SEP 12.1 RU2 and Windows Homegroup
Created: 19 Feb 2013 | Updated: 27 Feb 2013 | 20 comments
This issue has been solved. See solution.
I have two Windows 7 machines and Homegroup has been working. On one machine, I just uninstalled another product and installed SEP. Now I cannot access the Homegroup host and a pop-up keeps coming up that traffic is being blocked. What do I need to configure in SEP to use the Homegroup?
Thanks,
Chris
Open the Traffic log and see what is being blocked. If you can, post the log here, or the line about what is being blocked.
You will need to add a firewall rule to allow traffic but you'll need to determine what is being blocked first.
SEP Knowledge Base
Endpoint SWAT
Can you please provide us the screenshot of the error you are receiving?
Please don't forget to mark your thread solved with whatever answer helped you : ) Thanks & Regards Aravind
Hello,
From your description, it sounds like the SEP firewall may be blocking the network traffic necessary for Homegroup to function. Please add a new firewall rule (at the top of the ruleset) which allows all traffic as a test. Does this resolve the issue?
If it does, this is evidence that SEP is indeed blocking the traffic. Go ahead and remove the Allow All rule you created (it was just for troubleshooting purposes and shouldn't be left there) and then add some more rules to allow the ports and protocols Microsoft mentions as necessary for Homegroups to function as specified here: http://technet.microsoft.com/en-us/library/ee61716... (Scroll down to Firewall Settings.)
James
The Symantec Endpoint Protection Knowledgebase
Please remember to mark the post which resolved your issue as the solution!
Hi,
Please share a screenshot so that we can help you.
Thanks & Regards,
Ambesh
Please mark your thread as 'SOLVED' with the answer that helps you.
Go to Control Panel
Select Symantec Endpoint
Select Modify
Remove Network Threat Protection
Reboot
You should be able to access
Please don't forget to mark your thread solved with whatever answer helped you : ) Rafeeq
This isn't really the best solution, since it doesn't address the problem (firewall rules which don't allow the necessary traffic) and, instead, just removes the firewall altogether.
James
The Symantec Endpoint Protection Knowledgebase
Please remember to mark the post which resolved your issue as the solution!
Hi
What are the components installed in the SEP client?
Regards
A firewall rule just needs to be created to allow this traffic. But first, we need to see the log to determine what rules need to be built to allow this.
SEP Knowledge Base
Endpoint SWAT
Hey all,
Thank you all for your replies. I'm really confused now. Today, I can connect to the Homegroup, but the traffic log shows that some of the traffic is being blocked. I've uploaded the log as exported from SEP and a couple of screenshots of the left and right side of the log window. The lines with the Remote MAC starting with 70 are my Homegroup PC. I've also attached a screenshot of my firewall rules.
The message that keeps popping up every couple of minutes says "Traffic has been blocked from this application: svchost.exe"
Chris
Hello,
Can you run a quick test for me?
What happens when you disable the following firewall rules (i.e., uncheck them) temporarily? Does that allow Homegroup to work?
1. Block UPnP Discovery
2. Block IPv6 over IPv4 (Teredo) Remote UDP port 3544
Do you recognize the IP address 239.255.255.250?
James
The Symantec Endpoint Protection Knowledgebase
Please remember to mark the post which resolved your issue as the solution!
Hi James,
The Homegroup started working again today without making any changes, but I disabled the above rules to see what that would do to the message popping up. Homegroup still works, but I'm still getting the message.
No, I don't recognize that IP.
Chris
Hi Chris,
Thanks for the update.
I looked through the traffic logs you provided some more and the reason you were seeing those blocks for C:\Windows\System32\svchost.exe was because it was sending outbound UDP traffic to IP address 239.255.255.250 and the rule "Block UPnP Discovery" was blocking it.
Go ahead and re-enable the two rules that were previously disabled.
At this point, we're left with the question why svchost.exe is trying to reach out to that IP address. Let's see what we can do.
Can you please open the Command Prompt, run the following command, and attach screenshots of the output?
tasklist /svc /fi "imagename eq svchost.exe"
James
The Symantec Endpoint Protection Knowledgebase
Please remember to mark the post which resolved your issue as the solution!
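The question raised in the post above (which service inside svchost.exe is behind the UDP traffic to 239.255.255.250) can be narrowed down further than `tasklist /svc` alone. The following is an added example, not part of the original thread: it assumes Windows PowerShell 2.0 or later and that the traffic is SSDP (UDP 1900) or WS-Discovery (UDP 3702), the two common protocols that use that multicast address.

```powershell
# Added example: map UDP endpoints on the SSDP (1900) and WS-Discovery (3702)
# ports to the services hosted in the owning process (typically svchost.exe).
# Uses netstat and WMI so it also works on Windows 7 / PowerShell 2.0.

$ports = 1900, 3702   # assumption: ports used with multicast group 239.255.255.250

# Index running services by the PID of the process that hosts them.
$servicesByPid = @{}
Get-WmiObject -Class Win32_Service -Filter "State = 'Running'" | ForEach-Object {
    $procId = [int]$_.ProcessId
    if (-not $servicesByPid.ContainsKey($procId)) { $servicesByPid[$procId] = @() }
    $servicesByPid[$procId] += "$($_.Name) ($($_.DisplayName))"
}

# netstat -ano UDP rows: Proto  LocalAddress:Port  ForeignAddress  PID
# (UDP rows have no State column; IPv6 rows look like [::]:1900).
$results = netstat -ano | ForEach-Object {
    if ($_ -match '^\s*UDP\s+(\S+):(\d+)\s+\S+\s+(\d+)\s*$') {
        $localAddr = $Matches[1]
        $port      = [int]$Matches[2]
        $procId    = [int]$Matches[3]
        if ($ports -contains $port) {
            $proc = Get-Process -Id $procId -ErrorAction SilentlyContinue
            $procName = if ($proc) { $proc.ProcessName } else { '<exited>' }
            $svcList  = if ($servicesByPid.ContainsKey($procId)) {
                            $servicesByPid[$procId] -join '; '
                        } else { '<no hosted service>' }
            New-Object PSObject -Property @{
                Port         = $port
                OwnerPid     = $procId
                Process      = $procName
                LocalAddress = $localAddr
                Services     = $svcList
            }
        }
    }
}

$results | Sort-Object Port, OwnerPid |
    Format-Table Port, OwnerPid, Process, LocalAddress, Services -AutoSize -Wrap
```

This lists processes bound to those ports; a sender using an ephemeral source port will not appear, so treat an empty result as inconclusive rather than as proof that nothing is generating the traffic.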
Hi James,
Here's the tasklist screenshot. One thing I just thought of is that I'm using MS's Family Safety to filter the kids' account. I don't know what kind of protocol it uses, but it's still filtering properly on their account.
Chris
Hi Chris,
Thanks for the reply. I don't see anything out of the ordinary in that screenshot, but sometimes it can be hard to be sure.
I'd like to get a Loadpoint Analysis from your computer to see if I see any suspicious processes or files. It's a bit of a stretch, but I'd rather be safe than sorry.
1. Download SymHelp here: http://www.symantec.com/docs/TECH170752
2. Run the utility and accept the EULA
3. Remove the checkmarks from all products except for Symantec Endpoint Protection
4. Put a checkmark in “Full data collection for support” and click "Symantec Load Point Analysis"
5. Make sure that "Collect SEP data for a Symantec Support case" is checkmarked and click Scan
6. When the Loadpoint scan finishes, save the report and attach it here.
This log will show me running processes and files on your computer so I can review them to see if any of them appear suspicious/malicious to me.
James
Edit: Updated Loadpoint collection steps.
The Symantec Endpoint Protection Knowledgebase
Please remember to mark the post which resolved your issue as the solution!
James,
Here's the report. The report didn't list any files, and with the exception of a whole bunch of svchost entries, nothing looks out of the ordinary to me.
Thanks,
Chris
Hi Chris,
Thanks for sending me that log file. I agree, after reviewing that log, I'm not seeing anything suspicious either.
It's very possible that the UPnP traffic you're seeing is normal, expected, and legitimate. Without knowing exactly what is generating that traffic, I can't weigh in intelligently on whether you should be blocking that or not.
I'm afraid there's not a whole lot more I can do for you at this point. If your Homegroup is working as expected with those Block rules enabled, I would suggest leaving them enabled unless you need to disable them to enable some sort of functionality which they are inhibiting.
James
The Symantec Endpoint Protection Knowledgebase
Please remember to mark the post which resolved your issue as the solution!
Hi James,
Thanks for your help and the review of the logs. Yea, the important thing is that the Home group is working. I'll just ignore that message as well (I have a USB message due to a bad internal web cam).
Chris
Hope this helps.
Is the notification coming up on Vista or Windows 7 machines? If yes, follow the steps below:
1. Turn off the iphelper service, set to manual. This stops the warning dialog from popping up.
2. Open the Network and Sharing Center, click "Change adapter settings", select the adapter being used, right-click and select "Properties".
Uncheck the box next to "Internet Protocol Version 6 (TCP/IPv6)".
IPv6 is on by default in Vista/Win7.
3. Restart machine.
Thanks In Advance
Ashish Sharma
SEPM Knowledgebase Documents
Ashish,
It's a Win 7 machine. If I disable IPv6, won't that disable Homegroup?
Chris
You are quite right, IPv6 is required to be enabled in order to even create a homegroup. From a Microsoft forum:
Homegroup relies on the following configuration for it to work properly:
- IPv6 must be enabled
- ***** the Time / Date MUST be in sync *****
- Homegroup Services have to be running
- File Sharing must be enabled
- Computers MUST be on the same Subnet.