Video Screencast Help

Symantec Endpoint Protection blocks traffic from firefox.exe

Created: 12 Apr 2009 • Updated: 21 May 2010 | 9 comments

Yesterday I did Live Update of my Symantec Endpoint Protection 11.x, after that SEP starts blocking my firefox traffic. I am getting an prompt that "Traffic has been blocked from this application: (firefox.exe). I find below log in Network Threat Protection > Traffic Log

4/12/2009 9:31:07 PM Blocked 10 Outgoing TCP en-gb.start2.mozilla.com [209.85.227.99] 00-90-D0-03-84-5C 80 192.168.1.72 00-1E-68-54-E0-90 52661 C:\Program Files\Mozilla Firefox\firefox.exe Anand Anand-PC Default 3 4/12/2009 9:30:05 PM 4/12/2009 9:30:16 PM GUI%GUICONFIG#SRULE@APPCONFIG-TCP#C:\Program Files\Mozilla Firefox\firefox.exe 

I tried disabling Network Threat Protection and firefox works fine.

My Network Threat Protection definitions:- Friday, March 13,2009 r1

Could please tell why SEP blocks my firefox?

Thanks,

Anand

Comments 9 CommentsJump to latest comment

SAM_SHAIKH's picture

Hi Anand,

I think u might be having some policy to block any files which tries to connect to Internet, hence firefox is getting block. You can exculde firefox.exe from NTP.

Rrgds,
SAM

Farzad's picture
Firefox has some addins which connect to internet automatically and some of them are a kind of hacking tools or barware, or some work abnormally and cause to raise a spyware or backdoor Trojan.
Be come sure about the addins.

By the way there are only two reasons for the issue:

1- a rule in NTP
2- the Firefox malfunctioning

ESET Certified Specialist \ Symantec Certified Specialist  \  MCSE +Security  \  CCNSE

Anand Prabhu's picture

I tried even without any Add-ons, still same problem. Firefox version is also latest one 3.0.8

Now for time being i have set rules in Network Threat Protection > Application Settings to allow Firefox.exe and it works fine.

Thanks for all your help

Farzad's picture

Anand,

Enable the NTP on a sample client and after it blocked the firefox, check the logs to figure out what kind of attacks it detects the firefox is causing.

Inform us of the report, it can be a good research!

ESET Certified Specialist \ Symantec Certified Specialist  \  MCSE +Security  \  CCNSE

mon_raralio's picture

It shouldn't do that. I have SEP and Firefox works well. Although I don't have any add-ins installed.

“Your most unhappy customers are your greatest source of learning.”

Sandeep Cheema's picture

The best approach would be to log all the rules and launch the application again.
Once it's blcoked, Take a look at the logs and see what rule(s) are blocking it.
Create a counter rule exactly the same with the application as firefox.exe but with the action as allow and move it to the top.
 

De facto when AV does something, it starts jumping up and down, waving its arms, and shouting...

"Hey!  I found a virus!  Look at me!  I'm soooo goooood!"

Paul Mapacpac's picture

Hi, Is this the same case with IE? I think it uses the same port with firefox. Please review your current firewall policies.

mon_raralio's picture

Try disabling NTP again, running firefox and running netstat in command prompt or get a gui version so you could see other the ports used at that time and to which IP they're connecting.

“Your most unhappy customers are your greatest source of learning.”

Paul Mapacpac's picture

Hi when I try to do a look up on the IP address, (209.85.227.99) the address belongs to Google, I guess you just need to add this on exceptions.