Verify that the remote IP address isn't added to the block list in the Firecore drivers via an ENS Threat Prevention Network IPS (NIPS) signature violation. The ENS Firecore driver manages network traffic to/from the system. A remote IP address is added to the block list within the ENS Firecore driver in the following scenarios:
- If the NIPS feature Automatically block network intruders is enabled in the ENS Threat Prevention, Exploit Prevention policy menu.
- If a remote IP address has triggered any of the ENS Threat Prevention NIPS signatures.
The firewall rule matches the network traffic correctly to allow it, but the IP address is in the block list within Firecore. So, the network traffic is blocked. This behavior is working as designed.
To verify whether the IP address is in the block list, open an administrator command prompt and run the command below. The command shows the IP address and the related block timeout value.
"c:\Program Files\Common Files\McAfee\SystemCore\fwinfo.exe" -blacklistdisplay
Example:
Logging option is 0
Low: 10.10.10.1
High: 10.10.10.1
Time to live: 3600
Time remaining: 2218
Auto create is true
NOTE: The ENS Threat Prevention Exploit Prevention policy feature Number of seconds (1–9999) to block sets the "Time to live" value.
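To script the check above across several remote addresses, the following PowerShell parses the fwinfo.exe output format shown in the example and reports whether an address is covered by a block-list entry. It is an added example, not vendor code: the function names are hypothetical, and it assumes IPv4 addresses, that every entry repeats the Low/High/Time fields, and that Low to High is an inclusive range.

```powershell
# Added example, not vendor code. Function names are hypothetical.
# Assumptions: IPv4 only; each entry repeats the Low/High/Time fields shown
# in the sample output; Low..High is treated as an inclusive range.
function ConvertTo-IPv4Number([string]$Address) {
    $bytes = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    [Array]::Reverse($bytes)   # network byte order -> little-endian for BitConverter
    [BitConverter]::ToUInt32($bytes, 0)
}

function Get-FirecoreBlockEntry([string[]]$Lines) {
    $entry = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*Low:\s*(\S+)') {
            if ($entry) { [pscustomobject]$entry }   # emit the previous entry
            $entry = [ordered]@{ Low = $Matches[1]; High = $Matches[1]
                                 TimeToLive = $null; TimeRemaining = $null }
        }
        elseif ($entry -and $line -match '^\s*High:\s*(\S+)') { $entry.High = $Matches[1] }
        elseif ($entry -and $line -match '^\s*Time to live:\s*(\d+)') { $entry.TimeToLive = [int]$Matches[1] }
        elseif ($entry -and $line -match '^\s*Time remaining:\s*(\d+)') { $entry.TimeRemaining = [int]$Matches[1] }
    }
    if ($entry) { [pscustomobject]$entry }           # emit the last entry
}

function Test-FirecoreBlocked([string]$RemoteAddress, [string[]]$Lines) {
    $ip = ConvertTo-IPv4Number $RemoteAddress
    Get-FirecoreBlockEntry -Lines $Lines | Where-Object {
        $ip -ge (ConvertTo-IPv4Number $_.Low) -and $ip -le (ConvertTo-IPv4Number $_.High)
    }
}

# Sample input copied from the example output on this page.
# On an endpoint, from an elevated prompt, use instead:
#   $lines = & "c:\Program Files\Common Files\McAfee\SystemCore\fwinfo.exe" -blacklistdisplay
$lines = @'
Logging option is 0
Low: 10.10.10.1
High: 10.10.10.1
Time to live: 3600
Time remaining: 2218
Auto create is true
'@ -split "`r?`n"

$hit = Test-FirecoreBlocked -RemoteAddress '10.10.10.1' -Lines $lines
if ($hit) { $hit | Format-List } else { 'Address is not in the Firecore block list.' }
```

A match means the traffic is dropped by the block list regardless of the firewall rule; the TimeRemaining field shows how many seconds are left before the entry expires.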