Endpoint Protection

  • 1.  SMC and SNAC firewall rules

    Posted Dec 08, 2016 12:13 PM

    We recently read an article about ransomware, and one of the recommendations was to make sure you take good quality backups but also secure the backup server in a way that nothing can communicate to the machine outside of specific firewall rules.  We have turned off all the firewall rules with the exception of a few: the backup software for one, but the Symantec firewall rules as well.

    My question is, can any of these 4 rules be disabled? If not, can someone explain or link me to an explanation of their purpose?

    While we have no issue with them being enabled, we just want to get an idea of why. (We just like to know the nitty gritty of things.  We are weird like that.)

    The firewall rules are as follows:

    SMC Service - Private - allow for all TCP - Program - ccSvcHst.exe

    --the second rule is similar, but allow for all UDP

    SNAC Service - Private - allow for all TCP - Program - snac64.exe

    --the second rule is similar, but allow for all UDP

    Thank you for any responses.

     

    Ian



  • 2.  RE: SMC and SNAC firewall rules

    Posted Dec 08, 2016 12:33 PM

    These are not default rules, were they created specifically for these two processes? Allowing these processes is recommended.



  • 3.  RE: SMC and SNAC firewall rules

    Posted Dec 08, 2016 02:48 PM

     

    They seem to be on all the servers I sampled. I did not look at all of the servers as I have a large amount.  I cannot recall why we would have made any specific firewall rules based on these two .exes and for the TCP and UDP ports.

     

    It seems to also be on the desktops, so I feel like these have to be added in some way, shape or form.  We do have custom policies for desktops and servers (custom meaning not just different settings per the desktop or server policies, but also meaning we did not use the default policy created after installing SEPM, but a new policy).

     



  • 4.  RE: SMC and SNAC firewall rules

    Posted Dec 08, 2016 02:54 PM

    Do you have a screenshot for clarification?



  • 5.  RE: SMC and SNAC firewall rules

    Posted Dec 08, 2016 03:13 PM

    here are the images and descriptions

     

    av policy - the custom policies we have created

    fw deploy - the firewall rule on our 2012 r2 desktop imaging server

    fw mgmt - the firewall rule on our 2012r2 management server

    (I didn't screenshot 2008r2, but it has the same two rules)

    fw win7 - the firewall rules on a windows 7 ent x64 machine

    fw win19 - the firewall rules on a windows 10 ent x64 machine



  • 6.  RE: SMC and SNAC firewall rules

    Posted Dec 08, 2016 03:25 PM

    I thought these were in the SEP firewall, this is the Windows firewall.

    Either way, these services will need to be allowed to talk to the SEPM (especially SMC for communication and lookups). It may have been that the Windows firewall automatically added these on install.



  • 7.  RE: SMC and SNAC firewall rules

    Posted Dec 08, 2016 03:28 PM

    Sorry, the thumbnails did not come out as I would have expected.

    The order in which I gave the description is the order of the images.  You need to click on them to show the image in full screen.



  • 8.  RE: SMC and SNAC firewall rules

    Posted Dec 09, 2016 08:59 AM

    I agree that the Windows firewall added them, and I would say that they were added because of the AV client install.  Either way, thank you for the response, and I will leave them enabled as is.

    One more question to take this further: is there a way to limit them to specific port numbers?  In their current form, they are set to any.



  • 9.  RE: SMC and SNAC firewall rules

    Posted Dec 09, 2016 09:04 AM

    The Windows firewall allows process and port specific traffic. I don't mess with it much though so you'll probably have to play around with the rule.
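
One way to check and narrow the rules discussed in this thread, as an added example that is not part of the original posts or Symantec's own tooling: it lists every Windows Firewall rule bound to `ccSvcHst.exe` or `snac64.exe`, flags those open on any port, and only with `-Apply` restricts the inbound TCP/UDP ones. The `-LocalPort` value is an assumption you must supply from your own SEPM communication settings; the thread does not state which ports the client needs.

```powershell
# Added example. Needs the NetSecurity module (Windows 8 / Server 2012 or later)
# and an elevated prompt. Program names are the two named in the thread.
param(
    [string[]]$ProgramNames = @('ccSvcHst.exe', 'snac64.exe'),
    [string[]]$LocalPort,   # assumption: ports you have confirmed for your environment
    [switch]$Apply          # without -Apply the script only reports
)

# Find application filters whose program path ends in one of the executables.
$filters = Get-NetFirewallApplicationFilter |
    Where-Object { $_.Program -and ($ProgramNames -contains (Split-Path -Path $_.Program -Leaf)) }

$report = foreach ($f in $filters) {
    $rule = $f | Get-NetFirewallRule
    $port = $rule | Get-NetFirewallPortFilter
    $addr = $rule | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Name          = $rule.Name
        DisplayName   = $rule.DisplayName
        Enabled       = $rule.Enabled
        Direction     = $rule.Direction
        Action        = $rule.Action
        Profile       = $rule.Profile
        Program       = $f.Program
        Protocol      = $port.Protocol
        LocalPort     = @($port.LocalPort) -join ','
        RemotePort    = @($port.RemotePort) -join ','
        RemoteAddress = @($addr.RemoteAddress) -join ','
        # True when the rule places no port restriction at all.
        AnyPort       = (@($port.LocalPort) -contains 'Any') -and (@($port.RemotePort) -contains 'Any')
    }
}
$report | Sort-Object Program, Protocol |
    Format-Table DisplayName, Direction, Profile, Protocol, LocalPort, RemoteAddress, AnyPort -AutoSize

if ($Apply) {
    if (-not $LocalPort) { throw 'Pass -LocalPort with the port(s) to allow before using -Apply.' }
    # Narrow only inbound allow rules for TCP/UDP that are still open on every port.
    $report | Where-Object { $_.AnyPort -and $_.Direction -eq 'Inbound' -and
                             $_.Action -eq 'Allow' -and $_.Protocol -in 'TCP', 'UDP' } |
        ForEach-Object {
            Set-NetFirewallRule -Name $_.Name -LocalPort $LocalPort
            Write-Output "Restricted '$($_.DisplayName)' ($($_.Protocol)) to local port(s) $($LocalPort -join ',')"
        }
}
```

On the Windows 7 and Server 2008 R2 machines mentioned in the thread these cmdlets are not available; `netsh advfirewall firewall show rule name=all verbose` gives the same information there. Run the report first and apply the change on a single test machine, confirming the client still checks in to the SEPM before rolling it out.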