I have Mcafeevirus scan enterprise 8.5.0i on my servers (2003 Standard), I checked the logs and 2 of the servers ( Domain controller (10.10.10.18) and the exchange server (10.10.10.9)) are showing up as mcafee blocking them in the access protection log files daily.
On the Exchange:
Blocked byport blocking rule - Anti-virus Standard Protection:Prevent IRC communication -10.10.10.18:6666
Blocked byport blocking rule - Anti-virus Standard Protection:Prevent IRC communication 10.10.10.18:6667
Blocked byport blocking rule Anti-virus Standard Protection:Prevent IRC communication 10.10.10.18:6668
On theDomain Controller:
Blocked byport blocking rule C:\WINDOWS\System32\dns.exe Anti-virusStandard Protection:Prevent IRC communication 10.10.10.9:6668
Blocked byport blocking rule C:\WINDOWS\system32\lsass.exe Anti-virus Standard Protection:Prevent IRCcommunication 10.10.10.9:6667
Should I exclude dns.exe and lsass.exe on the domain controller? And also allow irccommunication on the exchange box from the domain controller?
yeah known issue once i tryed to search for explanation , but this are windows AD(lsass) and you should create exclusions for them, and then everything should be fine but don't disable completly this rule
I would be cautious, because lsass.exe is a favourite place to hide under by trojans. Not suggesting you have this, but once you allow IRC port for lsass.exe, all the files that it loaded underneath might be able to use the same port under the name of lsass.
Please obtain information if dns.exe and lsass.exe really wants to use the ports in question and whether these ports cannot be changed to a value which does not conflict with this rule.
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.
Community Help Hub
New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.