I have created a high priority deny for the following rule but I would for this rule to stop popping up on all the workstations, simply because the flag is always waving for all the users.
4/18/2006 8:26:13 AM: The process 'C:\WINDOWS\system32\svchost.exe' (as user NT AUTHORITY\SYSTEM) attempted to communicate with x.x.x.x on UDP port 1900. The attempted access was to initiate a connection as a client (operation = CONNECT). The operation was denied.
What other changes neeed to be made so that users do not see this process at all?
Disable UPNP and SSDP on the machine. check out this website for more info: http://www.grc.com/unpnp/unpnp.htm
Just about all of our machines have this enabled, I was hoping that CSA could stop this, which it has but also not cause the message to post on the machine. I wanted to user to not be notifed of this process being denied.
This rule for the svchost.exe has been quiet on the CSAMC but I'm trying to silent this notice so the end users do not see a flag waving from this deny.
I did however check apply "take precedence over other Hight Priority Deny Rules" but same result.
We were inundated with help desk calls when we migraged from 4.0 to 4.5.1, all because of the "flag waving" and balloon messages. I ended up emailing our clients a very generic explanation about "unnecessary network traffic" which would be "reduced over time". I included several screen shots for illustration also.
I also included instructions on how to "disable balloon messages" on the agent gui.
This seemed to satisfy most people.
Your only other option would be to deploy the agent without the flag visible to the end user.
I'm basically having the same problem where my users are going nuts because of the balloon messages and flag waving all day long.
I guess that will be my next step, sending out an email notifing the user community of unnecessary network traffic.
Again, I was just hoping that I could silence these notices with a rule.
You can silence the flag unless you have another network access control rule set to log for incoming connections:
If you have one rule set to deny incoming connections and log them, users will see the flag waving for all of them. You must create another rule that is set to deny (not high priority deny) acting as a server for a specific port, set to not log and set to take precedence over other deny rules.
I know this works because we do it here for the UPNP/SSDP services. The rule is set to deny svchost.exe from accepting connections on port 1900, not to log and to take precedence over other deny rules.
The only time this doesn't work is when machines are in test mode and then the only place you see messages is on the MC.
If this didn't work we would have hundreds of these flags waving every day.
I've had the same problem and there is no fix. Per the CSA users guide for 4.5, they've added the following bit of 'functionality':
"No network access control rule denial events are logged for any UDP port
resulting from multicast packet signals. (If a collection of hosts have the same
network access control rule and a broadcast such as UDP/138 were denied, then
event messages would inundate CSA MC.) "
This is incredibly short-sided not to provide the means to quiet these events agent-side.
You can quiet them for all agents server side in all CSA versions and agent side for individual hosts in 126.96.36.199 and later by using the workaround in CSCeg87151.
You must be logged in with your CCO login and use the bug toolkit to see it.
Is doing it server side not an option?
We did it and it's much quieter for everyone.