Endpoint Protection

  • 1.  Unknown traffic

    Posted Aug 13, 2018 08:56 PM

    Hi

    I am having difficulties with a Java application in the browser. When I disable Symantec, the application works. I have disabled the intrusion protection for browsers and removed the final block-all rule. I seem to get the application to work with these two components disabled. I get quite a bit of blocked traffic from localhost 0.0.0.0 to remotehost 0.0.0.0 over port 0. I am not certain if this is simply broadcast traffic. Please see the example below; the Ethernet type is sometimes different. From the client, I also see some of the below associated with Cisco MAC addresses 01-00-0C-CC-CC-CC.

    Client Affected
    Computer Name    
    Current:    AirPro
    When event occurred:    AirPro
    IP Address    
    Current:    192.168.2.41
    When event occurred:    0.0.0.0
    User Name:    adear
    Location Name:    Default
    Domain Name:    Republic
    Group Name:    My Company\Airpo
    Server Name:    RB-SEPM
    Site Name:    Site RB-SEPM


    Risk Detected
    Event Time:    08/13/2018 16:18:08
    Begin Time:    08/13/2018 16:17:54
    End Time:    08/13/2018 16:17:54
    Number:    1
    Event Type:    Ethernet packet
    Severity:    Info and above
    Action:    Blocked
    Application Name:    
    Network Protocol:    ETHERNET [type=267]
    Traffic Direction:    Inbound
    Remote IP:    0.0.0.0
    Remote Host Name:    
    Alert:    0
    Local Port:    0
    Remote Port:    0
    Rule Name:    Block all other traffic and don't log

    Any insight is greatly appreciated.

    Thanks.

    corey 
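A way to separate the 0.0.0.0 / port 0 "Ethernet packet" entries from genuine IP-level blocks when triaging an SEPM export like the one above, as an added example that is not part of the original thread or of Symantec's tooling. The field names follow the export pasted above; the sample entries and the `parse_export`, `classify` and `triage` helpers are constructed for this example.

```python
import re
# Constructed sample in the layout of the SEPM "Risk Detected" export quoted
# above; the second entry is made up to show what a genuine IP-level block looks like.
SAMPLE_EXPORT = """\
Event Type:    Ethernet packet
Network Protocol:    ETHERNET [type=267]
Traffic Direction:    Inbound
Remote IP:    0.0.0.0
Local Port:    0
Remote Port:    0
Rule Name:    Block all other traffic and don't log

Event Type:    TCP packet
Network Protocol:    TCP
Traffic Direction:    Outbound
Remote IP:    203.0.113.10
Local Port:    51234
Remote Port:    443
Rule Name:    Block all other traffic and don't log
"""

def parse_export(text):
    events = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in chunk.splitlines():
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        events.append(fields)
    return events

def classify(ev):
    """Return ('L2', why) for a non-IP frame or ('L3', why) for IP traffic."""
    non_ip = (ev.get("Event Type") == "Ethernet packet" and ev.get("Remote IP") == "0.0.0.0"
              and ev.get("Local Port") == "0" and ev.get("Remote Port") == "0")
    if not non_ip:
        return ("L3", f"{ev.get('Network Protocol')} {ev.get('Traffic Direction', '').lower()} "
                      f"to {ev.get('Remote IP')}:{ev.get('Remote Port')}")
    m = re.search(r"type=(\d+)", ev.get("Network Protocol", ""))
    if not m:
        return ("L2", "non-IP frame, type field missing")
    val = int(m.group(1))
    # IEEE 802.3: a type/length value below 1536 (0x0600) is a payload length (an
    # 802.3/LLC frame such as switch control traffic), not an EtherType.
    if val < 1536:
        return ("L2", f"802.3 frame, length field {val}")
    return ("L2", f"EtherType 0x{val:04x}")

def triage(text):
    return [classify(ev) for ev in parse_export(text)]
```

Entries that come back as "L2" are non-IP frames the SEP firewall's catch-all rule drops; they carry no application, host or port, which is why they cannot explain a blocked browser application on their own.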




  • 2.  RE: Unknown traffic

    Posted Aug 13, 2018 08:59 PM

    Are you sure this is the correct log entry? Normally, it would show the application name and port/protocol that is blocked.



  • 3.  RE: Unknown traffic

    Posted Sep 01, 2018 02:42 PM

    Hi Brian,

    This was taken directly from SEPM. The log in the SEP client looks similar, with the 0.0.0.0 entries. The only thing I could do was allow traffic based on Ethernet type via particular MAC addresses from hosts. I do not like this option as I believe it opens the system more. But I am really not certain what could be causing the application not to work, as I don't seem to have supporting logs to determine what is being blocked. Further, the intrusion protection block for browsers has a "log detections but do not block" option which does not seem to work. I don't see anything being blocked, but the application works when I disable the option altogether.

    Corey.



  • 4.  RE: Unknown traffic
    Best Answer

    Posted Sep 01, 2018 02:46 PM

    Hi All,

    It turned out that there is also an intrusion protection feature via Application Hardening. I removed the Application Hardening feature and was able to use the Java application.


    Corey.