Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

CSA 4.5.1.639 - svchost.exe and UDP 1900 UPNP

I have created a high priority deny for the following rule but I would for this rule to stop popping up on all the workstations, simply because the flag is always waving for all the users.

4/18/2006 8:26:13 AM: The process 'C:\WINDOWS\system32\svchost.exe' (as user NT AUTHORITY\SYSTEM) attempted to communicate with x.x.x.x on UDP port 1900. The attempted access was to initiate a connection as a client (operation = CONNECT). The operation was denied.

What other changes neeed to be made so that users do not see this process at all?

13 REPLIES
New Member

Re: CSA 4.5.1.639 - svchost.exe and UDP 1900 UPNP

Disable UPNP and SSDP on the machine. check out this website for more info: http://www.grc.com/unpnp/unpnp.htm

New Member

Re: CSA 4.5.1.639 - svchost.exe and UDP 1900 UPNP

Just about all of our machines have this enabled, I was hoping that CSA could stop this, which it has but also not cause the message to post on the machine. I wanted to user to not be notifed of this process being denied.

Blue

Re: CSA 4.5.1.639 - svchost.exe and UDP 1900 UPNP

Change your rule to deny, not log and take precedence over other deny rules.

That should stop it quietly...

Tom S

New Member

Re: CSA 4.5.1.639 - svchost.exe and UDP 1900 UPNP

This rule for the svchost.exe has been quiet on the CSAMC but I'm trying to silent this notice so the end users do not see a flag waving from this deny.

I did however check apply "take precedence over other Hight Priority Deny Rules" but same result.

Blue

Re: CSA 4.5.1.639 - svchost.exe and UDP 1900 UPNP

And the rule is set not to log, correct?

New Member

Re: CSA 4.5.1.639 - svchost.exe and UDP 1900 UPNP

That is correct, the rule is set for no logging.

thx

New Member

Re: CSA 4.5.1.639 - svchost.exe and UDP 1900 UPNP

Adam,

We were inundated with help desk calls when we migraged from 4.0 to 4.5.1, all because of the "flag waving" and balloon messages. I ended up emailing our clients a very generic explanation about "unnecessary network traffic" which would be "reduced over time". I included several screen shots for illustration also.

I also included instructions on how to "disable balloon messages" on the agent gui.

This seemed to satisfy most people.

Your only other option would be to deploy the agent without the flag visible to the end user.

New Member

Re: CSA 4.5.1.639 - svchost.exe and UDP 1900 UPNP

I'm basically having the same problem where my users are going nuts because of the balloon messages and flag waving all day long.

I guess that will be my next step, sending out an email notifing the user community of unnecessary network traffic.

Again, I was just hoping that I could silence these notices with a rule.

Thanks!

Blue

Re: CSA 4.5.1.639 - svchost.exe and UDP 1900 UPNP

You can silence the flag unless you have another network access control rule set to log for incoming connections:

If you have one rule set to deny incoming connections and log them, users will see the flag waving for all of them. You must create another rule that is set to deny (not high priority deny) acting as a server for a specific port, set to not log and set to take precedence over other deny rules.

I know this works because we do it here for the UPNP/SSDP services. The rule is set to deny svchost.exe from accepting connections on port 1900, not to log and to take precedence over other deny rules.

The only time this doesn't work is when machines are in test mode and then the only place you see messages is on the MC.

If this didn't work we would have hundreds of these flags waving every day.

Tom S

New Member

Re: CSA 4.5.1.639 - svchost.exe and UDP 1900 UPNP

I've had the same problem and there is no fix. Per the CSA users guide for 4.5, they've added the following bit of 'functionality':

"No network access control rule denial events are logged for any UDP port

resulting from multicast packet signals. (If a collection of hosts have the same

network access control rule and a broadcast such as UDP/138 were denied, then

event messages would inundate CSA MC.) "

This is incredibly short-sided not to provide the means to quiet these events agent-side.

Blue

Re: CSA 4.5.1.639 - svchost.exe and UDP 1900 UPNP

You can quiet them for all agents server side in all CSA versions and agent side for individual hosts in 5.0.0.187 and later by using the workaround in CSCeg87151.

Tom

New Member

Re: CSA 4.5.1.639 - svchost.exe and UDP 1900 UPNP

I searched for that on Cisco.com and google and came up short on both. Where do I download that document?

Thanks.

Blue

Re: CSA 4.5.1.639 - svchost.exe and UDP 1900 UPNP

You must be logged in with your CCO login and use the bug toolkit to see it.

Is doing it server side not an option?

We did it and it's much quieter for everyone.

Tom

455
Views
19
Helpful
13
Replies