10 Replies. Latest reply on Apr 12, 2013 12:22 AM by Attila Polinger

    How to suppress threat log entries?

    julian.floyd

      Hi,

      I am running EPO 4.6.2.

      I have managed to configure EPO and VSE to allow Exchange to send emails but now my threat log is filling up with "Mass Mailing" threat messages  with the description of "Port blocking rule violation detected and NOT blocked". How to I stop these items appearing in the threat log?

      There are similar un-enforced rules such as exe files running from the temp folder that also could do with the items not being logged.

      I am missing important log items due to the volume of these messages.

      Any suggestions please?

      Thanks,

      Julian

        • 1. Re: How to suppress threat log entries?

          Hi Julian,

          You can untick the check mark of report.

          Access Protection Properties-->Anti-Virus Standard Protection-->Prevent Mass mailing worms from sending mail

          Hope this helps you  :-)

          • 2. Re: How to suppress threat log entries?
            julian.floyd

            Many thanks, I will give that a go.

            I have been hunting through the manual for that and could not find it.

            Regards,

            Julian

            • 3. Re: How to suppress threat log entries?
              Attila Polinger

              Hi,

              I'd definitely not do that but rather make sure which process is sending mails on port 25 and I'd put it on the exclusion list of the given rule, if necessary, which makes the entries go away for that particular process. To the contrary, I'd enable block and report for this rule and make just exclusions if necessary.

              If you disable reporting you will never know of any malware sending spam from your client.

              On the other hand please go through the Access Protection policy for your clients and change to "block and report" any report-only rule.

              It is not meaningful to use report-only rules in production (as opposed to testing a rule), just as it is not meaningful to use block-only rules.

              It is a different thing to decide which rules to use at all, but I recommend never using single-action rules in production, only both actions.

              Attila

              • 4. Re: How to suppress threat log entries?
                julian.floyd

                Hi Attila,

                I see the logic in that but how do I set an exclusion to allow the Exchange server to send correct emails if I keep the mass mailing worm rule?

                This particular policy is only for the Exchange machine.

                Thanks,

                Julian

                • 5. Re: How to suppress threat log entries?
                  Attila Polinger

                  Hi Julian,

                  "simply" by looking at the AccessProtectionLog.txt on the Exchange server when you made an attempt to send an email using that server. It then should indicate the process name that was blocked.

                  Then this process name should be added to the exclusion list of the Access Protection rule in the virusscan policy that applies to this Exchange server and that's it. Next time that process is allowed to access port 25.

                  (just between parentheses: I'm surprised to hear that a process like that is not automatically included in the factory VSE package)

                  Attila

                  • 6. Re: How to suppress threat log entries?
                    julian.floyd

                    Thanks, that will be edgetransport.exe then. It is strange that other exclusions already exist but that one does not.

                    I will try this and see what happens.

                    Regards,

                    Julian
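Added example, not code from this thread or from McAfee: a small Python triage script that does the step Attila describes programmatically. It parses AccessProtectionLog.txt entries, tallies which process tripped which Access Protection rule, and separates the process you expect to send mail on port 25 (the Exchange transport binary, edgetransport.exe, as Julian identified) from anything else that tripped the same rule, which should be investigated rather than excluded. The log lines are constructed; the tab-separated field order, the rule names and the "not enforced" wording used to spot report-only rules are assumptions about the real file format, not taken from this thread.

```python
"""
Triage helper for VSE AccessProtectionLog.txt (added example, not McAfee's code).
Goal: find which process trips a rule so that the process, not the rule, is
excluded, and surface any other process hitting the same rule for a closer look.
"""
from collections import Counter, defaultdict

# Assumed field order of a log line (tab-separated). This is an assumption
# about the real file format, not verified against a particular VSE build.
FIELDS = ("date", "time", "action", "user", "process", "rule", "detail")

# Rule names as they might appear in the log (assumed wording).
MASS_MAIL_RULE = "Anti-virus Standard Protection:Prevent mass mailing worms from sending mail"
TEMP_RULE = "Common Standard Protection:Prevent executables from running from the Temp folder"

# Constructed sample log lines, built for this example only.
SAMPLE_LOG = (
    "4/10/2013\t10:22:12 AM\tWould be blocked by Access Protection rule (rule is currently not enforced)"
    "\tNT AUTHORITY\\SYSTEM\tC:\\Program Files\\Microsoft\\Exchange Server\\Bin\\EdgeTransport.exe"
    "\t" + MASS_MAIL_RULE + "\tAction blocked : Connect\n"
    "4/10/2013\t10:22:13 AM\tWould be blocked by Access Protection rule (rule is currently not enforced)"
    "\tNT AUTHORITY\\SYSTEM\tC:\\Program Files\\Microsoft\\Exchange Server\\Bin\\EdgeTransport.exe"
    "\t" + MASS_MAIL_RULE + "\tAction blocked : Connect\n"
    "4/10/2013\t10:25:01 AM\tBlocked by Access Protection rule"
    "\tCORP\\jdoe\tC:\\Users\\jdoe\\AppData\\Local\\Temp\\setup.exe"
    "\t" + TEMP_RULE + "\tAction blocked : Execute\n"
    "4/10/2013\t10:30:44 AM\tWould be blocked by Access Protection rule (rule is currently not enforced)"
    "\tNT AUTHORITY\\SYSTEM\tC:\\Windows\\Temp\\update.exe"
    "\t" + MASS_MAIL_RULE + "\tAction blocked : Connect\n"
)


def parse_log(text):
    """Split tab-separated lines into dicts keyed by FIELDS.
    Lines whose field count does not match are skipped rather than guessed at."""
    entries = []
    for line in text.splitlines():
        parts = line.rstrip("\r\n").split("\t")
        if len(parts) != len(FIELDS):
            continue
        entries.append(dict(zip(FIELDS, parts)))
    return entries


def is_report_only(entry):
    """True when the action text says the rule was reported but not enforced
    (assumed wording). These are the 'NOT blocked' entries flooding the log."""
    return "not enforced" in entry["action"].lower()


def image_name(path):
    """Lower-cased executable name without its directory, for matching."""
    return path.rsplit("\\", 1)[-1].lower()


def hits_by_rule(entries):
    """Return rule -> Counter(image name -> number of hits)."""
    out = defaultdict(Counter)
    for e in entries:
        out[e["rule"]][image_name(e["process"])] += 1
    return out


def triage(entries, expected):
    """expected maps a rule name to the set of image names that legitimately
    trip it (e.g. the Exchange transport process for the mass-mailing rule).
    Returns (exclude, investigate):
      exclude     - rule -> processes that can go on that rule's exclusion list
      investigate - rule -> processes hitting the rule that were not expected;
                    an unexpected mailer on port 25 is exactly what the rule
                    exists to catch, so these deserve a look before any change."""
    exclude = defaultdict(set)
    investigate = defaultdict(set)
    for rule, procs in hits_by_rule(entries).items():
        for image in procs:
            if image in expected.get(rule, set()):
                exclude[rule].add(image)
            else:
                investigate[rule].add(image)
    return dict(exclude), dict(investigate)


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    known_good = {MASS_MAIL_RULE: {"edgetransport.exe"}}
    to_exclude, to_check = triage(parsed, known_good)
    print("report-only entries:", sum(is_report_only(e) for e in parsed))
    print("candidate exclusions:", to_exclude)
    print("investigate first:", to_check)
```

The expected-process map is the only policy decision in the script: only a process you already know is the legitimate mailer (here the Exchange transport binary) lands in the exclusion set, while any other binary hitting the same rule is listed separately, which keeps the rule enforced for everything except the one process that needs it.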

                    • 7. Re: How to suppress threat log entries?
                      alexn

                      Julian,

                      Attila is 100% right here: exclude the process, not the rule. And if you could possibly let me know your OS version and Exchange version, I will send some recommended exclusions as well.

                      Regards

                      Alxn

                      • 8. Re: How to suppress threat log entries?
                        julian.floyd

                        Alxn,

                        Attila's solution is working - many thanks!

                        I am running Exchange 2007 on a Windows Server 2003 R2 machine. I have found the recommended exclusions but they didn't help with this one!

                        Regards,

                        Julian

                        • 9. Re: How to suppress threat log entries?
                          alexn

                          Great, Julian! You got the solution.

                          But recommended exclusions must be made to increase performance and to prevent files from being corrupted.

                          For example, let's say Exchange is processing a file and meanwhile OAS comes and locks the file for scanning; then that file will be corrupted and can cause serious issues for the Exchange server, so I would suggest you apply the recommended exclusions as well.

                          Regards

                          Alexn

                          Message was edited by: alexn on 4/11/13 8:42:23 AM CDT