Windows Filtering Platform
Hi
Issue: Event ID 5157 shows WFP blocking some exes like Symantec, Sametime, svchost, etc., because of which the live update or definition update does not happen.
Error message: The Windows Filtering Platform has blocked a connection
Application Name: \device\harddiskvolume2\program files\symantec\symantec endpoint protection\smc.exe
Application Name: \device\harddiskvolume2\program files\symantec\liveupdate\lucomserver_3_3.exe
Note: In our systems the Windows Firewall service is running and Windows Firewall is disabled from Control Panel. What could be the issue?
Complete error message below.
Security Audit Failure
Microsoft-Windows-Security-Auditing
Eventid:5157
The Windows Filtering Platform has blocked a connection.
Application Information:
Process ID:1604
Application Name:\device\harddiskvolume2\program files\symantec\symantec endpoint protection\smc.exe
Network Information:
Direction:16044593
Source Address:XXX.XX.XXX.XXX
Source Port:57686
Destination Address:XXX.XX.XX.XXX
Destination Port:80
Protocol:6
Filter Information:
Filter Run-Time ID:0
Layer Name:16044611
Layer Run-Time ID:48
September 14th, 2012 7:44am
Hi,
This issue may occur if the WFP audit is enabled. I suggest you try to disable WFP auditing to troubleshoot this issue. Run the following command:
auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:disable /failure:disable
auditpol /set /subcategory:"Filtering Platform Connection" /success:disable /failure:disable
For more information about WFP audit, please refer to the articles:
Auditing
Troubleshooting Firewall-Related Issues
Tracy Cai
TechNet Community Support
September 18th, 2012 2:33am
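An added example, not part of either post: a PowerShell sketch that shows the current state of the two audit subcategories named in the reply and summarizes recent 5157 events by application, destination port and filter ID, so there is a record of what was being blocked before the auditing is changed. It assumes an elevated prompt, English subcategory names, and the event's XML field names (Application, DestAddress, DestPort, Protocol, FilterRTID).

```powershell
# Added example. Run elevated: reading the Security log requires administrator rights.

# 1. Show the current audit settings for the two subcategories from the reply.
#    (Subcategory names are localized; these are the English names.)
foreach ($sub in 'Filtering Platform Packet Drop', 'Filtering Platform Connection') {
    auditpol /get /subcategory:"$sub"
}

# 2. Collect recent "WFP has blocked a connection" events (ID 5157).
#    SilentlyContinue yields an empty result instead of an error when none exist.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5157 } `
                       -MaxEvents 2000 -ErrorAction SilentlyContinue

# 3. Turn each event's named <Data> fields into a flat object.
$rows = foreach ($e in $events) {
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }
    [pscustomobject]@{
        Time        = $e.TimeCreated
        Application = $data['Application']   # e.g. ...\symantec endpoint protection\smc.exe
        DestAddress = $data['DestAddress']
        DestPort    = $data['DestPort']
        Protocol    = $data['Protocol']      # 6 = TCP, 17 = UDP
        FilterRTID  = $data['FilterRTID']    # "Filter Run-Time ID" in the event text
    }
}

# 4. Count blocks per application / destination port / filter, most frequent first.
$rows |
    Group-Object Application, DestPort, FilterRTID |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize -Wrap
```

A non-zero FilterRTID can be looked up in the output of `netsh wfp show filters` to see which filter produced the block.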