5 Replies Latest reply on Dec 10, 2009 6:15 AM by Bestpractice

    "Prevent IRC Communication" Port Blocking Rule

    markw72
      Hello,

      Wondering whether anyone could give me some advice. We currently use VSE 8.0i and since we've turned on the Notification option to give us better alerting (we were previously using Alert Manager), we've noticed that a number of our client machines and servers randomly report that the access protection rule which blocks IRC traffic on ports 6666-6669 (both inbound and outbound) has been triggered.

      Now I know that none of our machines are set up to use IRC so it's obviously a bit suspicious and a little worrying. We first saw instances in the logs of our DNS servers, where our mail relays were trying to perform DNS queries from them. The DNS servers are running VSE 8.0i and they would report that a connection from the mail relay to the DNS server would be blocked by this rule. This makes me think that this is affecting outgoing e-mail intermittently, especially if an attempt is made by the mail relay to resolve a domain and it fails because the DNS server drops the packet.

      We've also seen this rule triggered on client machines, usually indicating the OUTLOOK.EXE process was involved when it was talking to our internal mail server. Other processes we have seen mentioned in the Access Protection log file on servers are DNS.EXE, LSASS.EXE, INETINFO.EXE, SVCHOST.EXE and SNMP.EXE.

      I've virus checked the machines which report the blocks but it finds nothing.

      I looked through this forum a couple of weeks ago and someone had reported experiencing a similar problem a couple of months ago. One suggestion was that it could be that there isn't any IRC specific traffic but that the source port number on these machines could be randomly in the range 6666-6669 depending on what they are trying to communicate with at the other end (I guess anything!).

      I know that I could add the names of the processes to the exception list for the IRC rule (like DNS.EXE) but I was just wondering if anyone else has experienced the same issue and could give me some advice on what they've done.

      I apologise if I haven't explained this very well !!

      Thanks

      Mark
        • 1. Seen the same.
          bhjelt
          Hi. I have noticed the same issue in my computer lately, and so far I have not found any reports on this through googling a bit.

          It seems that svchost.exe is trying to connect on two ports to 6666 in my nearest GW machine. Since my all-knowing administrators have disabled the ability for me to control the internal firewall, I cannot even disallow the connections. I really don't like processes opening ports all by themselves, particularly not on the IRC port.

          Did you find anything on this yet?

          Björn
          • 2. UPnP related
            bhjelt
            I believe I have found the cause for this. Using "tasklist /SVC" I checked the users of the svchost.exe PID that made the calls to 6666, and they were LmHosts, RemoteRegistry and SSDPSRV. SSDPSRV is the service that "Enables discovery of UPnP devices on your home network." When I disabled the SSDPSRV service, the requests stopped, so I guess that the requests were caused by some UPnP service in my router triggering some functions in Windows.

            So I guess that the traffic is OK per se, but since I generally dislike anything automatic, communicating for itself and setting up things I have no control over, I will leave the UPnP service off, until I find some real need for it.

            Hope this helps you too.

            Björn
            • 3. McAfee Blocks Media Sharing to XBOX360
              This could also be due to Windows Media Player Sharing to an XBOX360 - I have been troubleshooting this problem for months and have not been able to figure out why I could not get the XBOX360 to see the WMP11 content. I added wmplayer.exe to the excluded list, and it solved the issue.

              1. Right Click on McAfee Icon
              2. Click "VirusScan Console..."
              3. Double-Click "Access Protection" (Top option, should be Enabled)
              4. Select "Prevent IRC communication" in the right-hand pane
              5. Click "Edit"
              6. In the "Processes to exclude:" field type w/o quotes: "wmplayer.exe"
              7. Click "OK"
              8. Click "Apply"
              9. Click "OK"

              Note that the WMP will still need the firewall ports opened to allow the communication.
              • 5. Re: "Prevent IRC Communication" Port Blocking Rule

                We had a similar issue but unfortunately ours wasn't in report-only mode and blocked access to Outlook for a complete site. If Exchange decides to use a port such as 6668 to communicate on, McAfee will block it. It is possible to limit which ports Exchange can use by editing the registry, but the chances of it happening are pretty slim. I'm pretty sure any applications which use RPC ports can cause issues.
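
Added example, not posted by anyone in this thread: a PowerShell triage of live TCP connections that touch ports 6666-6669, showing which side of each connection falls in the blocked range and which process and hosted services own it (the same PID-to-service mapping that `tasklist /SVC` gave in reply 2). It assumes Windows 8 / Server 2012 or later, where `Get-NetTCPConnection` is available; the function name `Get-IrcRangeConnection` is made up for this example.

```powershell
# Ports covered by the "Prevent IRC communication" rule, as given in the thread.
$ircPorts = 6666..6669

function Get-IrcRangeConnection {
    param([int[]]$Ports = $ircPorts)

    Get-NetTCPConnection -ErrorAction SilentlyContinue |
        Where-Object { $_.LocalPort -in $Ports -or $_.RemotePort -in $Ports } |
        ForEach-Object {
            $conn  = $_
            $owner = [int]$conn.OwningProcess
            $proc  = Get-Process -Id $owner -ErrorAction SilentlyContinue

            # Services hosted in the owning PID (what "tasklist /SVC" shows).
            # Skip PID 0: stopped services also report ProcessId 0 in WMI.
            $svcs = @()
            if ($owner -gt 0) {
                $svcs = @(Get-CimInstance Win32_Service -Filter "ProcessId = $owner" |
                    Select-Object -ExpandProperty Name)
            }

            # Which side of the connection falls inside the blocked range?
            $side = if ($conn.LocalPort -in $Ports -and $conn.RemotePort -in $Ports) { 'both' }
                    elseif ($conn.RemotePort -in $Ports) { 'remote' }
                    else { 'local' }

            [pscustomobject]@{
                Process     = $proc.ProcessName
                ProcessId   = $owner
                Services    = $svcs -join ','
                Local       = "$($conn.LocalAddress):$($conn.LocalPort)"
                Remote      = "$($conn.RemoteAddress):$($conn.RemotePort)"
                State       = $conn.State
                PortInRange = $side
            }
        }
}

Get-IrcRangeConnection |
    Sort-Object PortInRange, Process |
    Format-Table -AutoSize
```

A row with `PortInRange` of `local` and a remote port belonging to an ordinary service fits the source-port explanation suggested in the first post; a row marked `remote` is the case to look at before adding the process to the rule's exclusion list.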