Endpoint Protection


SEP Client Blocking WindowsXP ability to find Domain Controller - slows pc startup and prevents group policy/login scripts

  • 1.  SEP Client Blocking WindowsXP ability to find Domain Controller - slows pc startup and prevents group policy/login scripts

    Posted Sep 22, 2010 12:09 PM

    We are randomly (but frequently) seeing instances (from wireshark trace information) where SEP Network Threat Protection is blocking valid traffic to the network during PC bootup.  When this happens, the WindowsXP devices are not getting their login scripts or group policy applied.  Additionally, startup performance is negatively impacted.

    We have worked with Microsoft Premier Support who recommends that we change the following:

    The proposed change is:

    If you look in your registry at this key:

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SmcService]

    And look specifically at entry:

    "Group"="NDIS"


    They want us to change the "Group" value from "NDIS" to "NetworkProvider".

    Supposedly this will cause the firewall to start after network startup has been processed in the stack as opposed to before the network startup.  We have tested this change and have seen consistently where the "Domain Controller not found" message goes away and startup performance is greatly improved (as well as login scripts and gpo processing occurring normally).

    What information can you share about any risks of changing this value? For example, we are of the opinion that there may be some risk (but very little) in delaying the firewall startup for the short duration of about 5-8 seconds that is needed for the network stack to load.

    Any thoughts, pros/cons, etc would be appreciated.


    Thanks.
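As an added example (not from the thread and not Symantec's code), the following PowerShell script audits the SmcService load group against the boot-time group order Windows keeps in ServiceGroupOrder\List, so you can see whether SEP's service loads before or after NDIS and NetworkProvider, and only makes the change the poster describes when run with an explicit -Apply switch. Assumptions: the SmcService key path is as given in the post, ServiceGroupOrder is the standard Control key, the script runs elevated, and the machine is rebooted afterwards.

```powershell
# Added audit/change script (constructed for this thread, not Symantec's code).
# Run elevated; a reboot is required before the new load group takes effect.
param([switch]$Apply)

$svcKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\SmcService'
$orderKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\ServiceGroupOrder'

function Get-GroupIndex([string[]]$List, [string]$Name) {
    # Lower index = loads earlier at boot; -1 = group not in the ordered list
    for ($i = 0; $i -lt $List.Count; $i++) { if ($List[$i] -ieq $Name) { return $i } }
    return -1
}

function Get-SmcGroupPosition {
    $group = (Get-ItemProperty -Path $svcKey -ErrorAction Stop).Group
    $order = (Get-ItemProperty -Path $orderKey -ErrorAction Stop).List   # REG_MULTI_SZ
    New-Object PSObject -Property @{
        CurrentGroup         = $group
        CurrentIndex         = Get-GroupIndex $order $group
        NdisIndex            = Get-GroupIndex $order 'NDIS'
        NetworkProviderIndex = Get-GroupIndex $order 'NetworkProvider'
    }
}

$pos = Get-SmcGroupPosition
$pos | Format-List

if ($pos.CurrentIndex -ge 0 -and $pos.NdisIndex -ge 0 -and $pos.CurrentIndex -le $pos.NdisIndex) {
    Write-Host "SmcService loads with or before NDIS: the firewall is up before the network stack (the situation described in the thread)."
} else {
    Write-Host "SmcService already loads after NDIS."
}

if ($Apply -and $pos.CurrentGroup -ne 'NetworkProvider') {
    # Keep a timestamped export so the original value can be restored with 'reg import'
    $backup = Join-Path $env:TEMP ("SmcService-{0:yyyyMMdd-HHmmss}.reg" -f (Get-Date))
    & reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\SmcService' $backup | Out-Null
    Set-ItemProperty -Path $svcKey -Name Group -Value 'NetworkProvider'
    Write-Host "Group set to NetworkProvider; backup saved to $backup. Reboot to apply."
}
```

Run it without -Apply first to record the current position; the exported .reg file is the rollback path if the delayed firewall start turns out to be unacceptable in your environment.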



  • 2.  RE: SEP Client Blocking WindowsXP ability to find Domain Controller - slows pc startup and prevents group policy/login scripts

    Posted Sep 22, 2010 02:22 PM

    This is happening on various hardware models that we support.  All are using Intel NICs.  Also, on any given device sometimes the issue occurs and sometimes it does not (i.e. random).  This is also happening at various geographic locations (not just one office).

    So, if NTP cannot be hooked to NDIS, is there any harm in changing the group registry entry as noted above?



  • 3.  RE: SEP Client Blocking WindowsXP ability to find Domain Controller - slows pc startup and prevents group policy/login scripts

    Posted Sep 22, 2010 02:35 PM

    You could also assign PNP_TDI to that value and see if it helps.

    You can find a little info on this here.

    http://assarbad.net/stuff/pktfilter_inst.txt

    Old but still valid.




  • 4.  RE: SEP Client Blocking WindowsXP ability to find Domain Controller - slows pc startup and prevents group policy/login scripts

    Posted Sep 23, 2010 04:11 AM

    Go to 

    Clients > Policies > Location-Independent Policies and Settings > General Settings > Security Settings.

    Is the current setting to 'block all traffic until firewall is started'?

    To answer your question, it would be better to apply the changes advised. The product should help protect your system, but first and foremost, it should not interfere with your daily operations, IMHO. :D

    Security impact is not that big. Again, IMHO.

    I'm not sure if you're using an MS or other vendor for the policy implementation for your network. You may also want to add an 'Allow' policy from the client PC to the server in question if the current firewall policy might prevent that. And lastly, check the startup sequence. File and Print sharing is the usual cause of virus/worm distribution. Confirm that it comes after SEP.



  • 5.  RE: SEP Client Blocking WindowsXP ability to find Domain Controller - slows pc startup and prevents group policy/login scripts

    Posted Sep 23, 2010 07:44 AM

    Thanks for the valuable feedback.  I am using the information for building support to move forward with the change.

    We have already tested the change and it eliminates the issue 100% of the time.

    Perhaps others will find this thread useful should they encounter similar problems.

    Thanks again to all.



  • 6.  RE: SEP Client Blocking WindowsXP ability to find Domain Controller - slows pc startup and prevents group policy/login scripts

    Posted Sep 23, 2010 08:17 AM

    What argument did you use to sniff out the traffic to the suspect PCs?

    Did you run this app from the SEP server?



  • 7.  RE: SEP Client Blocking WindowsXP ability to find Domain Controller - slows pc startup and prevents group policy/login scripts

    Posted Sep 23, 2010 10:32 AM

    Hi



  • 8.  RE: SEP Client Blocking WindowsXP ability to find Domain Controller - slows pc startup and prevents group policy/login scripts

    Posted Sep 23, 2010 10:32 AM

    hi



  • 9.  RE: SEP Client Blocking WindowsXP ability to find Domain Controller - slows pc startup and prevents group policy/login scripts

    Posted Sep 23, 2010 10:55 AM

    There were many sources of data. The Wireshark utility was run on the backside of the test PC and captured all data.

    The Symantec debug log was activated and showed "warning: no dns servers to begin with".

    The Windows Netlogon and Userenv logs were also helpful in isolating the issue.

    Everything was done from the test PC, nothing from the SEP server.



  • 10.  RE: SEP Client Blocking WindowsXP ability to find Domain Controller - slows pc startup and prevents group policy/login scripts

    Posted Sep 24, 2010 09:48 AM

    What happened to the responses that you previously posted? I am looking for information that was previously posted and changed to "Hi".

    Any chance you can repost?

    Thank You.



  • 11.  RE: SEP Client Blocking WindowsXP ability to find Domain Controller - slows pc startup and prevents group policy/login scripts

    Posted Sep 24, 2010 10:01 AM

    In SEPM policies,

    under AV/AS,

    there is an option to start AP when the computer is started...

    Make that "when Symantec Endpoint is started".

    Check if that's blocking.