
"Prevent IRC Communication" Port Blocking Rule

Hello,

Wondering whether anyone could give me some advice. We currently use VSE 8.0i and since we've turned on the Notification option to give us better alerting (we were previously using Alert Manager), we've noticed that a number of our client machines and servers randomly report that the access protection rule which blocks IRC traffic on ports 6666-6669 (both inbound and outbound) has been triggered.

Now I know that none of our machines are set up to use IRC so it's obviously a bit suspicious and a little worrying. We first saw instances in the logs of our DNS servers, where our mail relays were trying to perform DNS queries from them. The DNS servers are running VSE 8.0i and they would report that a connection from the mail relay to the DNS server would be blocked by this rule. This makes me think that this is affecting outgoing e-mail intermittently, especially if an attempt is made by the mail relay to resolve a domain and it fails because the DNS server drops the packet.

We've also seen this rule triggered on client machines, usually indicating the OUTLOOK.EXE process was involved when it was talking to our internal mail server. Other processes we have seen mentioned in the Access Protection log file on servers are DNS.EXE, LSASS.EXE, INETINFO.EXE, SVCHOST.EXE and SNMP.EXE.

I've virus checked the machines which report the blocks but it finds nothing.

I looked through this forum a couple of weeks ago and someone had reported experiencing a similar problem a couple of months ago. One suggestion was that it could be that there isn't any IRC specific traffic but that the source port number on these machines could be randomly in the range 6666-6669 depending on what they are trying to communicate with at the other end (I guess anything!).

I know that I could add the names of the processes to the exception list for the IRC rule (like DNS.EXE) but I was just wondering if anyone else has experienced the same issue and could give me some advice on what they've done.

I apologise if I haven't explained this very well!!

Thanks

Mark
5 Replies
Message 2 of 6

Seen the same.

Hi. I have noticed the same issue on my computer lately, and so far I have not found any reports on this through googling a bit.

It seems that svchost.exe is trying to connect on two ports to 6666 in my nearest GW machine. Since my all-knowing administrators have disabled the ability for me to control the internal firewall, I cannot even disallow the connections. I really don't like processes opening ports all by themselves, particularly not on the IRC port.

Did you find anything on this yet?

Björn
Message 3 of 6

UPnP related

I believe I have found the cause for this. Using "tasklist /SVC" I checked the users of the svchost.exe PID that made the calls to 6666, and they were LmHosts, RemoteRegistry and SSDPSRV. SSDPSRV is the service that "Enables discovery of UPnP devices on your home network." When I disabled the SSDPSRV service, the requests stopped, so I guess that the requests were caused by some UPnP service in my router triggering some functions in Windows.

So I guess that the traffic is OK per se, but since I generally dislike anything automatic, communicating for itself and setting up things I have no control over, I will leave the UPnP service off, until I find some real need for it.

Hope this helps you too.

Björn
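
The check described in the post above ("tasklist /SVC" against the svchost.exe PID), as an added example that is not part of the original thread: it lists every TCP connection touching ports 6666-6669, names the owning process and the services it hosts, and shows which end of the connection falls in the blocked range. It assumes a Windows version that ships `Get-NetTCPConnection` (Windows 8 / Server 2012 or later); on older systems `netstat -ano` plus `tasklist /SVC` give the same data by hand.

```powershell
# Ports covered by the "Prevent IRC communication" rule, as stated in the thread.
$ircPorts = 6666..6669

Get-NetTCPConnection |
    Where-Object { $_.LocalPort -in $ircPorts -or $_.RemotePort -in $ircPorts } |
    ForEach-Object {
        $conn    = $_
        $ownerId = $conn.OwningProcess

        # PID 0 owns TimeWait sockets, and stopped services also report ProcessId 0,
        # so only look up the process and its services for a real PID.
        $procName = '(none)'
        $services = @()
        if ($ownerId -gt 0) {
            $proc = Get-Process -Id $ownerId -ErrorAction SilentlyContinue
            if ($proc) { $procName = $proc.ProcessName }
            # Services hosted in this process: the same view "tasklist /SVC" gives.
            $services = @(Get-CimInstance Win32_Service -Filter "ProcessId = $ownerId" |
                Select-Object -ExpandProperty Name)
        }

        # Work out which end of the connection is in the blocked range.
        $localHit  = $conn.LocalPort  -in $ircPorts
        $remoteHit = $conn.RemotePort -in $ircPorts
        $inRange = if ($conn.State -eq 'Listen') { 'local listener' }
                   elseif ($localHit -and $remoteHit) { 'both ends' }
                   elseif ($remoteHit) { 'remote port' }
                   else { 'local port (likely dynamically assigned)' }

        [pscustomobject]@{
            Process  = $procName
            PID      = $ownerId
            Services = $services -join ', '
            Local    = '{0}:{1}' -f $conn.LocalAddress, $conn.LocalPort
            Remote   = '{0}:{1}' -f $conn.RemoteAddress, $conn.RemotePort
            State    = $conn.State
            InRange  = $inRange
        }
    } |
    Sort-Object Process, PID |
    Format-Table -AutoSize
```

A row whose only match is a non-listening local port fits the source-port explanation raised in the first post, while a matching remote port on an outbound connection, like the svchost.exe case above, points at whatever service the peer runs on that port.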

McAfee Blocks Media Sharing to XBOX360

This could also be due to Windows Media Player Sharing to an XBOX360 - I have been troubleshooting this problem for months and have not been able to figure out why I could not get the XBOX360 to see the WMP11 content. I added wmplayer.exe to the excluded list, and it solved the issue.

1. Right Click on McAfee Icon
2. Click "VirusScan Console..."
3. Double-Click "Access Protection" (Top option, should be Enabled)
4. Select "Prevent IRC communication" in the right-hand pane
5. Click "Edit"
6. In the "Processes to exclude:" field type w/o quotes: "wmplayer.exe"
7. Click "OK"
8. Click "Apply"
9. Click "OK"

Note that the WMP will still need the firewall ports opened to allow the communication.

Re: McAfee Blocks Media Sharing to XBOX360


Re: "Prevent IRC Communication" Port Blocking Rule

We had a similar issue, but unfortunately ours wasn't in report-only mode and it blocked access to Outlook for a complete site. If Exchange decides to use a port such as 6668 to communicate on, McAfee will block it. It is possible to limit which ports Exchange can use by editing the registry, but the chances of it happening are pretty slim. I'm pretty sure any applications which use RPC ports can cause issues.
