High-risk intrusion detections for Port 0 with blank Targeted Application and Host Name fields


Article ID: 162338


Updated On:


Symantec Products


You are receiving email alerts for "High-risk Intrusion Detections" with a Targeted Port Number of 0, a blank Targeted Application and a blank Targeted Host Name.  You also see intrusion events on the Hosted Endpoint Portal with blank "Attacker URLs", Targeted Port of 0 and "No Data Available" in the Application column.

This only affects Server Operating Systems with the Endpoint Protection Small Business Edition (Hosted) product (SEP SBE(Hosted) -or- SEP SBE.Cloud).

A high-risk intrusion was detected on ComputerName within group Default Group on 9/1/2015 5:26:54 PM.

Intrusion Name
Attack: an intrusion attempt was blocked.

Targeted Application

Targeted IP

Targeted Port Number

Targeted Host Name



Symantec is aware of this issue and will update this document when a solution becomes available.  Please subscribe to this article to be notified of any updates.

To work around this issue, review the agent logs to find information about the event.

1. Open C:\ProgramData\Symantec.cloud\Logs\6000\SEPAgent.log (You may need to un-hide hidden directories first: http://windows.microsoft.com/en-us/windows/show-hidden-files#show-hidden-files=windows-7)

2. Search for the following: "an intrusion attempt was blocked"

Things to look for:

localIP="<number>"  * (IP of the computer being attacked)
remoteIP="<number>" * (IP address of the origin of the attack)
signature="<signature>" ** (This is the name of the IPS detection)

* The IP addresses are in decimal notation. There are various calculators available online that will convert these values to IPv4 and IPv6 addresses.
** More details on attack signatures can be found with our Security Response information: http://www.symantec.com/security_response/attacksignatures/
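
The log review described above can be scripted. The following is an added example, not Symantec code: it pulls `localIP`, `remoteIP` and `signature` from lines containing the search string and converts the decimal addresses to IPv4/IPv6 notation. The sample lines are constructed; everything in them outside the three attributes is an assumed layout, and the conversion assumes the usual most-significant-byte-first decimal form.

```python
import ipaddress
import re

MARKER = "an intrusion attempt was blocked"
# Only the three attributes named in the article are extracted.
ATTR_RE = re.compile(r'\b(localIP|remoteIP|signature)="([^"]*)"')

def decimal_to_ip(value):
    """Convert a decimal address string to IPv4 or IPv6 text.

    Values below 2**32 are treated as IPv4, larger ones as IPv6.
    Raises ValueError for non-numeric or out-of-range input.
    """
    return str(ipaddress.ip_address(int(value)))

def parse_blocked_intrusions(lines):
    """Return one dict per log line that contains MARKER."""
    events = []
    for line in lines:
        if MARKER not in line:
            continue
        attrs = dict(ATTR_RE.findall(line))
        event = {"signature": attrs.get("signature")}
        for key in ("localIP", "remoteIP"):
            raw = attrs.get(key)
            try:
                event[key] = decimal_to_ip(raw) if raw is not None else None
            except ValueError:
                event[key] = raw  # keep the raw value for manual review
        events.append(event)
    return events

# Constructed sample input (not real log data; addresses are documentation ranges).
V6_DECIMAL = int(ipaddress.IPv6Address("2001:db8::1"))
SAMPLE_LINES = [
    '2015-09-01 17:26:54 IPS: an intrusion attempt was blocked '
    'localIP="3232235786" remoteIP="3405803876" signature="Constructed Signature A"',
    '2015-09-01 17:27:10 unrelated agent message',
    '2015-09-01 17:30:02 IPS: an intrusion attempt was blocked '
    f'localIP="not-a-number" remoteIP="{V6_DECIMAL}" signature="Constructed Signature B"',
]

if __name__ == "__main__":
    for ev in parse_blocked_intrusions(SAMPLE_LINES):
        print(ev)
```

To run it against the real file, pass the opened `SEPAgent.log` to `parse_blocked_intrusions` in place of `SAMPLE_LINES`.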