Endpoint Protection


My Firewall rules don't seem to work :-(

  • 1.  My Firewall rules don't seem to work :-(

    Posted Sep 25, 2009 06:33 AM
    Hi.

    I'm probably being a numpty here - only just getting used to the network threat protection in SEP - it's currently in test.....

    To test the blocking of applications I created a copy of the default firewall policy and applied it to my test group - I then created a block rule (above the blue line) which should block Lotus Notes on the network and Internet Explorer....I used these because they're used all the time....

    So I specified the applications from the learned applications list....I'm pretty sure I've covered all the Lotus Notes components - and I chose IE from the learned list too....all show file fingerprint and location....but, it hasn't worked...not a sausage...no network blocking, and my test group can use Notes and IE as normal....

    What gives? Here's a screenshot of the test firewall policy....the rule is rule no.7 - this is applied to my test group for both locations

    I had used this policy before to 'Ask' for traffic going out, that seemed to work, I did that by changing rules no.10 and 13 to 'Ask' instead of 'Allow'

    firewall.JPG


  • 2.  RE: My Firewall rules don't seem to work :-(

    Posted Sep 25, 2009 06:41 AM


  • 3.  RE: My Firewall rules don't seem to work :-(

    Posted Sep 25, 2009 06:54 AM
    but what if I want to block the application from running on the network but not stop it entirely.

    can you tell me what is the point of the application bit on the firewall if it's not for this purpose?

    to me the rule is saying that xxx application cannot communicate on the network using the specified ports at the specified times etc....

    if this wasn't supposed to be used like this then there wouldn't be a default rule saying 'any application' - allowed etc.

    thanks


  • 4.  RE: My Firewall rules don't seem to work :-(

    Posted Sep 25, 2009 07:12 AM
    You can block the application traffic using firewall..so that your IE will open but won't connect to any website etc..


  • 5.  RE: My Firewall rules don't seem to work :-(

    Posted Sep 25, 2009 08:27 AM
    yeah that's what I'm sort of trying to accomplish - would you say the rule in my screenshot should do that? if so, any ideas why it's not working?

    I guess I should've been clearer in my first post - I'm not trying to stop the application from running, just stop it on the network....


  • 6.  RE: My Firewall rules don't seem to work :-(

    Posted Sep 25, 2009 08:38 AM
    As you have selected the option to write to traffic or packet log, what do the logs reflect?


  • 7.  RE: My Firewall rules don't seem to work :-(

    Posted Sep 25, 2009 08:40 AM
    Since we can't really see your rule - only the generic descriptions, we can't see the specific application you have set up and how - it's hard to say. How about skipping hashes, etc. and just doing a block of anything in that folder from getting out - don't name specific files, and don't specify beyond just the file name. FORGET signatures in your initial testing, save that for later, the fine-tuning.
    Block   c:\program files\this app\*.exe  and leave it at that, for example. No fingerprint or signature.
    I defined TCP/IP ports of 80 and 443 and it works blocking IE from certain sites. I've even blocked WMP from certain sites so they can't shop and download music online but CAN listen to or view training materials via WMP - so I know it works..........


  • 8.  RE: My Firewall rules don't seem to work :-(

    Posted Sep 25, 2009 08:51 AM
    I created a firewall policy for application and just manually entered iexplore.exe,
    updated the policy and iexplore stopped browsing
    because my computer was in Server Control Mode.
    I switched it to Client Control mode and it started working with the same policies, as in Client Control local firewall policies take over.

    So make sure your Clients are in Server Control mode.



  • 9.  RE: My Firewall rules don't seem to work :-(

    Posted Sep 25, 2009 08:54 AM
    holy cr @p - I never even saw that - would've taken me years to spot a forward slash - I didn't put a forward slash, it did that by default when I selected the app..... let me try changing that right now, if I don't reply in 5 minutes it's because I've blocked IE from working lol

    thanks.


  • 10.  RE: My Firewall rules don't seem to work :-(
    Best Answer

    Posted Sep 25, 2009 09:00 AM
    Your slashes are wrong. It should be c:\
    It's stupid, but I bet it will work if you change them:)

    They should have fixed this bug by now :)


  • 11.  RE: My Firewall rules don't seem to work :-(

    Posted Sep 25, 2009 09:16 AM
    BJohn - give me a big slobbery kiss......that worked a treat....

    I'd have never ever seen that....I looked at the rule for the best part of yesterday and I never even noticed the forward slashes.....this is really sloppy work Symantec... it's not even a variable I entered, I just selected the file..

    and for anyone else's information - when I was changing the slashes around, I changed the description slashes, but these were supposed to have a forward slash for them files, so even the description field in the application rule has to match exactly....which is fine I guess, but just look out for that too.......

    thanks again BJohn - thought I was going bonkers as to why this wasn't working - this now works as intended


  • 12.  RE: My Firewall rules don't seem to work :-(

    Posted Sep 25, 2009 09:52 AM

    How to Block Applications using Application and Device Control Policy.

    Prerequisites:

    1. The Application and Device Control Policies do not work on 64-bit client computers.

    2. Make sure you have Network Threat Protection on the 32-bit client end.

    3. After the policy has been assigned to the group, we need to restart the client end machine for the policy to take effect.

    So, here is how we go about creating an application blocking policy.

    1.

    ap1.JPG

    2.

    ap2.JPG

    3.

    ap3.JPG

    4.

    ap4.JPG

    NOTE: After the policy has been assigned to the group, we need to restart the client end machine for the policy to take effect.



  • 13.  RE: My Firewall rules don't seem to work :-(

    Posted Sep 25, 2009 10:24 AM
    I think you're getting the wrong end of the stick......this isn't what I asked how to do......

    Bjohn had the correct answer