We are currently rolling out HIPS 8, and have configured a default firewall ruleset which covers all the standard apps we run across the company. There are a few users, probably around 15 out of 2000, who use Dropbox. We don't consider Dropbox a standard, so it isn't in the ruleset.
Currently, HIPS is running in Learn mode, so the users of Dropbox are constantly seeing firewall alerts with the following info:
Local Port: 17500
Local Address: 255.255.255.255
Remote Address: internal IP
Remote Port: 17500
When these alerts come up, the users click on Allow, but it doesn't generate a dynamic rule. Am I correct in thinking this is expected behavior since it is incoming UDP traffic? If not, why isn't it saving a dynamic rule on the receiver's machine?
If I'm following the flow correctly, it looks like Computer A has a Dropbox client installed, and that client is sending broadcast traffic. When it hits Computer B, which also has a Dropbox client, it throws up the alert on Computer B, and at that point they can either Allow or Deny the traffic.
Not sure if it matters, but we're running ePO 4.6.6, VSE 8.8, and MA 4.6. All clients are running Win7. HIPS 8 is at patch 2 with the latest hotfix.
Thanks for any info you can provide.