Endpoint Protection Small Business Edition


SEPM policy seems having no effect


  • 1.  SEPM policy seems having no effect

    Posted May 22, 2015 10:58 AM

    Hi everyone!

    I'm currently evaluating the trialware version of Endpoint Protection Manager (SEPM) with a managed client (SEP).

    I have encountered a problem: client policy updates take no effect. I tried blocking Notepad.exe in an Application and Device Control (ADC) policy, and blocking a website by domain name in a Firewall policy; neither takes effect. I can still launch Notepad.exe and visit the blocked website.

    My test environment:
    1. Windows XP Professional 32-bit with the latest service pack and updates. Both SEPM and SEP are installed on the very same VirtualBox machine.

    The VM host runs on Windows 7 64-bit.


    I have tried:
    1. https://support.symantec.com/en_US/article.TECH105907.html

      a. I believe SEP is connected to SEPM, because the SEP icon shows a green dot, Troubleshooting shows "connected", and the server name is correct.

      b. My SEPM contains only default group. SEP client resides in "My company\Default group" as expected.

      c. SEPM and SEP show the same policy number. In SEPM I checked Clients --> Default group --> policy serial number. In SEP I checked the Troubleshooting dialog; both show the same policy serial number.

      d. %temp%\scm-ui.log and .err: I can't find an obvious error that I can identify with my limited level of knowledge.

      e. C:\Program Files\Symantec\Symantec Endpoint Protection Manager\data\outbox\agent\<very long serial> : "Date modified" changed after policy editing as expected.

      f. Editing index2.xml in the aforementioned directory shows the correct policy number; profile.xml contains the expected string I entered as the policy name (such as "No notepad").

      g. secars test passed. localhost:8014/secars/secars.dll?hello,secar shows "OK".

      h. I've tried regsvr32 msxml3.dll, which reported success.

    Additionally, I also tried:

    2. Confirmed the ADC and NTP modules are activated in Add/Remove Programs on my SEP client.
    3. SEPM and SEP are updated. SEPM was updated immediately during installation.
    4. Restarted smc and the SEPM service, and rebooted the computer, several times each.
    5. Reinstalled the whole virtual machine.
    6. Duplicated a VM and installed only the managed SEP client.
    7. Used the Symantec help tool.

    Am I missing something? Thanks in advance, and sorry for my poor English.



  • 2.  RE: SEPM policy seems having no effect

    Posted May 22, 2015 11:03 AM

    Have you assigned the SEPM firewall and ADC policies to the default group?

    Please verify policy again

    https://www-secure.symantec.com/connect/videos/allow-and-block-websites-using-symantec-endpoint-protection-firewall

    How to Restrict Users to Specific Web Sites by Creating Firewall Rules for Managed Clients

    https://support.symantec.com/en_US/article.TECH95248.html



  • 3.  RE: SEPM policy seems having no effect

    Posted May 22, 2015 11:05 AM

    For both policies, I right-clicked --> Assign and checked every group. A few minutes later I confirmed SEPM and SEP show the same policy serial number. However, the policy still did not take the expected effect.



  • 4.  RE: SEPM policy seems having no effect

    Posted May 22, 2015 11:11 AM

    Did you set the rule to Production?



  • 5.  RE: SEPM policy seems having no effect

    Posted May 22, 2015 11:31 AM

    Yes I did



  • 6.  RE: SEPM policy seems having no effect

    Posted May 22, 2015 11:35 AM

    A short video for demonstration of problem:


    youtu  DOT  be   SLASH   PLxBWWmXf78

    please replace dot --> .

    slash --> /

    and erase all white spaces


    Thanks for kind attention!



  • 7.  RE: SEPM policy seems having no effect

    Posted May 22, 2015 11:35 AM

    How are you blocking that web site...should be *.example.com



  • 8.  RE: SEPM policy seems having no effect

    Posted May 22, 2015 11:36 AM

    As your communication seems to be fine, perhaps it's just a glitch in the ADC policy. Check the following:

    • The ruleset forbidding notepad is enabled and set to Production
    • On rule level, there is an asterisk ("*" without quotation marks) in the process list
    • Condition is "Launch process Attempts"
    • In the process list of the condition notepad.exe is inserted
    • Under actions, "Block access" and "Enable Logging" are enabled; "Notify user" should be enabled as well in your testing environment.

    BTW, in the ADC policy is a template ruleset (AC-1) for blocking applications.

    Because of redirections, blocking websites by domain name may be a cumbersome business, see this thread:

    https://www-secure.symantec.com/connect/forums/allow-or-block-firewall-rule-not-working

    HTH!



  • 9.  RE: SEPM policy seems having no effect

    Posted May 22, 2015 11:50 AM

    Just saw your video ... There is more than one notepad.exe on your box, so insert just notepad.exe (that's covering all of them).

    In the firewall rule the logging (traffic log) should be enabled.



  • 10.  RE: SEPM policy seems having no effect

    Posted May 22, 2015 12:17 PM

    Another video update, after applying the comments from you and Brian's kind help:

    youtu DOT be SLASH KKpda9bxBVM

    (replace DOT --> .  SLASH --> / and erase whitespaces)

    still not working. Completely confused.



  • 11.  RE: SEPM policy seems having no effect

    Posted May 22, 2015 01:02 PM

    In the firewall rule, use DNS domain instead of DNS host.

    ADC Policy looks fine ... Try to get an MD5 hash from notepad.exe (use the freeware tool hashcalc.exe or the CLI tool checksum.exe on the SEP client) and paste it as fingerprint in the condition (you have to press Add ... > Options) in addition to "notepad.exe".

    #Edit

    I would try the ADC policy with another program which is not part of Windows.

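    A helper for the fingerprint step discussed in posts 9 and 11, added here as an example and not code from this thread or from Symantec: it walks a directory tree for every copy of an executable name (Windows keeps several copies of notepad.exe) and computes the MD5 of each, and it models, as a simplified assumption rather than SEP's real matcher, an ADC condition keyed on a bare process name plus an optional fingerprint set. The sample file tree it builds is constructed for the demo.

```python
import hashlib
import os
import tempfile


def md5_of_file(path):
    """Return the lowercase hex MD5 of a file, read in chunks."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_copies(root, exe_name):
    """Map every file named exe_name (case-insensitive) under root to its MD5.

    A rule keyed on one full path misses the other copies of the binary;
    a bare file name covers all of them, and a fingerprint pins each copy.
    """
    wanted = exe_name.lower()
    copies = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() == wanted:
                full = os.path.join(dirpath, name)
                copies[full] = md5_of_file(full)
    return copies


def condition_matches(condition, exe_path):
    """Simplified model (an assumption, not SEP's actual logic) of a
    'Launch Process Attempts' condition: the process-list entry is compared
    with the file name only, and if a fingerprint set is given the file's
    MD5 must be in it."""
    if os.path.basename(exe_path).lower() != condition["name"].lower():
        return False
    fingerprints = condition.get("fingerprints")
    if fingerprints and md5_of_file(exe_path) not in fingerprints:
        return False
    return True


def build_demo_tree():
    """Constructed sample: a temp tree with two notepad.exe copies of differing content."""
    root = tempfile.mkdtemp()
    for sub, payload in (("Windows", b"notepad-a"),
                         (os.path.join("Windows", "system32"), b"notepad-b")):
        d = os.path.join(root, sub)
        os.makedirs(d, exist_ok=True)
        with open(os.path.join(d, "notepad.exe"), "wb") as f:
            f.write(payload)
    return root


if __name__ == "__main__":
    demo = build_demo_tree()
    for path, digest in sorted(find_copies(demo, "notepad.exe").items()):
        print(digest, path)  # one fingerprint per copy to paste into the condition
```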


  • 12.  RE: SEPM policy seems having no effect

    Posted May 22, 2015 02:08 PM

    The firewall rule worked as expected after using DNS domain instead of DNS host.

    For ADC, I tried another non-Windows-built-in application (Picophone) with a hash generated by CheckSum.exe from SEP; still not working.

    Another thing I tried was making a clean Windows 7 VM with just service packs and updates and installing the managed client; it still has the same problem.

    Thanks.



  • 13.  RE: SEPM policy seems having no effect

    Posted May 22, 2015 11:17 PM

    The firewall rule now works after changing DNS host to DNS domain.

    For ADC, I tried blocking a non-Windows-built-in application (PicoPhone) using a hash generated by CheckSum.exe from SEP. Still does not work.

    -- EDIT --

    1. I also installed a clean Windows 7 32-bit VM with only service packs and updates. Installed managed clients; still has the same issues.

    2. Tried using some default rules, such as "block access to scripts". These policies also take no effect.

    3. I have confirmed that ADC is installed in the SEP client in Add/Remove Programs. In the SEP client, Change settings --> Client management --> Configure settings --> Enable application and device control is also checked. View log --> Client management --> Control log also shows the "Application and Device control is ready" message.

    Thanks!



  • 14.  RE: SEPM policy seems having no effect

    Posted May 23, 2015 12:47 AM

    Please use the article below:

    How to use Symantec Endpoint Protection to block or log legitimate but unauthorized software usage

    https://support.symantec.com/en_US/article.TECH97618.html



  • 15.  RE: SEPM policy seems having no effect

    Posted May 23, 2015 03:10 AM

    Already did as the post said. However, not only do the custom rules, as shown in the videos posted in the above comments, not work; the built-in rules, such as "block access to scripts", have no effect either.



  • 16.  RE: SEPM policy seems having no effect

    Posted May 25, 2015 07:10 AM

    The issue is solved by checking "Only match process running from the following drive types" (and every sub-item) for both rules and conditions. lol

    Thanks James007, Brian and greg12 for helping!