
F-Secure blocking WMI and RPC...

Aquaflow
Aquaflow W/ Alumni Posts: 11 Security Scout

Over the weekend, I pushed client 11.60 and while I am not sure if that is related or not, I can no longer do things like:

 

wmic /node:<machine name or IP> bios get serialnumber 

 

I get:

 

Node - <machine name or IP>
ERROR:
Description = The RPC server is unavailable.

 

I am prepping a new system but have not pushed F-Secure to it yet and this works fine.

 

I have other management systems that depend on RPC and WMI and need to get this back on.

 

Any ideas much appreciated.

Comments

  • Aquaflow
    Aquaflow W/ Alumni Posts: 11 Security Scout

    I went ahead and pushed the new machine - WMI and RPC no longer work.

     

    I am not sure what has happened other than pushing the new client (11.60).


  • etomcat
    etomcat W/ Alumni Posts: 1,172 Firewall Master

    Hello,

     

    Maybe add the "wmic" binary under antivirus exclusions and trusted processes in the FSPM central management and distribute the new policy to clients. That could work around the problem.

     

    Yours Sincerely: Tamas Feher, Hungary.

  • Aquaflow
    Aquaflow W/ Alumni Posts: 11 Security Scout

    WMI does not have a binary - it is a Windows service that is a sub process of svchost.exe - and so is RPC.  These two features of the Windows Management system are used by a number of management/monitoring/system information connection tools and it would seem funny if others are not having this problem.

  • Larry_FIN
    Larry_FIN W/ Alumni Posts: 1 Security Scout

    Hi!

     

    At least in F-Secure PSB, I got this working via application control. It's because WMI uses dynamic ports in addition to WMI static ports.

     

    http://community.f-secure.com/t5/End-point/Dynamic-firewall-rules/ta-p/20664

     

    Br,

     

    LarrY
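
Added example, not part of any post in this thread: a PowerShell triage for the "RPC server is unavailable" error. It separates a blocked static port from a blocked dynamic port, since remote WMI over DCOM first contacts the RPC endpoint mapper on TCP 135 and then moves to a dynamically assigned port. `$Target` and the function name `Test-RemoteWmiPath` are placeholders chosen for this example.

```powershell
# Added example: triage for "The RPC server is unavailable" on remote WMI.
# $Target is a placeholder; set it to the machine name or IP being queried.
$Target = 'TARGET-HOST'

function Test-RemoteWmiPath {
    param([Parameter(Mandatory)][string]$ComputerName)

    $result = [ordered]@{
        ComputerName   = $ComputerName
        EndpointMapper = $false   # TCP 135, the fixed RPC endpoint mapper port
        DcomWmiQuery   = $false   # needs TCP 135 plus a dynamically assigned port
        Diagnosis      = ''
    }

    # Step 1: check the static port. If this fails, dynamic ports are not the issue yet.
    $result.EndpointMapper = Test-NetConnection -ComputerName $ComputerName -Port 135 -InformationLevel Quiet -WarningAction SilentlyContinue

    if (-not $result.EndpointMapper) {
        $result.Diagnosis = 'TCP 135 unreachable: static RPC port is blocked or the host is down.'
        return [pscustomobject]$result
    }

    # Step 2: run the same BIOS query as the wmic command, explicitly over DCOM.
    $session = $null
    try {
        $option  = New-CimSessionOption -Protocol Dcom
        $session = New-CimSession -ComputerName $ComputerName -SessionOption $option -ErrorAction Stop
        $null    = Get-CimInstance -CimSession $session -ClassName Win32_BIOS -ErrorAction Stop
        $result.DcomWmiQuery = $true
        $result.Diagnosis    = 'WMI over DCOM works.'
    } catch {
        # 135 answered, so the failure is later in the path: the dynamic port or access rights.
        $result.Diagnosis = "TCP 135 open but the WMI call failed (dynamic RPC port blocked, or access denied): $($_.Exception.Message)"
    } finally {
        if ($session) { Remove-CimSession -CimSession $session }
    }
    return [pscustomobject]$result
}

# Run locally on the target to see the dynamic TCP port range a firewall rule must cover:
#   netsh int ipv4 show dynamicport tcp

Test-RemoteWmiPath -ComputerName $Target
```

Running it against a machine before and after the endpoint client is installed shows whether the firewall change affected TCP 135 itself or only the dynamic range.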

This discussion has been closed.