3 Replies Latest reply on Jul 2, 2010 5:50 AM by Attila Polinger

    find the mass email rule violator

      I have a machine reporting a mass email but it is not reporting the process name. Anyone have an idea how to 'find' the process name?


      VS: 8.7i P2 on Server 2003

        • 1. Re: find the mass email rule violator
          tonyb99

          Has it triggered the port 25 access protection rule? Is there nothing at all in the logfile for access protection relating to the event?

          • 2. Re: find the mass email rule violator

            The log shows that it is detecting and blocking it; that is how I know it is happening, but it does not say Randomprogram.exe is blocked, etc.


            I opened a case with McAfee and they have about 100 steps that I need to do to see if the system is infected, which is their diagnosis.

            • 3. Re: find the mass email rule violator
              Attila Polinger

              Sometimes it is not possible for VirusScan to query the offending process name, as we found out with certain clever trojans that use lower-level NIC operation than usual; VirusScan only senses the port usage but gets no process details whatsoever.


              Another example is the rogue system sensor, which does its port scan at a low level, so if you set up a VirusScan AP rule to check for the ports it targets, you would get no process name...


              I think this is what you are facing.


              Attila
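One way to get the process name the Access Protection log leaves out is to correlate the host's own socket table with its process list while the port 25 attempts are happening. The script below is an added example (not from any poster or from McAfee): it parses the text of `netstat -ano` and `tasklist /FO CSV /NH` (both present on XP SP2 / Server 2003 and later), which `live()` collects on the local host, and the two SAMPLE_ strings are constructed so it runs offline. As Attila notes, a driver that sends below the TCP/IP stack will not appear in netstat at all, so an empty result while the AP rule keeps firing is itself a finding.

```python
# Added example: correlate outbound SMTP (TCP/25) sockets with process images.
# Feed it the text of `netstat -ano` and `tasklist /FO CSV /NH` (live() does that
# on Windows); the two SAMPLE_ strings below are constructed for offline runs.
import csv
import io
import subprocess
SMTP_PORT = 25

def parse_netstat(text):
    """Yield (local, remote, state, pid) from `netstat -ano` TCP rows."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP":  # UDP rows: 4 fields, header: 6
            yield parts[1], parts[2], parts[3], int(parts[4])

def parse_tasklist(text):
    """Map PID -> image name from `tasklist /FO CSV /NH` rows."""
    return {int(row[1]): row[0] for row in csv.reader(io.StringIO(text)) if row}

def smtp_talkers(netstat_text, tasklist_text):
    """Sorted (pid, image, remote) for connections whose remote port is 25."""
    names = parse_tasklist(tasklist_text)
    hits = set()
    for _local, remote, state, pid in parse_netstat(netstat_text):
        port = remote.rpartition(":")[2]
        if port == str(SMTP_PORT) and state in ("SYN_SENT", "ESTABLISHED"):
            # A PID netstat lists but tasklist lacks usually means a short-lived process
            hits.add((pid, names.get(pid, "<exited or hidden>"), remote))
    return sorted(hits)

def live():
    """Collect both outputs on the local Windows host and correlate them."""
    run = lambda *a: subprocess.run(a, capture_output=True, text=True).stdout
    return smtp_talkers(run("netstat", "-ano"), run("tasklist", "/FO", "CSV", "/NH"))

SAMPLE_NETSTAT = """\
  Proto  Local Address      Foreign Address     State        PID
  TCP    0.0.0.0:135        0.0.0.0:0           LISTENING    748
  TCP    192.0.2.10:1049    198.51.100.7:25     SYN_SENT     1632
  TCP    192.0.2.10:1050    198.51.100.9:25     ESTABLISHED  1632
  TCP    192.0.2.10:1051    203.0.113.4:80      ESTABLISHED  2200
  UDP    0.0.0.0:445        *:*                              4
"""
SAMPLE_TASKLIST = ('"svchost.exe","748","Console","0","5,120 K"\n'
                   '"randomprogram.exe","1632","Console","0","3,904 K"\n')

if __name__ == "__main__":
    for pid, image, remote in smtp_talkers(SAMPLE_NETSTAT, SAMPLE_TASKLIST):
        print(f"PID {pid} {image} -> {remote}")
```

Run `live()` in a loop for a minute or two rather than once, since mass mailers open and close connections quickly and a single snapshot can miss them.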