cglanzer
Message 1 of 8

Blocked by port blocking rule - Anti-virus Standard Protection:Prevent mass mailing worms from sending mail


We have been noticing these entries in our access protection log and I'm a little unclear as to why we are getting them. Does anyone have any insight on how to fix this?

I have tried researching this issue without much luck.  Any help would be greatly appreciated. Thanks in advance for your help.

2/10/2012      9:34:42 AM      Blocked by port blocking rule       C:\Program Files\McAfee\RSD Sensor\RSSensor.exe      Anti-virus Standard Protection:Prevent mass mailing worms from sending mail      192.168.10.245:25

2/10/2012      9:36:00 AM      Blocked by port blocking rule       C:\Program Files\McAfee\RSD Sensor\RSSensor.exe      Anti-virus Standard Protection:Prevent mass mailing worms from sending mail      192.168.10.6:25

2/10/2012      9:37:26 AM      Blocked by port blocking rule       C:\Program Files\McAfee\RSD Sensor\RSSensor.exe      Anti-virus Standard Protection:Prevent mass mailing worms from sending mail      192.168.10.248:25


twenden
Message 2 of 8

RSSensor is the rogue system sensor which is trying to send email. I don't use this in our environment but have had other programs be blocked from sending email.

If this is an epo managed system then you need to add rssensor.exe to the exceptions under "AntiVirus Standard Protection" and then "Prevent Mass Mailing worm" rule. I have to add custom programs to our rules as some of our servers run funky software that needs to send email. 

cglanzer
Message 3 of 8

I can see that, however I have a few follow-up questions/statements.

I'm curious as to why the RSS sensor is trying to send emails in the first place and what type of emails are they, etc. Maybe I'm just a little paranoid, but I'm new to this position and I'm having to figure all this out on my own. I guess I'm trying to say that I just don't want to allow this without knowing what's going on.

The three errors were on our domain controller, email server, and oddly a network printer. I just wanted to make sure we didn't have a virus before I just put this on the exception list.

Thanks again for your input. It's much appreciated and it has helped already!

cglanzer
Message 4 of 8

ANYONE?

Message 5 of 8

Rogue Sensor can be configured to do a number of things automatically if it detects a rogue system (deploy agent, query the system for information, etc.); one of the options is to send an email.

Check under Automatic Responses to see if it's configured that way.

cglanzer
Message 6 of 8

Thanks for the tip.

I went to Automatic Responses and every policy was disabled, so I'm kinda lost as to how these are being sent.

andrep1
Message 7 of 8 (accepted solution)

rssensor scans your detected device; it does OS fingerprinting in order to determine which type of device it is (Windows, Mac, Unix, router, printer, etc.). On a device running HIPS or VSE it might be seen as something malicious. In your case it is catching port 25 because it is a specific access protection rule, but it is probably going through a lot of different ports to identify the OS of the detected device.

If you go into your policies, rsd, general policies, detections, you'll see the setting.

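A triage aid for entries like the ones in the first post, added here as an example and not part of the thread or of any McAfee tooling: it parses Access Protection log lines and summarises, per blocked process, how many hosts and ports were touched and over what time span. The column layout is assumed from the pasted entries, and the last sample line is constructed.

```python
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# First three entries are from the post; the last is constructed (hypothetical
# process path, documentation-range address) for contrast.
SAMPLE_LOG = r"""
2/10/2012      9:34:42 AM      Blocked by port blocking rule       C:\Program Files\McAfee\RSD Sensor\RSSensor.exe      Anti-virus Standard Protection:Prevent mass mailing worms from sending mail      192.168.10.245:25
2/10/2012      9:36:00 AM      Blocked by port blocking rule       C:\Program Files\McAfee\RSD Sensor\RSSensor.exe      Anti-virus Standard Protection:Prevent mass mailing worms from sending mail      192.168.10.6:25
2/10/2012      9:37:26 AM      Blocked by port blocking rule       C:\Program Files\McAfee\RSD Sensor\RSSensor.exe      Anti-virus Standard Protection:Prevent mass mailing worms from sending mail      192.168.10.248:25
2/10/2012      9:40:11 AM      Blocked by port blocking rule       C:\Users\Public\updater.exe      Anti-virus Standard Protection:Prevent mass mailing worms from sending mail      203.0.113.7:25
"""
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_line(line):
    """Split one entry into its six columns (tab or 2+ spaces between them)."""
    parts = re.split(r"\s{2,}|\t", line.strip())
    if len(parts) != 6:
        return None  # not an Access Protection entry in this layout
    date, clock, action, process, rule, dest = parts
    host, _, port = dest.rpartition(":")
    when = datetime.strptime(f"{date} {clock}", "%m/%d/%Y %I:%M:%S %p")
    return {"when": when, "action": action, "process": process,
            "rule": rule, "host": ip_address(host), "port": int(port)}

def summarize(log_text):
    """Per process: event count, distinct targets, ports, internal-only, time span."""
    by_proc = defaultdict(list)
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry:
            by_proc[entry["process"]].append(entry)
    summary = {}
    for proc, entries in by_proc.items():
        hosts = {e["host"] for e in entries}
        times = [e["when"] for e in entries]
        summary[proc] = {
            "events": len(entries),
            "distinct_hosts": len(hosts),
            "ports": sorted({e["port"] for e in entries}),
            "all_internal": all(any(h in n for n in RFC1918) for h in hosts),
            "span_seconds": int((max(times) - min(times)).total_seconds()),
        }
    return summary

if __name__ == "__main__":
    for proc, info in summarize(SAMPLE_LOG).items():
        print(proc, info)
```

One process touching port 25 on several internal hosts within a few minutes fits the fingerprinting sweep described in the answer above; the summary puts those facts in front of you before you decide on an exclusion.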

cglanzer
Message 8 of 8

AAAHHH That was it!

Thanks for that very helpful tidbit! It's much appreciated!

On a side note, I have to admit that the EPO is by far the most unfriendly U.I. that I have ever had the pleasure (sarcasm) of working with... then I see that McAfee offers classes to learn their software, but the cost is outrageous, almost 4K for a 5 day class.

Call me old fashioned but if I buy your software why would I have to pay you to teach me how to use it? That should be included with the already pricey product in my opinion.

Anyways, thanks again everyone for the tips!
