2 Replies Latest reply on Oct 18, 2010 2:33 PM by cazulp

    Application rules have default of 'Match by Fingerprint'

    cazulp

      We created our Firewall rules at the Client (without ePO) then installed the ePO Agent and imported the rules into ePO Console. I have since noticed that rules created manually and those 'Dynamically created via learn mode' have a default of 'Match by Fingerprint'. All appeared to be fine until last Tuesday's MS Patches. Suddenly all kinds of application rules were being blocked. I got around this by changing to 'Match by Path' and inserting the full path. This is a lot of work to have to go through every time a fingerprint changes on an exe. What have other people done to overcome this issue?

        • 1. Re: Application rules have default of 'Match by Fingerprint'
          Kary Tankink

          Firewall rules that are built locally on clients (either manually, via Learn mode, or via Adaptive mode) automatically obtain and use the MD5 hash of applications.  When you import these rules into your firewall policy, you need to make a decision whether this rule will retain the MD5 hash or remove it.  This applies to other application information as well, like the full path name of the application.

          If you decide to keep the MD5 hash of an application, the rule will only work for that specific build of the application.  If you have other application versions, with the same filename, in your environment, you would need to add more firewall rules for the same application and change the MD5 hash.

          If you decide NOT to keep the MD5 hash of an application, the rule will work for any application with the same path or name.

          If you decide to keep the full path of the application (e.g., "C:\Program Files\Internet Explorer\Iexplore.exe"), the firewall rule will only work for the application in that specific path.  Or you can decide to not use the path and only use the application name, which would match the application by filename only (e.g., "Iexplore.exe").

          It's all about how you decide to build your firewall rules by applying specific or non-specific information.  The more specific information you put in the firewall rule, the more firewall rules you will need for other versions/path names of that application, and vice-versa.

          Typos corrected on 10/18/10 2:17:07 PM CDT

          Message was edited by: Kary Tankink on 10/18/10 2:19:39 PM CDT
          1 of 1 people found this helpful
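
The trade-off described in reply 1, as an added example that is not part of the original thread and is not McAfee's implementation: a small Python model in which every criterion a rule carries (name, path, MD5) must match and an omitted criterion is a wildcard. The `App`, `Rule` and `audit` names, the second file path and the file contents are constructed for illustration.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class App:
    path: str       # full path of the executable
    content: bytes  # file bytes (constructed stand-ins, not real binaries)

    @property
    def md5(self) -> str:
        return hashlib.md5(self.content).hexdigest()

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]

@dataclass(frozen=True)
class Rule:
    label: str
    name: Optional[str] = None
    path: Optional[str] = None
    md5: Optional[str] = None

    def matches(self, app: App) -> bool:
        # Every criterion present must agree; absent criteria are wildcards.
        if self.md5 is not None and self.md5.lower() != app.md5:
            return False
        if self.path is not None and self.path.lower() != app.path.lower():
            return False
        if self.name is not None and self.name.lower() != app.name.lower():
            return False
        return True

def audit(rules, builds):
    """Return {rule label: [labels of the builds that rule matches]}."""
    return {r.label: [b for b, a in builds.items() if r.matches(a)] for r in rules}

IE = r"C:\Program Files\Internet Explorer\Iexplore.exe"
BUILDS = {  # constructed sample data
    "original": App(IE, b"constructed build 1"),
    "patched": App(IE, b"constructed build 2"),  # same path, new bytes
    "other-dir": App(r"C:\Users\Public\Iexplore.exe", b"constructed unrelated file"),
}
RULES = [
    Rule("fingerprint", name="Iexplore.exe", path=IE, md5=BUILDS["original"].md5),
    Rule("path", path=IE),
    Rule("name-only", name="Iexplore.exe"),
]

if __name__ == "__main__":
    for label, hits in audit(RULES, BUILDS).items():
        print(f"{label:12} matches: {hits}")
```

The fingerprint rule stops matching as soon as the file's bytes change, which is the behaviour reported after the patch; the path rule survives the patch, and the name-only rule also matches a same-named file in any other directory.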
          • 2. Re: Application rules have default of 'Match by Fingerprint'
            cazulp

            Thanks Kary - that certainly clears things up.