Windows 7 Firewall Questions - Logging and Blocking Outbound connections
I have a couple of questions regarding the Windows 7 Firewall.

First, I need to block ALL outbound connections, except for those that I explicitly allow. I've gotten this to work, but not exactly how I want. Blocking works and I can get 2 of the 3 applications that I need to work. However, the 3rd (McAfee VirusScan Enterprise) is unable to update. I've unblocked one app (mcupdate.exe), but there's apparently something else that needs to be unblocked. How do I determine which McAfee applications should be given permission to make an outbound connection?

Which leads me to my second question: does the Windows 7 Firewall log blocked outbound traffic? I've found some information in the Event Log, but it has only logged things like rule changes. There's also a dropped-packet log, but that doesn't tell me which application was blocked, only the destination address.

So, my question really becomes: while blocking outbound connections, does Win7 log those events? And how do I determine which applications need to be unblocked when I want something to communicate?
June 11th, 2010 12:12am

Hi,

Please try the following:

1. Enable IPsec and Windows Firewall audit events.
2. Check the related events, referring to the following document: Description of security events in Windows 7 and in Windows Server 2008 R2.

From the document, we can see that IDs 5031, 5155 and 5157 mean a connection was blocked.

Hope this helps.

Thanks.
Nicholas Li - MSFT
June 14th, 2010 12:34pm

Here is a bit more information on how to enable auditing.

From: http://msdn.microsoft.com/en-us/library/bb309058.aspx

Run the following command from an administrative command prompt on the system you would like to enable the logging on:

    auditpol /set /subcategory:"{0CCE9225-69AE-11D9-BED3-505054503030}" /failure:enable

These are logged into the System Security Log in Event Viewer. Sample:

    The Windows Filtering Platform has blocked a packet.

    Application Information:
        Process ID: 1392
        Application Name: \device\harddiskvolume2\sample path\application123.exe

    Network Information:
        Direction: Outbound
        Source Address: 192.168.228.100
        Source Port: 65443
        Destination Address: x.x.x.x
        Destination Port: 443
        Protocol: 6

    Filter Information:
        Filter Run-Time ID: 71069
        Layer Name: Connect
        Layer Run-Time ID: 48
September 20th, 2011 8:38pm
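The two replies above give the pieces (turn on Windows Filtering Platform failure auditing, then read the 5152/5157 events, whose Application field is the executable's NT device path). The script below is an added example, not code from either poster, that puts them together to answer the original question: it enables the audit subcategories by their English names (auditpol also accepts the GUID used in the reply above), then reads the Security log and groups outbound blocks by executable so you can see every binary that needs an allow rule. The subcategory names, the %%14593 "Outbound" code and the EventData field names (Application, Direction, DestAddress, DestPort, Protocol, FilterRTID) are assumptions from the standard 5152/5157 event schema; the netsh line at the end is a template with a placeholder path. Written to run on the PowerShell 2.0 that ships with Windows 7, from an elevated prompt.

```powershell
# Added example (not from the original thread). Run elevated on Windows 7.
# Step 1: audit blocked connections and dropped packets (failure events only).
#   Subcategory names are the English auditpol names (assumed locale).
auditpol /set /subcategory:"Filtering Platform Connection" /failure:enable
auditpol /set /subcategory:"Filtering Platform Packet Drop" /failure:enable

# Step 2: reproduce the failure (e.g. start the McAfee update), then pull the
#   WFP block events written since we started looking. 5157 = blocked connection,
#   5152 = blocked packet. Both carry the executable that triggered the block.
$since  = (Get-Date).AddHours(-1)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5152, 5157; StartTime = $since } `
                       -ErrorAction SilentlyContinue

# Step 3: parse each event's XML and keep only outbound blocks.
#   Direction is stored as a resource-string reference: %%14593 = Outbound,
#   %%14592 = Inbound (assumed from the 5152/5157 schema).
$blocked = foreach ($e in $events) {
    $xml = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    if ($d['Direction'] -eq '%%14593') {
        New-Object PSObject -Property @{
            Time        = $e.TimeCreated
            EventId     = $e.Id
            Application = $d['Application']      # NT device path, e.g. \device\harddiskvolume2\...
            Destination = "$($d['DestAddress']):$($d['DestPort'])"
            Protocol    = $d['Protocol']         # 6 = TCP, 17 = UDP
            FilterId    = $d['FilterRTID']       # matches "netsh wfp show filters" output
        }
    }
}

# Step 4: one row per executable. Every distinct path here is a candidate for an
#   outbound allow rule; the destinations tell you whether it is really the updater.
$blocked |
    Group-Object Application |
    Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'Destinations'; e = { ($_.Group | ForEach-Object { $_.Destination } | Sort-Object -Unique) -join ', ' } } |
    Format-Table -AutoSize

# Step 5 (manual): the firewall rule needs a Win32 path, so translate
#   \device\harddiskvolumeN\ to the drive letter (C:\ on a single-volume box)
#   and allow that program outbound. Placeholder path, not a real McAfee binary:
# netsh advfirewall firewall add rule name="Allow updater" dir=out action=allow program="C:\Path\To\blocked.exe"

# Step 6: failure auditing on these subcategories is noisy; turn it back off when done.
# auditpol /set /subcategory:"Filtering Platform Connection" /failure:disable
# auditpol /set /subcategory:"Filtering Platform Packet Drop" /failure:disable
```

Grouping by Application rather than by destination is the point: with "block all outbound by default", a single update can fan out across several helper executables, and the dropped-packet log (pfirewall.log) only ever shows the destination. A block that comes from a different executable than the one you already allowed (mcupdate.exe in the question) will show up as its own row, which is exactly the missing allow rule.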

