Endpoint Protection


SEP11 6100 no NTP disables Windows firewall

  • 1.  SEP11 6100 no NTP disables Windows firewall

    Posted Oct 20, 2010 01:33 PM

    I'm installing SEP11 6100 client with AV only via an exported setup file from the management server.  However, on Win 7 x64, the built-in firewall gets taken over and managed by SEP anyway even though I did not install NTP.  I receive a message on the machine that the firewall is turned off but the security center says it's managed by SEP.  This did not happen in previous versions like 6005.  It seems 6100 punts the Windows firewall no matter if NTP is installed or not.



  • 2.  RE: SEP11 6100 no NTP disables Windows firewall

    Posted Oct 20, 2010 04:33 PM

    See this thread that has a solution that may apply to you - https://www-secure.symantec.com/connect/forums/use-windows-firewall-64-bit-workstations



  • 3.  RE: SEP11 6100 no NTP disables Windows firewall

    Posted Oct 20, 2010 06:12 PM

    Hi Gerbster,

    I would try performing the following test:

    -Create a test group in SEPM

    -Once you have it created, select it

    -Select Policies on the right-hand side at the top

    -Uncheck the inherit option

    -A little below, select the Firewall policy and withdraw it

    -Add one of the machines experiencing this problem to that group

    -Give it 10-15 minutes, or however long your heartbeat is set for the client to check in and update

    -Check the Windows firewall to see if it's working as you intended

    If so, this is an issue that is currently under investigation. I do not have much detail to give as it's in the early stages. To pursue this, I would recommend giving our support a call and reference the document TECH140897. This is an internal document that has some information the technician can use to gather evidence to help with the research.
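
The last step of the test above, checking whether the Windows Firewall is still on after the client checks in, can be scripted when many clients are involved. The following is an added example, not part of the original post or any Symantec tooling: it parses saved output of `netsh advfirewall show allprofiles state` and lists the profiles that are not enabled. It assumes the English-language output layout, and the sample text is constructed.

```python
import re

# Constructed sample: output in the layout printed by
# `netsh advfirewall show allprofiles state` on a client whose
# Domain and Private profiles have been switched off.
SAMPLE_OUTPUT = """\
Domain Profile Settings:
----------------------------------------------------------------------
State                                 OFF

Private Profile Settings:
----------------------------------------------------------------------
State                                 OFF

Public Profile Settings:
----------------------------------------------------------------------
State                                 ON
Ok.
"""

PROFILE_RE = re.compile(r"^(\w+) Profile Settings:$")
STATE_RE = re.compile(r"^State\s+(ON|OFF)$", re.IGNORECASE)


def parse_profile_states(text):
    """Return {profile_name: bool} for each profile block in the netsh output."""
    states = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        header = PROFILE_RE.match(line)
        if header:
            current = header.group(1)
            continue
        state = STATE_RE.match(line)
        if state and current is not None:
            states[current] = state.group(1).upper() == "ON"
            current = None  # only the first State line belongs to the header
    return states


def disabled_profiles(text, expected=("Domain", "Private", "Public")):
    """List expected profiles that are OFF or absent (absent counts as a failure)."""
    states = parse_profile_states(text)
    return [name for name in expected if not states.get(name, False)]


if __name__ == "__main__":
    for name in disabled_profiles(SAMPLE_OUTPUT):
        print(f"Windows Firewall profile not enabled: {name}")
```

Treating a missing profile as a failure means truncated or unparseable output is flagged instead of being read as healthy.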



  • 4.  RE: SEP11 6100 no NTP disables Windows firewall

    Posted Oct 21, 2010 12:19 AM

    Looks like a bug. Try starting the Windows firewall manually. Anyway, it is better to open a case with Symantec so that they can do more investigation. I have seen this problem in some other threads also.



  • 5.  RE: SEP11 6100 no NTP disables Windows firewall

    Posted Oct 21, 2010 09:46 AM

    I am experiencing this also.

    We just updated 700 of our clients to ru6mp1 this week and it disables the firewall WITHOUT ntp installed.   Control panel >system security> windows firewall : says "these settings are being managed by vendor application Symantec Endpoint Protection"

     

    I found this thread while on hold with support, so will point them to the tech doc listed above.



  • 6.  RE: SEP11 6100 no NTP disables Windows firewall

    Posted Oct 27, 2010 04:44 PM

    [See below for correction...]

    I can confirm that withdrawing the Firewall policy from the group solves the problem.

    So, to summarize...the problem appears to be that if a Firewall policy is applied to a given group, installing the 64-bit client (built with that group's policies) will take over and disable the Windows Firewall no matter what, even if the Network Threat Protection module is not part of the client installation.

    In our case, withdrawing the Firewall policy isn't a big deal because it was only there for testing purposes, but others who have a mix of clients (some using NTP, some not) in the same group may need to segment those clients in order to take advantage of this workaround.

    Correction: While withdrawing the firewall policy solves the problem with the Windows Firewall being disabled when the SEP client is installed, it is only a temporary fix.  It appears that as soon as the SEP client makes its first contact with the SEPM server, the Windows Firewall is disabled again.

    I've even tried withdrawing the Intrusion Prevention and the Application and Device Control policies (both of which, I believe, also rely on the NTP engine), but the SEP client still takes over management of the Windows Firewall as soon as it establishes communication with the SEPM server.

    I apologize for the premature celebration...



  • 7.  RE: SEP11 6100 no NTP disables Windows firewall

    Posted Oct 28, 2010 04:13 PM

    I just spent a rather baffling 15 minutes on the phone with a senior technician in India who tried to convince me that the product was behaving as designed.  Yes, he tried to make the case that when you are installing the SEP client without Network Threat Protection on Windows 7 x64, it is supposed to take control of and disable the Windows Firewall.

    At first I thought it was a misunderstanding because of the language barrier, but that wasn't the case.  He really was insisting that no bug report needed to be filed because their security product was specifically designed to leave 64-bit clients wide open to the outside world.

    After being transferred to a supervisor, however, they quickly acknowledged the bug and said that it would be fixed in RU6 MP2, which is "a month or two away."

    The only workaround they proposed is to reenable the Windows Firewall via GPO, which won't work in our particular situation.

    Time to back-rev to RU6a...



  • 8.  RE: SEP11 6100 no NTP disables Windows firewall

    Posted Oct 28, 2010 04:19 PM

    Hey grettir,

    I am curious as to how that supervisor knew the fix was in MP2. As of right now, we do not yet have a full understanding of the problem. You happen to have a case number or anything for that call? Feel free to PM me if you'd prefer.



  • 9.  RE: SEP11 6100 no NTP disables Windows firewall

    Posted Oct 28, 2010 05:16 PM

    I just checked on the tracking information for this, we are still investigating the policy to see what the cause of this issue is. As of right now I unfortunately do not have any further details.



  • 10.  RE: SEP11 6100 no NTP disables Windows firewall

    Posted Nov 05, 2010 02:36 PM

    Update:

    I believe we have identified the root cause on this. At this point in time it appears the issue was introduced with RU6, the current target is to have a fix for this issue in RU7. I am unsure when RU7 will hit, I would expect early next year as RU6 MP2 is going to come at the end of this year but that is just a guess.

    Please note this information is subject to change and is by no means a definite, it is just the information that we are currently going with.



  • 11.  RE: SEP11 6100 no NTP disables Windows firewall

    Posted Nov 08, 2010 01:46 PM

    In the meantime, is there any sort of workaround, or are all 64-bit clients stuck with RU6a until the new year?



  • 12.  RE: SEP11 6100 no NTP disables Windows firewall

    Posted Nov 08, 2010 02:25 PM

    Hi grettir,

    Unfortunately I don't see any workaround available on this just yet.