Event ID - 445

Port No: 445
Service Name: MSRPC DCOM RPC BO (3)
RFC Doc: 0
Protocol: TCP
Description: This signature detects attempts to exploit a buffer overflow in Windows RPC DCOM.
Reference Link: Port Number: 445 Service Name: MSRPC DCOM RPC BO (3) Port: TCP
Attack: According to Symantec

Resolution:
The following workaround has been suggested by the vendor.
The following ports should be blocked:
TCP/UDP Port 135
TCP/UDP Port 139
TCP/UDP Port 445
A reliable source has indicated that TCP port 593 (RPC over HTTP, ncacn_http) is also a potential channel for attacks. Microsoft has not mentioned this port in their revised bulletin. Administrators are advised to filter access to it and to any other ports which are not necessary.
The Internet Connection Firewall in Windows XP or Windows Server 2003 will, by default, block inbound RPC traffic.
Disable DCOM on all affected machines
When a computer is part of a network, the DCOM wire protocol enables COM objects on that computer to communicate with COM objects on other computers. You can disable DCOM for a particular computer to help protect against this vulnerability, but doing so will disable all communication between objects on that computer and objects on other computers.
If you disable DCOM on a remote computer, you will not be able to remotely access that computer afterwards to re-enable DCOM. To re-enable DCOM, you will need physical access to that computer.
To manually enable (or disable) DCOM for a computer:
1. Run Dcomcnfg.exe.
If you are running Windows XP or Windows Server 2003, perform these additional steps:
* Click on the Component Services node under Console Root.
* Open the Computers sub-folder.
* For the local computer, right click on My Computer and choose Properties.
* For a remote computer, right click on the Computers folder and choose New then Computer. Enter the computer name. Right click on that computer name and choose Properties.
2. Choose the Default Properties tab.
3. Select (or clear) the Enable Distributed COM on this Computer check box.
4. If you will be setting more properties for the machine, click the Apply button to enable (or disable) DCOM. Otherwise, click OK to apply the changes and exit Dcomcnfg.exe.
To test if ncacn_http is running on port 80 (which may be an additional attack vector), telnet to port 80 and enter:
RPC_CONNECT ip address:593 HTTP/1.0
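The workaround steps above (block the listed ports, disable DCOM, probe port 80 for RPC over HTTP) can be scripted instead of clicked through. The following is an added example, not part of this signature page or Microsoft's bulletin, and it assumes a Windows 8 / Server 2012 or later host where the NetSecurity module (New-NetFirewallRule) is available and an elevated PowerShell session; on Windows XP / Server 2003 the equivalent rules would be created with netsh. The registry value it edits (HKLM\SOFTWARE\Microsoft\Ole, EnableDCOM) is the one Dcomcnfg.exe writes for the "Enable Distributed COM on this Computer" check box. The host name 'server.example.internal' and the firewall rule names are placeholders.

```powershell
# Added example: apply the RPC/DCOM workarounds from this page on a Windows host.
# Assumptions: elevated session, Windows 8 / Server 2012 or later (NetSecurity module).
# Run from an elevated PowerShell prompt.

# 1. Report the current DCOM state. Dcomcnfg.exe stores the check box here
#    as EnableDCOM = "Y" (enabled) or "N" (disabled).
$oleKey = 'HKLM:\SOFTWARE\Microsoft\Ole'
$state  = (Get-ItemProperty -Path $oleKey -Name EnableDCOM -ErrorAction SilentlyContinue).EnableDCOM
"EnableDCOM is currently: $state"

# 2. Disable DCOM. As the page warns, once DCOM is off the machine cannot be
#    reached remotely to turn it back on, so only do this with console access.
#    The change takes full effect after a reboot.
Set-ItemProperty -Path $oleKey -Name EnableDCOM -Value 'N'

# 3. Block inbound 135/139/445 on TCP and UDP, plus TCP 593 (ncacn_http) as
#    recommended above. Rules are created once; re-running is harmless.
$ports = @(
    @{ Port = 135; Proto = 'TCP' }, @{ Port = 135; Proto = 'UDP' },
    @{ Port = 139; Proto = 'TCP' }, @{ Port = 139; Proto = 'UDP' },
    @{ Port = 445; Proto = 'TCP' }, @{ Port = 445; Proto = 'UDP' },
    @{ Port = 593; Proto = 'TCP' }
)
foreach ($p in $ports) {
    $name = "Block inbound RPC/DCOM $($p.Proto)/$($p.Port) (DCOM RPC BO workaround)"  # placeholder rule name
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Action Block `
            -Protocol $p.Proto -LocalPort $p.Port -Profile Any | Out-Null
    }
}

# 4. The manual telnet test above, done from code: open port 80, send the
#    RPC_CONNECT line followed by a blank line, and return whatever comes back.
function Test-RpcOverHttp {
    param([string]$ComputerName, [int]$Port = 80)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($ComputerName, $Port)
        $stream = $client.GetStream()
        $stream.ReadTimeout = 5000
        $request = [System.Text.Encoding]::ASCII.GetBytes("RPC_CONNECT ${ComputerName}:593 HTTP/1.0`r`n`r`n")
        $stream.Write($request, 0, $request.Length)
        $buffer = New-Object byte[] 4096
        $read   = $stream.Read($buffer, 0, $buffer.Length)
        [System.Text.Encoding]::ASCII.GetString($buffer, 0, $read)
    } catch {
        "No response / connection failed: $($_.Exception.Message)"
    } finally {
        $client.Close()
    }
}

# Placeholder target; replace with the host you are checking.
Test-RpcOverHttp -ComputerName 'server.example.internal'
```

The page gives no expected reply for the probe, so read the output yourself: a connection refusal means nothing is listening on 80 at all, an HTTP error for the unrecognised method is the normal result on a web server that does not proxy RPC, and anything else deserves a closer look at whether ncacn_http is mapped on that host.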
