Endpoint Protection

  • 1.  SEP 12.1.6 MP6 & Windows 10 Hyper-V

    Posted Nov 22, 2016 08:53 AM

    Are there known issues/limitations with use of SEP 12.1.6 MP6 on a Windows 10 x64 system using Hyper-V?

    As a test this is a clean OOTB install of SEP -- no custom policy added at this point.

    As an example, I have a Hyper-V version 2 guest running Ubuntu 16.10. That VM is configured to use BRIDGED networking but with SEP active I'm seeing traffic from the VMs blocked, the only blocking events I can really see in the log at this time are

    22/11/2016 12:46:10    Blocked    10    Outgoing    ETHERNET [type=0x88CC]    0.0.0.0    01-80-C2-00-00-0E    0    0.0.0.0    6C-88-14-CC-57-A8    0    C:\WINDOWS\system32\drivers\mslldp.sys    jones    DESKTOP-2V27KS0    Default    1    22/11/2016 12:46:10    22/11/2016 12:46:10    Default rule    


    This looks like traffic from the Hyper-V virtual adapter outbound (I was doing an apt-get update; apt-get install in the guest)

    The "local MAC" is my host system's Hyper-V ethernet adapter - "Hyper-V Virtual Ethernet Adapter #2" - this is the one connected to my local network. I can't see what the other MAC is. I don't recognize it from "ipconfig /all" or "arp -a" on the host, nor "arp -a" in the guest.

    I am though unsure if this log entry is even relevant -- but apart from this I just see a couple of blocked ICMP packets from my router at the time of my guest networking request

    I should add that the guest also has a "host only" adapter to communicate to the host only, i.e. for ssh/admin, and this works fine.

    I'm unclear if I can define a suitable rule that doesn't compromise the integrity of the host whilst allowing traffic for the guest.

    Furthermore, I've also experimented with "Docker for Windows". This makes use of the new "NAT" support in Hyper-V, but this also had issues with SEP installed

    All seems to work fine with Windows firewall only.....

    I did previously have Windows containers installed too, but having read in the release notes there was some issue here too I removed that feature (I don't need it, unlike base Hyper-V)

    What a) works, b) doesn't work, c) is an unknown around Windows 10, Hyper-V?
    Does SEP 14 improve on this at all?
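
    An added example (not from the original post) for triaging SEP traffic-log lines like the one above. The column order is assumed from the single posted line (19 whitespace-separated fields) and should be checked against your own export; the second and third log lines are constructed samples. It uses three facts about the posted entry: 0x88CC is the IEEE EtherType for LLDP, 01-80-C2-00-00-0E is the LLDP nearest-bridge multicast address (a group address, so it never appears in "arp -a"), and mslldp.sys is Microsoft's LLDP driver, which is why that entry is classified as the host's own LLDP advertisement rather than guest traffic. The "non-host local MAC means a VM behind the virtual switch" rule is an assumption.

```python
"""Triage Symantec Endpoint Protection (SEP) firewall traffic-log lines.

Added example, not code from the original post. The column order below is assumed
from the single line posted in the thread; verify it against your own export.
"""
import re

# Assumed column order of a SEP 12.1 traffic-log export (inferred from the posted line).
COLUMNS = [
    "time", "action", "severity", "direction", "protocol",
    "remote_host", "remote_mac", "remote_port",
    "local_host", "local_mac", "local_port",
    "application", "user", "computer", "location", "occurrences",
    "begin", "end", "rule",
]

# IEEE-registered EtherTypes that SEP shows as "ETHERNET [type=0x....]".
ETHERTYPES = {
    0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6",
    0x8100: "802.1Q VLAN tag", 0x888E: "802.1X EAPOL", 0x88CC: "LLDP",
}

# Well-known group addresses; none of these is a host, so none will show up in arp -a.
KNOWN_GROUP_MACS = {
    "01-80-C2-00-00-0E": "LLDP nearest-bridge multicast",
    "01-80-C2-00-00-00": "STP bridge group address",
    "01-00-5E-00-00-01": "IPv4 all-hosts multicast",
    "FF-FF-FF-FF-FF-FF": "Ethernet broadcast",
}


def parse_line(line: str) -> dict:
    """Split one log line into a dict; accepts tabs or the 2+ space runs of a pasted line."""
    fields = re.split(r"\t|\s{2,}", line.strip())
    if len(fields) != len(COLUMNS):
        raise ValueError(f"expected {len(COLUMNS)} fields, got {len(fields)}")
    return dict(zip(COLUMNS, fields))


def ethertype_name(protocol: str) -> str:
    """Map 'ETHERNET [type=0x88CC]' to 'LLDP'; IP-level protocols (TCP, ICMP) pass through."""
    m = re.search(r"type=0x([0-9A-Fa-f]{4})", protocol)
    if not m:
        return protocol
    code = int(m.group(1), 16)
    return ETHERTYPES.get(code, f"EtherType 0x{code:04X}")


def is_group_address(mac: str) -> bool:
    """IEEE 802 I/G bit: lowest bit of the first octet set means multicast/broadcast."""
    return bool(int(mac.split("-")[0], 16) & 1)


def classify(entry: dict, host_macs: set) -> dict:
    """Decide whether a blocked frame came from the host itself or from behind the vSwitch."""
    proto = ethertype_name(entry["protocol"])
    remote_mac = entry["remote_mac"].upper()
    local_mac = entry["local_mac"].upper()
    app = entry["application"].lower()

    if remote_mac in KNOWN_GROUP_MACS:
        peer = KNOWN_GROUP_MACS[remote_mac]
    elif is_group_address(remote_mac):
        peer = "unregistered multicast/broadcast address"
    else:
        peer = "unicast peer"

    if proto == "LLDP" and app.endswith("mslldp.sys"):
        origin = "host: Windows LLDP driver advertising on the adapter"
    elif local_mac in host_macs:
        origin = "host: frame sourced by a host adapter"
    else:
        # Assumption: a local MAC that is not a host adapter was sourced behind the
        # virtual switch, i.e. by a VM (Hyper-V dynamic MACs start with 00-15-5D).
        origin = "guest: frame sourced by a non-host MAC behind the virtual switch"

    return {"time": entry["time"], "action": entry["action"], "direction": entry["direction"],
            "protocol": proto, "peer": peer, "origin": origin, "rule": entry["rule"]}


# The first line is the one posted in the thread; the other two are constructed samples.
HOST_MACS = {"6C-88-14-CC-57-A8"}   # the poster identified this as the host's Hyper-V adapter
SAMPLE_LOG = [
    "22/11/2016 12:46:10\tBlocked\t10\tOutgoing\tETHERNET [type=0x88CC]\t0.0.0.0\t01-80-C2-00-00-0E\t0\t0.0.0.0\t6C-88-14-CC-57-A8\t0\tC:\\WINDOWS\\system32\\drivers\\mslldp.sys\tjones\tDESKTOP-2V27KS0\tDefault\t1\t22/11/2016 12:46:10\t22/11/2016 12:46:10\tDefault rule",
    "22/11/2016 12:46:12\tBlocked\t10\tIncoming\tICMP\t192.168.0.1\tD4-6E-0E-01-02-03\t0\t192.168.0.20\t6C-88-14-CC-57-A8\t0\tSystem\tjones\tDESKTOP-2V27KS0\tDefault\t2\t22/11/2016 12:46:12\t22/11/2016 12:46:12\tBlock all other IP traffic and log",
    "22/11/2016 12:46:15\tBlocked\t10\tOutgoing\tTCP\t203.0.113.10\tD4-6E-0E-01-02-03\t80\t192.168.0.21\t00-15-5D-0A-0B-0C\t49321\tSystem\tjones\tDESKTOP-2V27KS0\tDefault\t1\t22/11/2016 12:46:15\t22/11/2016 12:46:15\tBlock all other IP traffic and log",
]


def triage(lines=SAMPLE_LOG, host_macs=HOST_MACS) -> list:
    """Parse and classify every line; raises on a line whose column count does not match."""
    return [classify(parse_line(line), host_macs) for line in lines]


if __name__ == "__main__":
    for r in triage():
        print(f"{r['time']} {r['action']:8} {r['direction']:9} {r['protocol']:6} -> {r['peer']}; {r['origin']}")
```

    Run it against a full traffic-log export by passing the file's lines to triage(); entries whose origin starts with "guest" are the ones a bridged-VM allow rule would need to cover, while host-side control traffic such as LLDP can usually stay blocked without affecting the guest.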



  • 2.  RE: SEP 12.1.6 MP6 & Windows 10 Hyper-V

    Posted Nov 22, 2016 08:57 AM

    Seems there is an issue that Symantec is investigating:

    http://www.symantec.com/docs/TECH228599

    ...not sure I can say the workaround is ideal though.

    I've not found anything in the 14 release notes to indicate this has been corrected.



  • 3.  RE: SEP 12.1.6 MP6 & Windows 10 Hyper-V

    Posted Nov 22, 2016 09:09 AM

    Ah, thanks for that link, I had toyed with doing as it described in fact - but it feels uncomfortable going from "default block" to "default allow" for network traffic - one is left wondering if using Windows firewall would be more secure...

    It would be good to get an update from Symantec.



  • 4.  RE: SEP 12.1.6 MP6 & Windows 10 Hyper-V

    Posted Nov 22, 2016 09:12 AM

    In the interim, it may be best to remove the SEP firewall only and use the remaining features to ensure protection. And enable the Windows firewall.

    You can subscribe to that KB article and will be notified via email when it is updated.



  • 5.  RE: SEP 12.1.6 MP6 & Windows 10 Hyper-V

    Posted Nov 23, 2016 10:25 AM

    I tried the suggestion given, however I'm still seeing an issue which may be the same, or could be different.

    Today I left the office. SEP was active, I was connected to a corporate network via ethernet and to the SEPM server.

    I came home, connected via ethernet. I believe (but can't be certain) that network connectivity worked briefly, then stopped. Pings, DNS resolution, TCP connections etc. all fail. The traffic log seems to indicate the outbound requests were Allowed (to DNS, and the final server), that nothing untoward was blocked, yet there's no connectivity.

    If I "disable SEP" from the system tray all connectivity immediately returns. I can then re-enable it and connectivity continues ok.....



  • 6.  RE: SEP 12.1.6 MP6 & Windows 10 Hyper-V

    Posted Nov 23, 2016 10:30 AM

    After disable/re-enable, whilst connectivity resumes, it lasts for perhaps 10 minutes then fails again.