When using VirtualBox network bridging, SEP blocks outgoing traffic
search cancel

When using VirtualBox network bridging, SEP blocks outgoing traffic


Article ID: 164791


Updated On:


Endpoint Protection


When using VirtualBox network bridging, Symantec Endpoint Protection (SEP) blocks virtual machines' outgoing traffic in relation to specific applications.

NAT - Working

2/10/2017 7:14:40 PM    Allowed    5    Outgoing    TCP    ocsp.entrust.net []    00-10-DB-FF-20-80    80   78-AC-C0-B2-68-54   57527   C:\Program Files\Oracle\VirtualBox\VirtualBox.exe   Admin   SYMC  Default   1    
2/10/2017 7:14:39 PM    
2/10/2017 7:14:39 PM    Allow All Application
Network Bridging - Not working

2/10/2017 7:24:51 PM	Blocked	   15	Outgoing    TCP	   www.msn.com  []	00-10-DB-FF-20-80    80    08-00-27-D0-7C-65	  49558   Admin   SYMC   Default   3	
2/10/2017 7:24:41 PM	
2/10/2017 7:24:50 PM	Block all other IP traffic and log


SEP (all versions)


As an application's process ID is not attached to any TCP/IP packet and cannot be acquired directly from the packet layer where Teefer implements its firewall functionality, Teefer uses an intermediary driver to try to obtain the process ID:
1. Our Network Security Driver (SND, better known as SymTDI or SymNets) monitors application layer activity using filters near the top of the network stack and maintains a database of active connections. This database correlates the network endpoint information (IP addresses and ports) with the process information.
2. Teefer then queries SND for application data on the basis of endpoint information found at the packet layer.

Typical virtualization solutions, including VirtualBox, use the client network stack to manage connections. A “sideband” communication with a proxy device driver or other application is used to relay packets between the virtual NIC and the actual NIC. Packets can be exchanged in one of the following ways:

1. Directly with an actual NIC (as an NDIS client). The application layer filters are bypassed completely and SND will have no record of any connection.
2. By attaching to the top of the TCP/IP stack and accessing it in “raw” packet mode. The process ID may be available depending on the thread that created the connection (it could be “SYSTEM”).
Either way, SND operation is limited to the information provided by the operating system. WPP tracing can reveal which connections are seen by SND and which queries are made by Teefer. By gathering WPP tracing, it was determined that the root cause is that we do not get a system callback from the OS when VirtualBox makes the connection in Bridge mode. Therefore, we cannot add the connection to the table a query for the same returns NOT_FOUND (c0000225) and the packet is dropped.


While this is a limitation of our SND driver, one way this issue could be resolved is by using the virtual machine's IP address to filter the traffic. More specifically, by adding the virtual machine's IP address as the Local Address in the Allow * Application, it will allow all packets sent from the virtual machine, even though no application is associated.