Endpoint Protection


Windows update and SEP firewall

  • 1.  Windows update and SEP firewall

    Posted Mar 15, 2013 02:27 PM

    Windows Update is being blocked in our test group for our new firewall policies. I have created a host group, placed the various MS domains for updates in that, and made sure to allow all applications to those sites. (I did also include an Akamai domain that I see them using.)

    Any ideas? I still see svchost.exe being blocked when I try and run MS update on the host.

    Anyone else have any luck with this?




  • 2.  RE: Windows update and SEP firewall

    Posted Mar 15, 2013 02:31 PM

    MS has a bunch of domains, so it is possible you're missing one and the connection attempt is being blocked. What port is it going out over? You can open port 80 and 443.



  • 3.  RE: Windows update and SEP firewall

    Posted Mar 15, 2013 02:35 PM

    It does. I noticed on their site the list that they have for updates. I set a wildcard for them, as in *.microsoft.com, *.microsoftupdate.com, etc. Could that be the issue? Should I put in the domains explicitly?

    I would prefer not to open svchost.exe wide open to ports 80 and 443, as malware can hijack that service quite easily. I would rather whitelist the locations that it can go to.



  • 4.  RE: Windows update and SEP firewall

    Posted Mar 15, 2013 02:39 PM

    If you don't want to open port 80/443 for all traffic, then add the domains like you mentioned above.



  • 5.  RE: Windows update and SEP firewall

    Posted Mar 15, 2013 02:42 PM

    Open the SEPM firewall policy.

    Under Protection and Stealth, if you have "Enable OS fingerprint masquerading" checked, please uncheck that.




  • 6.  RE: Windows update and SEP firewall

    Trusted Advisor
    Posted Mar 15, 2013 02:46 PM

    Hello,

    It would be helpful to know what version of SEP you're using, what's installed (SEPM? SEP client?), but more importantly, what the exact error is that you are seeing.

    Check these Threads:

    https://www-secure.symantec.com/connect/forums/sep-blocking-windows-update

    https://www-secure.symantec.com/connect/forums/cwindowssystem32svchostexe

    Secondly, check these Articles:

    Error: "Security Risk Found! Hosts File Change in File: c:\windows\system32\svchost.exe by: SONAR scan"

    http://www.symantec.com/docs/TECH164391

    Symantec Endpoint Protection 12.1: Blocked System Change Events produce unexpected messages

    http://www.symantec.com/docs/TECH161646

    Creating a DNS or Host File Change Exception in Symantec Endpoint Protection Manager 12.1 RU1 MP1 and above.

    https://www-secure.symantec.com/connect/articles/creating-dns-or-host-file-change-exception-symantec-endpoint-protection-manager-121-ru1-mp1

    Hope that helps!!



  • 7.  RE: Windows update and SEP firewall

    Posted Mar 15, 2013 03:09 PM

    We do not have OS masquerading enabled.

    It is client 12.1.x.

    I can see that it is blocking svchost.exe in the traffic logs. It only shows the IP address being blocked and not the domain. For others, I see the domain and the IP being blocked.



  • 8.  RE: Windows update and SEP firewall

    Posted Mar 15, 2013 03:15 PM

    Windows Update uses svchost.exe for updating.

    I would suggest putting in the domain names if you know them. Otherwise, you open port 80/443, but it sounds like you don't want that, nor would I suggest allowing traffic from svchost.exe, as malware likes to use this name quite a bit. You can, however, specify by file fingerprint in the SEPM, but I'm not sure how fine-grained you want to be.



  • 9.  RE: Windows update and SEP firewall

    Posted Mar 15, 2013 03:39 PM

    Got it!

    Thank you everyone for your help.

    There is a more comprehensive list of the domains here: http://forums.isaserver.org/m_2002033740/mpage_1/key_/tm.htm#2002033740

    Funny thing is, I have wildcards set up for a lot of things like *.microsoft.com, but until I added in the subdomains like *.download.microsoft.com it was not working.



  • 10.  RE: Windows update and SEP firewall

    Posted Mar 15, 2013 03:48 PM

    So here is a more comprehensive list of domains needed.

    http://forums.isaserver.org/m_2002033740/mpage_1/key_/tm.htm#2002033740

    Funny thing is that I had *.microsoft.com, etc. and it did not work. As soon as I added *.update.microsoft.com and the other subdomains like that it started working.
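The outcome in the last two posts (`*.microsoft.com` did not cover hosts that needed `*.download.microsoft.com` or `*.update.microsoft.com`) is what you would see if the firewall's `*` matches a single DNS label rather than any number of labels. The script below is an added example, not code from the thread or from Symantec, and it makes no claim about how SEP actually evaluates patterns: it simply runs a list of hostnames through both interpretations so you can see which hosts a wildcard host group leaves uncovered, and derives the extra `*.<parent>` entries that would close the gaps. The hostnames and the pattern list are constructed sample input, not taken from the poster's configuration.

```python
import fnmatch
import re

# Constructed sample input: hostnames of the kind seen during an update
# session, and the wildcard host-group entries an admin might have started with.
SAMPLE_HOSTS = [
    "update.microsoft.com",
    "download.microsoft.com",
    "www.download.windowsupdate.com",
    "v4.windowsupdate.microsoft.com",
    "download.windowsupdate.com",
    "a123.dscg.akamaiedge.net",
]

WILDCARDS = ["*.microsoft.com", "*.windowsupdate.com", "*.akamaiedge.net"]


def matches_single_label(pattern: str, host: str) -> bool:
    """'*' stands for exactly one DNS label (assumed semantics, consistent with
    the thread's outcome; not a documented SEP rule)."""
    regex = re.escape(pattern.lower()).replace(r"\*", r"[^.]+")
    return re.fullmatch(regex, host.lower()) is not None


def matches_any_depth(pattern: str, host: str) -> bool:
    """'*' stands for any number of labels (what the poster expected)."""
    return fnmatch.fnmatchcase(host.lower(), pattern.lower())


def uncovered_hosts(patterns, hosts, matcher):
    """Hosts that no pattern in the host group matches under `matcher`."""
    return [h for h in hosts if not any(matcher(p, h) for p in patterns)]


def patterns_to_add(patterns, hosts):
    """For each host still uncovered under single-label matching, the
    '*.<parent domain>' entry that would cover it, deduplicated and sorted."""
    needed = set()
    for host in uncovered_hosts(patterns, hosts, matches_single_label):
        labels = host.lower().split(".")
        needed.add("*." + ".".join(labels[1:]))
    return sorted(needed)


if __name__ == "__main__":
    print("uncovered if '*' matches any depth :",
          uncovered_hosts(WILDCARDS, SAMPLE_HOSTS, matches_any_depth))
    print("uncovered if '*' matches one label :",
          uncovered_hosts(WILDCARDS, SAMPLE_HOSTS, matches_single_label))
    print("entries to add for one-label match :",
          patterns_to_add(WILDCARDS, SAMPLE_HOSTS))
```

Feed `SAMPLE_HOSTS` from the hostnames your proxy or DNS logs show for the update session (the SEP traffic log only records the IP for the svchost.exe blocks, as post 7 notes, so resolve or proxy-log them first), and the third line of output is the list of explicit subdomain entries to add to the host group. Adding those entries is still narrower than opening svchost.exe to 80/443 outright, which is the point the thread converges on.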