Endpoint Protection

Hello.

I have a problem with SEP blocking my Cisco web camera driver.

The driver is called ndiscdp.sys, its in system32/drivers directory on Win XP.

I added a rule to this file, but anytime I run the Cisco aplication the notificaton says the driver has been blocked.

Viewing the logs I can read that it runs on Ethernet protocol, and its beeing blocked by "black all" rule. Camera is pluged using USB, but it cooperates with Cisco IP telephone via Ethernet cable.

The aplication is not beeing blocked when I turn off the "Network Threat Protection".

How to enable this driver to be not blocked without turnout the above module.

Thanks.

Create a allow rule for this driver(Application) and keep it above block all rule and try.Are you using managed client or unmanaged client.If it is managed client it has to be done in SEPM,also has to keep it in server control mode.If it is unmaged client you can do it in the client itself...

Looks like you have Unmanaged SEP client installed,

Can you confirm the version of SEP you have it installed 11.0.xxxx.xxxx ??

Make sure you have installed the latest version.

I`m using 11.0.6 version.

I dont know where I can find "block all" rule.

How exactly I have to make my new rule?

Thanks.

It's under the firewall policy in SEPM.

Whether your clients are managed by SEPM or it is self managed?If it is self managed,Open client GUI go to Status--->Network Threat Protection-->options--->Configure firewall rule.Here you can find the current rules in use.Here yu can find the option for adding a rule as well.Always remember to keep newly created rule to keep up since the priority of the rule will fully depend up on this order.

I`m using unmanaged client.

Adding a new rule doesnt work. Either switching off the "block all" one.

Only disabling the "Network Threat Protection" helps.

Any other tips?

Once you disable the block all rule does it still block your Cam ? If yes then what does the logs show ?

Under "Add a Firewall Rule", what settings did you use to configure the new rule?

Here is my screen from SEP logs:

http://eskel.pl/p1/1.jpg

I think I have to add a rule to ETHERNET protocol (earlier I was selecting different protocol).

I will try tomorrow.

And disabling "block all" rule means to uncheck it on the list?

Even if I removed 2 that rules (blocking IPV4 and IPV6), SEP was still blocking the driver under "block all" name. Why?

In the above image when you scroll the bar to the far right what rule name does it show ?

"block all"

So it looks block all rule is still there..

Create a rule to allow the driver and the ethernet protocol type=0x2000 and also for the Mac address shown

then move this rule to the top of the list ..make it no.1

@ Vikram,

In my unmanaged client, I do not see the option for ethernet protocol type=0x2000. Looks as though there is no support for Cisco Protocols?