Threat 30861 "Microsoft Windows Server Service NetrServerGetInfo Opnum 21 Access Attempt" has a severity level of "Informational" but a default action of "drop-reset". Is it common for such a low sev level threat to have such a drastic response? It seems like all of the others that I've spot checked have had an "alert" response.
It's an older threat from 2009 that was updated in May 2017, maybe something related to that?
I just opened a case today because this was resetting the connections of our GlobalProtect users when they would try to access internal network shares. Seems like a false positive to me. I'm collecting info about the connections for PA Support so they can assess it further.
This is boning me as well, causing a fair amount of havoc. Any word from PA on this?
Something as simple as typing "\\servername" in the Windows 10 search bar to browse for shares will cause a user machine to hang for a bit, and the Palo Alto logs a blocked threat.
We are also seeing it randomly when a user attaches a file to an email in Outlook and it causes the entire app to crash.