
Windows update and SEP firewall

Created: 15 Mar 2013 | 9 comments

Windows Update is being blocked in our test group for our new firewall policies. I have created a host group and placed the various MS domains for updates in that and made sure to allow all applications to those sites. (I did also include an Akamai domain that I see them using.)

Any ideas? I still see svchost.exe being blocked when I try and run MS update on the host.

Anyone else have any luck with this?


_Brian:

MS has a bunch of domains, so it is possible you're missing one and the connection attempt is being blocked. What port is it going out over? You can open port 80 and 443.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

mtju:

It does. I noticed on their site the list that they have for updates. I set a wildcard for them, as in *.microsoft.com, *.microsoftupdate.com, etc. Could that be the issue? Should I put in the domains explicitly?

I would prefer not to open svchost.exe wide open to ports 80 and 443, as malware can hijack that service quite easily. I would rather whitelist the locations that it can go to.

_Brian:

If you don't want to open port 80/443 for all traffic, then add the domains like you mentioned above.

Rafeeq:

Open the SEPM firewall policy, under Protection and Stealth.

If you have "Enable OS fingerprint masquerading" checked, please uncheck that.

Mithun Sanghavi:

Hello,

It would be helpful to know what version of SEP you're using, what's installed (SEPM? SEP client?), but more importantly, what the exact error is that you are seeing.

Check these Threads:

https://www-secure.symantec.com/connect/forums/sep-blocking-windows-update

https://www-secure.symantec.com/connect/forums/cwindowssystem32svchostexe

Secondly, check these Articles:

Error: "Security Risk Found! Hosts File Change in File: c:\windows\system32\svchost.exe by: SONAR scan"

http://www.symantec.com/docs/TECH164391

Symantec Endpoint Protection 12.1: Blocked System Change Events produce unexpected messages

http://www.symantec.com/docs/TECH161646

Creating an DNS or Host File Change Exception in Symantec Endpoint Protection Manager 12.1 RU1 MP1 and above.

https://www-secure.symantec.com/connect/articles/creating-dns-or-host-file-change-exception-symantec-endpoint-protection-manager-121-ru1-mp1

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

mtju:

We do not have OS masquerading enabled.

It is client 12.1.x.

I can see that it is blocking the svchost.exe in the traffic logs. It only shows the IP address being blocked and not the domain. For others, I see the domain and the IP being blocked.

_Brian:

Windows Update uses svchost.exe for updating.

I would suggest putting in the domain names if you know them. Otherwise, you open port 80/443, but it sounds like you don't want that, nor would I suggest allowing traffic from svchost.exe as malware likes to use this name quite a bit. You can, however, specify by file fingerprint in the SEPM, but I'm not sure how fine-grained you want to be.

mtju:

Got it!

Thank you everyone for your help.

There is a more comprehensive list of the domains here: http://forums.isaserver.org/m_2002033740/mpage_1/key_/tm.htm#2002033740

Funny thing is, I have wildcards set up for a lot of things like *.microsoft.com, but until I added in the subdomains like *.download.microsoft.com it was not working.

mtju:

So here is a more comprehensive list of domains needed.

http://forums.isaserver.org/m_2002033740/mpage_1/k...

Funny thing is that I had *.microsoft.com, etc. and it did not work. As soon as I added *.update.microsoft.com and the other subdomains like that, it started working.
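An added example, not from the thread or from Symantec: a small Python audit that models the behaviour mtju reported, on the assumption that the host-group wildcard `*` stands for exactly one DNS label (so `*.microsoft.com` does not cover `www.update.microsoft.com`). The hostnames in OBSERVED are constructed for illustration; check them against the firewall traffic log before relying on any such list.

```python
import fnmatch

# Constructed sample of destinations a Windows Update client (svchost.exe)
# might contact; illustrative only, not taken from the thread or vendor docs.
OBSERVED = [
    "www.update.microsoft.com",
    "download.windowsupdate.com",
    "au.download.windowsupdate.com",
    "v5.windowsupdate.microsoft.com",
    "www.microsoft.com",
]

# Host group as first configured (wildcards only at the second level) ...
BEFORE = ["*.microsoft.com", "*.windowsupdate.com", "*.microsoftupdate.com"]
# ... and after adding the deeper subdomain entries mtju found necessary.
AFTER = BEFORE + [
    "*.update.microsoft.com",
    "*.windowsupdate.microsoft.com",
    "*.download.windowsupdate.com",
]


def matches_single_label(pattern, host):
    """Assumption: '*' matches exactly one DNS label (the semantics the
    thread's observation suggests). Label counts must therefore agree."""
    p = pattern.lower().split(".")
    h = host.lower().split(".")
    return len(p) == len(h) and all(pl == "*" or pl == hl for pl, hl in zip(p, h))


def matches_multi_label(pattern, host):
    """Glob semantics, where '*' may span several labels; shown for contrast."""
    return fnmatch.fnmatch(host.lower(), pattern.lower())


def uncovered(group, hosts=OBSERVED, matcher=matches_single_label):
    """Return the hosts that no pattern in `group` allows under `matcher`.
    Anything listed here would still be blocked for svchost.exe."""
    return [h for h in hosts if not any(matcher(pat, h) for pat in group)]


if __name__ == "__main__":
    print("single-label, before:", uncovered(BEFORE))
    print("single-label, after: ", uncovered(AFTER))
    print("multi-label,  before:", uncovered(BEFORE, matcher=matches_multi_label))
```

Running it shows that, under single-label matching, three of the five constructed hosts are still blocked with the original group and none with the extended one, whereas glob-style matching would have covered all of them from the start.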