Endpoint Protection

  • 1.  Constant SVCHOST and NTOSKRNL blocks

    Posted Sep 26, 2016 11:00 PM

    Hi.

    I recently installed SEP 12.1.6 on Windows 10 Home 64bit and I keep getting SVCHOST and NTOSKRNL blocks from SEP. I am on an unmanaged copy of SEP. I have tried to follow what many Symantec guides have posted online, but none of them have offered a working solution. If somebody could assist with allowing both of these connections it would be helpful. I do not want to just turn off notifications or IPv6, but rather fix the problem and allow these types of connections.



  • 2.  RE: Constant SVCHOST and NTOSKRNL blocks

    Trusted Advisor
    Posted Sep 27, 2016 05:19 AM

    Are you using v12.1.6 MP5 or newer? This version has more support for Windows 10.



  • 3.  RE: Constant SVCHOST and NTOSKRNL blocks

    Posted Sep 27, 2016 07:26 AM

    If you look at your Traffic log, what is the exact traffic that is being blocked, source/destination and port?



  • 4.  RE: Constant SVCHOST and NTOSKRNL blocks

    Posted Sep 27, 2016 09:51 AM

    Symantec reports that I am running 12.1.6 (12.1 RU6 MP6) build 7061.

    As for the traffic log here is the information:

    12200 9/27/2016 8:46:28 AM Blocked 10 Outgoing ICMP [type=0x3, code=0x3] 209.18.47.61 14-22-DB-35-7C-2D 3 192.168.7.30 0C-8B-FD-BA-BC-79 3  Maste JUSTIN-DELL Default 8 9/27/2016 8:43:16 AM 9/27/2016 8:45:25 AM Block_all 

    12162 9/27/2016 8:40:40 AM Blocked 3 Incoming UDP FE80:0:0:0:54B:124B:3B3:2D50 90-2B-34-52-D8-2E 51966 FF05:0:0:0:0:0:0:C 33-33-00-00-00-0C 3702 C:\Windows\System32\svchost.exe LOCAL SERVICE NT AUTHORITY Default 2 9/26/2016 10:41:40 PM 9/26/2016 10:41:40 PM Block Web Services Discovery 



  • 5.  RE: Constant SVCHOST and NTOSKRNL blocks

    Posted Sep 27, 2016 09:56 AM

    The first one is blocking outbound ICMP type 3 code 3. This was actually caught by the last rule in the stack, 'Block_all'.

    The second one is blocking inbound web service discovery. This is a rule in the default policy.

    If you feel you need these allowed then you have to create rules to allow them.



  • 6.  RE: Constant SVCHOST and NTOSKRNL blocks

    Posted Sep 27, 2016 11:40 AM

    Hi. Sorry, but I am new to Symantec. Can you please let me know what the exact rule is that I need and where I can add it?




  • 7.  RE: Constant SVCHOST and NTOSKRNL blocks
    Best Answer

    Posted Sep 27, 2016 11:52 AM

    I don't know that these are something you want to change.

    There is one rule called Block Web Services Discovery, these packets are inbound to your machine. Do you run web services on your machine? It could be someone externally scanning your machine.

    The second rule, called Block_all, is not configurable. The rule fired because it detected outbound ICMP type 3 code 3 to 209.18.47.61; type 3 code 3 means the destination port is unreachable. You would need to create a rule to allow this to the destination host.

    How to create a firewall rule on unmanaged Endpoint Protection client



  • 8.  RE: Constant SVCHOST and NTOSKRNL blocks

    Posted Sep 27, 2016 10:01 PM

    I have another question about this. Why don't you recommend that I not allow these two items? Also, would you recommend that I just turn off the notifications instead? Can you post a guide on how to do that as well?



  • 9.  RE: Constant SVCHOST and NTOSKRNL blocks

    Posted Sep 27, 2016 10:35 PM

    The unmanaged version does not have the ability to disable notifications on firewall rules so you're stuck with either allowing the traffic or dealing with the alerts.

    If you trust what's going on then create the rules to allow the traffic. When I see an external remote IP attempting to scan my system, I assume it is malicious. In terms of the ICMP traffic, perhaps it is an application on your network causing it.