Just about all of our machines have this enabled, I was hoping that CSA could stop this, which it has but also not cause the message to post on the machine. I wanted to user to not be notifed of this process being denied.

Change your rule to deny, not log and take precedence over other deny rules.

That should stop it quietly...

Tom S

This rule for the svchost.exe has been quiet on the CSAMC but I'm trying to silent this notice so the end users do not see a flag waving from this deny.

I did however check apply "take precedence over other Hight Priority Deny Rules" but same result.

And the rule is set not to log, correct?

That is correct, the rule is set for no logging.

thx

Adam,

We were inundated with help desk calls when we migraged from 4.0 to 4.5.1, all because of the "flag waving" and balloon messages. I ended up emailing our clients a very generic explanation about "unnecessary network traffic" which would be "reduced over time". I included several screen shots for illustration also.

I also included instructions on how to "disable balloon messages" on the agent gui.

This seemed to satisfy most people.

Your only other option would be to deploy the agent without the flag visible to the end user.

I'm basically having the same problem where my users are going nuts because of the balloon messages and flag waving all day long.

I guess that will be my next step, sending out an email notifing the user community of unnecessary network traffic.

Again, I was just hoping that I could silence these notices with a rule.

Thanks!

You can silence the flag unless you have another network access control rule set to log for incoming connections:

If you have one rule set to deny incoming connections and log them, users will see the flag waving for all of them. You must create another rule that is set to deny (not high priority deny) acting as a server for a specific port, set to not log and set to take precedence over other deny rules.

I know this works because we do it here for the UPNP/SSDP services. The rule is set to deny svchost.exe from accepting connections on port 1900, not to log and to take precedence over other deny rules.

The only time this doesn't work is when machines are in test mode and then the only place you see messages is on the MC.

If this didn't work we would have hundreds of these flags waving every day.

Tom S

I've had the same problem and there is no fix. Per the CSA users guide for 4.5, they've added the following bit of 'functionality':

"No network access control rule denial events are logged for any UDP port

resulting from multicast packet signals. (If a collection of hosts have the same

network access control rule and a broadcast such as UDP/138 were denied, then

event messages would inundate CSA MC.) "

This is incredibly short-sided not to provide the means to quiet these events agent-side.

You can quiet them for all agents server side in all CSA versions and agent side for individual hosts in 5.0.0.187 and later by using the workaround in CSCeg87151.

Tom

I searched for that on Cisco.com and google and came up short on both. Where do I download that document?

Thanks.

You must be logged in with your CCO login and use the bug toolkit to see it.

Is doing it server side not an option?

We did it and it's much quieter for everyone.

Tom