"Informational" threat has default action of "drop-reset"

L1 Bithead

Threat 30861 "Microsoft Windows Server Service NetrServerGetInfo Opnum 21 Access Attempt" has a severity level of "Informational" but a default action of "drop-reset". Is it common for such a low sev level threat to have such a drastic response? It seems like all of the others that I've spot-checked have had an "alert" response.

It's an older threat from 2009 that was updated in May 2017, maybe something related to that?

4 REPLIES

L0 Member

I just opened a case today because this was resetting the connections of our GlobalProtect users when they would try to access internal network shares. Seems like a false positive to me. I'm collecting info about the connections for PA Support so they can assess it further.

Interesting.  Did PA provide a resolution?

L0 Member

This is boning me as well, causing a fair amount of havoc. Any word from PA on this?

Something as simple as typing "\\servername" in the Windows 10 search bar to browse for shares will cause a user machine to hang for a bit, and the Palo Alto logs a blocked threat.

We are also seeing it randomly when a user attaches a file to an email in Outlook and it causes the entire app to crash.

We ended up just changing the default action to alert for that particular "threat". Probably not the best solution, but it is what it is.
