After upgrading the Symantec Endpoint Protection (SEP) agent from 14.3.5413.3000 to 14.3.9210.6000, the ping and traceroute commands time out.
When we increase the timeout value to 15 seconds, ping and traceroute succeed; however, they take far too long.
After running a clean wipe and removing SEP, ping and traceroute return to normal; after installing 14.3 RU6 again, the issue reappears.
If the Reverse DNS option is disabled (under "Protection and Stealth" in the firewall policy), the issue is not observed.
With SEP 14.3 RU6 installed:
C:\Users\XYZ>ping x.x.x.x -w 15000
Pinging x.x.x.x with 32 bytes of data:
Reply from x.x.x.x: bytes=32 time=9376ms TTL=122
Reply from x.x.x.x: bytes=32 time=12178ms TTL=122
Reply from x.x.x.x: bytes=32 time=12283ms TTL=122
Reply from x.x.x.x: bytes=32 time=12058ms TTL=122
After uninstalling SEP:
Pinging x.x.x.x with 32 bytes of data:
Reply from x.x.x.x: bytes=32 time=74ms TTL=122
Reply from x.x.x.x: bytes=32 time=28ms TTL=122
Reply from x.x.x.x: bytes=32 time=29ms TTL=122
Reply from x.x.x.x: bytes=32 time=28ms TTL=122
The DNS packets received in response from the remote DNS server are terminated at the query section and do not have any additional bytes. Consequently, the SEP firewall incorrectly considers these DNS response packets as invalid.
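The following is an added example, not from the original article or from Symantec: a Python check showing that a DNS response ending right after the question section is still internally consistent when its header declares zero answer, authority and additional records. The sample packet (a PTR response for the documentation address 192.0.2.1 with RCODE 3) and the function names are constructed for illustration; the article does not show the actual packets or their header values.

```python
import struct

def build_ptr_response(ip, txid=0x1234, rcode=3):
    """Constructed sample: a PTR response made of header + question only."""
    parts = ip.split(".")[::-1] + ["in-addr", "arpa"]
    qname = b"".join(bytes([len(p)]) + p.encode() for p in parts) + b"\x00"
    flags = 0x8000 | 0x0100 | 0x0080 | rcode          # QR=1, RD=1, RA=1
    header = struct.pack("!6H", txid, flags, 1, 0, 0, 0)  # QDCOUNT=1, others 0
    return header + qname + struct.pack("!2H", 12, 1)     # QTYPE=PTR, QCLASS=IN

def inspect_response(msg):
    """Walk the header and question section; report where the message ends."""
    if len(msg) < 12:
        raise ValueError("shorter than the 12-byte DNS header")
    _txid, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off, names = 12, []
    for _ in range(qd):
        labels = []
        while True:
            if off >= len(msg):
                raise ValueError("truncated inside question name")
            n = msg[off]
            off += 1
            if n == 0:
                break
            if n > 63:
                raise ValueError("compressed/extended label not handled here")
            if off + n > len(msg):
                raise ValueError("truncated label")
            labels.append(msg[off:off + n].decode("ascii", "replace"))
            off += n
        if off + 4 > len(msg):
            raise ValueError("truncated QTYPE/QCLASS")
        off += 4
        names.append(".".join(labels))
    declared, trailing = an + ns + ar, len(msg) - off
    return {
        "is_response": bool(flags & 0x8000),
        "rcode": flags & 0x000F,
        "questions": names,
        "records_declared": declared,
        "ends_at_question": trailing == 0,
        # Coarse check: bytes follow the question only if records are declared.
        "consistent": (declared == 0) == (trailing == 0),
    }

if __name__ == "__main__":
    sample = build_ptr_response("192.0.2.1")   # constructed, documentation IP
    print(len(sample), inspect_response(sample))
```

A response for which `ends_at_question` and `consistent` are both true carries no resource records by declaration, so its length alone is not evidence of a malformed packet.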