Microsoft windows platform

Issue: Event ID 5157 shows WFP blocking some exes like symantec, sametime, svchost etc because of which live update or definition update does not happens.

Error message: The Windows Filtering Platform has blocked a connection

Application Name: \device\harddiskvolume2\program files\symantec\symantec endpoint protection\smc.exe

Application Name: \device\harddiskvolume2\program files\symantec\liveupdate\lucomserver_3_3.exe

Note: In our syatems Windows firewall service is running & Windows firewall from control panel is disabled. what could be the issue?

Complete error message below.

Security Audit Failure

The Windows Filtering Platform has blocked a connection.Application Information:

Application Name:\device\harddiskvolume2\program files\symantec\symantec endpoint protection\smc.exe

Filter Run-Time ID:0

Layer Run-Time ID:48

This issue may occur if the WFP audit is enabled. I suggest you try to disable WFP auditing to troubleshoot this issue. Run the following command:

auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:disable /failure: disable

auditpol /set /subcategory:"Filtering Platform Connection" /success: disable /failure: disable

For more information about WFP audit, please refer to the articles:

TechNet Community Support

• Marked as answer by Sabrina Shen Thursday, September 27, 2012 8:01 AM

All replies

This issue may occur if the WFP audit is enabled. I suggest you try to disable WFP auditing to troubleshoot this issue. Run the following command:

auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:disable /failure: disable

auditpol /set /subcategory:"Filtering Platform Connection" /success: disable /failure: disable

For more information about WFP audit, please refer to the articles:

TechNet Community Support

• Marked as answer by Sabrina Shen Thursday, September 27, 2012 8:01 AM

Sorry but there is something that doesn't make sense here for me. the commands:

auditpol /set /subcategory: bla bla bla bla

Will only disable the logging of such events but wont prevent the MFP to block the connection, am i right?.

Microsoft is conducting an online survey to understand your opinion of the Technet Web site. If you choose to participate, the online survey will be presented to you when you leave the Technet Web site.