
Default behaviours difference between 11.0.X and 12.1.X SEP (WMI)?

  • 1.  Default behaviours difference between 11.0.X and 12.1.X SEP (WMI)?

    Posted Mar 23, 2014 10:25 PM

    Afternoon,

    At my company we have a SEPm infrastructure configured with two SEPm servers and just over 1000 SEP client endpoints. We are required to upgrade our clients from 11.0.X to 12.1.X now that support for 11.X is ending soon. We've had it long before I joined the company and I'm trying to fix some issues we've been having.

    We've been doing some testing over the last 3-6 months and keep running into problems with how the 12.1.X SEP client is handling WMI traffic, specifically relating to the Microsoft volume activation management tool (VAMT) and a few other monitoring type client applications.

    Our SEPm is the latest version (12.1.4a) and the majority of our clients are on 11.0.5. We have upgraded a select test group to all releases of 12.1 to test (at different times), but each has had the same issue.

    If the endpoint is running 11.0.X, we have no issue with the VAMT (or any WMI query for that matter), but as soon as we replace SEP with 12.1.X, WMI traffic seems to be blocked. If we uninstall it and revert to the previous version, WMI behaves as we expect.

    We have NTP installed on the endpoints, but the firewall is disabled globally (purely by there being no enforced firewall policy from SEPm). So, theoretically, the firewall should not be blocking anything; but our experience is saying otherwise.

    This is an issue blocking our client upgrade because we use WMI for numerous things on all our endpoints (desktops, laptops and servers). Any help anyone can provide will be greatly appreciated.

    Trent.



  • 2.  RE: Default behaviours difference between 11.0.X and 12.1.X SEP (WMI)?

    Posted Mar 23, 2014 10:37 PM

    What happens if you remove the fw component instead of just withdrawing the policy?



  • 3.  RE: Default behaviours difference between 11.0.X and 12.1.X SEP (WMI)?

    Posted Mar 23, 2014 11:15 PM

    Are there any logs of blocking on your SEP clients? If there are blocks, you can exclude them in your exception lists or modify the firewall rule applied to your clients to allow those connections.

    Regards,

    JM



  • 4.  RE: Default behaviours difference between 11.0.X and 12.1.X SEP (WMI)?

    Posted Mar 23, 2014 11:24 PM

    I've not seen any entries as yet, though I will have a further look there. As far as allowing connections, we do not have a policy applied for the firewall, so I'm unable to do that without enabling a policy and enforcing many rules...

    As far as I understand it, the NTP firewall should be in flow through mode.



  • 5.  RE: Default behaviours difference between 11.0.X and 12.1.X SEP (WMI)?

    Posted Mar 23, 2014 11:25 PM

    I've not attempted that as yet... I'll try removing it completely and see what happens.



  • 6.  RE: Default behaviours difference between 11.0.X and 12.1.X SEP (WMI)?

    Posted Mar 23, 2014 11:27 PM

    Sorry.. getting used to the forum. I'll edit this with comments when I have some results.



  • 7.  RE: Default behaviours difference between 11.0.X and 12.1.X SEP (WMI)?

    Posted Mar 24, 2014 12:07 AM

    On further investigation, the short answer is No.

    I just tested a poll using VAMT on a 12.1.4 client and checked the logs. Both the NTP Traffic and Packet Logs are empty.

    As are the PTP Threat and System Logs, the AV Risk logs and the Client Management Security and Tamper Protection Logs. The only entries of any type are in the AV System and Scan Logs and the Client Management System Log.

    So there is nothing that can be applied to a firewall, sorry.



  • 8.  RE: Default behaviours difference between 11.0.X and 12.1.X SEP (WMI)?

    Posted Mar 24, 2014 12:13 AM

    Hello,

    What happens when you disable/remove the NTP feature?

    Try disabling/removing the NTP feature on one or two SEP clients for testing.

     

    To disable Network Threat Protection, you can try this:

    Navigate to

    HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\smc_engine_status

    If the value of smc_engine_status is "0", NTP is disabled.

    If the value of smc_engine_status is "1", NTP is enabled.

    OR

    Disable Network Threat Protection access on the SEP client.

     

    How to uninstall/remove the Network Threat Protection feature from Symantec Endpoint Protection

    Article:TECH102869 | Created: 2007-01-08 | Updated: 2011-01-26 | Article URL http://www.symantec.com/docs/TECH102869

     



  • 9.  RE: Default behaviours difference between 11.0.X and 12.1.X SEP (WMI)?

    Posted Mar 24, 2014 12:17 AM

    _Brian, I have removed the NTP portion of SEP (and kept the remaining installation as is) from a 12.1.4 client and tested access.

    No change.



  • 10.  RE: Default behaviours difference between 11.0.X and 12.1.X SEP (WMI)?

    Posted Mar 24, 2014 12:22 AM

    Hey James007, I have just completed this test by removing the NTP feature via the control panel.

    It made no difference and WMI is still blocked.



  • 11.  RE: Default behaviours difference between 11.0.X and 12.1.X SEP (WMI)?
    Best Answer

    Posted Mar 24, 2014 12:25 AM

    See this article:

    WMI traffic is blocked by the Windows Firewall even though it's being controlled by SEP

    Article:TECH174692 | Created: 2011-11-17 | Updated: 2012-01-03 | Article URL http://www.symantec.com/docs/TECH174692


  • 12.  RE: Default behaviours difference between 11.0.X and 12.1.X SEP (WMI)?

    Posted Mar 24, 2014 01:13 AM

    OK. So after disabling the Windows Firewall, VAMT is working. Even after reinstalling NTP.

    I have questions...

    You're saying we have to disable the Windows firewall on all clients to get SEP to work correctly?

    That tech article has been around for a long time and it only provides a workaround. SEP 11.X is going to be unsupported this time next year, will this be resolved in another release before end of 11.X support?



  • 13.  RE: Default behaviours difference between 11.0.X and 12.1.X SEP (WMI)?
    Best Answer

    Posted Mar 24, 2014 01:24 AM

    The Symantec team is still investigating the issue; you can subscribe to this article and wait for the next update.

    See this article if it helps you.

    Configuring the firewall to allow WMI connection

    Article:HOWTO47571 | Created: 2011-03-29 | Updated: 2011-04-18 | Article URL http://www.symantec.com/docs/HOWTO47571

     
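    Pulling together posts 8, 11 and 13, below are the checks a practitioner would run on a 12.1 client before resorting to turning the Windows Firewall off. This is an added PowerShell diagnostic, not code from the thread or from Symantec. It reads the smc_engine_status value from the registry path given in post 8 (the Wow6432Node path for 64-bit clients is an assumption), shows the Windows Firewall profile state, shows the state of Windows' built-in inbound WMI rule group, and runs a WMI query against a target host. The rule-group name and the netsh / NetSecurity commands are standard Windows ones, not taken from the thread; run the script from an elevated Windows PowerShell prompt.

```powershell
# Added diagnostic for the "WMI blocked after SEP 12.1 upgrade" case.
# Not from the thread or from Symantec. Assumes Windows PowerShell on a
# Vista/2008-or-later client where `netsh advfirewall` exists.
param(
    # Host to query over WMI; defaults to the local machine.
    [string]$Target = $env:COMPUTERNAME
)

# 1. NTP engine state, from the registry value named in post 8.
#    The Wow6432Node path for 64-bit clients is an assumption.
$smcPaths = @(
    'HKLM:\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC',
    'HKLM:\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\SMC'
)
$found = $false
foreach ($p in $smcPaths) {
    if (-not (Test-Path $p)) { continue }
    $found  = $true
    $status = (Get-ItemProperty -Path $p -ErrorAction SilentlyContinue).smc_engine_status
    switch ($status) {
        0       { "NTP engine: disabled (smc_engine_status=0) at $p" }
        1       { "NTP engine: enabled  (smc_engine_status=1) at $p" }
        default { "NTP engine: smc_engine_status value not present at $p" }
    }
}
if (-not $found) { "SEP SMC registry key not found; is the client installed?" }

# 2. Windows Firewall profile state. Post 11's article points at this firewall,
#    not SEP's own rules, as what blocks WMI on the 12.1 client.
"--- Windows Firewall profile state ---"
netsh advfirewall show allprofiles state

# 3. Built-in inbound WMI rule group. Enabling this group is the narrow fix
#    (post 13's "allow WMI connection"), as opposed to disabling the firewall.
"--- Inbound rules in the WMI rule group ---"
if (Get-Command Get-NetFirewallRule -ErrorAction SilentlyContinue) {
    Get-NetFirewallRule -DisplayGroup 'Windows Management Instrumentation (WMI)' -Direction Inbound |
        Select-Object DisplayName, Enabled, Profile |
        Format-Table -AutoSize
} else {
    # NetSecurity module is Windows 8 / Server 2012 and later; fall back to netsh.
    "NetSecurity module not available; inspect with:"
    "  netsh advfirewall firewall show rule name=all dir=in verbose"
}
# To allow WMI through the Windows Firewall rather than turning it off:
#   netsh advfirewall firewall set rule group="Windows Management Instrumentation (WMI)" new enable=yes

# 4. The actual symptom: does a WMI query to the target succeed?
try {
    $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $Target -ErrorAction Stop
    "WMI to ${Target}: OK ($($os.Caption))"
} catch {
    "WMI to ${Target}: FAILED - $($_.Exception.Message)"
}
```

    Run it once with SEP 11.0.X present and once after the 12.1.X upgrade on the same client; the firewall and WMI-rule-group sections should show what changed, while the smc_engine_status section confirms whether NTP is even involved (the thread found it was not).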



  • 14.  RE: Default behaviours difference between 11.0.X and 12.1.X SEP (WMI)?

    Posted Mar 24, 2014 01:43 AM

    It seems to me that that is quite unacceptable.

    For Symantec to have an issue like this (that seems quite fundamental to the base OS) and it not be resolved for three years?

    I would suggest that it's likely not going to be fixed... Though I honestly hope that is not the case.

     



  • 15.  RE: Default behaviours difference between 11.0.X and 12.1.X SEP (WMI)?

    Posted Mar 24, 2014 01:44 AM

    Thanks for the prompt response everyone; even though there is only a workaround, it was nice to have quick assistance.