Endpoint Protection


SEP 12.0 Firewall policy problem?

  • 1.  SEP 12.0 Firewall policy problem?

    Posted Jun 01, 2009 10:20 AM
    We've been testing the new Small Business Edition with SEP 12.0. I'm new to Symantec's products so I've been playing around a bit. I created a rule to block Internet Explorer, and placed it at the top of the firewall's rules list. However, if I specify the application as "C:\Program Files\Internet Explorer\iexplore.exe", then the rule is not triggered when Internet Explorer is run, even though I am launching it directly out of that folder. I HAVE to specify the application as "iexplore.exe" for it to block IE. The real problem is with Mozilla Firefox. Neither "firefox.exe" nor "C:\Program Files\Mozilla Firefox\firefox.exe" seems to trigger the rule and everything is allowed to pass through the firewall. I was wondering if anyone else has seen this, or can maybe point out the mistake I am making? I don't mind the full path being left out, as I think that is a smarter approach anyways (prevents someone from moving the exe and launching it elsewhere), but I thought I would try both in case the path was required.


  • 2.  RE: SEP 12.0 Firewall policy problem?

    Posted Jun 01, 2009 10:42 AM
    Try using the MD5 to block the application.
    Our discussion here: https://www-secure.symantec.com/connect/forums/ultrasurf
    contains instructions by RickJDS to better block any application from running. SEP would need to "learn" the application first.



  • 3.  RE: SEP 12.0 Firewall policy problem?

    Posted Jun 01, 2009 01:51 PM
    Thanks for the suggestion but I'm not sure that I can use it. I should mention I am using the SPC to administrate the firewall policies, and as a result I am not sure that I can set up application rules like that (learned applications). In the SEP firewall clients I can see the application setting list, but its 2 methods for how to have applications added to the list do not work. In the networking settings, I cannot right-click on an application and add it to the list and I have never seen it ask to allow or block an application.

    I'd like to add that even if I could use that method, using that method seems a little bit tedious considering the MD5 changes whenever an application is updated. It's enough work for me to occasionally update the computers' applications themselves, never mind having to update the firewall rules for each application after it has been updated. It also seems maybe more suited to an environment where the admin is genuinely concerned about users re-naming applications, and that isn't much of a concern of mine. It would be much easier for me to be able to say block application "firefox.exe" and it actually work on "firefox.exe".
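The trade-off raised in posts 1 to 3 (matching an application rule on file name, full path, or MD5 fingerprint), shown as an added example that is not part of any poster's message and does not reproduce Symantec's matching logic. The rule model, the paths and the byte strings standing in for executables are constructed assumptions.

```python
import hashlib
from pathlib import PureWindowsPath

# Constructed stand-ins for two builds of the same executable (not real binaries).
BUILD_OLD = b"MZ constructed firefox build A"
BUILD_NEW = b"MZ constructed firefox build B"

def fingerprint(data: bytes) -> str:
    """MD5 of the file contents, the identifier a fingerprint rule keys on."""
    return hashlib.md5(data).hexdigest()

def rule_matches(kind: str, value: str, exe_path: str, exe_bytes: bytes) -> bool:
    """Hypothetical rule model: does one application rule match one process image?"""
    image = PureWindowsPath(exe_path)
    if kind == "name":   # file name only, any directory
        return image.name.lower() == value.lower()
    if kind == "path":   # exact location (PureWindowsPath compares case-insensitively)
        return image == PureWindowsPath(value)
    if kind == "md5":    # contents only, any name or location
        return fingerprint(exe_bytes) == value.lower()
    raise ValueError(f"unknown rule kind: {kind}")

INSTALLED = r"C:\Program Files\Mozilla Firefox\firefox.exe"

RULES = {
    "name": "firefox.exe",
    "path": INSTALLED,
    "md5": fingerprint(BUILD_OLD),   # fingerprint taken before the update
}

# Constructed situations an administrator has to plan for.
SCENARIOS = {
    "as installed": (INSTALLED, BUILD_OLD),
    "renamed copy": (r"C:\Program Files\Mozilla Firefox\browser.exe", BUILD_OLD),
    "moved copy": (r"D:\Tools\firefox.exe", BUILD_OLD),
    "after update": (INSTALLED, BUILD_NEW),
}

def coverage() -> dict:
    """For each scenario, the set of rule kinds that still match."""
    return {
        label: {k for k, v in RULES.items() if rule_matches(k, v, path, data)}
        for label, (path, data) in SCENARIOS.items()
    }

if __name__ == "__main__":
    for label, kinds in coverage().items():
        print(f"{label:13} matched by: {', '.join(sorted(kinds)) or 'nothing'}")
```

No single criterion covers all four cases in this model, which is why a fingerprint rule needs refreshing after each application update while a name or path rule does not.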




  • 4.  RE: SEP 12.0 Firewall policy problem?

    Posted Jun 01, 2009 05:33 PM
    Honestly I am far from an expert on SEP 12. I am learning the same as you are, but from my understanding SEP 12 only incorporates PTP (Proactive Threat Protection) and antivirus protection. The SEP firewall lies in the realm of NTP (Network Threat Protection) which to the best of my knowledge SEP 12 does not have. So when you say you are creating a firewall rule to block firefox.exe it doesn't make sense to me. Also even if you were using SEP 11 which has NTP and a firewall, you would not use the firewall to block executables from launching. The firewall only blocks the .exe from reaching the Internet, not launching locally. What you are describing is called application and device control. Application and device control blocks certain applications from running and can even block certain devices (such as USB sticks) from working on your computer. Application and device control requires NTP so is obviously not a part of SEP 12. Hopefully I am not misunderstanding your post and if I am please try to clarify it for me. Thanks

    Grant


  • 5.  RE: SEP 12.0 Firewall policy problem?

    Posted Jun 01, 2009 10:13 PM
    Am I the only one wondering what's SEP 12? I thought current latest version was 11? 


  • 6.  RE: SEP 12.0 Firewall policy problem?

    Posted Jun 01, 2009 11:01 PM
    Version 12 is the small business version.
    https://www-secure.symantec.com/connect/security/forums/endpoint-protection-small-business

    Marketing at work....
    Supposedly it's a dumbed down version of SEP 11.


  • 7.  RE: SEP 12.0 Firewall policy problem?

    Posted Jun 02, 2009 01:53 PM
    Sorry for the confusion. To clarify, I am trying to prevent the application from reaching the internet, and not the launching of the application period.

    As for SEP 12.0 not including NTP, here is a screenshot that shows a client that has SEP12 and it has Network Threat Prevention on it. The firewalls are managed by the Symantec Protection Center (SPC) though, so firewall rules aren't actually configured on the client itself, but from the SPC.

    Also, I decided to play around with different versions of Firefox. One machine with Firefox not updated (it showed as version 1.9.0.3188 in the Network Activity screen but I forgot to check inside Firefox itself) was allowing everything through to the internet from Firefox, whereas another machine with version 1.9.0.3399 (most up to date) was actually successfully blocking it. When I updated the older version of Firefox to the newer version, it also started successfully blocking it. I'm not sure if you want to consider this solved but if so that is fine by me at the moment. If not, I might be able to go back to the older version to do some more testing but I am not sure on that.


  • 8.  RE: SEP 12.0 Firewall policy problem?

    Posted Jun 02, 2009 04:44 PM

    Ok, myself and another tech here have just spent some time on a test box that has SEP 12 installed on it. It appears that either the full path or simply the application name will work for creating the rules. I am looking into getting myself a copy of SEP 12 so I can do further testing for you, but as of now I am not sure why 1) the full path for IE did not work and 2) why neither the full path nor the application name worked for the older version of Firefox. I will post back after doing some more research on the topic. I am glad you were successful blocking Firefox for now. Let's not call this thread solved yet, but wait until we get a good idea why it wasn't being blocked in the first place.

    Thanks
    Grant


  • 9.  RE: SEP 12.0 Firewall policy problem?

    Posted Jun 03, 2009 03:45 PM
    Thanks for looking into it.
    It doesn't appear I can go back to the older version of Firefox. As an update, I did test to see whether or not with the newer version I can specify the full path (C:\Program Files\Mozilla\Firefox.exe) and that also seems to work for blocking Firefox now. Just did a test on Internet Explorer again though and the full path still does not work, only "iexplore.exe". The version of IE that I am using for the tests today is version 7.0.5730.13. If there are any screenshots or other information I can provide you that might help you out, let me know.


  • 10.  RE: SEP 12.0 Firewall policy problem?

    Posted Jun 04, 2009 04:15 PM
    No need, everything you provided so far is great. Sorry it is taking me a while to get SEP SBE up and running on the laptop I am currently using. I will be on soon and will let you know what I find. Just wanted to let you know I hadn't forgotten about you.
    Cheers
    Grant