Endpoint Protection


IE 9 and autorun.inf

  • 1.  IE 9 and autorun.inf

    Posted Feb 10, 2013 10:35 AM

    Hello:

    Current environment is as follows:

    O/S 64bit System 7 SP1

    Endpoint 21.1

    Getting the following message ... end point blocks explorer autorun.inf ... Microsoft technical support advise that SEP should be disabled when installing Windows updates because SEP is blocking, for example, IE 9 security updates.

    Questions:

    Why am I getting the autorun.inf message from SEP? 

    How do I allow autorun to execute?

    Not sure I want to disable SEP when installing Windows updates ... Is there an alternative approach to installing Windows updates without turning off SEP?

    Any advice/guidance will be gratefully received

    Thanks

    Hecanuck (FYI ... male canadian ... smile)



  • 2.  RE: IE 9 and autorun.inf

    Posted Feb 10, 2013 10:37 AM

    It sounds like you are using the Application and Device control policy. Blocking autorun is one of the options. Check the policy and you can turn this off if you need to.

    Check this KB article for instructions:

    The default Application Control rule to block Autorun triggers when a USB drive with no autorun.inf is connected

    Article:TECH162983  |  Created: 2011-06-22  |  Updated: 2011-06-30  |  Article URL http://www.symantec.com/docs/TECH162983

     



  • 3.  RE: IE 9 and autorun.inf

    Posted Feb 10, 2013 10:46 AM

    Hello

    By default, SEP 12.1 has an Application and Device Control rule enabled which will block the access to and creation of autorun.inf files. This is likely the cause of your issue. You could try disabling the rule as a quick test to confirm.

    Disabling the Autorun.inf Rule in the SEPM

    1. Login to the SEPM
    2. Click Clients
    3. Select the group your SEP client is in
    4. Click the Policies tab (at the top)
    5. Open your Application and Device Control Policy
    6. Click Application Control
    7. Remove the checkmark from Block access to Autorun.inf [AC9]
    8. Click OK
    9. Once the SEP client picks up the new policy, test it out.

     



  • 4.  RE: IE 9 and autorun.inf

    Broadcom Employee
    Posted Feb 10, 2013 10:57 AM

    Let autorun.inf be disabled; instead, double-click on the exe.



  • 5.  RE: IE 9 and autorun.inf

    Posted Feb 10, 2013 11:01 AM

    pete_4u2002

    Sorry, but I don't understand your recommendation. Can you be more specific?

    Thanks

    Hecanuck



  • 6.  RE: IE 9 and autorun.inf

    Broadcom Employee
    Posted Feb 10, 2013 11:09 AM

    As a best practice, block Autorun from triggering. So as an alternative to install patches, use the exe and manually double-click.



  • 7.  RE: IE 9 and autorun.inf

    Posted Feb 10, 2013 11:21 AM

    Brian & Shish

    SEP is an enterprise lic for faculty from my university ... I don't have SEP Manager Console on my system. Can I download the application and install locally?

    Thanks,

    Hecanuck



  • 8.  RE: IE 9 and autorun.inf

    Posted Feb 10, 2013 11:27 AM

    Sorry pete_4u2002 ... as you have by now realized I'm an ignorant newbie ... I assume that you are suggesting that I exec autorun.exe at the time SEP displays the block msg ... is that correct?

    Thanks,

    Hecanuck



  • 9.  RE: IE 9 and autorun.inf

    Posted Feb 10, 2013 11:32 AM

    Yes SEP is installed as an Unmanaged Client.

    Thanks,

    Hecanuck



  • 10.  RE: IE 9 and autorun.inf

    Posted Feb 10, 2013 11:33 AM

    If it's an unmanaged client, then simply disable the Network Threat Protection Policy by:

    Please go into SEP Client interface.

    Go into Status section.

    Click on "Change Settings".

    In the Change Settings section click on the Client management --> "Configure Settings" button. In Client Management Settings screen remove the UNcheckmark for "Enable Application and Device Control".

     



  • 11.  RE: IE 9 and autorun.inf

    Posted Feb 10, 2013 11:34 AM

    hi,

    You can follow the above steps.



  • 12.  RE: IE 9 and autorun.inf
    Best Answer

    Posted Feb 10, 2013 11:36 AM

    Check this. You can just remove the component as it can't be configured for use anywhere on the SEP client itself. This all needs to be done from the SEPM (which you don't use so no need to worry about this)

    How to disable Application and Device Control on an Unmanaged client

    Article:TECH165012  |  Created: 2011-07-19  |  Updated: 2011-07-20  |  Article URL http://www.symantec.com/docs/TECH165012

     



  • 13.  RE: IE 9 and autorun.inf

    Broadcom Employee
    Posted Feb 10, 2013 11:40 AM

    autorun.inf calls some exe, in your case the patch exe. I may suggest you run the exe; you may edit the autorun.inf to know the name of the exe file.



  • 14.  RE: IE 9 and autorun.inf

    Posted Feb 10, 2013 11:47 AM

    Hi All

    Thanks for your assistance. You have all now provided sufficient information for me to proceed to disable Application and Device Control.

    Your collective advice and guidance is greatly appreciated.

    Many thanks to you all.

    Hecanuck



  • 15.  RE: IE 9 and autorun.inf

    Posted Feb 10, 2013 12:03 PM

     

    Application and Device Control has now been disabled.

    I restarted the system after making the suggested changes.

    Got the following SEP message after restarting the system

    ... Traffic has been blocked from the application scvhost.exe ...

    Do I now have yet another issue?

    Thanks,

    Hecanuck 



  • 16.  RE: IE 9 and autorun.inf

    Posted Feb 10, 2013 12:17 PM

    This is from the NTP component. You can check your traffic log to see exactly what was blocked. You can also disable this notification if you click on Option next to NTP and go to Change Settings. Then click on the Notifications tab and de-select Display Intrusion Prevention Notifications.

    It is probably legit traffic so you may need to add an exception but you'll need to check the log to verify.

    This article should help:

    Traffic has been blocked for the application host process for Windows Services Svchost.exe

    Article:TECH165942  |  Created: 2011-07-29  |  Updated: 2012-07-28  |  Article URL http://www.symantec.com/docs/TECH165942

     



  • 17.  RE: IE 9 and autorun.inf

    Posted Feb 10, 2013 01:13 PM

    Hi Brian81:

    Thanks for the recommendation, it has addressed the issue ... interesting to note that the log indicated it was blocking outbound traffic rather than incoming.

    Thanks again for your assistance.

    Cheers,

    Hecanuck

     

    Log Msg was

    10/02/2013 1:12:05 PM Blocked 10 Outgoing UDP FF02:0:0:0:0:0:0:C 33-33-00-00-00-0C 1900 FE80:0:0:0:D87A:CF0A:F413:995E B4-74-9F-E0-FC-62 59713  Tony Tony-PC_2 Default 18 10/02/2013 1:11:04 PM 10/02/2013 1:11:59 PM Block_all 
     



  • 18.  RE: IE 9 and autorun.inf

    Posted Feb 10, 2013 01:18 PM

    It is blocking UPnP Discovery packets. They use UDP protocol over port 1900, which is what is going on there. More info here on UPnP:

    http://en.wikipedia.org/wiki/Universal_Plug_and_Play

    Probably best to leave as is.

    Hopefully, you're good to go. Please mark the thread as solved for the post that helped the most if so. Thanks!



  • 19.  RE: IE 9 and autorun.inf

    Posted Feb 10, 2013 03:14 PM

    Brian81:

    Just a clarification

    'probably better to leave as is' ... do you mean I should enable rather than disable (select Display Intrusion Prevention Notifications)?

    Thanks,

    Hecanuck



  • 20.  RE: IE 9 and autorun.inf

    Posted Feb 10, 2013 03:22 PM
    If you disable notifications it is possible you may miss something serious. Personally I disable but I always review my logs. It's really your call on how you want to handle. If you disable, just keep a close eye on your logs.


  • 21.  RE: IE 9 and autorun.inf

    Posted Feb 10, 2013 04:04 PM

    Hi Brian:

    As I mentioned earlier I'm not an SEP expert by any means in fact far from it. I would however consider myself an application power user (MS Office, SPSS (stats package) being the main applications).

    I read the Wikipedia page you referenced. As I understand it, the UPnP protocol basically looks for any hardware connected to the system. Currently my home office environment connectivity looks like this (see attached). The only other devices that I might attach from time to time would be my BB smartphone, BB playbook and various USB keys (which BTW I always scan before using).

    If you could help me understand the potential risks by turning off the notification it would be appreciated since I would have no idea how to interpret logs ... it would be like giving an engineering drawing to a philosopher ... who might pontificate but have no idea as to its true meaning ... smile

    Thanks again for your assistance it is truly appreciated.

    Hecanuck

     



  • 22.  RE: IE 9 and autorun.inf

    Posted Feb 10, 2013 04:33 PM
    Basically, UPnP allows for device discovery on a network so by blocking this you won't be able to find other devices to share data with. In my opinion the logs tell the complete picture. If you turn off notifications you're at risk of missing a legitimate threat. Chances are SEP is doing its job by blocking the threat so normally you should be fine if you disable. If you review your logs though you should be OK if you turn this off.


  • 23.  RE: IE 9 and autorun.inf

    Posted Feb 10, 2013 04:39 PM

    Brian, I understand the concept now but was wondering what a 'legitimate threat' might or could be ... a few threat examples, would I think, help clarify things for me.

    Cheers,

    Hecanuck



  • 24.  RE: IE 9 and autorun.inf

    Posted Feb 10, 2013 06:03 PM
    One threat may be outgoing traffic on a non-standard port which could be part of a botnet.
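
Added example (not part of the original thread and not Symantec's own tooling): a small Python triage over SEP traffic-log entries laid out like the line quoted in post 17, separating the UPnP/SSDP discovery traffic explained in post 18 from blocked outbound traffic on a non-standard port as mentioned in post 24. The column positions, the `COMMON_PORTS` set and the second log entry are assumptions constructed for illustration.

```python
import ipaddress

# (protocol, destination port) -> multicast groups used by local discovery protocols
DISCOVERY = {
    ("UDP", 1900): {"ff02::c", "ff05::c", "239.255.255.250"},  # SSDP (UPnP discovery)
    ("UDP", 5353): {"ff02::fb", "224.0.0.251"},                # mDNS
    ("UDP", 5355): {"ff02::1:3", "224.0.0.252"},               # LLMNR
}
COMMON_PORTS = {53, 80, 123, 443}  # assumption: ports treated as "standard" here

# Entry quoted in post 17 of the thread.
THREAD_LINE = ("10/02/2013 1:12:05 PM Blocked 10 Outgoing UDP FF02:0:0:0:0:0:0:C "
               "33-33-00-00-00-0C 1900 FE80:0:0:0:D87A:CF0A:F413:995E B4-74-9F-E0-FC-62 "
               "59713  Tony Tony-PC_2 Default 18 10/02/2013 1:11:04 PM "
               "10/02/2013 1:11:59 PM Block_all ")
# Constructed entry (documentation address 203.0.113.45), not from the thread.
CONSTRUCTED_LINE = ("10/02/2013 2:01:17 PM Blocked 10 Outgoing TCP 203.0.113.45 "
                    "00-00-00-00-00-00 6667 192.168.1.20 B4-74-9F-E0-FC-62 49822  "
                    "Tony Tony-PC_2 Default 3 10/02/2013 2:00:10 PM "
                    "10/02/2013 2:01:10 PM Block_all")

def parse_line(line):
    """Split one entry; column meanings are assumed from the quoted line."""
    f = line.split()  # only the first 13 columns are used, so a blank app name is harmless
    return {
        "action": f[3], "direction": f[5], "protocol": f[6],
        "remote_ip": ipaddress.ip_address(f[7]),  # normalises FF02:0:...:C to ff02::c
        "remote_port": int(f[9]),
        "local_ip": ipaddress.ip_address(f[10]),
        "local_port": int(f[12]),
    }

def triage(line):
    """Return a coarse label for one blocked-traffic entry."""
    e = parse_line(line)
    if e["direction"] != "Outgoing":
        return "inbound"
    groups = DISCOVERY.get((e["protocol"], e["remote_port"]), set())
    if str(e["remote_ip"]) in groups:
        return "local-discovery"      # e.g. SSDP to ff02::c on UDP 1900
    if e["remote_ip"].is_multicast or e["remote_ip"].is_link_local:
        return "local-other"          # stays on the local segment
    if e["remote_port"] not in COMMON_PORTS:
        return "review"               # outbound to a non-standard port
    return "common-port"

if __name__ == "__main__":
    for entry in (THREAD_LINE, CONSTRUCTED_LINE):
        print(triage(entry), "<-", entry[:60])
```

Entries labelled `review` are the ones worth reading by hand when notifications are switched off.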


  • 25.  RE: IE 9 and autorun.inf

    Posted Feb 11, 2013 10:13 AM

    Thanks for the example Brian.

    Cheers,

    Hecanuck