Endpoint Protection

  • 1.  liveupdate -firewall

    Posted Jun 19, 2016 11:01 AM

    Hi, I would like to ask about a specific situation. I use the SEP Firewall as an individual firewall for my user station.

    I notice that SEP makes connections to liveupdate.symantecliveupdate.com several times. I don't allow it to connect, but SEP does this anyway, and the logs do not show me this connection. Why is it doing this, and where can I stop it? I would like to ask advanced users for advice.

    SEP put it here

    C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.6867.6400.105\Data\Lue\Downloads

    sepc$20submission$20control$20data_12.1$20ru6_symalllanguages_livetri

    The attachment is at the bottom.

    Attachment(s)

    txt
    1.txt   2 KB 1 version


  • 2.  RE: liveupdate -firewall

    Posted Jun 20, 2016 11:12 AM

    Is this a managed or unmanaged client?

    On the SEPM, in your LiveUpdate policy, is the client configured to go out to Symantec for updates?

    Did you create a rule to block it and is it set to log to the Traffic log?



  • 3.  RE: liveupdate -firewall

    Posted Jun 20, 2016 11:57 AM

    I've tested this before, and believe that the SEP FW includes undocumented in-built exclusions for LiveUpdate and SEP Heartbeats.  Essentially, even with a policy containing a single rule to block everything, the client will still be able to initiate a LiveUpdate to grab defs, and check into a SEPM (if a managed client).

    The only way to block it is to either stop SepLiveUpdate.exe from running, or use a different FW to block it.



  • 4.  RE: liveupdate -firewall

    Posted Jun 20, 2016 12:04 PM

    It definitely does for heartbeats; it's impossible to use the SEP firewall to block 8014. Would be interested if the same was true for LU.



  • 5.  RE: liveupdate -firewall

    Posted Jun 21, 2016 09:27 AM


    My SEP is a self-managed individual station, only for my Windows machine. I create the rules myself. I can't stop it.



  • 6.  RE: liveupdate -firewall

    Posted Jun 21, 2016 09:53 AM

    See the article below:

    How to determine whether your firewall is blocking LiveUpdate

    No matter what you do, the SEP client will try to download the livetri file to see if it's able to fetch the updates from Symantec LiveUpdate servers. The only possible way out I could think of is to export an unmanaged package from your SEPM and set the LiveUpdate policy to only take updates from the SEPM; this might prevent the client from checking for livetri files from the internet, but then when you do wish to update the client you have to update it only with an Intelligent Updater file.



  • 7.  RE: liveupdate -firewall

    Posted Jun 21, 2016 10:04 AM

    It appears that this is hard-coded into the client to explicitly allow access to LiveUpdate even if you try to block it with the SEP firewall.



  • 8.  RE: liveupdate -firewall

    Posted Jun 21, 2016 11:32 AM

    Hi ikolor,

    Please don't block SEP as it attempts to contact the online LiveUpdate servers.  This is necessary to keep your protection up-to-date.

    With thanks and best regards,

    Mick



  • 9.  RE: liveupdate -firewall
    Best Answer

    Posted Jun 23, 2016 05:09 AM

    As I mentioned earlier, the SEP client includes inbuilt, undocumented rules to allow LiveUpdate and Client heartbeats.  If you want to block LiveUpdate you're going to have to:

    • block SepLiveUpdate.exe from running, or
    • use another FW (e.g. Windows FW) to block it.

    Obviously, doing so is not recommended as this stops the client from updating, but there you go.
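
The second option from the answer above (blocking SepLiveUpdate.exe with Windows Firewall), shown as an added example that is not part of the original thread or any Symantec tooling. The function name, rule name and search roots are assumptions, since the thread does not give the install path of the executable; the function also turns on logging of dropped packets so the blocked attempts become visible.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the thread. Function name, rule name and search
# roots are hypothetical; adjust them to the local installation.
function Block-SepLiveUpdateOutbound {
    param(
        # Assumed search roots: the thread does not say where the binary lives.
        [string[]]$SearchRoot = @($env:ProgramFiles, ${env:ProgramFiles(x86)}),
        [string]$RuleName = 'Block SepLiveUpdate outbound (example)'
    )

    # Drop empty roots (ProgramFiles(x86) is unset on 32-bit Windows).
    $roots = $SearchRoot | Where-Object { $_ }

    # Find every copy of the binary named in the answer.
    $exes = Get-ChildItem -Path $roots -Filter 'SepLiveUpdate.exe' -Recurse -File -ErrorAction SilentlyContinue
    if (-not $exes) { throw 'SepLiveUpdate.exe not found under the search roots.' }

    # A rule has no effect in a profile where Windows Firewall is switched off.
    $off = Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' }
    if ($off) { Write-Warning "Windows Firewall is disabled for: $($off.Name -join ', ')" }

    # Log dropped packets so blocked connection attempts show up in the
    # Windows Firewall log.
    Set-NetFirewallProfile -All -LogBlocked True

    # Recreate the rule set so repeated runs do not pile up duplicates.
    Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue | Remove-NetFirewallRule

    foreach ($exe in $exes) {
        New-NetFirewallRule -DisplayName $RuleName -Direction Outbound `
            -Program $exe.FullName -Action Block -Profile Any | Out-Null
    }

    # Return the resulting rules for a quick visual check.
    Get-NetFirewallRule -DisplayName $RuleName |
        Select-Object DisplayName, Enabled, Direction, Action
}

Block-SepLiveUpdateOutbound
```

To undo the change, remove the rules with `Get-NetFirewallRule -DisplayName 'Block SepLiveUpdate outbound (example)' | Remove-NetFirewallRule`.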