Our security team has noticed our TippingPoint appliance blocking traffic between the server running the Netwrix Account Lockout Examiner and clients on the network. TippingPoint is reporting this traffic as exploits, and the exploit is "MS-RPC Samba RPC Heap Overflow", which is part of the Zero Day Initiative (ZDI-07-033).
We are running version 4.1.417 of the Netwrix Account Lockout Examiner on Windows Server 2012.
This is the only software running on this server, and when I disable the Netwrix Account Lockout Examiner service the traffic to the clients stops.
I'm suspecting it has to do with the tool trying to verify the source of the bad password attempts/lockout, but wanted to see if I could get confirmation on this and that the traffic is normal and by design.