Endpoint Protection Small Business Edition

  • 1.  How to block applications using java

    Posted Jul 09, 2015 08:07 AM

    I have some applications that create javaw.exe processes. These processes need to communicate in the network system. It is a small and isolated system (no internet). I have done quite some testing, so a lot of background info below.

     

    Firewall policy using host list cannot be used to allow the applications I want to communicate freely in the network, as the communication is not using TCP or UDP. I have done a lot of testing with the firewall policy, and I cannot ID the application/process by its application name. It (I am only using one during development) will only be allowed if I have a rule allowing javaw.exe applications.

    My firewall policy looks like this:

    - Allow javaw.exe

    - Allow all connections on [Host List = IPv4 addresses of network components]

    - Block everything

     

    This works, but gives me a big hole in the firewall. I am trying to address that with an Application Policy (based on default rule AC1 Block applications from running). That looks like this:

    Block Applications from Running. Apply this rule to: *

    Do not apply this rule to *symantec* , *Symantec*, *<application name>*

    Condition:

    Apply to the following processes:  *javaw*

    Do not apply to: *ymantec*, *<application name>*

     

    This rule will not only block my application. It will also block SEPM, as it is also a javaw.exe process. When trying to start my application under this policy, I get an error "Windows cannot access the specified device, path or file. You may not have the appropriate permissions to access the item". For SEPM, it will not react at all. At best I've seen a flash of a command window.

    So even if I specifically exclude Symantec and my application from the Block Application rule, they are still blocked.


  • 2.  RE: How to block applications using java

    Posted Jul 09, 2015 12:42 PM

    In the case of the SEPM being blocked, have you tried excluding the jp2launcher.exe process? It looks like this is what is calling java.



  • 3.  RE: How to block applications using java
    Best Answer

    Posted Jul 09, 2015 06:07 PM

    The reason SEPM cannot be started is that your exclusion in the condition is wrong. There is simply no application where the pattern "*ymantec*" fits. It's part of the argument list, but not of the process name. The process name you have to write in your exclusion for SEPM is javaw.exe as well, but you have to specify it with its arguments. You can see them in the following file:

    <SEPM install folder>\bin\sesm.bat

    So for SEPM your condition could be something like this:

    Apply to the following processes:  javaw.exe

    Do not apply to: javaw.exe

    In the exclusion form, open the lower half with Options, enable Only match processes with the following arguments, enable Use regular expression matching and insert something like this in the field: 

    .*-jar .*scm-ui.jar".*

    Explanation:

    • This is a small part of the argument list of the SEPM console.
    • The regular expression ".*" is similar to the wildcard * (but wildcards are not allowed here)

    If your application is also launched by javaw.exe, exclusion may follow the same principle:

    .*-jar .*your-application.jar.*

     



  • 4.  RE: How to block applications using java

    Posted Jul 10, 2015 05:40 AM

    Thanks greg, that worked perfectly!

     

    Question:
    Is it one condition per process I want to allow, or can I have multiple processes under "Only match processes with the following arguments"? I.e. do I have one condition for SEPM, and another for my application or can I have both listed under the same condition?

     



  • 5.  RE: How to block applications using java

    Posted Jul 10, 2015 06:23 AM

    Happy to help you :-)

    You can add as many processes as you want in the Do not apply to the following process list of one condition. For example, you can add two exclusions for javaw.exe if they have different argument lists. So you don't need two conditions.

    The result should look like this:

    adc01.png
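
The matching behaviour described in the answers above, modelled in Python as an added example (not part of any post and not Symantec's code), so the exclusion patterns can be checked against sample command lines before the policy is deployed. Assumptions: the wildcard is compared with the image name only, the argument regex must match the whole argument string, and every command line and path is a constructed sample, not the real contents of sesm.bat. PINNED_RULE goes one step beyond the thread by tying the application exclusion to a single jar path.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample processes: (image name, argument string). Paths are made up.
PROCS = {
    "SEPM": ("javaw.exe", r'-Xmx256m -jar "D:\sepm\bin\scm-ui.jar"'),
    "APP": ("javaw.exe", r'-jar D:\apps\your-application.jar --site plant1'),
    "OTHER": ("javaw.exe", r'-jar D:\tools\report-viewer.jar'),
    # Same jar file name as APP, started from a different folder.
    "COPY": ("javaw.exe", r'-jar D:\scratch\your-application.jar'),
}

def name_hit(glob, image):
    """Wildcard match on the image name only (assumed model of the rule)."""
    return fnmatchcase(image.lower(), glob.lower())

def is_blocked(proc, apply_to, exclusions):
    """exclusions is a list of (name wildcard, argument regex or None)."""
    image, args = proc
    if not name_hit(apply_to, image):
        return False
    for glob, arg_regex in exclusions:
        if name_hit(glob, image) and (arg_regex is None
                                      or re.fullmatch(arg_regex, args)):
            return False  # an exclusion applies, so the block rule does not
    return True

# Rule from the question: exclusions written as process-name wildcards.
QUESTION_RULE = ("*javaw*", [("*ymantec*", None), ("*your-application*", None)])
# Rule from the accepted answer: two javaw.exe exclusions in one condition,
# told apart by their argument regex.
SEPM_ARGS = r'.*-jar .*scm-ui.jar".*'
ANSWER_RULE = ("javaw.exe", [("javaw.exe", SEPM_ARGS),
                             ("javaw.exe", r'.*-jar .*your-application.jar.*')])
# Hypothetical tightening: escaped dots and a fixed jar path.
PINNED_APP = r'-jar "?D:\\apps\\your-application\.jar"?( .*)?'
PINNED_RULE = ("javaw.exe", [("javaw.exe", SEPM_ARGS), ("javaw.exe", PINNED_APP)])

def report(rule):
    """Return {label: True if blocked} for every sample process."""
    apply_to, exclusions = rule
    return {k: is_blocked(p, apply_to, exclusions) for k, p in PROCS.items()}

if __name__ == "__main__":
    for label, rule in (("question", QUESTION_RULE), ("answer", ANSWER_RULE),
                        ("pinned", PINNED_RULE)):
        print(label, report(rule))
```

With the answer's patterns, the jar of the same name in another folder is also excluded from blocking; the path-pinned pattern excludes only the intended command line.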

     



  • 6.  RE: How to block applications using java

    Posted Jul 10, 2015 07:00 AM

    I meant if I can have both argument lists in the same exclusion  :)

    Makes sense that I cannot.

     

    Thanks a lot both of you. I have been struggling with this for two weeks. Should have gone to the forums right away  :)