We have recently purchased Open Space for Enterprise and are going through creating our Anti-Hacker rules. Just about when we thought we had everything all worked out, we have hit a wall and need some help.

We need to be notified of any "out of the ordinary" activity hitting our workstations. As such, we have created a block-all port rule to log an event whenever something does not get allowed by any of the previous rules. This is all working well, except now when a Windows 2000 user opens a document from our SharePoint site. When a user does this, we get 3 Anti-Hacker log entries. The first one is from 0.0.0.0 to the IP address of the machine that is making the request. Not actual localhost (127.0.0.1), but the localhost's IP (e.g. 10.3.2.3). The port appears to be an RPC port (always incrementing). The next two hits are the same, but actually going to true localhost (127.0.0.1).

We cannot make a rule to allow this traffic. We either need to be able to have an application rule that gets processed before the port rules (so we can allow Word and Excel to do this), or a way to allow connections to the localhost's true IP address. We are using the Admin Kit to deploy and manage the policies.

I hope my explanation made sense. If anyone has any ideas on how to work around this, we would greatly appreciate it.
-Matt
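While the post is waiting for a policy-side answer, a defender reviewing the block-all log can at least keep the "out of the ordinary" alerts readable by separating host-local entries (source 0.0.0.0 or 127.0.0.1, destination the workstation's own address or 127.0.0.1, on a Windows 2000 dynamic RPC port) from entries with a genuinely external source. The script below is an added example and is not part of the original post or of the Kaspersky product; the log line format and the sample entries are constructed to mirror the three hits described above, and the host address list is an assumed input you would supply per workstation. The RPC dynamic range 1025-5000 is the default on Windows 2000.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed log format (assumption, not the product's real format):
# "<time> BLOCK src=<ip>:<port> dst=<ip>:<port> proto=<proto>"
LOG_LINE = re.compile(
    r"^(?P<time>\S+) BLOCK src=(?P<src>[\d.]+):(?P<sport>\d+) "
    r"dst=(?P<dst>[\d.]+):(?P<dport>\d+) proto=(?P<proto>\w+)$"
)

# Default dynamic (RPC endpoint) port range on Windows 2000.
RPC_DYNAMIC_RANGE = range(1025, 5001)

# Constructed sample: the three entries the post describes, plus one external hit.
SAMPLE_LOG = [
    "2009-01-05T09:12:01 BLOCK src=0.0.0.0:0 dst=10.3.2.3:1041 proto=TCP",
    "2009-01-05T09:12:01 BLOCK src=127.0.0.1:1042 dst=127.0.0.1:1043 proto=TCP",
    "2009-01-05T09:12:01 BLOCK src=127.0.0.1:1044 dst=127.0.0.1:1045 proto=TCP",
    "2009-01-05T09:13:44 BLOCK src=192.0.2.10:51234 dst=10.3.2.3:445 proto=TCP",
]
# Assumed: the addresses configured on the workstation whose log this is.
HOST_ADDRESSES = ["10.3.2.3"]


@dataclass
class Verdict:
    src: str
    dst: str
    dport: int
    category: str  # "host-local-rpc", "host-local", "external" or "unparsed"


def classify(line, host_addresses):
    """Decide whether one blocked-connection entry is host-local or external."""
    m = LOG_LINE.match(line)
    if not m:
        return Verdict("", "", 0, "unparsed")
    src = ipaddress.ip_address(m["src"])
    dst = ipaddress.ip_address(m["dst"])
    dport = int(m["dport"])
    local = {ipaddress.ip_address(a) for a in host_addresses}
    # 0.0.0.0 (unspecified), 127.0.0.1, or one of the host's own addresses
    # all mean the connection originated on this machine.
    src_is_self = src.is_unspecified or src.is_loopback or src in local
    dst_is_self = dst.is_loopback or dst in local
    if src_is_self and dst_is_self:
        category = "host-local-rpc" if dport in RPC_DYNAMIC_RANGE else "host-local"
    else:
        category = "external"
    return Verdict(str(src), str(dst), dport, category)


def triage(lines, host_addresses):
    """Classify every log line, preserving order."""
    return [classify(line, host_addresses) for line in lines]


def external_only(lines, host_addresses):
    """The entries that still deserve an analyst's attention."""
    return [v for v in triage(lines, host_addresses) if v.category == "external"]


if __name__ == "__main__":
    for v in triage(SAMPLE_LOG, HOST_ADDRESSES):
        print(f"{v.category:15} {v.src} -> {v.dst}:{v.dport}")
```

This only filters the review queue; it does not change what the firewall blocks, so the Word and Excel connections still fail until a rule or policy ordering fix is found. Keep the host-local entries in the raw log rather than discarding them, since a process binding to the host's own address on a dynamic port is exactly the kind of event you would want to be able to look back at.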