We block port 25 except for a few extra programs that are default.
We had a case where someone setup a server and it tried to send email. They didn't know the name of the binary that sent email. But when they disabled access protection the email got sent. It appears that port 25 was getting blocked and NOT logged but even though we have report turned on in access protection for the Standard Protection and User defined -> prevent mass mailing of worms.. the email blocking was not logged.
Other events are getting logged to the on access log.
Anyone know of access protection logging issues? This is 32 bit Windows 2003 with VirusScan 8.7.