-a-server-announcement-from-the-computer, #workgroup

Fix Memory Usage by File Based Write Filter Reached a Critical Warning Level

Memory Usage by File Based Write Filter Reached a Critical Warning Level notification followed by automatic reboot is due to the Cache Threshold Size having been reached.  RAM for FBWF Cache Usage is set to 128 MB for 32 Bit systems and 256 MB for 64 Bit systems.

By Default, Low Memory Message 1 is set to 70 Percent and will show the Green Lock icon within a Yellow Circle when memory usage by file based write filter has reached that threshold (70 Percent of Threshold Size).

By Default, Low Memory Message 2 is set to 95 Percent and will show the Green Lock icon within a Red Circle when memory usage by file based write filter has reached that threshold (95 Percent of Threshold Size).  At that point the system will reboot in 120 seconds.

Memory Usage by File Based Write Filter Reached a Critical Warning Level notification will usually appear on systems that have installed applications locally other than the very basic clients used to connect to a virtual environment.

In our case, the HP T620 thin client was displaying the Memory Usage by File Based Write Filter Reached a Critical Warning Level notification after installing several applications locally such as printer drivers for locally installed printers, Adobe Acrobat Pro, Symantec Endpoint Protection client, Teamviewer and updating Internet Explorer to the latest version.  The issue was promptly resolved by increasing the RAM for FBWF Cache Usage (MB) from the default threshold size of 128 MB to 256 MB on a 32 Bit system.

As a best practice, you don’t want to install these type of applications on a thin client to begin with.


#fat-client-fbwf, #hp, #hp-t620, #low-memory-message-1, #memory-usage-by-file-based-write-filter-reached, #memory-usage-by-file-based-write-filter-reached-a-critical-warning-level-notification, #t620, #thin-client-fbwf, #virtualization-2, #windows-7-embedded

Surface Pro stuck on Surface Screen and Won’t Turn On

For a Surface Pro 3 that is stuck on the Surface screen and won’t turn on, holding down the + Volume button and the Power button for 15 seconds may fix the problem for you.  There are other ways you can try and fix a Surface Pro stuck on Surface Logo screen that won’t start up.  For example, holding down the power button for 30 seconds and then powering back on has worked for me when failed updates have caused the Surface Pro to get stuck on Surface logo screen in the past.  This time around, that did not work.  A quick Google search brought me to this comment section where others were experiencing the same problem with the Surface Pro stuck on Surface Logo screen

What ended up working for me was a two button shutdown. Turn it on – when you get stuck with just the Surface logo, press and hold the Volume Up + the Power button for at least 15 seconds. My screen shut off almost instantly – however, it vibrated about 10 seconds later. Then wait 30 seconds and press the Power button to start it back up.


#surface-pro-stuck-on-surface-logo-screen, #surface-pro-stuck-on-surface-screen, #surface-pro-wont-start-up, #surface-pro-wont-turn-on

XenApp 7.6 All-In-One Printer and Scanner Support – Twain Redirection and Auto-Create Client Printers

Citrix has made some improvements when it comes to printing on XenApp 7.6.  Coming from a XenApp 5.0 farm where the print spooler had to be restarted at least once a day, I’m glad to report no current issues exist in our XenApp 7.6 site.  As noted in a previous post: XenApp 7.6 – ThinPrint .Print Engine – Printer Issues – Windows can not connect to the printer 0x00000057, printing issues in XenApp 5.0 could usually be traced back to incompatible print drivers.  A solution that worked great in XenApp 5.0 and we later incorporated to our XenApp 7.6 site was the use of Cortado’s Thin Print V-Layer technology.  V-Layer allowed us to virtualize all network printers on our print server and use only one driver supplied in ThinPrint, the TP OutPut Gateway Driver.  This one driver was installed on all XenApp servers thus eliminating the need for native print drivers.

Driver incompatibility presented us with a challenge in XenApp 5.0 of not being able to support All-In-One Printers in a Citrix XenApp session.  Organizations coming from a non-virtual computing solution sometimes find they have invested significantly in devices that may not necessarily be recommended in a Citrix XenApp environment.  This was the case when we moved to XenApp 5.0 some time back.  While replacing older PCs with thin clients, we found several of these had locally installed All-In-One printers.  The use of All-In-One printers was a determining factor in whether or not a PC could be replaced with a thin client; the latter being preferred over a PC for for ease of deployment, management and reduction of IT support overhead.

On XenApp 7.6 I sought to address the need for supporting All-In-One printers by implementing Twain Redirection and configuring Auto-Create Client Printers.

For supporting printer functionality of All-In-One printers in XenApp 7.6, I have enabled Auto-Create Client Printers via a Citrix Policy.  Auto-Create Client Printers maps printers that are installed locally on the client machine and makes them available to the user within the Citrix XenApp session.  The printer, by default, is created using the Citrix Universal Printer driver.  For most of our users, this has been disabled so as to minimize the possibility of printing issues due to the use of drivers other than the TP OutPut Gateway.  One Citrix policy applied to all users in the Domain disables Auto-Create Client Printers.  A separate policy was created that enables Auto-Create Client Printers.  This second policy is placed higher up in the policies list to give it priority over the one that disables client printer auto-creation for everyone else.  The policy that allows client printer auto-creation is applied only to a few users that have All-In-One printers installed locally on the client machine and is configured to auto-create the client’s default printer only .

For scanner support in XenApp 5.0 we had been using RemoteScan.  RemoteScan server software and client software enabled the use of scanners for virtual environments.  While it worked for the most part, we often had issues with the software loading too slow.  Another problem was that scanners sometimes went undetected on the XenApp servers.  And lastly, keeping track of licensing became a problem when re-purposing thin clients for use by other departments.  Twain Redirection proved a viable and stable alternative in XenApp 5.0 and is what we have implemented in XenApp 7.6.  Twain Redirection works with All-In-One Printers as the server OS is able to detect the scanner so long as the client machine has a Twain driver installed.  A policy was created and Client Twain Device Redirection was set to Allowed.  Twain Compression Level was configured to Medium.

Having created policies for Twain Redirection and Auto-Create Client Printers has allowed us to support All-In-One printer and scanner functionality in XenApp 7.6.  Thus, we are no longer limited to which workstations can be replaced with thin clients.  Still, due to system requirements, choosing the appropriate thin client is key when replacing a PC that has a locally installed All-In-One printer.  The HP T620 thin client runs Windows 7 Embedded and has more resources than its predecessors, the HP T610 and HP T5740.  HP T620 is what we are currently using.  Remember to download and install basic Twain drivers for the All-In-One printers to use with thin clients and not the full software version.  Lighter is better.

#auto-create-client-printers, #hp-t620, #t620, #twain-redirection, #windows-7-embedded, #xenapp-7-6-all-in-one-printer, #xenapp-7-6-auto-create-client-printers, #xenapp-7-6-client-printers, #xenapp-7-6-client-scanner, #xenapp-7-6-twain-redirection

Acrobat Pro 9 Online PDF Printing Issue in IE10 and IE11 Web Browsers

This problem may or may not be specific to Windows 7.  In this case, Windows 7 embedded is installed on an HP T620 thin client.  The user logs in to a web application using Internet Explorer 10 and Internet Explorer 11.  On the web application, the user has access to PDF files that open in the IE browser.  When trying to print a PDF from IE10  or IE11 web browser, the Printer dialog box appears corrupt and is unresponsive.

A workaround is to open Adobe Acrobat Pro > Edit > Preferences > Internet and uncheck Display PDF in browser. This will load the online PDF in Adobe Acrobat Pro 9 instead of the IE10/ IE11 web browser.  However, if the user needs to interact with the PDF form in other ways other than just printing, such as signing the form with a signature pad or submitting it online, this workaround will have disabled that functionality.  In that case, upgrading to a more recent version of Adobe Acrobat Pro will be required to fix the Acrobat Pro 9 online PDF Printing issue in IE10 and IE11 web browsers.

#acrobat-pro-9-online-pdf-printing-issue, #adobe-acrobat-pro-9-web-printing-issue, #display-pdf-in-browser, #hp-t620, #pdf-printing-issue-ie11, #pdfprinting-issue-ie10, #printing-pdf-online, #t620, #windows-7