
NTP Possible Firewall Leak

Created: 15 Nov 2012 | 5 comments

Hi All.

I'm wondering if anyone else has experienced this.

I've set up some rules by application and network adapter. Basically, ping.exe is blocked through all adapters in one rule. Then, in another rule that comes before this, ping.exe is allowed through the VPN adapter only. Ping.exe is used for testing purposes as part of a larger project which allows us to see if our rules are working. I.e., we want certain business apps to work through the VPN only and to not leak anything outside of the VPN.

About 99.999% of the time ping is blocked as it should be when the VPN is not active. However, every now and then a ping gets through! We have no idea why because no adjustments are being made to the FW at that time.

Does anyone know why this happens? It seems like the SEP NTP firewall is failing once in every many, many thousand ping attempts. Our concern is that this might be a leak, rendering the VPN compromised.

Side note:

SEP V12.1.671.4971 upgraded from V11.??. Windows 7. OpenVPN client integrated with VPN providers solution.

In the logs it indicates that whilst ping.exe sends the request, ntoskrnl.exe does the receiving as per a different rule that I presume comes preset in SEP, as we did not set it. I.e., the rule triggered by ping outbound is our ping.exe rule and the rule triggered on return is called "Allow ping reply". This rule is not listed in the FW config, so it might be to do with the way an app that sends data is allowed to receive data back.


Rafeeq's picture

Are you testing these rules from SEPM or on the client?

Same kind of rule?

Using " * " or "Any" as "Application" when creating firewall rules in Symantec Endpoint Protection 11.0

PVEndpoint's picture

Hi Rafeeq, thanks for your quick response. Forgot to note that it is happening from the client on a machine with an unmanaged client on it.

I will read the link shortly and answer your question on that one.


PVEndpoint's picture

Hi Rafeeq.

The rules we're working with are specific to one or 2 exe's and there are no * or "Any" in there. To my understanding of your linked article it is quite different.

ᗺrian's picture

Is this an unmanaged or managed client?

Is ping the only thing you're working with here? Would need to test as well by writing some rules. I'm also on 12.1 RU2; your version looks to be the first instance of 12.1.

You can also do a packet capture with Wireshark to see what's going on.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

PVEndpoint's picture

Hi Brian, this is an unmanaged client.

For testing purposes Chrome is also included in the list, but as it happens so rarely we have not seen it happen with Chrome.

As an example, out of 12404 ping attempts this morning 2 got through, 1 had a request time out and the other 12k+ had general failure (i.e. were blocked as they should have been).

I will look into Wireshark, interesting idea. I'm not too knowledgeable on the packet level but will see if I can get any clues.

You know, if a human only made 2 mistakes out of 12k tries I'd be impressed, but for some reason I expect more from my security software! :)
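
One way to tally a long ping test like the one described in this thread and pin down exactly when a reply got through, so the timestamps can be matched against the firewall log or a packet capture. This is an added example, not part of any poster's message; the timestamp prefix on each line and the sample log are assumptions (ping.exe does not print timestamps itself), and the run is assumed to happen while the VPN is down, so any real echo reply counts as a leak.

```python
import re
from collections import Counter

# Constructed sample: ping.exe output lines, each prefixed with a timestamp
# by a hypothetical wrapper script. Addresses are documentation ranges.
SAMPLE_LOG = """\
2012-11-15 09:00:01 PING: transmit failed. General failure.
2012-11-15 09:00:02 General failure.
2012-11-15 09:00:03 Reply from 203.0.113.10: bytes=32 time=41ms TTL=54
2012-11-15 09:00:04 Request timed out.
2012-11-15 09:00:05 Reply from 192.0.2.7: Destination host unreachable.
2012-11-15 09:00:06 PING: transmit failed. General failure.
"""

STAMP = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) ")
# A real echo reply carries bytes/time/TTL; ICMP errors also start "Reply from".
ECHO_REPLY = re.compile(r"Reply from (\S+): bytes=\d+ time[=<]\d+ms TTL=\d+")

def classify(line):
    """Return (outcome, peer) for one ping.exe output line."""
    m = ECHO_REPLY.search(line)
    if m:
        return "leak", m.group(1)      # echo reply received with VPN down
    if "General failure" in line:
        return "blocked", None         # send failed locally
    if "Request timed out" in line:
        return "timeout", None         # no reply seen; capture needed to tell if the request left
    if "Reply from" in line:
        return "icmp_error", None      # e.g. Destination host unreachable
    return "other", None

def summarize(log_text):
    """Count outcomes and list (timestamp, peer) for every leaked reply."""
    counts, leaks = Counter(), []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        outcome, peer = classify(line)
        counts[outcome] += 1
        if outcome == "leak":
            stamp = STAMP.match(line)
            leaks.append((stamp.group(1) if stamp else None, peer))
    return counts, leaks

if __name__ == "__main__":
    counts, leaks = summarize(SAMPLE_LOG)
    print(dict(counts))
    for when, peer in leaks:
        print("echo reply from", peer, "at", when)
```

Timeouts are kept separate from blocks because a timed-out request may still have left the machine; only a capture on the physical adapter can settle that.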