Troubleshoot Malicious Connection with Host Firewall

Available Languages

Download Options

  • PDF     (1.4 MB)
    View with Adobe Reader on a variety of devices
  • ePub     (1.4 MB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (1.1 MB)
    View on Kindle device or Kindle app on multiple devices
Updated:June 17, 2025
Document ID:223116

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction

    This document describes how to detect malicious connections on a Windows endpoint and block them using the Host Firewall in Cisco Secure Endpoint.

    Prerequisites

    Requirements

    • Host Firewall is available with Secure Endpoint Advantage and Premier packages.
    • Supported Connector Versions
      • Windows (x64): Secure Endpoint Windows connector 8.4.2 and later.
      • Windows (ARM): Secure Endpoint Windows connector 8.4.4 and later.

    Components Used

    This document is not restricted to specific software and hardware versions.

    The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

    Troubleshoot Guide

    This document provides a guide to block malicious connections with the use of Cisco Secure Endpoint Host Firewall. In order to test, you use the test page malware.wicar.org (208.94.116.246) to create a troubleshoot guide.

    Steps to Identify and Block Malicious Connections

    1. First, you need to identify the URL or IP address you want to review and block. For this scenario consider malware.wicar.org.
    2. Verify if access to the URL is successful. malware.wicar.org redirects to a different URL, as show in the image.

    Browser Malicious URLBrowser Malicious URL

    3. Use the nslookup command to retrieve the IP address associated with the URL malware.wicar.org.

    nslookup Outputnslookup Output

    4. Once the malicious IP address is obtained, check the active connections on the endpoint with the command:netstat -ano.

    netstat for all Connectionsnetstat for all Connections

    5. In order to isolate active connections, apply a filter to display only established connections.

    netstat for Established Connectionsnetstat for Established Connections

    6. Look for the IP address obtained from thenslookupcommand in the previous output. Identify the source IP, destination IP, source port, and destination port.

    • Local IP: 192.168.0.61
    • Remote IP: 208.94.116.246
    • Local Port: Not Applicable
    • Destination Portto 80 and 443

    7. Once you have this information, navigate to the Cisco Secure Endpoint Portal to create the Host Firewall configuration.

    Host Firewall Configuration and Rule Creation

    1. Navigate toManagement > Host Firewalland clickNew Configuration.Host Firewall New ConfigurationHost Firewall New Configuration
    2. Select a name and theDefault Action. In this case, select Allow.Host Firewall Configuration Name and Default ActionHost Firewall Configuration Name and Default Action
      note-icon

      Note: Keep in mind that you create a block rule, but you must allow other traffic to avoid impact on legitimate connections.

    3. Verify that the default rule has been created and clickAdd Rule.Add Rule in Host FirewallAdd Rule in Host Firewall
    4. Assign a name and set the next parameters:
      • Position: Top
      • Mode: Enforce
      • Action: Block
      • Direction: Out
      • Protocol: TCPRule General ParametersRule General Parameters
        note-icon

        Note: When you address malicious connections from an internal endpoint to an external destination, typically to the internet, the direction can always be Out.

    5. Specify the local and destination IPs:
      • Local IP: 192.168.0.61
      • Remote IP: 208.94.116.246
      • Leave theLocal Portfield blank.
      • Set theDestination Portto 80 and 443, these correspond to HTTP and HTTPS.Rule Addresses and PortsRule Addresses and Ports

    6. Finally, clickSave.

    Enable Host Firewall in the Policy and Assign the New Configuration

    1. In the Secure Endpoint Portal, navigate toManagement > Policiesand select the policy associated with the endpoint where you want to block malicious activity.
    2. ClickEditand navigate to theHost Firewalltab.
    3. Enable the Host Firewall feature and select the recent configuration, in this case MaliciousConnection.Host Firewall Enabled in Secure Endpoint PolicyHost Firewall Enabled in Secure Endpoint Policy
    4. Click Save.
    5. Finally, verify that the endpoint has applied the policy changes.Policy Update EventPolicy Update Event

    Validate the Configuration Locally

    1. Use the URL malware.eicar.org in a browser to confirm that it is blocked.Error Network Access Denied from BrowserError Network Access Denied from Browser
    2. After you confirm the block, verify that no connections are established. Use the command netstat -ano | findstr ESTABLISHED to ensure the IP associated with the malicious URL (208.94.116.246) is not visible.

    Review Logs

    1. On the endpoint, navigate to the folder:

    C:\Program Files\Cisco\AMP\<Connector version>\FirewallLog.csv

    note-icon

    Note: The log file is located in the folder <install directory>\Cisco\AMP\<Connector version>\FirewallLog.csv

    2. Open the CSV file to validate matches for the Block action rule. Use a filter to distinguish between Allow and Block connections.Firewall Logs in CSV FileFirewall Logs in CSV File

    Use Orbital to Retrieve Firewall Logs

    1. In the Secure Endpoint Portal, navigate toManagement > Computers, locate the endpoint, and clickRetrieve Firewall Logs in Orbital. This action redirects you to the Orbital Portal.Button to Retrieve Firewall Logs in OrbitalButton to Retrieve Firewall Logs in Orbital
    2. In the Orbital Portal, clickRun Query. This action displays all logs recorded on the endpoint for the Host Firewall.Run Query from OrbitalRun Query from Orbital
    3. The information is visible in theResultstab, or you can download it.Query Results from OrbitalQuery Results from Orbital

    Revision History

    Revision Publish Date Comments
    1.0
    20-Jun-2025
    Initial Release
    TAC Authored

    Contributed by Cisco Engineers

    • Uriel Zamora Hernandez
      Technical Consulting Engineer

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco

    This Document Applies to These Products