All across my network, random computers have been receiving a ton of McAfee HIPS blocks that state "Blocked outgoing UDP Source random IP netbios (137) destination IP". The only way we can resolve this is by putting the computers in rule exception, which we can't have for long, so essentially the computers are useless. I have already verified their place in DNS and DHCP and have ensured no duplicate IPs or hostnames exist. Any other thoughts would be greatly appreciated.
- *Do* the computers spill out those packets? Check with Wireshark or tcpdump (ideally using a monitor port on a switch). If yes, you may have an "unwanted software" problem. Windows does not send "random ip" packets, even with UDP. – bjoster Jun 07 '21 at 20:23
- I've used terminal monitor on the switch of the computer with the issue; however, I have never seen denials appear. When refreshing HIPS activity there are 5-10 more errors each time I press refresh consecutively. – techbuffalo Jun 08 '21 at 17:40
- I don't know what you mean by "terminal monitor", but you will have to *trace those packets* to be sure if they are real and where they are coming from. – bjoster Jun 09 '21 at 14:45
1 Answer
Ports 137, 138, and 139 are traditionally NetBIOS over TCP. This is obsolete in a network capable of modern SMB with DNS over IP.
Disable NetBIOS over TCP/IP, in the network stack of Windows hosts, or via a DHCP option. Anything that requires NetBIOS to function is likely quite old and requires special attention to secure.

John Mahowald
- I was able to disable it through the network controls; however, after restarting the computer we still get the same blocks. Is there a way to do this via the port instead? All of our blocks show ports 137/138. – techbuffalo Jun 07 '21 at 15:14
- Capture packets, examine them, and do some tracing (procmon) to determine what the hosts are doing. – John Mahowald Jun 07 '21 at 19:22
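
Added example, not part of the original thread: a minimal Python decoder for the UDP/137 payloads that the comments recommend capturing, showing which NetBIOS name a host is querying or registering and whether the packet is a broadcast. The function names and the sample packet (host name `FILESRV01`) are constructed for illustration; the field layout follows RFC 1002.

```python
import struct

# NBNS opcodes and question types as defined in RFC 1002
OPCODES = {0: "query", 5: "registration", 6: "release", 7: "wack", 8: "refresh"}
QTYPES = {0x0020: "NB", 0x0021: "NBSTAT"}


def encode_name(name, suffix=0x00):
    """First-level encode a NetBIOS name (used here only to build samples)."""
    raw = name.upper().ljust(15).encode("ascii") + bytes([suffix])
    enc = bytes(0x41 + n for b in raw for n in (b >> 4, b & 0x0F))
    return b"\x20" + enc + b"\x00"


def parse_nbns(payload):
    """Decode the header and first question of a UDP/137 payload."""
    if len(payload) < 12:
        raise ValueError("shorter than the 12-byte NBNS header")
    txid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    info = {
        "txid": txid,
        "response": bool(flags & 0x8000),        # R bit
        "opcode": OPCODES.get((flags >> 11) & 0xF, "unknown"),
        "broadcast": bool(flags & 0x0010),       # B bit in NM_FLAGS
        "name": None, "suffix": None, "qtype": None,
    }
    if qdcount == 0:
        return info
    body = payload[12:]
    # Question: length byte 0x20, 32 encoded chars, 0x00, QTYPE, QCLASS
    if len(body) < 38 or body[0] != 0x20 or body[33] != 0x00:
        raise ValueError("question is not a plain first-level encoded name")
    enc = body[1:33]
    if any(not 0x41 <= c <= 0x50 for c in enc):
        raise ValueError("invalid character in encoded name")
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, 32, 2))
    info["name"] = raw[:15].decode("ascii", "replace").rstrip()
    info["suffix"] = raw[15]                     # service type, e.g. 0x20
    qtype = struct.unpack("!H", body[34:36])[0]
    info["qtype"] = QTYPES.get(qtype, hex(qtype))
    return info


# Constructed sample: broadcast name query (flags RD + B = 0x0110)
SAMPLE = (struct.pack("!HHHHHH", 0x1A2B, 0x0110, 1, 0, 0, 0)
          + encode_name("FILESRV01", 0x20) + struct.pack("!HH", 0x0020, 0x0001))
print(parse_nbns(SAMPLE))
```

Feed it the UDP payload bytes exported from a capture; the decoded name and opcode show what the host is trying to resolve or register when HIPS logs the block.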