3 Replies Latest reply on Oct 26, 2016 1:06 AM by Daniel_S

    Executable verification Rule (ENS 10.2 Firewall)

    fabiansz

      Hi there

       

      Since mid September I see the following events in ePO:

      - LYNC.EXE attempted to access x.x, violating the rule Executable verification Rule and was Blocked.

      - OUTLOOK.EXE attempted to access x.x, violating the rule Executable verification Rule and was Blocked.

      - IEXPLORE.EXE attempted to access x.x, violating the rule Executable verification Rule and was Blocked.

      - WMIPRVSE.EXE attempted to access x.x, violating the rule Executable verification Rule and was Blocked.

      ...and so on. All outgoing.

       

      But my firewall config does NOT block any outgoing connections!

       

      What is this "Executable verification Rule"? Where do I find it? What does it do? How can I configure it? Where is this function documented? I did not find any reference in any document.

      I am NOT using the "Enable dynamic block rules" option. I am NOT using GTI either.

       

      So, why is ENS 10.2 adding additional rules to my policies without letting me know?

      I have been engineering ENS 10.1 since last December. I am pretty sure this is a new behavior since 10.2.

       

      Any hints appreciated.

        • 1. Re: Executable verification Rule (ENS 10.2 Firewall)
          Daniel_S

          I can just give you a hint as I'm just getting familiar with the Firewall:

           

          Under Endpoint Security Firewall: Firewall > Options > Your Rule

           

          At the very bottom there is an option for trusted executables.

          Maybe you can try to add them there and have a look if the errors still occur.

           

          Regards

          Dan

          • 2. Re: Executable verification Rule (ENS 10.2 Firewall)
            fabiansz

            Hi Daniel

            Thanks for your reply!

            That's what Support told me to do. But this would create a bi-directional rule on top that allows ANY communication of that EXE. That's not a solution.

             

            The strange thing I noticed are log entries like "Setting the FW bBlockUntrusted to 1 succeeded" and later "Setting the FW bBlockUntrusted to 0 succeeded". But there exists no policy at all with "Block all untrusted executables" enabled on my ePO. And I have 2 ePOs running. Clients on both servers suffered from that condition. Even the two default McAfee Policies do not have this option checked.

             

            So, no one knows why the heck my clients sometimes get the setting BlockUntrusted = 1 and from where.

            What I can say now......it disappeared since I re-saved EVERY policy on the server. Changed one checkbox --> SAVE......changed back that checkbox --> SAVE again.

             

            Hoping now the error is gone.

             

            Regards

            Fabian

            • 3. Re: Executable verification Rule (ENS 10.2 Firewall)
              Daniel_S

              Okay then I hope that did the trick for you.

              My next guess would be that it is one of the rules that sets dynamic firewall rules.

              I know you said these options are unchecked, but maybe something went wrong during saving or whatnot. So in this case saving them again should do the trick.

               

              Best regards

              Dan
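
One way to check whether the "Executable verification Rule" blocks coincide with the periods between the two bBlockUntrusted log entries quoted in reply 2. This is an added example, not part of the thread and not McAfee code; the message texts are the ones quoted above, while the timestamp prefix, the single merged log stream and the sample lines are assumptions constructed for illustration.

```python
import re
from datetime import datetime

# Assumption: each line starts with 'YYYY-MM-DD HH:MM:SS ' and lines are in
# chronological order. Adjust TS_FMT to the layout of your own logs.
TS_FMT = "%Y-%m-%d %H:%M:%S"
TOGGLE = re.compile(r"Setting the FW bBlockUntrusted to ([01]) succeeded")
BLOCK = re.compile(r"(\S+) attempted to access .*violating the rule "
                   r"Executable verification Rule and was Blocked")

def events(lines):
    """Yield (timestamp, message) pairs, skipping lines without a timestamp."""
    for line in lines:
        try:
            yield datetime.strptime(line[:19], TS_FMT), line[20:]
        except ValueError:
            continue

def untrusted_windows(lines):
    """Return (start, end) periods with bBlockUntrusted = 1; end is None if never reset."""
    windows, start = [], None
    for ts, msg in events(lines):
        m = TOGGLE.search(msg)
        if not m:
            continue
        if m.group(1) == "1" and start is None:
            start = ts                      # repeated "to 1" lines keep the first start
        elif m.group(1) == "0" and start is not None:
            windows.append((start, ts))
            start = None
    if start is not None:
        windows.append((start, None))       # still set at end of log
    return windows

def classify_blocks(lines, windows):
    """Return (executable, timestamp, inside_window) for every block event."""
    out = []
    for ts, msg in events(lines):
        m = BLOCK.search(msg)
        if m:
            inside = any(s <= ts and (e is None or ts <= e) for s, e in windows)
            out.append((m.group(1), ts, inside))
    return out

# Constructed sample lines, not taken from a real client.
SAMPLE = [
    "2016-10-20 08:00:01 Setting the FW bBlockUntrusted to 1 succeeded",
    "2016-10-20 08:00:05 LYNC.EXE attempted to access x.x, violating the rule Executable verification Rule and was Blocked.",
    "2016-10-20 08:03:10 Setting the FW bBlockUntrusted to 0 succeeded",
    "2016-10-20 09:15:00 OUTLOOK.EXE attempted to access x.x, violating the rule Executable verification Rule and was Blocked.",
    "2016-10-20 10:00:00 Setting the FW bBlockUntrusted to 1 succeeded",
]
```

Block events reported as outside every window did not happen while the logged setting was 1, and a window with no end means the setting was never logged as reset.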