cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
julian.floyd
Level 8
Report Inappropriate Content
Message 1 of 11
‎04-11-2013 04:22 AM

How to suppress threat log entries?

Hi,

I am running EPO 4.6.2.

I have managed to configure EPO and VSE to allow Exchange to send emails but now my threat log is filling up with "Mass Mailing" threat messages  with the description of "Port blocking rule violation detected and NOT blocked". How to I stop these items appearing in the threat log?

There are similar un-enforced rules such as exe files running from the temp folder that also could do with the items not being logged.

I am missing important log items due to the volume of these messages.

Any suggestions please?

Thanks,

Julian

0 Kudos
Reply
10 Replies
Former Member
Not applicable
Report Inappropriate Content
Message 2 of 11
‎04-11-2013 04:25 AM

Re: How to suppress threat log entries?

Hi Julian,

U can untick the check mark of report.

Accessprotection Properties-->Anti-Virus Standard Protection-->Prevent Mass mailing worms from sending mail

Hope this will helps you  🙂

0 Kudos
Reply
julian.floyd
Level 8
Report Inappropriate Content
Message 3 of 11
‎04-11-2013 04:36 AM

Re: How to suppress threat log entries?

Many thanks, I will give that a go.

I have been hunting through the manual for that and could not find it.

Regards,

Julian

0 Kudos
Reply
apoling
Reliable Contributor
Reliable Contributor
Report Inappropriate Content
Message 4 of 11
‎04-11-2013 05:25 AM

Re: How to suppress threat log entries?

Hi,

I'd definitely not do that but rather made sure which process is sending mails on port 25 and I'd put it on the exclusion list of the given rule, if necessary, which makes the entries go away for that partiticular process. To the contrary, I'd enable block and report for this rule and make just exclusions if necessary.

If you disable reporting you will never know of any malware sending spam from your client.

On the other hand please go thorugh the Access Protection policy for your clients and change to "block and report" any report-only rule.

It is not meaningful to use report-only rules in production (as opposed to testing a rule) just as to use block-only rules.

It is a different thing to decide which rules to use at all, but I recommend never use single action rule in production, only both actions.

Attila

0 Kudos
Reply
julian.floyd
Level 8
Report Inappropriate Content
Message 5 of 11
‎04-11-2013 06:01 AM

Re: How to suppress threat log entries?

Hi Attila,

I see the logic in that but how do I set an exclusion to allow the Exchange server to send correct emails if I keep the mass mailing worm rule?

This particular policy is only for the Exchange machine.

Thanks,

Julian

0 Kudos
Reply
apoling
Reliable Contributor
Reliable Contributor
Report Inappropriate Content
Message 6 of 11
‎04-11-2013 06:06 AM

Re: How to suppress threat log entries?

Hi Julian,

"simply" by looking at the AccessProtectionLog.txt on the Exchange server when you made an attempt to send an email using that server. It then should indicate the process name that was blocked.

Then this process name should be added to the exclusion list of the Access Protection rule in the virusscan policy that applies to this Exchange server and that's it. Next time that process is allowed to access port 25.

(just between parentheses: I'm surprised to hear that a process like that is not automatically included in the factory VSE package)

Attila

0 Kudos
Reply
julian.floyd
Level 8
Report Inappropriate Content
Message 7 of 11
‎04-11-2013 06:19 AM

Re: How to suppress threat log entries?

Thanks, that will be edgetransport.exe then. It is starnge that other exclusions already exist but that one does not.

I will try this and see what happens.

Regards,

Julian

0 Kudos
Reply
Former Member
Not applicable
Report Inappropriate Content
Message 8 of 11
‎04-11-2013 06:22 AM

Re: How to suppress threat log entries?

Julian,

Attila is 100% right here, Exclude the process Not the rule.And if you could possible let me know your OS version and Exchange version, I will some recommended exclusion as well.,

Regds

Alxn

0 Kudos
Reply
julian.floyd
Level 8
Report Inappropriate Content
Message 9 of 11
‎04-11-2013 06:34 AM

Re: How to suppress threat log entries?

Alxn,

Atilla's soultion is working - many thanks!

I am running Exchange 2007 on a Windows Server 2003 R2 machine. I have found the recomended exclusions but they didnt help with this one!

Regards,

Julian

0 Kudos
Reply
Former Member
Not applicable
Report Inappropriate Content
Message 10 of 11
‎04-11-2013 06:41 AM

Re: How to suppress threat log entries?

Great!  Julian!!You got the solution.

But  Recommended exclusion must be made to increase the performance and to prevent files to be currupted.

I would example, let's say if Exchange is processing any file and mean while OAS comes and locked the file for scanning then that file will be currupted and can cause serious issues to exchange server, SO I would suggest you to apply the recommended exclusions as well.

Regards

Alexn

Message was edited by: alexn on 4/11/13 8:42:23 AM CDT
0 Kudos
Reply
You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community


Corporate Headquarters
6220 America Center Drive
San Jose, CA 95002 USA

Consumer Support   |   Enterprise Support   |   McAfee.com for Enterprise

Legal   |   Privacy   |   Copyright © 2021 Musarubra US LLC