9 Replies Latest reply on Jun 7, 2016 11:41 AM by youngs

    Allow Rule for Executable Blocked by Default Block-All Rule

    vdinenna

      Hello,

      This is my first post.  I have no training in McAfee products and am using ePO to manage HIPS, DLP, A/V and firewalls (FWs).  I can deploy agents, encrypt drives, and use DLP to block or allow devices.

      I am not versed in HIPS and FW.  The ePO server was set up by another admin in a remote location.  I have asked for help, but he washed his hands of setup questions.  Another, more experienced local admin is confused by our issue, because it worked for another set of allowed applications/executables.

      I'm in a tough spot where I need to allow two executables to pass through the McAfee client firewall.  The client computer is making the request, but the server answers through a DCOM process where the port above 1023 is random.  This all takes place inside our network, by developers and testers.  It does not go out to the internet.

      The request is allowed out, as shown in the logs.

      The responses are blocked, and they are exactly the executables that were allowed, with the reason given as Block All Traffic.

      I moved the allow rule to the top of the list, but it is still superseded by the Block All rule.

      Navigator Server Executables (Executable Rule)

      Action: Allow, Log matching traffic
      Direction: Either
      Media: All types (Wired, Wireless, Virtual)
      Protocol: All Protocols/Any
      Local networks:
      Remote networks:
      Local service:
      Remote service:
      Applications: (columns Name / File name / Fingerprint / File description / Signer)
      Location:
      Timed group setting:
      Off-hours action: undefined
      Days:
      Start: 0:00
      End: 23:59
      Note: Navigator server components (including RemoteOverride and Poster) making DCOM callback to the workstation. The needed port to open is dynamically determined by the DCOM system. Our components do not specify the port.

      Last modified: By vdinenna on 5/18/2016 4:08:57 PM

      Sample of Blocks

      Time:       5/16/2016 2:04:37 PM
      Event:      Traffic
      IP Address/User:       xxx.xxx.xxx.xxx
      Description:             PosterCallBack Module (PosterCallBack.exe)
      Path:        C:\Program Files (x86)\USERS\DSComponentSuite\DCOM\PosterCallBack.exe
      Message:  Blocked Incoming TCP -  Source xxx.xxx.xxx.xxx :  (62190)  Destination xxx.xxx.xxx.xxx :  (52980)
      Matched Rule:         Block All Traffic

      Time:       5/16/2016 2:03:03 PM
      Event:      Traffic
      IP Address/User:       10.200.6.100
      Description:             RemoteOverrideMM Module (RemoteOverrideMM.exe)
      Path:        C:\Program Files (x86)\USERS\DSComponentSuite\DCOM\RemoteOverrideMM.exe
      Message:  Blocked Incoming TCP -  Source xxx.xxx.xxx.xxx :  (62174)  Destination xxx.xxx.xxx.xxx :  (52968)
      Matched Rule:         Block All Traffic

      Agent information on the local system.

      System Information
      Computer Name: xxxxxxxx

      McAfee Host Intrusion Prevention
      Version number: 8.0
      Build date: Wednesday, June 10, 2015
      Build Number: 8.0.0.3363
      License Type: Licensed
      Expiration Date:
      Language: Automatic
      Security Content Version: 8.0.0.6952
      Security Content Created On: Tuesday, May 03, 2016
      Patch: 6

      McAfee Agent
      Version number: 4.8.0.1938
      Managed
      Last security update check: 5/25/2016 1:23:50 PM
      Last agent-to-server communication: 5/26/2016 9:34:30 AM
      Agent to Server Communication Interval (every): 1 hour
      Policy Enforcement Interval (every): 5 minutes
      Agent ID: {F6EE12A1-A359-xxxxx-xxxxx-A1D04546EC34}
      ePO Server/Agent Handler
      DNS Name: xxxxxxxx
      IP Address: xxxxxxxx
      Port Number: 443

      McAfee DLP Endpoint
      Version number: 9.2.200.60
      Language: English (United States)

      McAfee Endpoint Encryption Agent
      Version number: 7.0.3.413
      Language: Multiple

      McAfee File and Removable Media Protection
      Version number: 4.3.1.114
      Language: Multiple

      Endpoint Encryption for PC
      Version number: 7.0.3.413

      McAfee VirusScan Enterprise + AntiSpyware Enterprise
      Version number: 8.8.0 (8.8.0.1528)
      Build date: 2/12/2016
      Anti-virus License Type: licensed
      Scan engine version (32-bit): 5800.7501
      Scan engine version (64-bit): 5800.7501
      DAT version: 8175.0000
      DAT Created on: 5/24/2016
      Number of Signatures in extra.dat: 0
      Name of threats that extra.dat can detect: None
      Buffer Overflow and Access Protection DAT version: 739
      Installed Patches: 7

      Thanks,

      Vince
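A small triage script for the blocked-callback events quoted above, added here as an example (it is not part of the original post and not a McAfee tool): it parses the HIPS 8.0 firewall event format shown in the post and lists inbound blocks where an executable named in the allow rule was still matched by Block All Traffic on a dynamic (>1023) destination port, which is the symptom the post describes. The allow-rule application list (PosterCallBack.exe, RemoteOverrideMM.exe) is an assumption, and the embedded sample uses the post's placeholder addresses.

```python
import re

# Constructed sample in the HIPS 8.0 firewall event format quoted in the post (placeholder addresses kept).
SAMPLE_EVENTS = """\
Time:       5/16/2016 2:04:37 PM
Event:      Traffic
IP Address/User:       xxx.xxx.xxx.xxx
Description:             PosterCallBack Module (PosterCallBack.exe)
Path:        C:\\Program Files (x86)\\USERS\\DSComponentSuite\\DCOM\\PosterCallBack.exe
Message:  Blocked Incoming TCP -  Source xxx.xxx.xxx.xxx :  (62190)  Destination xxx.xxx.xxx.xxx :  (52980)
Matched Rule:         Block All Traffic

Time:       5/16/2016 2:03:03 PM
Event:      Traffic
IP Address/User:       10.200.6.100
Description:             RemoteOverrideMM Module (RemoteOverrideMM.exe)
Path:        C:\\Program Files (x86)\\USERS\\DSComponentSuite\\DCOM\\RemoteOverrideMM.exe
Message:  Blocked Incoming TCP -  Source xxx.xxx.xxx.xxx :  (62174)  Destination xxx.xxx.xxx.xxx :  (52968)
Matched Rule:         Block All Traffic
"""

# Assumed contents of the "Navigator Server Executables" allow rule's application list.
ALLOWED_EXES = {"postercallback.exe", "remoteoverridemm.exe"}

MSG_RE = re.compile(r"(?P<action>Blocked|Allowed) (?P<dir>Incoming|Outgoing) (?P<proto>TCP|UDP) -\s+"
                    r"Source \S+ :\s+\((?P<sport>\d+)\)\s+Destination \S+ :\s+\((?P<dport>\d+)\)")

def parse_events(text):
    """Split the log on blank lines; each event becomes a dict of 'Field: value' pairs."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        ev = dict(line.split(":", 1) for line in block.splitlines() if ":" in line)
        events.append({k.strip(): v.strip() for k, v in ev.items()})
    return events

def dcom_callbacks_hit_by_block_all(text, allowed=ALLOWED_EXES):
    """Return (exe, dport) for inbound blocks of an allow-listed executable on a
    dynamic port that the catch-all rule matched instead of the allow rule."""
    hits = []
    for ev in parse_events(text):
        m = MSG_RE.search(ev.get("Message", ""))
        if not m or m["action"] != "Blocked" or m["dir"] != "Incoming":
            continue  # only inbound blocks are the DCOM callback symptom
        exe = ev.get("Path", "").rsplit("\\", 1)[-1].lower()
        dport = int(m["dport"])
        if exe in allowed and dport > 1023 and ev.get("Matched Rule") == "Block All Traffic":
            hits.append((exe, dport))
    return hits
```

Run it over an export of the client's Activity Log in the same format to confirm whether every block of the two executables is on an ephemeral port; if so, the allow rule is not matching the application at all and its application entries (file name/fingerprint/signer) are the first thing to check.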