Threat 30861 "Microsoft Windows Server Service NetrServerGetInfo Opnum 21 Access Attempt" has a severity level of "Informational" but a default action of "drop-reset". Is it common for such a low sev level threat to have such a drastic response? It seems like all of the others that I've spot checked have had an "alert" response.
It's an older threat from 2009 that was updated in May 2017, maybe something related to that?
I just opened a case today because this was resetting the connections of our Global Protect users when they would try to access internal network shares. Seems like a false positive to me. I'm collecting info about the connections for PA Support so they can assess it further.
This is boning me as well, causing a fair amount of havoc. Any word from PA on this?
Something as simple as typing "\\servername" in the Windows 10 search bar to browse for shares will cause a user machine to hang for a bit, and the Palo Alto logs a blocked threat.
We are also seeing it randomly when a user attaches a file to an email in Outlook and it causes the entire app to crash.
We ended up just changing the default action to alert for that particular "threat". Probably not the best solution, but it is what it is.