cazulp
Level 7

Application rules have default of 'Match by Fingerprint'

We created our Firewall rules at the Client (without ePO) then installed the ePO Agent and imported the rules into ePO Console. I have since noticed that rules created manually and those 'Dynamically created via learn mode' have a default of 'Match by Fingerprint'. All appeared to be fine until last Tuesday's MS Patches. Suddenly all kinds of application rules were being blocked. I got around this by changing to 'Match by Path' and inserting the full path. This is a lot of work to have to go through every time a fingerprint changes on an exe. What have other people done to overcome this issue?

0 Kudos
2 Replies
McAfee Employee

Re: Application rules have default of 'Match by Fingerprint'

Firewall rules that are built locally on clients (either manually, via Learn mode, or via Adaptive mode) automatically obtain and use the MD5 hash of applications.  When you import these rules into your firewall policy, you need to make a decision whether this rule will retain the MD5 hash or remove it.  This applies to other application information as well, like the full path name of the application.

If you decide to keep the MD5 hash of an application, the rule will only work for that specific build of the application.  If you have other application versions, with the same filename, in your environment, you would need to add more firewall rules for the same application and change the MD5 hash.

If you decide NOT to keep the MD5 hash of an application, the rule will work for any application with the same path or name.

If you decide to keep the full path of the application (e.g., "C:\Program Files\Internet Explorer\Iexplore.exe"), the firewall rule will only work for the application in that specific path.  Or you can decide to not use the path and only use the application name, which would match the application by filename only (e.g., "Iexplore.exe").

It's all about how you decide to build your firewall rules by applying specific or non-specific information.  The more specific information you put in the firewall rule, the more firewall rules you will need for other versions/path names of that application, and vice-versa.

Typos corrected on 10/18/10 2:17:07 PM CDT

Message was edited by: Kary Tankink on 10/18/10 2:19:39 PM CDT
0 Kudos
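
The matching trade-off described in the reply above, as an added example that is not part of the thread and not McAfee's code: a simplified model in which every criterion a rule retains must match, plus an audit that lists rules a patch has broken. The `AppRule` record, the function names and the sample byte strings are assumptions constructed for illustration.

```python
import hashlib
import ntpath
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class AppRule:
    # Hypothetical rule record; a criterion left as None was not retained.
    label: str
    md5: Optional[str] = None       # fingerprint of one specific build
    path: Optional[str] = None      # full path to the executable
    filename: Optional[str] = None  # bare executable name

def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def matches(rule: AppRule, exe_path: str, exe_bytes: bytes, check_md5: bool = True) -> bool:
    """Every criterion the rule retains must match; absent criteria act as wildcards."""
    if check_md5 and rule.md5 is not None and rule.md5 != md5_hex(exe_bytes):
        return False
    if rule.path is not None and rule.path.lower() != exe_path.lower():
        return False
    if rule.filename is not None and rule.filename.lower() != ntpath.basename(exe_path).lower():
        return False
    return True

def stale_fingerprint_rules(rules, inventory):
    """Rules whose path/name still finds a file on disk but whose MD5 matches none of them."""
    stale = []
    for rule in rules:
        if rule.md5 is None or (rule.path is None and rule.filename is None):
            continue
        located = [(p, b) for p, b in inventory.items() if matches(rule, p, b, check_md5=False)]
        if located and not any(matches(rule, p, b) for p, b in located):
            stale.append(rule.label)
    return stale

# Constructed sample data: byte strings stand in for executable contents.
IE_PATH = r"C:\Program Files\Internet Explorer\Iexplore.exe"
OLD_BUILD, PATCHED_BUILD = b"iexplore build A", b"iexplore build B"
RULES = [
    AppRule("ie-fingerprint", md5=md5_hex(OLD_BUILD), path=IE_PATH),
    AppRule("ie-path", path=IE_PATH),
    AppRule("ie-name", filename="Iexplore.exe"),
]
AFTER_PATCH = {IE_PATH: PATCHED_BUILD}

if __name__ == "__main__":
    for rule in RULES:
        print(rule.label, matches(rule, IE_PATH, PATCHED_BUILD))
    print("stale:", stale_fingerprint_rules(RULES, AFTER_PATCH))
```

In this model the filename-only rule also matches a same-named file in any other directory, which is the loss of specificity the reply describes.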
cazulp
Level 7

Re: Application rules have default of 'Match by Fingerprint'

Thanks Kary - that certainly clears things up.

0 Kudos