technikarc

Firewall notifications not working

I have a program. It can connect to the internet when I disable the firewall in the policy, and it can't connect when I enable the firewall. All is correct. But Firewall pop-up notifications do not work at all, although I enabled everything in the Policy's Reports and Storages --> Notifications --> Firewall --> Notify on screen and Save in local log sections. I can find some notifications from Firewall in the KSC Event tab, but they are old and not related to the mentioned program's activity, even after several Forced Sync attempts. Other on-screen pop-up notifications, like Application startup control, are working correctly if I enable them in the policy. What am I missing? KES v10.3.0.6294, Agent v10.4.343.

Screen Shot 08-28-17 at 09.49 PM.PNG

Edited by technikarc


Hello!

Could you please tell us if the notifications by mail are working?

And please specify which machine should show the on-screen notifications.

Thanks!


No, email notifications do not work either. I had some notifications from other workstations like

[...]
Result\Description:    OK
Reason:                Skipped
[...]
[...]
Result\Description:    Not processed
Reason:                ---
[...]

but nothing about which app was blocked and with what attempt to connect.

From this particular workstation mentioned in the first post I'm not getting anything while I'm launching this particular app. Firewall is working though, and it looks like it's particularly blocking the taskeng.exe process. But why am I not getting anything about it in Firewall pop-up or e-mail notifications?

Machine's OS is Windows 7 Professional SP1 (Windows Version 6.1 (Build 7601 Multiprocessor Free)).

First image is with Firewall disabled.

Second image is with Firewall enabled.

Third image is with notification settings (on-screen notifications were disabled at that time, but they do not work either, as mentioned earlier).

Firewall_Disabled.PNG

Firewall_Enabled.PNG

Notification_Settings.PNG

Edited by technikarc

Hello,

Please be more specific.

What notification should be triggered according to your expectations?

Thank you.

 


Which executable file and to what IP/Port has tried to connect. I suppose it should be about Critical events --> Network activity blocked.

Please attach an export of the KES log event where a "Network activity blocked" event is registered.

Thank you.


There are no records about the "Network activity blocked" event in the Event Log for this particular workstation. There are no records about this event even from the other 51 Workstations, and the server has been running for about half a year now. Event Log is working though.

Screen Shot 08-30-17 at 03.19 PM 000.PNG

Screen Shot 08-30-17 at 03.19 PM 001.PNG

Screen Shot 08-30-17 at 03.20 000PM.PNG

Screen Shot 08-30-17 at 03.20 PM 001.PNG

Screen Shot 08-30-17 at 03.20 PM 002.PNG

Screen Shot 08-30-17 at 03.21 000PM.PNG

Please attach the KES policy or screenshots of the firewall rules in the KES policy.

For what group did you create the policy?

What event is usually registered when you try to access the Internet?

Thank you.

 

 


Workstation is in group "RCG with-ASC-FW". The group's policy is inherited from "Managed Devices" (1st screenshot).

I'm controlling the firewall mostly in "Application control rules" (2nd screenshot). "Network packet rules" is mostly untouched, except for two rules created by me and called "RCG MySQL" to open the MySQL port for local networks (3rd screenshot).

Now the application I'm trying to launch is called "streamripper.exe", which is in the "Low Restricted" category. But as I'm calling it through the "streamripper_newradio.cmd" script in Windows Task Scheduler, I must add the .cmd script to the "Low Restricted" category as well (2nd screenshot). So it's all working fine. But if I remove "streamripper.exe" or the "streamripper_newradio.cmd" script from the "Low Restricted" category and Firewall starts blocking it, I'm getting no Event Log records about it. I tried to launch this scheduled task on 2017-08-30 17:29 and have no information about the blocked connection in the Event Log (5th screenshot). I've done synchronization with the KSC a couple of times after trying.

1.PNG

2.PNG

3.PNG

4.PNG

5.PNG

Could you disable "inheritance" for your policy and disable "force inher.." for the parent policy for troubleshooting purposes?

Do you see registered block rules related to your app in APC?

Thank you.

 


I could not disable inheritance in group "RCG with-ASC-FW" because these options were greyed out (1st screenshot). So I copied this Policy from "Managed devices" and pasted it in the "RCG with-ASC-FW" category under the name "Kaspersky Endpoint Security 10 Service Pack 2 for Windows (1)". Made it active and unchecked "Inherit policy top-level settings" from the General tab, so it replaced the original. Now I can control the policy directly from the "RCG with-ASC-FW" group, if that is what's needed.

Tried to launch the app again at 2017-08-30 19:52, the app said it can't connect to the resources, synced the Workstation a couple of times with KSC, still nothing (2nd screenshot).

1.PNG

2.PNG

Please uncheck "force inheritance" in the parent policy (for managed devices).

Thank you.

 


Hi,

In that case please provide us with KES traces collected while the notification should be generated.

Please describe the scenario you've collected traces with.

Thank you!


I made KES traces following these instructions: http://support.kaspersky.com/us/9343#howto.

And suddenly ran into another problem. After stopping KES through KSC, I couldn't start it - the KES message "Starting the application on the remote device..." was not finishing in about 5 minutes, then the message appeared "The application could not be started". I restarted the computer. Tried to start/stop KES locally with the same result but without any message. This time I noticed that after stopping KES one of two processes named "avp.exe *32" ended. But after launching KES it did not reappear. I tried this method two times with the same result. But let's leave this story in peace for now. To get KES traces as clean as they can be, I restarted the whole process from the beginning.

Restarted Workstation with Traces disabled. Then enabled Traces with level "Low 600" and restarted Workstation again. After it restarted with Traces enabled, I tried to start my application 3 times with a 5-second pause between attempts. Application said it cannot connect to the internet, as expected. I disabled Traces right away and restarted Workstation once again.

I notice I do not get "Network activity blocked" messages in Event Log from any of my Workstations though Firewall is Enabled.

Looks like I'm not allowed to attach *.zip files so I'm sharing it from other resource.

Edited by technikarc
Could not attach Traces the first time. Looks like I'm not allowed to attach *.zip files

Hello,

Do you find events in APC triggered in response to the attempt to access the Internet?

Thank you.

 


We do not use APC module. Only ASC is enabled. I get ASC messages in Event Log when they occur but not in this case. Looks like ASC has nothing to do with streamripper.exe because it is in white list. And yes - we are using whitelist in ASC instead of blacklist.


No, this was a clean install.

If I enable Firewall and its on-screen or e-mail notifications in the KSC policy, Firewall is sending me Notifications about "Object processed" or "Object not processed" but never about "Network activity blocked" from any of my Workstations.

Untitled.png

Untitled2.png


Even more, some of our Workstations must be restarted after some time to access network resources on various ports. We have a data connection through port 8501 and audio streaming through port 12345. After restarting, all is working well for some time, and some time after that the Workstation can no longer access these resources. I can't see any information about that because Firewall notifications are not working. In Firewall settings I'm using "Monitor all ports" and it looks like Kaspersky can't handle this at all. It's a buggy module.
I gave you traces and all other information. Is there any possible workaround with this?


Is there any possibility to get preconfigured settings or policies that I can test if the problem is in them? Or is it just an annoying bug?
