Endpoint Protection


Endpoint Protection 11 Network Threat Protection Firewall Issue

  • 1.  Endpoint Protection 11 Network Threat Protection Firewall Issue

    Posted Jul 12, 2010 07:03 PM
    I am using Endpoint Protection 11.0.6000.550 in an unmanaged environment.

    The Network Threat Protection Log does not identify some of the applications that are initiating network traffic.  I have used other resources to identify the applications responsible for this traffic and used this information to construct a firewall rule to allow the application to use the appropriate ports to access the needed IPs.

    This rule will not allow this traffic through the firewall with the application identified.  I must use the "All Applications" option to get the firewall to allow use of these ports to access the needed IPs.  This opens traffic through the firewall for all applications.  It appears that the reason the log does not show the application is because it is not detected as the application initiating the traffic and therefore it is also not detected by the firewall rule and then the firewall engine works through the rule set to block the traffic at the end.  Has anyone experienced this problem?  Thanks for your help.  


  • 2.  RE: Endpoint Protection 11 Network Threat Protection Firewall Issue

    Posted Jul 12, 2010 11:47 PM
    What I have observed is that you get more functionality when it comes to policy when we do it from the SEPM. Can you try

    1. Make this client managed and create the rule from the SEPM

    OR

    2. Create a rule in the SEPM and manually export on the client


  • 3.  RE: Endpoint Protection 11 Network Threat Protection Firewall Issue

    Posted Jul 13, 2010 03:43 AM
    It might not be just one file; there could be some DLL and SYS files as well behind the application that is initiating this traffic.


  • 4.  RE: Endpoint Protection 11 Network Threat Protection Firewall Issue

    Posted Jul 13, 2010 10:08 AM
    Thanks for the speedy replies.

    Prachand,

    I have only 3 clients to manage, and the Client environment offers all the functionality I need at this time to manage this limited number of clients.  Thanks for your help.

    Vikram Kumar,
     
    You are correct in your suspicion that it is more than 1 file.   Below please find a few outgoing Log file entries.  These are blocked because I cannot construct a firewall rule identifying the application or Windows component initiating the traffic.
     
    Action:                  Blocked
    Traffic:                  Outgoing
    Protocol:              TCP
    Destination:        microsoft.com [207.46.232.182]
    Remote Port:      80
    Application:
    Firewall Rule:     X  All Other IP Traffic
    (The Application field is blank)
    Action:                  Blocked
    Traffic:                  Outgoing
    Protocol:              TCP
    Destination:        microsoft.com [207.46.197.32]
    Remote Port:      80
    Application:
    Firewall Rule:     X  All Other IP Traffic
     
    Action:                  Allowed
    Traffic:                  Outgoing
    Protocol:              TCP
    Destination:        software.gfi.com [64.239.246.15]
    Remote Port:      80
    Application:
    Firewall Rule:     O  LANguard GFI Software Update Check
    (This rule must allow all applications through the firewall in order for LANguard to check for updates, the application Languard9.exe is not identified as the application initiating this traffic.)
     
    Action:                  Blocked
    Traffic:                  Outgoing
    Protocol:              TCP
    Destination:        ardownload.adobe.com [96.17.75.90]
    Remote Port:      80
    Application:
    Firewall Rule:     X  All Other IP Traffic      
     
    Action:                  Blocked
    Traffic:                  Outgoing
    Protocol:              TCP
    Destination:        ardownload.adobe.com [96.17.75.137]
    Remote Port:      80
    Application:
    Firewall Rule:     X  All Other IP Traffic
     
    Action:                  Allowed
    Traffic:                  Outgoing
    Protocol:              TCP
    Destination:        software.gfi.com [64.239.246.15]
    Remote Port:      80
    Application:
    Firewall Rule:     O  LANguard GFI Software Update Check
    (Again, the rule that allows this traffic must allow all applications through the firewall in order for LANguard to check for updates, the application Languard9.exe is not identified as the application initiating this traffic.)
     
    The above firewall rule should restrict traffic to only the application LANguard9.exe.  The rule must be configured to allow all applications to access this IP in order for LANguard9.exe to access this IP.
     
    Network Threat Protection also does not identify the Windows component used by Microsoft’s latest method of Windows validation.
     
    Thanks again for your help.

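As an added example (not code from this thread or from Symantec), here is a small Python parser for NTP log entries in the layout quoted above. It pulls out the blocked flows whose Application field is blank (the ones that fell through to "All Other IP Traffic") and the allow rules that, as described, had to be opened to every application because the owning process was never identified. The sample log text is constructed to match the posted entries; the updater.exe record is made up to show an attributed flow.

```python
import re
from collections import defaultdict
# Constructed sample in the layout of the NTP log entries posted above (not a real log).
SAMPLE_LOG = """\
Action: Blocked
Destination: microsoft.com [207.46.232.182]
Remote Port: 80
Application:
Firewall Rule: X All Other IP Traffic
(The Application field is blank)

Action: Allowed
Destination: software.gfi.com [64.239.246.15]
Remote Port: 80
Application:
Firewall Rule: O LANguard GFI Software Update Check

Action: Allowed
Destination: example.test [192.0.2.10]
Remote Port: 443
Application: C:\\Program Files\\Example\\updater.exe
Firewall Rule: O Example Updater
"""
FIELD_RE = re.compile(r"^([A-Za-z ]+):\s*(.*)$")  # "Key: value"; value may be empty

def parse_ntp_log(text):
    """Blank-line separated records -> list of {field: value} dicts."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            m = FIELD_RE.match(line.strip())
            if m:  # "(parenthetical notes)" never match and are skipped
                fields[m.group(1).strip()] = m.group(2).strip()
        if fields:
            records.append(fields)
    return records

def audit_attribution(records):
    """Unattributed flows: blocked ones hit the catch-all; allowed ones mean an any-app rule."""
    blocked, broad_allows = [], defaultdict(set)
    for r in records:
        if r.get("Application"):  # attributed: an app-scoped rule can match it
            continue
        dest = "%s:%s" % (r.get("Destination", "?"), r.get("Remote Port", "?"))
        if r.get("Action") == "Blocked":
            blocked.append(dest)
        elif r.get("Action") == "Allowed":
            broad_allows[r.get("Firewall Rule", "?")].add(dest)
    return blocked, {k: sorted(v) for k, v in broad_allows.items()}
```

Running `audit_attribution(parse_ntp_log(SAMPLE_LOG))` lists the Microsoft flow as blocked-unattributed and flags the LANguard rule as one that is currently open to all applications.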

  • 5.  RE: Endpoint Protection 11 Network Threat Protection Firewall Issue

    Posted Jul 13, 2010 12:23 PM
    Netstat -o -a ?


  • 6.  RE: Endpoint Protection 11 Network Threat Protection Firewall Issue

    Posted Jul 13, 2010 12:49 PM
    Make the Client in Client Control Mode. Then check the logs on the Client and also check the "View Network Activity".
    Then in NTP Settings, select

    Allow only Application traffic - Prompt before allowing...
    You do this by installing an Unmanaged client as well.
    Once the application and rule are streamlined you can switch the client to Server Control Mode.


  • 7.  RE: Endpoint Protection 11 Network Threat Protection Firewall Issue

    Posted Jul 13, 2010 02:29 PM
    Jason1222,

    NetStat does not show the applications or components initiating the network traffic. Thanks for your input.

    Vikram Kumar,

    The LANguard traffic is allowed by the firewall rule but the traffic is not picked up by the View Network Activity Monitor.

    I configured the Allow only Application traffic and the Prompt before allowing.  Disabled the firewall rule that allows all applications and the NTP still did not recognize that this traffic was from an application.  There was no prompt to make a choice and the traffic was blocked by the last rule in the rule set, which blocks all traffic not previously addressed in the rule set.  Again thanks for your help.


  • 8.  RE: Endpoint Protection 11 Network Threat Protection Firewall Issue

    Posted Jul 13, 2010 02:29 PM
    Does LANguard install any IE/Browser Add-Ons?
    In that case it would be the Add-On that would initiate the download.

    Check in IE: Internet Options - Programs - Manage Add-Ons


  • 9.  RE: Endpoint Protection 11 Network Threat Protection Firewall Issue

    Posted Jul 13, 2010 03:01 PM
    Vikram,

    LANguard does not use IE add-ons.  The user interface is a Windows client using the .NET Framework.  I have used SysInternals TCPView.exe to confirm that the application initiating the traffic is LANguard.exe.  The problem seems to be that SEP NTP is not recognizing the traffic as being initiated by LANguard.exe.  This behavior is not exclusive to the LANguard.exe traffic.  This problem also exists in the case of Microsoft traffic.  Thanks so much for your efforts.


  • 10.  RE: Endpoint Protection 11 Network Threat Protection Firewall Issue

    Posted Jul 15, 2010 08:17 PM
    Updated to SEP 11 MU6a Version 11.0.6006.562 with no correction of SEP NTP not recognizing the application initiating network traffic.


  • 11.  RE: Endpoint Protection 11 Network Threat Protection Firewall Issue

    Posted Sep 17, 2010 04:46 AM
    Hi, I am also trying to configure the firewall policy at the SEPM. The rule I've set is to block outgoing 25 only. I've used the default policy and added this rule, but it proved futile: I can telnet port 25. Another way I've tried is to disable all and enable this rule only. This time it works, except that all my internet and network browsing failed. It seems to be an all-or-nothing situation.

    I blocked using TCP/UDP ports as well as the SMTP service.

    Hope anyone can help.