SEP Client …Block Traffic From IP Address… Event ID 8003, 8009, and 8019 Master Browser

SEP Client may sometimes block traffic from IP Address on the Local Area Network when workstations are part of a Workgroup and not Domain joined due to Master Browser/ Computer Browser service and will generate Event ID 8003, Event ID 8009, and Event ID 8019.

 

Symantec Endpoint Protection

Port Scan attack is logged

The client will block traffic from IP address xxx.xxx.xxx.xxx for the next xxx seconds (from xx/xx/xxxx to x/xx/xxxx).

Symantec Intrusion Prevention services on a PC has blocked traffic from a workstation on the same LAN.

If the workstations are not domain joined and are part of a Workgroup in the local area network, and are running a SEP client, this may trigger a false positive on one or more workstations.  This is due to the fact that all Windows computers still broadcast traffic to each other because they are all part of a Workgroup on the same LAN.  For a local area network Workgroup, a single workstation is elected (by all other workstations in the LAN) as Master Browser; this happens automatically between Windows machines on the same LAN that are in a Workgroup.  If another PC on the LAN attempts to become Master Browser for the Workgroup, an Event ID 8003 will be logged on the machine that is the current Master Browser.

Log Name:     System
Source:         bowser
Date:          x/x/xxxx
Event ID:      8003
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:     ComputerNameHere
Description:
The master browser has received a server announcement from the computer HostNameHere that believes that it is the master browser for the domain on transport NetBT_Tcpip_{xxxxx}. The master browser is stopping or an election is being forced.

On the computer attempting to become the Master Browser, you will find Event ID 8009 and Event ID 8019 that will have been logged at around the time of the incident.  It is a false positive caused by background network traffic between both computers competing for the Master Browser role on the LAN.

Future Symantec Endpoint Protection client IPS …block traffic from IP address… notifications caused by the Master Browser/ Computer Browser service related to Event ID 8003, Event ID 8009 and Event ID 8019 can be prevented by going to Control Panel > Administrative Tools > Services and locating “Computer Browser”.  If the service is “Started”, double-click it and set to “Disable”.  This will prevent this type of background communication from taking place between both workstations.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s