Good morning, I have a question that has been eating at me for a while now. In our environment we have the ENS Firewall running. Within the Firewall we have two rules: one rule that blocks and logs any events, and another rule that just blocks. The blocking rule does not have Logging enabled, and under it we have a list of applications and executables that we do not want logged.
What I am seeing is that when I add a new executable to the application and then push it out to the target systems, I still see the executables listed in the top threats in the last 48 hours. This is after waiting an hour or more for the additional items to permeate through the environment. If I review a specific system, I again see the executable listed in the Threat Events tab as a recent detection.
I have tried moving the executable to a new Application inside the ##ENS_Firewall Rule, and copying the rule and making a small modification in our test environment to make sure it was not corrupted, and the same thing happens. Am I missing something? I do not have full visibility on the managed systems to make sure that the ENS Firewall log is not logging these events.
I hope I have given enough information; if not, please let me know.
By default there is a Block all rule which is embedded into the product. It is not advisable that you have such a rule in place, especially with logging enabled, as the product is not designed to be used as a monitoring tool; furthermore, this could cause performance issues on the clients.
If you want to monitor the Firewall installation to tune the settings, a better option would be to use adaptive mode. This mode allows all traffic whilst reporting any blocks it would perform if the product was enabled. For more info see: https://docs.mcafee.com/bundle/endpoint-security-10.5.0-firewall-product-guide-epolicy-orchestrator-...
If you are trying to allow a specific application to run, you have two options. You can add the executable as a trusted executable. This is an executable you consider to be safe, and all traffic using it will be allowed. If you want to be more restrictive, you can add the process of the executable into a firewall rule, which then specifies things like port, IP, etc.
Or going back to adaptive mode - rules created with adaptive mode appear within your ePO so you can easily add them via the actions tab to a policy.
Hope this helps!
Within the Firewall we have two rules, 1 rule that blocks and logs any events
Please make sure you're aware of this issue with having generic Firewall rules with logging enabled (e.g., custom "block all" rules):
KB90177 - Enabling Endpoint Security Firewall 'Treat match as intrusion', or 'Log matching traffic' logging options, might cause high CPU usage
I have added one of the software .exe's to the Trusted executables and I still see it listed in the top threats in the last 48 hours. This was two days ago.
I checked that I had both the Hash as well as the full path of the file. It still is displayed.
Does this mean it is just showing up as a threat and NOT being logged?
On one of your ENS Firewall clients, check the %ProgramData%\McAfee\Endpoint Security\Logs\FirewallEventMonitor.log file and verify whether the application is being allowed via the ePOTrustedExecs rule. This is the rule that allows executable traffic that is set as a "Trusted Executable" in the Firewall Options policy. If it's still being blocked, then your Trusted Executable rule may not be configured properly (e.g., if you've configured a File Description in the executable details, you may have used the wrong value; ref https://kc.mcafee.com/corporate/index?page=content&id=KB71735; but certainly verify all the other executable details too). If you're using the Filename and Hash only, then the Hash may be different on other systems, which is why it may still be blocked. Verify the executable hash on the systems still reporting the blocked events.
Time: 06/06/2019 10:48:10 AM
IP Address: x.x.x.x
Description: SSH, TELNET AND RLOGIN CLIENT
Message: Allowed Outgoing TCP - Source x.x.x.x : (58585) Destination x.x.x.x : ssh (22)
Matched Rule: ePOTrustedExecs
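The log check described in the reply above, as an added example that is not McAfee's or the forum's own code: it parses FirewallEventMonitor.log records in the layout quoted above, counts how often the application was allowed by ePOTrustedExecs, and lists the hosts where it was still blocked (the systems whose executable hash or path details need re-checking). The record layout and the sample records are assumptions constructed from the quoted entry; a real client log may differ.

```python
# Added example (not McAfee code): summarise FirewallEventMonitor.log records for
# one application. Assumes each record is a block of 'Key: Value' lines laid out
# as quoted above (Time, IP Address, Description, Message, Matched Rule) and
# separated by a blank line; a real client log may differ. Samples are constructed.
TRUSTED_RULE = "ePOTrustedExecs"  # rule name quoted in the post

# Constructed sample: one host allowed by the trusted-exec rule, one still blocked.
SAMPLE_LOG = """\
Time: 06/06/2019 10:48:10 AM
IP Address: 10.0.0.5
Description: SSH, TELNET AND RLOGIN CLIENT
Message: Allowed Outgoing TCP - Source 10.0.0.5 : (58585) Destination 10.0.0.9 : ssh (22)
Matched Rule: ePOTrustedExecs

Time: 06/06/2019 10:49:02 AM
IP Address: 10.0.0.6
Description: SSH, TELNET AND RLOGIN CLIENT
Message: Blocked Outgoing TCP - Source 10.0.0.6 : (58590) Destination 10.0.0.9 : ssh (22)
Matched Rule: Custom Block All
"""

def parse_records(text):
    """Split the log on blank lines; each record becomes a dict of its fields."""
    records = []
    for block in text.strip().split("\n\n"):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(": ")  # split on the first "Key: "
            if sep:
                fields[key.strip()] = value.strip()
        if fields:
            records.append(fields)
    return records

def summarize(records, description):
    """Count how the named application was handled; list (host, rule) still blocked."""
    trusted = other_allowed = 0
    blocked = []  # systems whose executable hash/path details need checking
    for rec in records:
        if rec.get("Description") != description:
            continue
        action = rec.get("Message", "").split(" ", 1)[0]  # "Allowed" or "Blocked"
        rule = rec.get("Matched Rule", "")
        if action == "Allowed" and rule == TRUSTED_RULE:
            trusted += 1
        elif action == "Allowed":
            other_allowed += 1
        elif action == "Blocked":
            blocked.append((rec.get("IP Address", "?"), rule))
    return {"trusted_allowed": trusted, "other_allowed": other_allowed, "blocked": blocked}
```

Run it against a copied log with `summarize(parse_records(open(path).read()), "<Description>")`; any entries in `blocked` mean the trusted-executable match is not taking effect on that host.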