Endpoint Protection


SEP 12.1 RU2 and Windows Homegroup

  • 1.  SEP 12.1 RU2 and Windows Homegroup

    Posted Feb 19, 2013 05:55 PM

    I have two Windows 7 machines and Homegroup has been working.  On one machine, I just uninstalled another product and installed SEP.  Now I cannot access the Homegroup host and a pop-up keeps coming up that traffic is being blocked.  What do I need to configure in SEP to use the Homegroup?

     

    Thanks,

    Chris



  • 2.  RE: SEP 12.1 RU2 and Windows Homegroup

    Posted Feb 19, 2013 05:58 PM

    Open the Traffic log and see what is being blocked. If you can post the log here or the line about what is being blocked.

    You will need to add a firewall rule to allow traffic but you'll need to determine what is being blocked first.



  • 3.  RE: SEP 12.1 RU2 and Windows Homegroup

    Posted Feb 19, 2013 06:44 PM

    Can you please provide us the screenshot of the error you are receiving?



  • 4.  RE: SEP 12.1 RU2 and Windows Homegroup

    Posted Feb 19, 2013 07:57 PM

    Hello,

    From your description, it sounds like the SEP firewall may be blocking the network traffic necessary for Homegroup to function. Please add a new firewall rule (at the top of the ruleset) which allows all traffic as a test. Does this resolve the issue?

    If it does, this is evidence that SEP is indeed blocking the traffic. Go ahead and remove the Allow All rule you created (it was just for troubleshooting purposes and shouldn't be left there) and then add some more rules to allow the ports and protocols Microsoft mentions as necessary for Homegroups to function as specified here: http://technet.microsoft.com/en-us/library/ee617166%28v=ws.10%29.aspx (Scroll down to Firewall Settings.)

    James



  • 5.  RE: SEP 12.1 RU2 and Windows Homegroup

    Posted Feb 19, 2013 11:56 PM

    Hi,

    Please share a screenshot so that we can help you.



  • 6.  RE: SEP 12.1 RU2 and Windows Homegroup

    Posted Feb 20, 2013 12:43 AM

    go to control panel

    select symantec endpoint

    select modify

    remove network threat protection

    reboot

    you should be able to access



  • 7.  RE: SEP 12.1 RU2 and Windows Homegroup

    Posted Feb 20, 2013 06:28 AM

    Hi

    What are the components installed in the SEP client?

    Regards

     



  • 8.  RE: SEP 12.1 RU2 and Windows Homegroup

    Posted Feb 20, 2013 11:01 AM

    This isn't really the best solution, since it doesn't address the problem (firewall rules which don't allow the necessary traffic) and, instead, just removes the firewall altogether.

    James



  • 9.  RE: SEP 12.1 RU2 and Windows Homegroup

    Posted Feb 20, 2013 11:04 AM

    A firewall rule just needs to be created to allow this traffic. But first, we need to see the log to determine what rules need to be built to allow this.



  • 10.  RE: SEP 12.1 RU2 and Windows Homegroup

    Posted Feb 20, 2013 04:03 PM

    Hey all,

     

    Thank you all for your replies.  I'm really confused now.  Today, I can connect to the Homegroup, but the traffic log shows that some of the traffic is being blocked.  I've uploaded the log as exported from SEP and a couple screen shots of the left and right side of the log window.  The lines with the Remote MAC starting with 70 are my Homegroup PC.  I've also attached a screen shot of my firewall rules.

     

    The message that keeps popping up every couple minutes says "Traffic has been blocked from this application: svchost.exe"

     

    Chris

    Attachment: Traffic Log.txt (221 KB)


  • 11.  RE: SEP 12.1 RU2 and Windows Homegroup

    Posted Feb 20, 2013 06:34 PM

    Hello,

    Can you run a quick test for me?

    What happens when you disable the following firewall rules (i.e., uncheck them) temporarily? Does that allow Homegroup to work?

    1. Block UPnP Discovery

    2. Block IPv6 over IPv4 (Teredo) Remote UDP port 3544

    Do you recognize the IP address 239.255.255.250?

    James



  • 12.  RE: SEP 12.1 RU2 and Windows Homegroup

    Posted Feb 20, 2013 08:01 PM

    Hi James,

    The Homegroup started working again today without making any changes, but I disabled the above rules to see what that would do to the message popping up.  Homegroup still works, but I'm still getting the message. 

    No, I don't recognize that IP.

    Chris



  • 13.  RE: SEP 12.1 RU2 and Windows Homegroup

    Posted Feb 21, 2013 11:23 AM

    Hi Chris,

    Thanks for the update.

    I looked through the traffic logs you provided some more and the reason you were seeing those blocks for C:\Windows\System32\svchost.exe was because it was sending outbound UDP traffic to IP address 239.255.255.250 and the rule "Block UPnP Discovery" was blocking it.

    Go ahead and re-enable the two rules that were previously disabled.

    At this point, we're left with the question why svchost.exe is trying to reach out to that IP address. Let's see what we can do.

    Can you please open the Command Prompt, run the following command, and attach screenshots of the output?

    tasklist /svc /fi "imagename eq svchost.exe"

    James
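
Added example (not part of the original thread): 239.255.255.250 is the multicast group used by SSDP/UPnP discovery on UDP 1900 and by WS-Discovery on UDP 3702, so one way to narrow the `tasklist /svc` output above is to list only the svchost.exe instances bound to those ports and the services they host. The port list, the variable names and the English `tasklist` CSV headers are assumptions of this sketch.

```powershell
# Added example, not from the thread. Assumptions: English-language Windows
# (tasklist CSV headers "Image Name","PID","Services") and the two discovery
# ports listed below.
$discoveryPorts = @{ 1900 = 'SSDP/UPnP'; 3702 = 'WS-Discovery' }

# Parse the UDP rows of "netstat -ano", e.g.:
#   UDP    0.0.0.0:1900    *:*    1234
#   UDP    [::]:3702       *:*    1234
$endpoints = netstat -ano | ForEach-Object {
    if ($_ -match '^\s*UDP\s+(\S+):(\d+)\s+\S+\s+(\d+)\s*$') {
        New-Object PSObject -Property @{
            LocalAddress = $matches[1]
            Port         = [int]$matches[2]
            OwningPid    = [int]$matches[3]
        }
    }
} | Where-Object { $discoveryPorts.ContainsKey($_.Port) }

if (-not $endpoints) {
    Write-Output 'No process is bound to UDP 1900 or UDP 3702.'
}
else {
    $endpoints | Group-Object OwningPid | ForEach-Object {
        $owningPid = $_.Name
        $ports = $_.Group | ForEach-Object { $_.Port } | Sort-Object -Unique

        # Same query as in the thread, narrowed to one PID and emitted as CSV
        $task = tasklist /svc /fo csv /fi "PID eq $owningPid" | ConvertFrom-Csv

        New-Object PSObject -Property @{
            PID      = $owningPid
            Image    = $task.'Image Name'
            Services = $task.Services
            Ports    = ($ports | ForEach-Object {
                           "$_ ($($discoveryPorts[$_]))" }) -join ', '
        }
    } | Format-Table PID, Image, Services, Ports -AutoSize -Wrap
}
```

A bound port shows which services take part in discovery; the outbound packets that the firewall rule blocks may be sent from a different, ephemeral source port of the same process, so compare the PID with the one in the traffic log where it is recorded.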



  • 14.  RE: SEP 12.1 RU2 and Windows Homegroup

    Posted Feb 21, 2013 04:02 PM

    Hi James,

    Here's the tasklist screenshot.  One thing I just thought of is that I'm using MS's Family Safety to filter the kids' account.  I don't know what kind of protocol it uses, but it's still filtering properly on their account.

     

    Chris



  • 15.  RE: SEP 12.1 RU2 and Windows Homegroup

    Posted Feb 22, 2013 05:18 PM

    Hi Chris,

    Thanks for the reply. I don't see anything out of the ordinary in that screenshot, but sometimes it can be hard to be sure.

    I'd like to get a Loadpoint Analysis from your computer to see if I see any suspicious processes or files. It's a bit of a stretch, but I'd rather be safe than sorry.

    1. Download SymHelp here: http://www.symantec.com/docs/TECH170752
    2. Run the utility and accept the EULA
    3. Remove the checkmarks from all products except for Symantec Endpoint Protection
    4. Put a checkmark in “Full data collection for support” and click "Symantec Load Point Analysis"
    5. Make sure that "Collect SEP data for a Symantec Support case" is checkmarked and click Scan
    6. When the Loadpoint scan finishes, save the report and attach it here.

    This log will show me running processes and files on your computer so I can review them to see if any of them appear suspicious/malicious to me.

    James

    Edit: Updated Loadpoint collection steps.



  • 16.  RE: SEP 12.1 RU2 and Windows Homegroup

    Posted Feb 23, 2013 08:42 AM

    James,

     

    Here's the report.  The report didn't list any files and, with the exception of a whole bunch of svchost entries, nothing looks out of the ordinary to me.

     

    Thanks,

    Chris

    Attachment: Report.zip (2.48 MB)


  • 17.  RE: SEP 12.1 RU2 and Windows Homegroup

    Posted Feb 23, 2013 09:01 AM

    Hope this helps

    Is the notification coming on Vista or Windows 7 machines? If yes, follow the steps below:

    1. Turn off the iphelper service, set to manual. This stops the warning dialog from popping up.

    2. Open the Network and Sharing Center, click "Change adapter settings", select the adapter being used, right-click and select "Properties".
    Uncheck the box next to "Internet Protocol Version 6 (TCP/IPv6)".
    IPv6 is on by default in Vista/Win7.

    3. Restart machine.



  • 18.  RE: SEP 12.1 RU2 and Windows Homegroup

    Posted Feb 24, 2013 12:16 PM

    Ashish,

    It's a Win 7 machine.  If I disable IPv6, won't that disable Homegroup?

     

    Chris



  • 19.  RE: SEP 12.1 RU2 and Windows Homegroup

    Posted Feb 24, 2013 03:28 PM

    You are quite right, IPv6 is required to be enabled in order to even create a homegroup. From a Microsoft forum:

     

    Homegroup relies on the following configuration for it to work properly:

    - IPv6 must be enabled
    - ***** the Time / Date MUST be in sync *****
    - Homegroup Services have to be running
    - File Sharing must be enabled
    - Computers MUST be on the same Subnet.



  • 20.  RE: SEP 12.1 RU2 and Windows Homegroup
    Best Answer

    Posted Feb 26, 2013 01:19 PM

    Hi Chris,

    Thanks for sending me that log file. I agree, after reviewing that log, I'm not seeing anything suspicious either.

    It's very possible that the UPnP traffic you're seeing is normal, expected, and legitimate. Without knowing exactly what is generating that traffic, I can't weigh in intelligently on whether you should be blocking that or not.

    I'm afraid there's not a whole lot more I can do for you at this point. If your Homegroup is working as expected with those Block rules enabled, I would suggest leaving them enabled unless you need to disable them to enable some sort of functionality which they are inhibiting.

    James



  • 21.  RE: SEP 12.1 RU2 and Windows Homegroup

    Posted Feb 27, 2013 05:38 PM

    Hi James,

     

    Thanks for your help and the review of the logs.  Yea, the important thing is that the Home group is working.  I'll just ignore that message as well (I have a USB message due to a bad internal web cam).

     

    Chris