Hi,
I am running EPO 4.6.2.
I have managed to configure EPO and VSE to allow Exchange to send emails but now my threat log is filling up with "Mass Mailing" threat messages with the description of "Port blocking rule violation detected and NOT blocked". How to I stop these items appearing in the threat log?
There are similar un-enforced rules such as exe files running from the temp folder that also could do with the items not being logged.
I am missing important log items due to the volume of these messages.
Any suggestions please?
Thanks,
Julian
Hi Julian,
You can untick the check mark of Report.
Accessprotection Properties-->Anti-Virus Standard Protection-->Prevent Mass mailing worms from sending mail
Hope this helps you 🙂
Many thanks, I will give that a go.
I have been hunting through the manual for that and could not find it.
Regards,
Julian
Hi,
I'd definitely not do that but rather make sure which process is sending mails on port 25 and I'd put it on the exclusion list of the given rule, if necessary, which makes the entries go away for that particular process. To the contrary, I'd enable block and report for this rule and make just exclusions if necessary.
If you disable reporting you will never know of any malware sending spam from your client.
On the other hand please go through the Access Protection policy for your clients and change to "block and report" any report-only rule.
It is not meaningful to use report-only rules in production (as opposed to testing a rule), just as it is not meaningful to use block-only rules.
It is a different thing to decide which rules to use at all, but I recommend never using single-action rules in production, only both actions.
Attila
Hi Attila,
I see the logic in that but how do I set an exclusion to allow the Exchange server to send correct emails if I keep the mass mailing worm rule?
This particular policy is only for the Exchange machine.
Thanks,
Julian
Hi Julian,
"simply" by looking at the AccessProtectionLog.txt on the Exchange server when you made an attempt to send an email using that server. It then should indicate the process name that was blocked.
Then this process name should be added to the exclusion list of the Access Protection rule in the virusscan policy that applies to this Exchange server and that's it. Next time that process is allowed to access port 25.
(just between parentheses: I'm surprised to hear that a process like that is not automatically included in the factory VSE package)
Attila
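A small script, added here as an example (it is not from the thread or from McAfee), that does what Attila describes: it tallies AccessProtectionLog.txt report-only entries per rule and per process, so the genuine mail-sending process can be excluded from the rule while any other process hitting port 25 stays visible in the report. The tab-separated field order and the sample log lines are assumptions constructed for the example.

```python
import ntpath
from collections import Counter, defaultdict

# Constructed sample of report-only events. The real AccessProtectionLog.txt
# layout may differ: this tab-separated field order (date, time, action,
# user, process, target, rule) is an assumption, and the Temp\svchost.exe
# line is invented to stand for a process the rule should keep reporting.
MASS_MAIL = "Anti-Virus Standard Protection:Prevent Mass mailing worms from sending mail"
NOT_ENFORCED = "Port blocking rule violation detected and NOT blocked"
EXCH = "C:\\Program Files\\Microsoft\\Exchange Server\\Bin\\EdgeTransport.exe"
SAMPLE_LOG = "\n".join([
    f"4/10/2013\t9:01:15 AM\t{NOT_ENFORCED}\tNT AUTHORITY\\SYSTEM\t{EXCH}\t203.0.113.10:25\t{MASS_MAIL}",
    f"4/10/2013\t9:01:16 AM\t{NOT_ENFORCED}\tNT AUTHORITY\\SYSTEM\t{EXCH}\t203.0.113.11:25\t{MASS_MAIL}",
    f"4/10/2013\t9:02:40 AM\t{NOT_ENFORCED}\tNT AUTHORITY\\SYSTEM\tC:\\WINDOWS\\Temp\\svchost.exe\t203.0.113.12:25\t{MASS_MAIL}",
    "a malformed line that the parser must skip rather than guess about",
])

def parse_events(log_text):
    """Return one dict per well-formed (7-field) line; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        fields = line.split("\t")
        if len(fields) != 7:
            continue
        _date, _time, action, user, process, target, rule = fields
        events.append({"action": action, "user": user, "process": process,
                       "target": target, "rule": rule})
    return events

def processes_by_rule(events):
    """Map rule name -> Counter of process paths (lower-cased) that triggered it."""
    by_rule = defaultdict(Counter)
    for e in events:
        by_rule[e["rule"]][e["process"].lower()] += 1
    return by_rule

def unexpected_processes(events, rule, excluded_names):
    """Processes hitting `rule` whose file name is not on its exclusion list;
    with EdgeTransport.exe excluded, these are what the rule exists to catch."""
    allowed = {n.lower() for n in excluded_names}
    return sorted({e["process"] for e in events
                   if e["rule"] == rule and ntpath.basename(e["process"]).lower() not in allowed})

if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for rule, procs in processes_by_rule(evs).items():
        print(rule)
        for proc, n in procs.most_common():
            print(f"  {n:4d}  {proc}")
    print("still worth reporting:", unexpected_processes(evs, MASS_MAIL, ["EdgeTransport.exe"]))
```

Run it against the real log (replace SAMPLE_LOG with the file contents) to see which process dominates the rule; that file name goes on the rule's exclusion list, and the summary shows what the rule would still report afterwards.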
Thanks, that will be edgetransport.exe then. It is strange that other exclusions already exist but that one does not.
I will try this and see what happens.
Regards,
Julian
Julian,
Attila is 100% right here: exclude the process, not the rule. And if you could possibly let me know your OS version and Exchange version, I will send some recommended exclusions as well.
Regds
Alxn
Alxn,
Attila's solution is working - many thanks!
I am running Exchange 2007 on a Windows Server 2003 R2 machine. I have found the recommended exclusions but they didn't help with this one!
Regards,
Julian
Great, Julian! You got the solution.
But the recommended exclusions must be made to increase performance and to prevent files from being corrupted.
For example, let's say Exchange is processing a file and meanwhile OAS comes and locks the file for scanning; then that file will be corrupted and can cause serious issues to the Exchange server. So I would suggest you apply the recommended exclusions as well.
Regards
Alexn
Message was edited by: alexn on 4/11/13 8:42:23 AM CDT