I have McAfee VirusScan Enterprise 8.5.0i on my servers (2003 Standard). I checked the logs and 2 of the servers (Domain controller (10.10.10.18) and the Exchange server (10.10.10.9)) are showing up as McAfee blocking them in the access protection log files daily.
On the Exchange:
Blocked by port blocking rule - Anti-virus Standard Protection:Prevent IRC communication -10.10.10.18:6666
Blocked by port blocking rule - Anti-virus Standard Protection:Prevent IRC communication 10.10.10.18:6667
Blocked by port blocking rule Anti-virus Standard Protection:Prevent IRC communication 10.10.10.18:6668
On the Domain Controller:
Blocked by port blocking rule C:\WINDOWS\System32\dns.exe Anti-virus Standard Protection:Prevent IRC communication 10.10.10.9:6668
Blocked by port blocking rule C:\WINDOWS\system32\lsass.exe Anti-virus Standard Protection:Prevent IRC communication 10.10.10.9:6667
Should I exclude dns.exe and lsass.exe on the domain controller? And also allow IRC communication on the Exchange box from the domain controller?
Yeah, known issue. Once I tried to search for an explanation, but these are Windows AD (lsass) and you should create exclusions for them, and then everything should be fine, but don't completely disable this rule.
I hope that this helps.
I would be cautious, because lsass.exe is a favourite place to hide under by trojans. Not suggesting you have this, but once you allow IRC port for lsass.exe, all the files that it loaded underneath might be able to use the same port under the name of lsass.
Please obtain information on whether dns.exe and lsass.exe really want to use the ports in question and whether these ports cannot be changed to a value which does not conflict with this rule.
Basically you should ask Microsoft why lsass and dns are using these ports, and for information about how to change these ports or something like that.
On my site they are excluded from IRC port blocking and I don't have any problems.
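A small triage helper for entries like those quoted in the first post, added here as an example; it is not part of the original thread or of any McAfee tooling. It groups blocks by process and peer so that an exclusion can be limited to the processes and hosts actually seen. The line layout is assumed from the quoted entries, and `ENTRY`, `KNOWN_HOSTS` and `triage` are hypothetical names.

```python
import re
from collections import defaultdict

# Constructed sample: the five entries quoted in the first post, spacing normalised.
SAMPLE_LOG = r"""
Blocked by port blocking rule - Anti-virus Standard Protection:Prevent IRC communication -10.10.10.18:6666
Blocked by port blocking rule - Anti-virus Standard Protection:Prevent IRC communication 10.10.10.18:6667
Blocked by port blocking rule Anti-virus Standard Protection:Prevent IRC communication 10.10.10.18:6668
Blocked by port blocking rule C:\WINDOWS\System32\dns.exe Anti-virus Standard Protection:Prevent IRC communication 10.10.10.9:6668
Blocked by port blocking rule C:\WINDOWS\system32\lsass.exe Anti-virus Standard Protection:Prevent IRC communication 10.10.10.9:6667
"""

# Hosts named in the thread; anything else in the log deserves a closer look.
KNOWN_HOSTS = {"10.10.10.18": "domain controller", "10.10.10.9": "Exchange server"}

# Assumed layout: optional "-", optional process path (no spaces), rule name, peer ip:port.
ENTRY = re.compile(
    r"Blocked by port blocking rule\s+(?:-\s+)?"
    r"(?P<process>[A-Za-z]:\\\S+)?\s*"
    r"(?P<rule>Anti-virus Standard Protection:.+?)\s+"
    r"-?(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)\s*$"
)

def triage(log_text, known_hosts):
    """Group blocked entries by (process, peer); return (report, unparsed lines)."""
    groups = defaultdict(set)
    unparsed = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        m = ENTRY.search(line)
        if not m:
            unparsed.append(line)  # keep odd lines visible instead of dropping them
            continue
        # Compare on the lower-cased file name; the full path still matters when
        # confirming the binary really is the one under system32.
        proc = (m["process"] or "(not logged)").rsplit("\\", 1)[-1].lower()
        groups[(proc, m["ip"])].add(int(m["port"]))
    report = [
        {"process": proc, "peer": ip, "ports": sorted(ports),
         "peer_known": ip in known_hosts}
        for (proc, ip), ports in sorted(groups.items())
    ]
    return report, unparsed

if __name__ == "__main__":
    for row in triage(SAMPLE_LOG, KNOWN_HOSTS)[0]:
        print(row)
```
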