Endpoint Protection


Block SEP Policy Update

  • 1.  Block SEP Policy Update

    Posted Nov 11, 2013 12:01 AM

    I want to create a Windows Firewall rule to block SEP from updating its policy.

    I have modified some of SEP policy and I don't want it to connect to my company server to update the policy.

    I want to know about:

    1. Which executable file (program) is running when the policy update runs?

    2. What service needs to be blocked (if any)?

    3. What protocol and port are used in updating the policy?

     

    Thank you.



  • 2.  RE: Block SEP Policy Update

    Posted Nov 11, 2013 12:10 AM

    Hi,

     

    If you want some of your SEP clients not to update policy, you can create a new group, move that particular system into it, and not apply the particular policy.

     

    Which Communication Ports does Symantec Endpoint Protection 11.0 use?

     

    Article:TECH102416 | Created: 2007-01-06 | Updated: 2012-12-24 | Article URL http://www.symantec.com/docs/TECH102416

     



  • 3.  RE: Block SEP Policy Update

    Posted Nov 11, 2013 12:18 AM

    1. Which executable file (program) is running when the policy update runs?

    ---->SMC.exe

    2. What service needs to be blocked (if any)?

    ----->Symantec management client service

    3. What protocol and port are used in updating the policy?

    ----->TCP port 8014 (or whatever port you used during SEPM install). If you block this port then there won't be any update from SEPM to the client. You can use Windows Firewall to block this port.

    Blocking SMC will block policy updates and also virus definition updates. The communication between SEPM and clients will happen based on pull mode or push mode. If you do not want clients to communicate with SEPM for some period of time then you can put them in a different group and assign them PULL mode with a higher interval.

    http://www.symantec.com/business/support/index?page=content&id=HOWTO55197

     

     



  • 4.  RE: Block SEP Policy Update
    Best Answer

    Posted Nov 11, 2013 06:11 AM

    The interesting thing about this is, I've tried to block port 8014 using the SEP firewall. It doesn't work. Client/server communication still takes place. I don't believe there is anything in the public knowledgebase but something must be hardcoded.

    You can try the Windows firewall to block it.

    SMC.exe will need to be blocked



  • 5.  RE: Block SEP Policy Update

    Posted Nov 11, 2013 08:27 AM

    I have tried to block TCP port 8014 using Windows Firewall but the policy update can still run successfully.

    The thing is I want SEP not to be able to update its policy, but I want it to still be able to update its database.

     

    Can anyone tell me the correct Windows Firewall rule to do this?



  • 6.  RE: Block SEP Policy Update

    Posted Nov 11, 2013 08:31 AM

    So it looks like you're using SSL (port 443). Have you tried blocking 443?

    Also, is there a specific reason you need to block this? This is an unusual step to take.



  • 7.  RE: Block SEP Policy Update

    Posted Nov 11, 2013 10:28 AM

    Whatever is the reason, it is good it does not work... if you block SEP communication with the same SEP firewall, how would you like to restore it when the block is not needed anymore?



  • 8.  RE: Block SEP Policy Update

    Posted Nov 11, 2013 10:38 AM

    Hello,

    All the communication between clients and SEPM is on port 8014 (or 443 if SSL is used). You can't block only the policy traffic (and not the rest), nor can you block only one group of clients, i.e. all or nothing; that is, the easiest solution is to block the incoming connections to port 8014 on the SEPM server!

    You need to use the Windows Firewall. If you want to block only some specific clients, enter their IP addresses/hostnames in that firewall rule.

    You should not do it by using the SEP firewall otherwise you won't be able to revert it back.

    Anyway, why don't you just fix your wrong policy?



  • 9.  RE: Block SEP Policy Update

    Posted Nov 11, 2013 11:13 PM

    So there is no right or wrong policy in my SEP.

     

    The reason why I want to do this is because my company policy requires us to encrypt all USB storage devices using BitLocker in order to be able to write to them.

    I have the policy to bypass this requirement, so I can write to USB without having it encrypted by BitLocker.

    But once I have connected to the internet, the policy update runs and updates itself with the company policy.

     

    I just want to disable this policy update activity. I think I can block it using Windows Firewall if I know the protocol, port, etc.



  • 10.  RE: Block SEP Policy Update

    Posted Nov 11, 2013 11:43 PM

    Is this on your laptop? I think it's getting the update from the Internet, SEPM is published over the Internet?

    In this case you can try blocking smc.exe as a program using Windows Firewall.

     

     



  • 11.  RE: Block SEP Policy Update

    Posted Nov 12, 2013 06:11 AM

    Are you a SEP administrator or just a user?

    If you are not a SEP admin, you should talk to one of them and solve the issue at its root by changing the SEP policies to match what you are allowed to do on paper.

    Furthermore, are you allowed to import custom SEP policies in your SEP agent? Anyway, to stop the connection you need to stop the outgoing traffic to port 8014 (protocols are TCP at transport layer and HTTP at application layer).



  • 12.  RE: Block SEP Policy Update

    Posted Nov 13, 2013 12:37 AM

    I have found a way to block the SEP policy update.

    Thanks all.



  • 13.  RE: Block SEP Policy Update

    Posted Nov 13, 2013 07:38 AM

    Probably why it is hard coded to not allow 8014 to be blocked via SEP
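
From the SEP administrator's side, a local Windows Firewall rule of the kind discussed in this thread (a block on SMC.exe, or on the SEPM port 8014) silently stops a client from receiving policy and definition updates. The following is an added example, not part of the original thread: it parses `netsh advfirewall firewall show rule name=all verbose` output and flags such rules. The sample output, rule names, program path and function names are constructed for illustration; pass `port=443` where the client-server channel runs over SSL.

```python
import ntpath

# Constructed, trimmed sample of the netsh output; the program path is a placeholder.
SAMPLE = """\
Rule Name:                            old test rule
----------------------------------------------------------------------
Enabled:                              No
Direction:                            Out
RemotePort:                           8014
Program:                              Any
Action:                               Block

Rule Name:                            misc outbound
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            Out
RemotePort:                           8000-8100
Program:                              Any
Action:                               Block

Rule Name:                            app block
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            Out
RemotePort:                           Any
Program:                              C:\\placeholder\\Smc.exe
Action:                               Block
"""

def parse_rules(text):
    """One dict per rule, keys lower-cased; dashed and blank lines are skipped."""
    rules = []
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key == "Rule Name":
            rules.append({})
        if sep and rules:
            rules[-1][key.strip().lower()] = value.strip()
    return rules

def blocks_sep_channel(rule, port=8014):
    """Enabled Block rule that names smc.exe or covers the SEPM port (ranges included)."""
    if rule.get("enabled") != "Yes" or rule.get("action") != "Block":
        return False
    by_program = ntpath.basename(rule.get("program", "")).lower() == "smc.exe"
    spec = rule.get("remoteport" if rule.get("direction") == "Out" else "localport", "")
    bounds = [p.partition("-") for p in spec.split(",")]
    return by_program or any(lo.isdigit() and int(lo) <= port <= int(hi or lo) for lo, _, hi in bounds)

def findings(text, port=8014):
    return [r["rule name"] for r in parse_rules(text) if blocks_sep_channel(r, port)]
```

Outbound rules are matched on the remote port (client side) and inbound rules on the local port (the SEPM server side), so the same check can be run on either machine.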