Endpoint Protection


Disabling ActiveX prevents SEPM from updating


  • 1.  Disabling ActiveX prevents SEPM from updating

    Posted Mar 31, 2010 05:02 AM

    Hi,
    Recently we disabled ActiveX on the Juniper firewall due to a security policy requirement. Subsequently we found that LiveUpdate was unsuccessful due to this.

    Is there a way to update without enabling ActiveX on the firewall?

    Thanks for any help on this.




  • 2.  RE: Disabling ActiveX prevents SEPM from updating

    Posted Mar 31, 2010 05:15 AM
    Don't know how ActiveX on the firewall is blocking updates. Check this document and make sure you have allowed
    www.symantec.com
    ftp.symantec.com

    How to determine whether your firewall is blocking LiveUpdate

    http://service1.symantec.com/SUPPORT/sharedtech.nsf/d3c44a1678bd8f45852566aa005902cb/c0aeb869920b38b688256d980074e389?OpenDocument&prod=Symantec%20AntiVirus%20Corporate%20Edition&ver=10.0&src=ent&pcode=sav_ce&dtype=corp&svy=&prev=&miniver=sav_ce_10


  • 3.  RE: Disabling ActiveX prevents SEPM from updating

    Posted Mar 31, 2010 07:30 AM
    Did you try that document?


  • 4.  RE: Disabling ActiveX prevents SEPM from updating

    Posted Mar 31, 2010 10:51 PM
    Attached is the screen shot of where ActiveX components were blocked. Ports should be working as currently it is updating if the block is not enabled. Thanks.


  • 5.  RE: Disabling ActiveX prevents SEPM from updating

    Posted Apr 01, 2010 06:09 AM

    Tried. ActiveX was detected and blocked from 124.155.222.41:80.



  • 6.  RE: Disabling ActiveX prevents SEPM from updating

    Posted Apr 01, 2010 06:16 AM
    I don't believe it is ActiveX. There is some problem with your firewall/firewall rule (I am not a firewall expert but I can tell this much).


  • 7.  RE: Disabling ActiveX prevents SEPM from updating

    Posted Apr 01, 2010 06:37 AM
    If you check ActiveX, does LiveUpdate work?
    How do you run LiveUpdate?
    Start - Run - luall.exe?
    Or SEPM - Admin - Servers - Run LiveUpdate?
    The above two will run under your account;
    create a schedule and check if that downloads defs (system account).


  • 8.  RE: Disabling ActiveX prevents SEPM from updating

    Posted Apr 05, 2010 12:49 AM
    No kidding, it took us weeks to find out the ActiveX blocking was causing the failure.
    No rules were changed at all. Believe!


  • 9.  RE: Disabling ActiveX prevents SEPM from updating

    Posted Apr 05, 2010 02:30 AM

    Please see my reply to your questions:

    if you check activex ; does the liveupdate work?
    No. This is the problem that I am highlighting.

    We have tried scheduled and manual updates; both do not work when ActiveX content is blocked on the firewall.
    The current ruleset is OK, as we can do the update when ActiveX blocking is disabled.

    Thanks.

     



  • 10.  RE: Disabling ActiveX prevents SEPM from updating

    Posted Apr 13, 2010 10:00 PM
    Can anyone help on this?
    It would not be such an issue but we are required to block ActiveX content.

    Is there a way to do auto updating without the need for ActiveX ?


  • 11.  RE: Disabling ActiveX prevents SEPM from updating

    Posted Apr 14, 2010 12:52 AM
    I am pretty confident that Liveupdate has nothing to do with ActiveX at all.
    It will use http but will then fall back to ftp if it can't connect.

    Are you talking about liveupdate administrator?
    Or liveupdate on the SEPM server?
    Or liveupdate on a SEP client?

    I would be going over your firewall rules to work out exactly what is going on.

    Liveupdate on the SEPM tries the following:

    HOSTS\0\ACCESS2=http://liveupdate.symantecliveupdate.com
    HOSTS\0\TYPE=HTTP

    HOSTS\1\ACCESS2=http://liveupdate.symantec.com
    HOSTS\1\TYPE=HTTP

    HOSTS\2\ACCESS2=ftp://update.symantec.com/opt/content/onramp
    HOSTS\2\TYPE=FTP




  • 12.  RE: Disabling ActiveX prevents SEPM from updating

    Posted Apr 14, 2010 08:43 AM
    Can you whitelist the following three addresses on the firewall and see if updates resume even if the ActiveX blocking is enabled?

    http://liveupdate.symantecliveupdate.com
    http://liveupdate.symantec.com
    ftp://update.symantec.com


  • 13.  RE: Disabling ActiveX prevents SEPM from updating

    Posted May 17, 2010 04:38 AM

    I'm referring to LU for SEPM. The rules are OK as it works now. The problem is when ActiveX is blocked in the screening options.
    Thanks for the suggestions, will look into it when possible. Please don't doubt me as it took me weeks to find out what caused the failed updates :( To confirm it, I tried the link http://liveupdate.symantecliveupdate.com/livetri.zip sent by Rafeeq. When the ActiveX blocking was enabled, I got someone to test the link from the server and I saw this log: ActiveX was detected and blocked from 124.155.222.41:80. Disabled the ActiveX block, and the download link worked.



  • 14.  RE: Disabling ActiveX prevents SEPM from updating

    Posted May 17, 2010 07:41 AM
    Exactly how is the firewall blocking Active-X content - what is it looking at to do this?
    I suspect the rule is generic enough that something about LU is LOOKING LIKE active-x content to the rule.
    Seriously, LU will even use FTP if HTTP doesn't work, and nothing about FTP is active-x, so there's something else happening in that rule.
    I'd like to know how the rule determines what is active-x.
    Have you run something like Wireshark to see what's in the packets being blocked?


  • 15.  RE: Disabling ActiveX prevents SEPM from updating

    Posted May 18, 2010 12:48 AM
    I'm not sure how the blocking works. It's not rule based; basically you can select to block ActiveX content in the options. I did a screenshot in my earlier post. Don't think FTP is currently permitted, can't have unsecured FTP and programs like Wireshark on the server. I understand it's not a bug, just wondering if there's a workaround to it other than using FTP. Thanks.


  • 16.  RE: Disabling ActiveX prevents SEPM from updating

    Posted May 18, 2010 01:06 AM
    I think it is better to take this issue to your firewall manufacturer.


  • 17.  RE: Disabling ActiveX prevents SEPM from updating

    Posted May 18, 2010 07:37 AM
    >>Don't think ftp is currently permitted, can't have unsecured ftp <<

    That would mean an FTP service running on the server so someone could FTP *IN*, not meaning something can't FTP out like LU.
    True, you don't want unwanted services running, and FTP service running on a server is a risk unless very well secured, but that refers to FTP itself being on the server waiting for an incoming connection. The admin rules won't be referring to SEP FTPing out to get LU updates.
    At least in any corporation or agency I've ever worked for.................
    The firewall probably does need to allow outbound FTP, but I've never seen security folks balk at that really, as it can be locked down so that only one specific service from one specific location on a specific server is allowed through.


  • 18.  RE: Disabling ActiveX prevents SEPM from updating

    Posted May 21, 2010 12:57 AM
    Yes, I do agree. The other issue is that FTP becomes the single point of failure if HTTP does not work. As usual, there is always a check and balance when tightening security.


  • 19.  RE: Disabling ActiveX prevents SEPM from updating

    Posted May 26, 2010 09:08 PM
    Saw this in the reference guide:
    NOTE: When ActiveX-blocking is enabled, the security device blocks Java applets, .exe
    files, and .zip files whether or not they are contained within an ActiveX control.
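
The host list quoted in post 11 and the reference-guide note in post 19 can be combined into a quick egress check. The following is an added example, not code from the thread or from Symantec or Juniper: it parses the `HOSTS\n\...` entries into outbound allow-list rows and flags which fetches the screening option would drop. The function names, the default ports, and the assumption that the screen inspects HTTP only are illustrative.

```python
import re
from urllib.parse import urlsplit

# Host entries as quoted in the thread (LiveUpdate on the SEPM).
SETTINGS = r"""
HOSTS\0\ACCESS2=http://liveupdate.symantecliveupdate.com
HOSTS\0\TYPE=HTTP
HOSTS\1\ACCESS2=http://liveupdate.symantec.com
HOSTS\1\TYPE=HTTP
HOSTS\2\ACCESS2=ftp://update.symantec.com/opt/content/onramp
HOSTS\2\TYPE=FTP
"""

# File types the reference-guide note says are dropped with ActiveX blocking on.
BLOCKED_EXTENSIONS = (".exe", ".zip")
DEFAULT_PORTS = {"http": 80, "ftp": 21}
ENTRY = re.compile(r"^HOSTS\\(\d+)\\(ACCESS2|TYPE)=(.+)$")


def parse_hosts(text):
    """Group HOSTS\\<n>\\<key>=<value> lines into one dict per host index."""
    hosts = {}
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            hosts.setdefault(int(m.group(1)), {})[m.group(2)] = m.group(3).strip()
    return [hosts[i] for i in sorted(hosts)]


def egress_plan(text, filename="livetri.zip"):
    """Return (host, proto, port, dropped_by_screen) rows in listed order."""
    plan = []
    for entry in parse_hosts(text):
        url = urlsplit(entry["ACCESS2"])
        proto = entry.get("TYPE", url.scheme).lower()
        port = url.port or DEFAULT_PORTS[proto]
        # Assumption: the screen inspects HTTP downloads only; the thread does
        # not say how it treats FTP, so FTP is reported as not dropped.
        dropped = proto == "http" and filename.lower().endswith(BLOCKED_EXTENSIONS)
        plan.append((url.hostname, proto, port, dropped))
    return plan


if __name__ == "__main__":
    for host, proto, port, dropped in egress_plan(SETTINGS):
        state = "dropped by ActiveX screen" if dropped else "passes screen"
        print(f"allow outbound {proto}/{port} -> {host}: {state}")
```

With the thread's `livetri.zip` test file, both HTTP sources are flagged, which matches the poster's observation that updates fail only while the screening option is enabled.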