
Access protection - Blocked by port blocking rule - DNS.exe and Lsass.exe

I have McAfee VirusScan Enterprise 8.5.0i on my servers (2003 Standard). I checked the logs, and 2 of the servers (the domain controller (10.10.10.18) and the Exchange server (10.10.10.9)) are showing up as McAfee blocking them in the access protection log files daily.

On the Exchange:

Blocked by port blocking rule - Anti-virus Standard Protection:Prevent IRC communication - 10.10.10.18:6666

Blocked by port blocking rule - Anti-virus Standard Protection:Prevent IRC communication 10.10.10.18:6667

Blocked by port blocking rule Anti-virus Standard Protection:Prevent IRC communication 10.10.10.18:6668

On the Domain Controller:

Blocked by port blocking rule C:\WINDOWS\System32\dns.exe Anti-virus Standard Protection:Prevent IRC communication 10.10.10.9:6668

Blocked by port blocking rule C:\WINDOWS\system32\lsass.exe Anti-virus Standard Protection:Prevent IRC communication 10.10.10.9:6667

Should I exclude dns.exe and lsass.exe on the domain controller? And also allow IRC communication on the Exchange box from the domain controller?

3 Replies

Access protection - Blocked by port blocking rule - DNS.exe and Lsass.exe

Yeah, known issue. Once I tried to search for an explanation, but these are Windows AD (lsass), and you should create exclusions for them, and then everything should be fine, but don't disable this rule completely.

I hope that this helps.

apoling

Access protection - Blocked by port blocking rule - DNS.exe and Lsass.exe

I would be cautious, because lsass.exe is a favourite place for trojans to hide under. Not suggesting you have this, but once you allow the IRC port for lsass.exe, all the files that it loaded underneath might be able to use the same port under the name of lsass.

Please obtain information on whether dns.exe and lsass.exe really want to use the ports in question and whether these ports cannot be changed to a value which does not conflict with this rule.

Attila
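One way to start the check suggested above is from the Access Protection log itself: tally blocked events by process image, remote host and port, and flag any image path other than the two quoted in the question. This is an added example, not part of the original thread; the tab-separated layout, the sample lines and the function names are assumptions constructed from the entries shown in the question.

```python
import re
from collections import Counter

# Constructed sample, modelled on the entries quoted in the question
# (assumed layout: event, process image, rule, remote ip:port).
RULE = "Anti-virus Standard Protection:Prevent IRC communication"
SAMPLE_LOG = "\n".join(
    f"Blocked by port blocking rule\t{image}\t{RULE}\t{remote}"
    for image, remote in [
        (r"C:\WINDOWS\System32\dns.exe", "10.10.10.9:6668"),
        (r"C:\WINDOWS\System32\dns.exe", "10.10.10.9:6668"),
        (r"C:\WINDOWS\system32\lsass.exe", "10.10.10.9:6667"),
        (r"C:\WINDOWS\Temp\lsass.exe", "10.10.10.9:6667"),  # constructed outlier
    ]
)

LINE_RE = re.compile(
    r"^Blocked by port blocking rule\s+(?P<process>\S.*?\.exe)\s+"
    r"(?P<rule>.+?)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)\s*$",
    re.IGNORECASE,
)

# Image paths taken from the question. A file with the same name in any
# other directory is reported for review instead of being treated as expected.
EXPECTED_IMAGES = {
    r"c:\windows\system32\dns.exe",
    r"c:\windows\system32\lsass.exe",
}

def parse_line(line):
    """Return the fields of one blocked-port entry, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["port"] = int(event["port"])
    return event

def summarise(text):
    """Count events per (image, remote ip, port) and list unexpected image paths."""
    counts, unexpected = Counter(), set()
    for line in text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        image = event["process"].lower()  # Windows paths are case-insensitive
        counts[(image, event["ip"], event["port"])] += 1
        if image not in EXPECTED_IMAGES:
            unexpected.add(image)
    return counts, sorted(unexpected)
```

The per-image counts show exactly which process and port pairs an exclusion would have to cover, and anything in the second return value deserves investigation before any exclusion is created.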

Access protection - Blocked by port blocking rule - DNS.exe and Lsass.exe

Basically, you should ask Microsoft why lsass and dns are using these ports, and for information about how to change these ports or something like that.

On my site they are excluded from IRC port blocking and I don't have any problems.
