False Positive: MISC MS Terminal Server no encryption session initiation attempt
Upgraded to Sunbelt Firewall 4.6 Beta and suddenly my Remote Desktop Connection host stopped working. The log says "MISC MS Terminal Server no encryption session initiation attempt". I believe this is the False Positive DOS detection attempt. Can you help?
-
Are you getting any pop-ups from the firewall regarding a DOS attack? To make sure your Remote Desktop Connection has full access through the firewall, under Network Security, change "Generic Host Process" to "ASK" or "Permit" across the board.
Jason Layman
Tier 2 Tech -
Hi Jason - yes, I have given RDC/Generic Host Process full access for internal hosts, I even set up the packet filter specifically. It had been working perfectly fine before the upgrade to 4.6 Beta.
I also wasn't getting any pop ups from the firewall, it just logged under DOS attack. -
Something may have gone wrong with the configuration file during the upgrade since it is a little different than the previous versions. Navigate to the C:\Program Files\Sunbelt Software\Personal Firewall\Config folder. Delete the "spf.cfg" file in there. This will reset your configuration. Then recreate the filter you set up for RDC within the firewall.
Jason Layman
Tier 2 Tech -
Hey Jason
I uninstalled 4.6 beta, deleted the sunbelt directory, and registry key and installed the latest stable release 4.6.1638.
Guess what, still unable to do Remote Desktop (RDC) from other machine to this machine.
The NIPS log kept saying "MISC MS Terminal Server no encryption session initiation attempt"
Please help!
I’m frustrated
-
Ok, in the NIPS Advanced section, change Medium intrusions to "Allow." If that doesn't work, turn NIPS off completely. If NIPS is the culprit I would like to get your logs so we can get this resolved permanently.
1. First open SPF
2. Then under overview select preferences, then export
3. A window will popup, select the logs folder, then at the bottom of the window to the right of file name type in spf4, and hit save.
4. Next run the utility below, if you get any warnings about Windows Scripting or a Zip program you will need to allow them in order to successfully use this utility.
5. Once the utility is finished it will place a zip file on your desktop; send this file in a reply email as an attachment. You will also need to enter your ticket id, which is provided below.
[001-00-231260]
SPF support Utility
http://www.sunbelt-software.com/ihs/s...
Send the .zip file to support@sunbelt-software.com and reference ticket # 001-00-231260.
Thanks,
Jason Layman -
I'm sorry, it seems the Support Utility link was cut short; use this one instead.
http://tinyurl.com/6lmuha
Thanks,
Jason Layman -
I have this problem for incoming RDP connections to my PC (Windows XP SP3).
Those connections are blocked based on "MISC MS Terminal Server no encryption session initiation attempt", details in MS01-52.
Permitting all (!) Medium priority intrusions "solves" the problem...
I think it started after upgrading to SPF 4.6.1845 and the following update of IDSRules for the NIPS rules. -
Commenting out the line
alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"MISC MS Terminal Server ...
in Config\IDSRules\misc.rlk and enabling Medium priority intrusions apparently also solves the problem, while keeping NIPS enabled for medium priority intrusions. -
That's exactly what you need to do. I was trying to get your NIPS rules so I could edit them, but it seems you're one step ahead of me. If you need anything else, just let us know.
Regards,
Jason Layman