"Informational" threat has default action of "drop-reset"

L1 Bithead


Threat 30861 "Microsoft Windows Server Service NetrServerGetInfo Opnum 21 Access Attempt" has a severity level of "Informational" but a default action of "drop-reset". Is it common for such a low sev level threat to have such a drastic response? It seems like all of the others that I've spot checked have had an "alert" response.


It's an older threat from 2009 that was updated in May 2017, maybe something related to that?

L0 Member

I just opened a case today because this was resetting the connections of our GlobalProtect users when they would try to access internal network shares. Seems like a false positive to me. I'm collecting info about the connections for PA Support so they can assess it further.

L1 Bithead

Interesting. Did PA provide a resolution?

L0 Member

This is boning me as well, causing a fair amount of havoc. Any word from PA on this?


Something as simple as typing "\\servername" in the Windows 10 search bar to browse for shares will cause a user machine to hang for a bit, and the Palo Alto logs a blocked threat.



We are also seeing it randomly when a user attaches a file to an email in Outlook, and it causes the entire app to crash.

L0 Member

We ended up just changing the default action to alert for that particular "threat". Probably not the best solution, but it is what it is.

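Before changing a signature's action from drop-reset to alert, it helps to have the evidence the earlier reply mentions collecting for support: how often threat 30861 fires, for which users, and whether every blocked session is internal-to-internal SMB traffic (the share-browsing pattern described above) rather than something crossing a trust boundary. The script below is an added example for this thread, not Palo Alto Networks code; it assumes a simplified CSV threat-log export whose column layout is an assumption for the example (not the real PAN-OS export schema), and the log lines it parses are constructed, reusing only the threat ID, name, severity and action names that appear in the thread.

```python
import csv
import ipaddress
from collections import Counter
from io import StringIO

# Constructed sample export. The column layout is an assumption for this
# example, not the real PAN-OS threat log schema. Threat 30861, its name,
# "informational" severity and the "drop-reset"/"alert" actions come from the
# thread; the 99999 entry is a placeholder for an unrelated signature.
SAMPLE_LOG = """\
receive_time,threat_id,threat_name,severity,action,src_ip,src_user,dst_ip,dst_port,app
2017/06/12 09:14:02,30861,Microsoft Windows Server Service NetrServerGetInfo Opnum 21 Access Attempt,informational,drop-reset,10.20.5.17,corp\\alice,10.0.1.20,445,msrpc
2017/06/12 09:14:40,30861,Microsoft Windows Server Service NetrServerGetInfo Opnum 21 Access Attempt,informational,drop-reset,10.20.5.17,corp\\alice,10.0.1.20,445,msrpc
2017/06/12 09:31:11,30861,Microsoft Windows Server Service NetrServerGetInfo Opnum 21 Access Attempt,informational,drop-reset,10.20.7.42,corp\\bob,10.0.1.21,445,msrpc
2017/06/12 10:02:55,30861,Microsoft Windows Server Service NetrServerGetInfo Opnum 21 Access Attempt,informational,alert,10.20.7.42,corp\\bob,10.0.1.20,445,msrpc
2017/06/12 10:05:03,99999,Placeholder Unrelated Signature,informational,alert,10.20.9.9,corp\\carol,10.0.1.20,445,msrpc
"""


def parse_threat_log(text):
    """Parse the CSV export into one dict per log entry."""
    return list(csv.DictReader(StringIO(text)))


def is_internal(ip):
    """True for private (RFC 1918), loopback and link-local addresses."""
    return ipaddress.ip_address(ip).is_private


def summarize_threat(rows, threat_id):
    """Tally hits for one threat ID by action, source user and destination.

    'all_internal' is a triage hint: when every blocked session is
    internal-to-internal, the hits match the share-browsing false-positive
    pattern from the thread, which is the evidence to hand to support
    alongside (or instead of) silently downgrading the action to alert.
    """
    hits = [r for r in rows if r["threat_id"] == threat_id]
    blocked = [r for r in hits if r["action"] != "alert"]
    all_internal = bool(blocked) and all(
        is_internal(r["src_ip"]) and is_internal(r["dst_ip"]) for r in blocked
    )
    return {
        "total": len(hits),
        "blocked": len(blocked),
        "by_action": dict(Counter(r["action"] for r in hits)),
        "by_user": dict(Counter(r["src_user"] for r in hits)),
        "by_dest": dict(Counter((r["dst_ip"], r["dst_port"], r["app"]) for r in hits)),
        "affected_users": sorted({r["src_user"] for r in blocked}),
        "all_internal": all_internal,
    }


def print_report(summary, threat_id):
    """Human-readable summary for a support case or change ticket."""
    print(f"Threat {threat_id}: {summary['total']} hits, {summary['blocked']} blocked")
    for action, n in summary["by_action"].items():
        print(f"  action {action}: {n}")
    for (dst, port, app), n in summary["by_dest"].items():
        print(f"  {dst}:{port} ({app}): {n}")
    print(f"  affected users: {', '.join(summary['affected_users']) or 'none'}")
    print(f"  all blocked sessions internal-to-internal: {summary['all_internal']}")


if __name__ == "__main__":
    print_report(summarize_threat(parse_threat_log(SAMPLE_LOG), "30861"), "30861")
```

Run it against a real export only after adjusting the column names to match what your firewall actually produces; the point of the `all_internal` flag and the per-destination tally is to show support that the resets are hitting known file servers on port 445 from authenticated users, which is the distinction between a false positive worth a signature exception and a block worth keeping.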
