After you install or upgrade to ENS 10.7.0, network traffic from the SYSTEM process is allowed by a McAfee core networking rule named "Allow McAfee signed applications." This affects SYSTEM-based network traffic, such as NetBIOS and SMB (for example, ports 137, 138, and 445). The ENS Firewall processes firewall rules in top-to-bottom order, and "Allow McAfee signed applications" is toward the top of this list. Because the "Allow McAfee signed applications" rule is processed before any other firewall rules, any firewall rules that you created to allow or block this type of SYSTEM-based network traffic do not apply.
Example of related SYSTEM network traffic:
Time: 12/02/2019 11:22:48 AM
Event: Traffic
IP Address: x.x.x.x
Description: SYSTEM
Path: System
Message: Allowed Outgoing UDP - Source x.x.x.x : netbios_dgm (138) Destination x.x.x.x : netbios_dgm (138)
Matched Rule: Allow McAfee signed applications

Time: 12/02/2019 11:22:55 AM
Event: Traffic
IP Address: x.x.x.x
Description: SYSTEM
Path: System
Message: Allowed Incoming UDP - Source x.x.x.x : netbios_ns (137) Destination x.x.x.x : netbios_ns (137)
Matched Rule: Allow McAfee signed applications

Time: 12/02/2019 11:25:41 AM
Event: Traffic
IP Address: x.x.x.x
Description: SYSTEM
Path: System
Message: Allowed Outgoing TCP - Source x.x.x.x : (49704) Destination x.x.x.x : msds (445)
Matched Rule: Allow McAfee signed applications
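
The following log check is an added example, not part of the original article or of McAfee's tooling. It parses events in the format shown above and lists SYSTEM traffic on ports 137, 138, and 445 that was decided by "Allow McAfee signed applications". The sample log is constructed: the addresses are documentation-range placeholders, and the second event's process, path, and rule name are hypothetical.

```python
import re

# Constructed sample in the event format shown above (placeholder addresses;
# the second event and its rule name are hypothetical, added for contrast).
SAMPLE_LOG = """\
Time: 12/02/2019 11:25:41 AM
Event: Traffic
IP Address: 192.0.2.10
Description: SYSTEM
Path: System
Message: Allowed Outgoing TCP - Source 192.0.2.10 : (49704) Destination 192.0.2.20 : msds (445)
Matched Rule: Allow McAfee signed applications
Time: 12/02/2019 11:30:02 AM
Event: Traffic
IP Address: 192.0.2.10
Description: Example application
Path: C:\\Example\\app.exe
Message: Allowed Outgoing TCP - Source 192.0.2.10 : (50111) Destination 192.0.2.30 : https (443)
Matched Rule: Example outbound web rule
"""

WATCHED_PORTS = {137, 138, 445}  # NetBIOS and SMB ports named in the article
CORE_RULE = "Allow McAfee signed applications"
PORT_RE = re.compile(r"\((\d+)\)")  # port numbers appear in parentheses

def parse_events(text):
    """Split the log into dicts; each record starts at a 'Time:' line."""
    events = []
    for line in text.splitlines():
        key, sep, value = line.partition(": ")
        if sep and key == "Time":
            events.append({})
        if sep and events:
            events[-1][key] = value.strip()
    return events

def preempted_system_traffic(events):
    """Return (time, ports) for SYSTEM traffic on watched ports decided by the core rule."""
    hits = []
    for ev in events:
        ports = {int(p) for p in PORT_RE.findall(ev.get("Message", ""))} & WATCHED_PORTS
        if ev.get("Description") == "SYSTEM" and ev.get("Matched Rule") == CORE_RULE and ports:
            hits.append((ev["Time"], sorted(ports)))
    return hits

if __name__ == "__main__":
    for when, ports in preempted_system_traffic(parse_events(SAMPLE_LOG)):
        print(when, ports)
```

Any event this reports is traffic that a custom allow or block rule placed lower in the list never evaluated.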