Need expert advice on following issue, any help would be greatly appreciated.
I am using a BI application on Windows Server 2003 which sends reports to end users by email, and I have McAfee installed on the same server. For the past few months I have observed that sometimes the end users are not getting emails. After investigating further I saw the following Event Viewer warning messages at the same time as my BI application services were trying to send emails with multiple recipients.
Description: Would be blocked by access protection rule(rule is in warn-only mode) (Antivirus Maximum protection protected cached files from password and email address stealers.)
Description: Would be blocked by access protection rule(rule is in warn-only mode) (Antivirus Maximum protection prevent mass mailing warms from sending mail.)
After discussing this with my security admin, he reviewed the McAfee logs and informed me that McAfee is not blocking any emails, that these are just warning messages, and that we can ignore them.
Please let me know what these warning messages mean.
Thanks a lot for your help.
To add, we have also unchecked "Prevent Mass Mailing Worms from sending mail (PORT 25)" by doing the following steps.
- Right-click on the McAfee Shield
- Select the VirusScan Console
- Double-click Access Protection
- Under Ports to Block, uncheck "Prevent Mass Mailing Worms from sending mail (PORT 25)"
Both rules are of much importance, specifically "Prevent Mass Mailing Worms from sending mails". This rule protects you from SPAM email attacks.
In both rules mentioned above, you must have seen a process which is blocked by these rules; simply add that process under "Excluded processes" if you think that this process is from your legitimate application.
Enable this rule by selecting Block and Report and add exclusions. This is good practice.
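An added example, not from any poster in this thread and not McAfee's own tooling, of the triage the reply above recommends: parse the Access Protection warnings, group them by rule and process, and separate the processes known to belong to the BI application (candidates for the rule's "Excluded processes" list) from anything else trying to reach port 25, which should be investigated rather than excluded. The pipe-separated line layout, the process paths and the targets are constructed for this example and are not the real VirusScan log format.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines modelled on the Event Viewer descriptions quoted in the
# question. The field layout (action | rule | process | target) and all paths are
# assumptions for this example, not the real AccessProtectionLog.txt format.
SAMPLE_LOG = """\
Would be blocked by access protection rule (rule is in warn-only mode)|Prevent mass mailing worms from sending mail|C:\\BI\\bin\\ReportMailer.exe|smtp.example.internal:25
Would be blocked by access protection rule (rule is in warn-only mode)|Prevent mass mailing worms from sending mail|C:\\BI\\bin\\ReportMailer.exe|smtp.example.internal:25
Would be blocked by access protection rule (rule is in warn-only mode)|Protect cached files from password and email address stealers|C:\\BI\\bin\\ReportMailer.exe|C:\\Documents and Settings\\svc_bi\\Local Settings\\Temporary Internet Files
Blocked by access protection rule|Prevent mass mailing worms from sending mail|C:\\Temp\\update.exe|203.0.113.9:25
"""

LINE_RE = re.compile(r"^(?P<action>[^|]+)\|(?P<rule>[^|]+)\|(?P<process>[^|]+)\|(?P<target>.+)$")


def parse_events(text):
    """Parse log lines into dicts; lines that do not match the assumed layout are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["warn_only"] = "warn-only" in ev["action"]  # rule is in Report-only mode
            events.append(ev)
    return events


def triage(events, known_processes):
    """Count hits per (rule, process). Known application processes go to
    'exclude_candidates'; anything else goes to 'investigate'."""
    known = {p.lower() for p in known_processes}
    counts = Counter((e["rule"], e["process"].lower()) for e in events)
    result = defaultdict(lambda: {"exclude_candidates": {}, "investigate": {}})
    for (rule, proc), n in counts.items():
        bucket = "exclude_candidates" if proc in known else "investigate"
        result[rule][bucket][proc] = n
    return dict(result)


if __name__ == "__main__":
    report = triage(parse_events(SAMPLE_LOG), ["C:\\BI\\bin\\ReportMailer.exe"])
    for rule, buckets in report.items():
        print(rule)
        for kind, procs in buckets.items():
            for proc, n in procs.items():
                print(f"  {kind}: {proc} ({n} hits)")
```

Processes that end up under "investigate" for the mass-mailing rule are the ones the rule exists to catch; only the known application process is a reasonable exclusion while the rule stays on Block and Report.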
I'd just turn it off. It was interesting in 2005-2007, but these days all it does is interfere with server applications sending email. I don't see any value in its use these days.
I actually see one value. It protects your company from receiving possible negative press because your clients were sending spam (which this would block). Or maybe that your company IP range gets onto a spam blacklist, preventing your company from sending legit emails for a certain time.
But that's about it.
Thank you all for your response, it's greatly appreciated. I shall discuss this with my security admin and will update you guys in case of any queries.
I'd like to complement all comments here.
In my opinion using an Access Protection rule only makes sense if you use both Block and Log. Using Block (unmonitored) only obviously makes no sense (apart from the case when you are a kamikaze blocker) and using Log only is only meaningful when you want to test a rule before you actually turn it fully on.
If your email environment is secured with respect to which clients can connect to your SMTP server or email infrastructure, then turning off the "Prevent mass mailing worms from sending email" rule might be justified, but only selectively: if you have mobile clients, do not turn this rule off in their VirusScan policy.
There is a document on Access Protection rules available, should you be interested, here: