1. I'm not entirely sure. A network trace would have to be analyzed to determine this. edit: Please open a McAfee Service Request if you need additional assistance with this.
2. You can remove the IE application from the firewall rule, which would apply the rule to all applications (but still limited to the other criteria; port 80/443), including the SYSTEM account (which is typically why you see no application in the firewall rule event; the traffic was run through PID 0, instead of the iexplore.exe PID).
Thank you for the response. I should've thought about using a sniffer.
I did just that and used my Firefox session to Pandora to test. Sure enough, I see blocked traffic in the activity log that the sniffer shows to be retransmit traffic.
I'm not sure how to allow retransmit traffic while still limiting outbound traffic to known/authorized apps running from approved locations.
[Edit]: Does anyone know how to permit retransmit traffic that shows up as a blank entry under the "application" column? I can't just say permit all 80/443 because Trojans, etc. use these ports too.
This is not restricted to just browser traffic. Any retransmit by the transport layer will be affected.
Thank you for the help
If I remove the application criteria and restrict only to authorized ports, how do I then prevent malware from using those ports? Shouldn't McAfee at least account for PID 0 performing retransmit?