Windows Firewall not allowing Echo response?
I am running an unmanaged SEP 11.0.503.333 client in Hyper-V on Server 2008 R2. When I install the unmanaged client, the server stops replying to echo requests. A Wireshark trace shows that the ICMP packets are being received. This problem arises if the SEP unmanaged client is installed. Event Viewer shows the following:

Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 11/10/2010 3:31:42 PM
Event ID: 5152
Task Category: Filtering Platform Packet Drop
Level: Information
Keywords: Audit Failure
User: N/A
Computer: SERVER1.test.domain
Description:
The Windows Filtering Platform has blocked a packet.

Application Information:
    Process ID: 4
    Application Name: System

Network Information:
    Direction: Inbound
    Source Address: 78.14.221.45
    Source Port: 0
    Destination Address: 78.14.221.44
    Destination Port: 8
    Protocol: 1

Filter Information:
    Filter Run-Time ID: 66622
    Layer Name: Receive/Accept
    Layer Run-Time ID: 44

The odd part of this message is that .44 is the local IP, and .45 is another server, but is being labeled as 'inbound'. This event is only created when the other server (.45) tries to ping the server with the unmanaged SEP client (.44). The problem goes away if the unmanaged client is uninstalled. I have allowed inbound and outbound ICMPv4 echo requests/response.
November 10th, 2010 6:52pm

Yes, you will only see this when the .45 machine tries to communicate with the .44 one. The source address gives you the IP address which is the source of the packet, which is 78.14.221.45. The destination address tells you where the packet is going, which is 78.14.221.44. What inbound and outbound refer to depends on what your point of reference is. What is inbound on one system will be outbound from another. A packet being marked as inbound does not necessarily mean that it was inbound to the network monitor.

Bill
November 11th, 2010 1:34am

Hi,

Thanks for posting here. I suspect that this may be a known issue; please follow the instructions below that are provided by Symantec to upgrade the software to the latest version of Symantec Endpoint Protection:

http://www.symantec.com/business/support/index?page=content&id=TECH102742&locale=en_US

Thanks.

Tiger Li

Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
November 11th, 2010 3:37am
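
Added example, not part of the thread or of any poster's reply: a small Python decoder for the Event ID 5152 fields quoted in the question. It assumes the Windows Filtering Platform convention that, for ICMP, the local port field carries the ICMP type and the remote port field carries the ICMP code; the function and variable names are illustrative.

```python
import re

# Constructed sample: the network and filter fields of the event quoted in the question.
SAMPLE_5152 = (
    "Direction: Inbound Source Address: 78.14.221.45 Source Port: 0 "
    "Destination Address: 78.14.221.44 Destination Port: 8 Protocol: 1 "
    "Filter Run-Time ID: 66622 Layer Name: Receive/Accept Layer Run-Time ID: 44"
)

FIELDS = {
    "direction": r"Direction:\s*(\S+)",
    "src": r"Source Address:\s*(\S+)",
    "sport": r"Source Port:\s*(\d+)",
    "dst": r"Destination Address:\s*(\S+)",
    "dport": r"Destination Port:\s*(\d+)",
    "protocol": r"Protocol:\s*(\d+)",
    "filter_id": r"Filter Run-Time ID:\s*(\d+)",
}
ICMP_TYPES = {0: "Echo Reply", 3: "Destination Unreachable",
              8: "Echo Request", 11: "Time Exceeded"}


def decode_5152(text):
    """Parse a 5152 description and resolve local/remote ends and ICMP type/code."""
    ev = {}
    for name, pattern in FIELDS.items():
        match = re.search(pattern, text)
        if match is None:
            raise ValueError(f"missing field: {name}")
        ev[name] = match.group(1)
    for key in ("sport", "dport", "protocol", "filter_id"):
        ev[key] = int(ev[key])
    # Direction is relative to the host that logged the event:
    # inbound means the destination address is the local machine.
    inbound = ev["direction"].lower() == "inbound"
    ev["local"], ev["remote"] = (ev["dst"], ev["src"]) if inbound else (ev["src"], ev["dst"])
    if ev["protocol"] == 1:  # IANA protocol number 1 = ICMP (IPv4)
        # Assumption stated above: local port = ICMP type, remote port = ICMP code.
        local_port, remote_port = ((ev["dport"], ev["sport"]) if inbound
                                   else (ev["sport"], ev["dport"]))
        ev["icmp_type"], ev["icmp_code"] = local_port, remote_port
        ev["icmp_name"] = ICMP_TYPES.get(local_port, "other")
    return ev


if __name__ == "__main__":
    print(decode_5152(SAMPLE_5152))
```

The `filter_id` value can be matched against the `filterId` entries in the XML written by `netsh wfp show filters` to see which filter dropped the packet.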
