Endpoint Protection

  • 1.  NTP Possible Firewall Leak

    Posted Nov 15, 2012 01:47 PM

    Hi All.

    I'm wondering if anyone else has experienced this.

    I've set up some rules by application and network adapter. Basically ping.exe is blocked through all adapters in one rule. Then in another rule that comes before this, ping.exe is allowed through the VPN adapter only. Ping.exe is used for testing purposes as part of a larger project which allows us to see if our rules are working, i.e. we want certain business apps to work through the VPN only and to not leak anything outside of the VPN.

    About 99.999% of the time ping is blocked as it should be when the VPN is not active. However, every now and then a ping gets through!  We have no idea why because no adjustments are being made to the FW at that time.

    Does anyone know why this happens? It seems like the SEP NTP firewall is failing once in every many many thousand ping attempts.  Our concern is that this might be a leak, rendering the VPN compromised.

    Side note:

    SEP V12.1.671.4971 upgraded from V11.??. Windows 7. OpenVPN client integrated with VPN providers solution.

    In the logs it indicates that whilst ping.exe sends the request, ntoskrnl.exe does the receiving as per a different rule that I presume comes preset in SEP as we did not set it. I.e. the rule triggered by ping outbound is our ping.exe rule and the rule triggered on return is called "Allow ping reply". This rule is not listed in the FW config so it might be to do with the way an app that sends data is allowed to receive data back.



  • 2.  RE: NTP Possible Firewall Leak

    Posted Nov 15, 2012 02:03 PM

    Are you testing these rules from SEPM or on the client?

    Same kind of rule?

    http://www.symantec.com/business/support/index?page=content&id=TECH104295

    Using " * " or "Any" as "Application" when creating firewall rules in Symantec Endpoint Protection 11.0




  • 3.  RE: NTP Possible Firewall Leak

    Posted Nov 15, 2012 02:10 PM

    Hi Rafeeq, thanks for your quick response. Forgot to note that it is happening from the client on a machine with an unmanaged client on it.

    I will read the link shortly and answer your question on that one.

    Regards



  • 4.  RE: NTP Possible Firewall Leak

    Posted Nov 15, 2012 02:10 PM

    Is this an unmanaged or managed client?

    Is ping the only thing you're working with here? Would need to test as well by writing some rules. I'm also on 12.1 RU2, your version looks to be the first instance of 12.1.

    You can also do a packet capture with wireshark as well to see what's going on.



  • 5.  RE: NTP Possible Firewall Leak

    Posted Nov 15, 2012 04:58 PM

    Hi Brian, this is an unmanaged client. 

    For testing purposes chrome is also included in the list but as it happens so rarely we have not seen it happen with Chrome.

    As an example, out of 12404 ping attempts this morning 2 got through, 1 had a request time out and the other 12k+ had general failure (i.e. were blocked as they should have been).

    I will look into Wireshark, interesting idea. I'm not too knowledgeable on the packet level but will see if I can get any clues.

    You know, if a human only made 2 mistakes out of 12k tries I'd be impressed, but for some reason I expect more from my security software! :)
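The counting described in the post above (thousands of probes, tallied into "got through", "timed out" and "general failure") is easy to get wrong by hand. The script below is an added example, not code from the thread or from Symantec: it classifies ping.exe output lines into those three outcomes and reports how many probes escaped a rule that should have blocked everything while the VPN is down. It assumes the English Windows ping.exe wording ("Reply from", "Request timed out.", "General failure.") and treats a timeout as an escape too, since a timeout means the packet was allowed out of the host even though no answer came back. The sample transcript and target address are constructed.

```python
"""Tally repeated ping.exe probes to measure whether a block rule leaks.

Added example (not from the original thread). Assumes the English Windows
ping.exe output strings and a policy of "ping must be blocked when the VPN
is down", so any probe that is not a 'General failure.' is an escape.
"""
import re
import subprocess
import sys
from collections import Counter

# Constructed sample transcript in the format ping.exe prints (wording assumed).
SAMPLE_OUTPUT = """\
Pinging 203.0.113.10 with 32 bytes of data:
General failure.
General failure.
Reply from 203.0.113.10: bytes=32 time=41ms TTL=54
General failure.
Request timed out.
General failure.
Reply from 203.0.113.10: bytes=32 time=39ms TTL=54
General failure.
"""

_REPLY = re.compile(r"^Reply from \S+?:")


def classify_line(line):
    """Map one line of ping.exe output to an outcome, or None for header/summary lines."""
    line = line.strip()
    if _REPLY.match(line):
        return "reply"      # packet left the host and an answer came back: a leak
    if line == "Request timed out.":
        return "timeout"    # packet left the host, nothing came back: still not blocked
    if line == "General failure.":
        return "blocked"    # local firewall refused the send: the expected outcome
    return None


def tally(output):
    """Count outcomes across a whole ping transcript."""
    counts = Counter()
    for line in output.splitlines():
        outcome = classify_line(line)
        if outcome:
            counts[outcome] += 1
    return counts


def leaked_probes(output):
    """Return (attempts, escapes): escapes are probes the block rule did not stop."""
    counts = tally(output)
    attempts = sum(counts.values())
    escapes = counts["reply"] + counts["timeout"]
    return attempts, escapes


def run_ping(target, count):
    """Run the real ping.exe on the Windows client under test and return its stdout.
    Only called from __main__, never on import."""
    proc = subprocess.run(["ping", "-n", str(count), target],
                          capture_output=True, text=True)
    return proc.stdout


if __name__ == "__main__":
    # Usage on the client: python leaktally.py <target> <count>
    # With no arguments the constructed SAMPLE_OUTPUT is analysed instead.
    if len(sys.argv) == 3:
        text = run_ping(sys.argv[1], int(sys.argv[2]))
    else:
        text = SAMPLE_OUTPUT
    attempts, escapes = leaked_probes(text)
    print(dict(tally(text)))
    print(f"{escapes} of {attempts} probes were not blocked")
```

Run it on the client with the VPN adapter down and a large count; anything other than zero escapes is worth lining up against the SEP traffic log timestamps (and a Wireshark capture, as suggested earlier in the thread) to see which rule, such as the preset "Allow ping reply" one, actually matched those packets.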



  • 6.  RE: NTP Possible Firewall Leak

    Posted Nov 15, 2012 05:07 PM

    Hi Rafeeq.

    The rules we're working with are specific to one or 2 exe's and there are no * or "Any" in there. To my understanding of your linked article it is quite different.