There was a supposed fix in 12.1.5 (I'm on 12.1.6)...
Fix ID: 3208344 Firewall incorrectly reports Link-local Multicast Name Resolution (LLMNR) response as a port scan Symptom: The Symantec Endpoint Protection client firewall incorrectly detects multiple Link-local Multicast Name Resolution (LLMNR) response packets as a port scan attack. Solution: Added UDP remote port 5355 to the firewall rule Allow LLMNR from private IP addresses to prevent the firewall from detecting this as an attack.
I've spent several days now going back and forth with Enterprise support on this to no avail. Since the above "fix" obviously wasn't working for me, I've think I've figured it out (at least for our scenario)...
Updated SEPM 12.1.4a to 12.1.6mp4, then began updating Win 7 Pro 64 bit clients from 12.1.4013.4013 to 12.1.6867.6400
Noticed SOME of the updated clients 12.1.6867.6400 began popping Port Attacks and doing Block All on local lan ip addresses including SEPM server. The most troubling part of all of this to me is that only 2 of the initial 5 upgraded stations exhibited this behavior, yet all were identically configured Optiplex 9020's and all were being fed the same policies (Clients completely locked down and Client User Interface Control Settings: Server mode).
Previous clients 12.1.1013.4013 in same group (same policies) that hadn't been upraded yet weren't exhibiting this behavior.
---
Problem Client 1 - Did an uninstall / clean wipe, did a client install from "12.1.6mp4 full download" of SEPx64 folder. Installed as unmanaged client, default settings (disable Defender), installed successfully, launched LiveUpdate by itself, completed updates, asked to restart. Restarted. Popups of port attacks from LAN began immediately. I rolled that client back to 12.1.4013.4013 and the problems ceased.
I don't have an explanation for why this client didn't work after fresh unmanaged install, perhaps the default unmanaged client rules are broken as well. I've read on another thread someone having a similar problem with an unmanaged client and the "fix" from Symantec was to go into the firewall rules on the client and make some trivial change like renaming a rule, and then saving. I did not try this before rolling this station back so I can't verify this.
---
Problem Client 2 - I created a duplicate group in SEPM, moved that client to that group, duped the firewall policy from existing group. I discovered that when I changed in SEPM -> Client User Interface Control Settings: Server to EITHER Client or Mixed mode the problem went away! As soon as I set back to Server mode and update policy, the blocking immediately began again. This points to something wrong with the SEPM's default firewall rule for "LLMNR from".
I set the mode back to Server and began experimenting with the SEPM firewall rules for that client. I changed the rule from "None" to "Write" so I could see when it was being applied, it wasn't. Here's what finally made it work for me, I deleted all of the private IP Ranges and added a new IP Subnet for our network, on client I right clicked "Update Policy", then it worked. So it appears that either something is broken with the IP Range field in that rule OR making this change triggered a sync of the SEPM rules to the client.
I had made dozens of changes and policy updates of the SEPM firewall rules prior to switching the field from IP Range to IP Subnet, so if just changing something trivial was the answer, the problem would have resolved much earlier. So this leads me to lean towards my "broken IP Range field" theory.
Hope this helps someone.