How to suppress threat log entries?

Hi,

I am running EPO 4.6.2.

I have managed to configure EPO and VSE to allow Exchange to send emails, but now my threat log is filling up with "Mass Mailing" threat messages with the description "Port blocking rule violation detected and NOT blocked". How do I stop these items appearing in the threat log?

There are similar un-enforced rules, such as exe files running from the temp folder, that could also do with not being logged.

I am missing important log items due to the volume of these messages.

Any suggestions please?

Thanks,

Julian

10 Replies

Re: How to suppress threat log entries?

Hi Julian,

You can untick the Report check mark:

Access Protection Properties --> Anti-Virus Standard Protection --> Prevent mass mailing worms from sending mail

Hope this helps you 🙂

Re: How to suppress threat log entries?

Many thanks, I will give that a go.

I have been hunting through the manual for that and could not find it.

Regards,

Julian

apoling
Level 14
Message 4 of 11

Re: How to suppress threat log entries?

Hi,

I'd definitely not do that, but rather make sure which process is sending mail on port 25 and put it on the exclusion list of the given rule, if necessary, which makes the entries go away for that particular process. On the contrary, I'd enable Block and Report for this rule and just make exclusions if necessary.

If you disable reporting, you will never know of any malware sending spam from your client.

On the other hand, please go through the Access Protection policy for your clients and change any report-only rule to "block and report".

It is not meaningful to use report-only rules in production (as opposed to testing a rule), just as it is not meaningful to use block-only rules.

It is a different thing to decide which rules to use at all, but I recommend never using single-action rules in production, only both actions.

Attila

Re: How to suppress threat log entries?

Hi Attila,

I see the logic in that but how do I set an exclusion to allow the Exchange server to send correct emails if I keep the mass mailing worm rule?

This particular policy is only for the Exchange machine.

Thanks,

Julian

apoling
Level 14
Message 6 of 11

Re: How to suppress threat log entries?

Hi Julian,

"Simply" by looking at the AccessProtectionLog.txt on the Exchange server after you make an attempt to send an email using that server. It should then indicate the process name that was blocked.

Then this process name should be added to the exclusion list of the Access Protection rule in the VirusScan policy that applies to this Exchange server, and that's it. Next time, that process is allowed to access port 25.

(Just between parentheses: I'm surprised to hear that a process like that is not automatically included in the factory VSE package.)

Attila
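The check Attila describes, as an added example that is not McAfee's code and not from any poster in this thread: tally the report-only Access Protection hits in AccessProtectionLog.txt by process and rule, so you can see which process needs an exclusion (and whether anything else is tripping the rule) before switching it to Block and Report. Assumptions, not facts from the page: PowerShell 2.0 or later is available on the server; the default log path shown for Windows Server 2003; and a tab-separated record layout of date, time, action text, user, process, target, rule. The sample log lines are constructed for this example and are used only when the real log is not found. Verify the field order against your own log before trusting the output.

```powershell
# Added example (not McAfee's code and not from the thread): tally report-only
# Access Protection hits by process and rule before re-enabling Block.
# ASSUMPTION: PowerShell 2.0 or later.

# ASSUMPTION: default log location on Windows Server 2003 (on Vista/2008 and
# later the same file lives under C:\ProgramData\McAfee\DesktopProtection).
$LogPath = 'C:\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection\AccessProtectionLog.txt'

# ASSUMPTION about the record layout: one tab-separated line with fields
#   0 date, 1 time, 2 action text, 3 user, 4 process, 5 target, 6 rule
# The lines below are CONSTRUCTED for this example, not copied from a real
# server, and are used only when the real log is not present.
$SampleLines = @(
    "4/10/2013`t9:12:01 AM`tWould be blocked by Access Protection rule  (rule is currently not enforced)`tNT AUTHORITY\SYSTEM`tC:\Program Files\Microsoft\Exchange Server\Bin\edgetransport.exe`t203.0.113.25:25`tAnti-virus Standard Protection:Prevent mass mailing worms from sending mail",
    "4/10/2013`t9:12:07 AM`tWould be blocked by Access Protection rule  (rule is currently not enforced)`tNT AUTHORITY\SYSTEM`tC:\Program Files\Microsoft\Exchange Server\Bin\edgetransport.exe`t203.0.113.26:25`tAnti-virus Standard Protection:Prevent mass mailing worms from sending mail",
    "4/10/2013`t9:15:40 AM`tWould be blocked by Access Protection rule  (rule is currently not enforced)`tEXAMPLE\svc_backup`tC:\WINDOWS\Temp\updater.exe`tC:\WINDOWS\Temp\updater.exe`tAnti-virus Standard Protection:Prevent common programs from running files from the Temp folder",
    "4/10/2013`t9:20:02 AM`tBlocked by Access Protection rule`tEXAMPLE\jsmith`tC:\WINDOWS\Temp\setup.exe`tC:\WINDOWS\Temp\setup.exe`tAnti-virus Standard Protection:Prevent common programs from running files from the Temp folder"
)

function Get-ReportOnlyHits {
    param([string[]]$Lines)
    $counts = @{}
    foreach ($line in $Lines) {
        $f = $line -split "`t"
        if ($f.Count -lt 7) { continue }
        # Keep only entries the rule saw but did not enforce. Enforced blocks
        # are already doing their job and do not need an exclusion.
        if ($f[2] -notmatch 'not enforced|NOT blocked') { continue }
        $key = $f[4] + "`t" + $f[6]
        if ($counts.ContainsKey($key)) { $counts[$key] += 1 } else { $counts[$key] = 1 }
    }
    foreach ($key in $counts.Keys) {
        $parts = $key -split "`t"
        New-Object PSObject -Property @{
            Process = $parts[0]
            Rule    = $parts[1]
            Hits    = $counts[$key]
        }
    }
}

$lines = if (Test-Path $LogPath) { Get-Content $LogPath } else { $SampleLines }
Get-ReportOnlyHits -Lines $lines |
    Sort-Object Hits -Descending |
    Format-Table Hits, Process, Rule -AutoSize
```

Run it on the Exchange server itself. The Process column is what goes into the rule's exclusion list (in this thread that turned out to be edgetransport.exe); any other process showing up against the same rule is something to investigate rather than exclude, which is the point of keeping Report on.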

Re: How to suppress threat log entries?

Thanks, that will be edgetransport.exe then. It is strange that other exclusions already exist but that one does not.

I will try this and see what happens.

Regards,

Julian

alexn
Level 14
Message 8 of 11

Re: How to suppress threat log entries?

Julian,

Attila is 100% right here: exclude the process, not the rule. And if you could possibly let me know your OS version and Exchange version, I will send some recommended exclusions as well.

Regds

Alxn

Re: How to suppress threat log entries?

Alxn,

Attila's solution is working - many thanks!

I am running Exchange 2007 on a Windows Server 2003 R2 machine. I have found the recommended exclusions but they didn't help with this one!

Regards,

Julian

alexn
Level 14
Message 10 of 11

Re: How to suppress threat log entries?

Great, Julian! You got the solution.

But the recommended exclusions must be made to increase performance and to prevent files from being corrupted.

For example, let's say Exchange is processing a file and meanwhile OAS comes along and locks the file for scanning; then that file will be corrupted and can cause serious issues for the Exchange server, so I would suggest you apply the recommended exclusions as well.

Regards

Alexn

Message was edited by: alexn on 4/11/13 8:42:23 AM CDT