
Unmanaged SEP client - app firewall rule not working

Created: 09 Nov 2012 | 8 comments

Hi all.

I've spent quite a while trying to work this out but can't seem to crack it. I'm sure it's not that hard, just can't find the answer.

I have SEP V12.1.671.4971 self managed on a Windows 7 x64 machine. I've tried to configure a firewall rule through Network Threat Protection and I can't get it to work. The rule works with the following settings (no applications added):

General tab - block this traffic, all network adapters, either on or off, record in packet log
Hosts - all hosts
Ports and protocols - all protocols, both directions
Applications - no apps listed
Scheduling off

---the above blocks all traffic.

However when I add an application

applications tab - c:\...path\chrome.exe

the rule no longer works. I.e. it lets traffic through as it should but does not block chrome.exe.

---

Does anyone know why this might be?

Thanks in anticipation.

Side note:

Is it that the OS is 64 bit? It does not make sense that the app rule would not work because of that, but I did see something referring to that somewhere.

The other note I saw was in the SEP 11 known issues doc where it talked about the filter not working with the full path of the exe, rather just the exe name had to be used. However I think this is to do with the selection filter in the client manager. And in any case "just the name" cannot be added in the client firewall configuration form, it only takes the full path because the file is selected not typed in.


Comments (8)

pete_4u2002:

do not add path, just say chrome.exe (assuming that's the application name). let know how it goes.

PVEndpoint:

Thanks for your quick response Pete. In the client itself I can't seem to enter just the exe name "chrome.exe". Instead I have to browse to the location and select the file, which automatically adds the whole path.

The closest I can get to just the exe is if I'm in C:\ but that just gives the wrong path.

From what I remember reading, I got the impression that entering just the exe name was for when using the manager and the filtered learned list of exe's, but that's a guess as I don't have access to a SEPM.

An image is attached (with part of the path erased).

Thank you

[Attachment: SEPExeFWRule.png]

PVEndpoint:

Hi Black. Yes that option (allow only application traffic) is there and [was always] checked. The sub item "prompt before ..." is unchecked as per your image.

I wonder if it has something to do with firewall rules overriding application rules. I have attached an image of all the rules. I can't see a rule there that would override chrome, but maybe I'm missing something.

McAfee SiteAdvisor is installed. I read somewhere that certain web browsing protection software redirects traffic and so the firewall does not catch it. Could that be the case? I tested it with ping.exe and the ping app does not get blocked either.

Thank you both for your time on this. It has got to be something simple that I'm missing.

[Attachment: SEPAllFWRules.png]

PVEndpoint:

I really can't see what I might be doing wrong. It seems so simple it should work.

Is there a known issue with unmanaged SEP client V12.1.671.4971 on Windows 7 64 bit machines where FW rules by application don't work?

I've seen the issue where the \ is put in wrongly as / and has to be corrected, but this is not a problem in this case. I've seen mention of only entering the exe name, but this is not possible using the SEP client FW rule creator.

PVEndpoint:

Is it possible to add firewall rules to an unmanaged client via script? Perhaps then I can try using just the exe name without path.

PVEndpoint:

It's still not working, though I managed to get just the exe name (chrome.exe, ping.exe) into the rule without the path.

Using smc.exe -importadvrule, as per this useful link,

http://www.symantec.com/business/support/index?pag...

allowed me to do that, but it still is not blocking traffic.

If I don't specify any application then the traffic gets blocked (in this case it is all protocols, so all traffic); however, as soon as I add the application to apply the rule to, it does not work.


--

This link talks about application rule issues when the rule is an allow rule with no additional trigger other than the application name. However, the rule I'm setting is a deny, so it should not be affected by this, right?

http://www.symantec.com/business/support/index?pag...

In any case I tried blocking the ping app using the ICMP protocol and it still did not block it, even with that additional trigger.


PVEndpoint:

Resolved. It seems that the whole path of the application can be used; however, it did not start working until the day after I entered the rules. Perhaps it was the hibernation that did it. I had tried disabling and re-enabling SEP but that did not fix it. Perhaps the SEP client needs a restart if an application is included in the FW rules.

Thanks all for your help.
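The thread's resolution (the application-scoped block rule only took effect after the client was effectively restarted) suggests a repeatable check rather than waiting a day. The script below is an added example, not code from the thread or from Symantec: it imports a rule file with the smc.exe -importadvrule switch the poster used, restarts the SEP client with smc.exe -stop / -start, and then verifies enforcement by running ping.exe, the application the poster tested with, against a reachable test host. The smc.exe install path, the contents of the rule file (assumed to have been produced with smc.exe -exportadvrule or written per the linked Symantec article), the placeholder test address and the sleep intervals are all assumptions; nothing here is taken from the thread beyond the switch name and the ping.exe test.

```powershell
# Added example (not from the thread): apply an advanced firewall rule file on an
# unmanaged SEP 12.1 client, restart the client, and verify that a block rule
# scoped to ping.exe is actually enforced.
param(
    [Parameter(Mandatory = $true)][string]$RuleFile,   # rule file (assumed exported with -exportadvrule)
    [string]$TestHost = '192.0.2.1',                    # placeholder (TEST-NET-2); use a host that answers ping
    [string]$SmcPath  = 'C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\smc.exe'  # assumed path
)

function Invoke-Smc {
    param([string[]]$Arguments)
    if (-not (Test-Path $SmcPath)) { throw "smc.exe not found at $SmcPath" }
    $p = Start-Process -FilePath $SmcPath -ArgumentList $Arguments -Wait -PassThru -NoNewWindow
    return $p.ExitCode
}

function Test-PingBlocked {
    param([string]$Target)
    # ping.exe exits 0 when at least one reply arrives and non-zero when every probe
    # fails; a block rule scoped to ping.exe should therefore produce the non-zero case.
    & ping.exe -n 2 -w 1000 $Target | Out-Null
    return ($LASTEXITCODE -ne 0)
}

# Baseline: the test host must answer before the rule exists, otherwise a later
# "blocked" result proves nothing.
if (Test-PingBlocked -Target $TestHost) {
    Write-Warning "$TestHost does not answer ping before the rule is applied; choose a reachable test host."
    exit 2
}

# 1. Import the rule file (the switch the thread used).
Invoke-Smc -Arguments @('-importadvrule', $RuleFile) | Out-Null

# 2. Restart the client. The thread found the rule only took effect after the
#    machine came back the next day, so a client restart is the hypothesis being
#    tested here. -stop may prompt for the client password if one is configured.
Invoke-Smc -Arguments @('-stop') | Out-Null
Start-Sleep -Seconds 10
Invoke-Smc -Arguments @('-start') | Out-Null
Start-Sleep -Seconds 10

# 3. Verify: ping.exe should now fail if the application rule is enforced.
if (Test-PingBlocked -Target $TestHost) {
    Write-Output "PASS: ping.exe to $TestHost is blocked after importing $RuleFile"
    exit 0
} else {
    Write-Output "FAIL: ping.exe to $TestHost still succeeds; check the Network Threat Protection packet log"
    exit 1
}
```

Run it from an elevated PowerShell prompt as `.\Test-SepAppRule.ps1 -RuleFile .\block-ping.xml -TestHost <reachable host>`. The baseline step matters: if the host never answered, the post-import "blocked" result would be indistinguishable from a dead target, which is the same ambiguity the poster ran into when trying to tell a non-working rule from a rule that simply had not loaded yet.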