4707 Views 1 Reply Latest reply: Jan 31, 2011 10:35 AM by Kary Tankink
kink80 Champion 472 posts since
Apr 6, 2009

Jan 31, 2011 9:22 AM

HIPS Event blocking incoming netbios-ns (137) and netbios-dgm (138)

I have a machine that has at least 1,000 events logged in the last 2 hours stating the following:

Description:  NT Kernel & System (ntoskrnl.exe)
Path:   C:\WINDOWS\SYSTEM32\NTOSKRNL.EXE
Message:  Blocked Incoming UDP -  Source 192.168.21.126: netbios-ns (137)  Destination 192.168.21.255 : netbios-ns (137)

Description:  NT Kernel & System (ntoskrnl.exe)
Path:   C:\WINDOWS\SYSTEM32\NTOSKRNL.EXE
Message:  Blocked Incoming UDP -  Source 192.168.22.84 : netbios-dgm (138)  Destination 192.168.22.255 : netbios-dgm (138)

I know that it is normal to see some of those entries in the logs, but the fact that I have thousands is alarming. All of the IPs appear to be local IPs from my network, and there are no events logged in the ePO server for this machine. Has anyone seen this type of activity before?

  • Kary Tankink McAfee Employee 655 posts since
    Mar 3, 2010
    I know that it is normal to see some of those entries in the logs, but the fact that I have thousands is alarming.

    A lot of NETBIOS traffic logged (blocked or allowed) is common for a Windows system. You'll want to evaluate if this traffic should be allowed or blocked (is it causing any functionality issues). If the traffic is not needed, then let the HIPS Firewall continue to block the traffic. The reason you see all this blocked traffic is because you have the "Log all blocked traffic" option enabled in the HIPS Activity Log. This behaviour is normal.

    All of the IPs appear to be local IPs from my network, and there are no events logged in the ePO server for this machine. Has anyone seen this type of activity before?

    Host IPS Firewall traffic is not logged to the ePO server.
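To do the evaluation the reply suggests, the following added example (not from the thread and not McAfee's tooling) parses "Message:" lines in the format quoted above and separates UDP 137/138 events aimed at the sender's own subnet broadcast address, which is ordinary NetBIOS name-service and datagram chatter, from any event that does not fit that pattern and deserves a look. It assumes /24 subnets; the first two sample lines are from the post, the third is constructed.

```python
import re
from collections import Counter

# Field layout of a Host IPS firewall activity-log "Message:" line as quoted in the
# thread; the loose spacing around ':' seen in the post is tolerated.
MSG_RE = re.compile(
    r"Blocked Incoming (?P<proto>UDP|TCP) -\s+Source (?P<src>[\d.]+)\s*:\s*"
    r"(?P<sport_name>[\w-]+) \((?P<sport>\d+)\)\s+"
    r"Destination (?P<dst>[\d.]+)\s*:\s*(?P<dport_name>[\w-]+) \((?P<dport>\d+)\)"
)

NETBIOS_PORTS = {137, 138}  # netbios-ns and netbios-dgm

# Constructed sample: two lines copied from the post plus one unicast event.
SAMPLE_LINES = [
    "Message:  Blocked Incoming UDP -  Source 192.168.21.126: netbios-ns (137)  Destination 192.168.21.255 : netbios-ns (137)",
    "Message:  Blocked Incoming UDP -  Source 192.168.22.84 : netbios-dgm (138)  Destination 192.168.22.255 : netbios-dgm (138)",
    "Message:  Blocked Incoming UDP -  Source 192.168.21.126 : netbios-ns (137)  Destination 192.168.21.10 : netbios-ns (137)",
]


def parse_message(line):
    """Return the fields of one Message line as a dict, or None if it does not match."""
    m = MSG_RE.search(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["sport"], ev["dport"] = int(ev["sport"]), int(ev["dport"])
    return ev


def is_subnet_broadcast(src, dst):
    """True if dst is the directed broadcast of src's /24 (assumption: /24 subnets)."""
    return dst.split(".")[:3] == src.split(".")[:3] and dst.endswith(".255")


def triage(lines):
    """Count NetBIOS-to-broadcast events per source; collect everything else for review."""
    result = {"netbios_broadcast": Counter(), "review": []}
    for line in lines:
        ev = parse_message(line)
        if ev is None:
            continue
        if ev["proto"] == "UDP" and ev["dport"] in NETBIOS_PORTS and is_subnet_broadcast(ev["src"], ev["dst"]):
            result["netbios_broadcast"][ev["src"]] += 1
        else:
            result["review"].append(ev)
    return result


if __name__ == "__main__":
    r = triage(SAMPLE_LINES)
    print("broadcast chatter by source:", dict(r["netbios_broadcast"]))
    print("events to review:", [(e["src"], e["dst"], e["dport"]) for e in r["review"]])
```

Feed it the Message lines exported from the activity log: many sources each sending a few events to their own .255 address is the normal pattern the reply describes, while a long "review" list points to traffic worth checking against the firewall rules.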
