MSExchangeDelivery.exe is being blocked by HIPS 8.0. Here is the error:
Event = Traffic
Application = MSExchangeDelivery.exe
Message = Blocking incoming TCP Source <IP Address>: (7407) Destination <IP Address>: (475)
Matched Rule = Block All Traffic
Steps taken to try and fix the issue:
Allowed port 475
Allowed MSExchangeDelivery.exe and port 475 in the same rule.
Allowed MSExchangeDelivery.exe with any TCP ports.
Put the machine in Adaptive mode; it works until the policy is applied again. I cannot find the log that states what the rule should be. I have checked Menu > HIPS 8.0 > Firewall Client Rules, and it is empty. I ran the task to populate that screen and it is still empty. Where can I find a list of the rules learned in Adaptive mode?
Put the machine in Learn mode; again it works until the policy is applied. I do not get prompts to allow any denied rules, and again I cannot find a log or screen that states what rules were applied.
Any assistance would be great.
Because the "Block all traffic" rule is blocking this traffic, you do not have a Firewall rule in your policy that allows it. The Firewall rules you created may not have been configured correctly (or possibly not enforced on the HIPS client), so they still weren't allowing the traffic. You can review the HIPS Activity Log in the Client UI to get the exact details of the blocked traffic (probably how you obtained the information above), but to allow it you'd have to create a Firewall Rule and put it in your policy somewhere above the BLOCK ALL rule, so that this traffic is allowed before it gets to that rule.
It looks like HIPS Firewall Adaptive mode is automatically creating the Firewall rule for you to make it work, so you just need to review which FW rule is created. If you have the RETAIN EXISTING CLIENT RULES option enabled in your Firewall Options policy, then the FW client rule will be uploaded to the ePO server so that you can add the rule to your policy yourself. This would be the easiest way to review/add the needed rule to your policy to permanently allow the traffic. Be aware, though, that the client rule will use all the specific details of that single instance, which will include the specific Signer, File Description, and MD5 hash of the executable. You might want to modify the rule to make it a little less aggressive on executable checks, or you'll have to add more executable entries with similarly exact file details if there are multiple versions of the executable.
Related KB articles:
KB67055 - How to troubleshoot a network-facing application, or traffic that is blocked by Host Intrusion Prevention firewall
KB73399 - FAQs for Host Intrusion Prevention 8.0
PD22894 - Host Intrusion Prevention 8.0 Product Guide (Page 21, section "FAQ — Adaptive mode")
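To make the rule-ordering point above concrete, here is a small added example (not McAfee code or anything from this thread) that parses an Activity Log block in the format quoted in the first post and runs it through a first-match rule list, showing that an allow rule placed below "Block All Traffic" never fires. The log sample is constructed, with placeholder addresses; the rule-matching fields are a simplification of the real HIPS rule model.

```python
import re
from dataclasses import dataclass

# Constructed sample of the HIPS 8.0 Activity Log lines quoted in the thread.
# Placeholder addresses; the thread notes source and destination were the same host.
SAMPLE_EVENT = """Event = Traffic
Application = MSExchangeDelivery.exe
Message = Blocking incoming TCP Source 10.0.0.5: (7407) Destination 10.0.0.5: (475)
Matched Rule = Block All Traffic"""

MSG_RE = re.compile(
    r"Blocking (?P<direction>incoming|outgoing) (?P<proto>TCP|UDP) "
    r"Source (?P<src>\S+): \((?P<sport>\d+)\) Destination (?P<dst>\S+): \((?P<dport>\d+)\)"
)

def parse_event(text):
    """Turn one Activity Log block into the fields a firewall rule must match."""
    fields = dict(line.split(" = ", 1) for line in text.splitlines() if " = " in line)
    m = MSG_RE.search(fields.get("Message", ""))
    if not m:
        raise ValueError("unrecognised Message line")
    incoming = m["direction"] == "incoming"
    return {
        "application": fields["Application"],
        "direction": "in" if incoming else "out",
        "proto": m["proto"],
        # For incoming traffic the local (listening) port is the destination port.
        "local_port": int(m["dport"] if incoming else m["sport"]),
        "matched_rule": fields["Matched Rule"],
    }

@dataclass
class Rule:
    name: str
    action: str              # "allow" or "block"
    application: str = None  # None means "any"
    proto: str = None
    local_port: int = None
    direction: str = None

    def matches(self, ev):
        return all(getattr(self, f) in (None, ev[f])
                   for f in ("application", "proto", "local_port", "direction"))

def evaluate(rules, ev):
    """First match wins, as in an ordered firewall policy; returns (action, rule name)."""
    for r in rules:
        if r.matches(ev):
            return r.action, r.name
    return "block", "implicit"
```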
First, I realized I forgot two things. The <IP Address> for both the source and destination is the same. IP Spoofing is on. I could not find this setting in any firewall rule.
I configured the rule to allow the executable in and out. I verified the client received the rule, and it was still blocked.
I configured port 475 to allow TCP traffic to pass both in and out, verified the client updated the rule, still blocked.
I could not allow the inbound port since it is dynamic, but again I allowed the application for all ports, verified the client updated the policy, and it still blocked it.
You are correct, I viewed this in the Client Activity Log. Any changes I made had no effect on the system. There are other rules set up to allow other Exchange-related executables, and they are allowed to pass.
I am trying to get the adaptive rules to populate in the ePO console, but they will not show up. I have checked the window mentioned in the first post. I have also checked System Tree > Exchange client > Installed Products > HIPS 8.0 Firewall > Client Rules; this has nothing populated either. I am not sure if this is the correct path since I am not in front of the system right now.
Where else would these rules be listed?
I have put the Exchange server in Adaptive mode for the night and set up automatic emails. I am hoping there will be something in the Client Rules tomorrow.
I have also set the FW option to retain the client rules for now. This will have to be turned off before the weekend.
Thanks for the help thus far.