8 Replies Latest reply on Dec 31, 2015 9:20 AM by Regis

    McAfee blocking email on port 25

    techguy007

      Dear All,

       

      This is my first post in the McAfee community; I hope to get some good advice and a solution from the experts out here.

       

      We are running Exchange Server 2013 with McAfee antivirus installed on all the Exchange servers. We have a lot of printers which connect to the Exchange server to relay email on behalf of the Exchange server, i.e. scan to mail.

       

      I have found that scan to mail does not work. From the Exchange side all the configuration is OK, yet it still does not work. I doubt if McAfee is blocking it, because recently I have seen the below in the access protection logs on my Exchange server.

       

      12/29/2015  12:02:43 PM  Blocked by port blocking rule  E:\Exchange Files\Bin\MSExchangeHMWorker.exe  Anti-virus Standard Protection:Prevent mass mailing worms from sending mail  127.0.0.1:587
      12/29/2015  12:06:41 PM  Blocked by port blocking rule  E:\Exchange Files\Bin\MSExchangeHMWorker.exe  Anti-virus Standard Protection:Prevent mass mailing worms from sending mail  127.0.0.1:25
      12/29/2015  12:07:43 PM  Blocked by port blocking rule  E:\Exchange Files\Bin\MSExchangeHMWorker.exe  Anti-virus Standard Protection:Prevent mass mailing worms from sending mail  127.0.0.1:587
      12/29/2015  12:11:41 PM  Blocked by port blocking rule  E:\Exchange Files\Bin\MSExchangeHMWorker.exe  Anti-virus Standard Protection:Prevent mass mailing worms from sending mail  127.0.0.1:25
      12/29/2015  12:12:43 PM  Blocked by port blocking rule  E:\Exchange Files\Bin\MSExchangeHMWorker.exe  Anti-virus Standard Protection:Prevent mass mailing worms from sending mail  127.0.0.1:587
      12/29/2015  12:15:06 PM  Blocked by port blocking rule  E:\Exchange Files\Bin\MSExchangeFrontendTransport.exe  Anti-virus Standard Protection:Prevent mass mailing worms from sending mail  10.20.36.30:25
      12/29/2015  12:16:11 PM  Blocked by port blocking rule  E:\Exchange Files\Bin\MSExchangeHMWorker.exe  Anti-virus Standard Protection:Prevent mass mailing worms from sending mail  127.0.0.1:25
      12/29/2015  12:18:33 PM  Blocked by port blocking rule  E:\Exchange Files\Bin\MSExchangeHMWorker.exe  Anti-virus Standard Protection:Prevent mass mailing worms from sending mail  127.0.0.1:25
      12/29/2015  12:19:51 PM  Blocked by port blocking rule  E:\Exchange Files\Bin\MSExchangeHMWorker.exe  Anti-virus Standard Protection:Prevent mass mailing worms from sending mail  127.0.0.1:25
      12/29/2015  12:20:55 PM  Blocked by port blocking rule  E:\Exchange Files\Bin\MSExchangeHMWorker.exe  Anti-virus Standard Protection:Prevent mass mailing worms from sending mail  127.0.0.1:587
        • 1. Re: McAfee blocking email on port 25
          georgec

          You'll find the rule named "Anti-virus Standard Protection:Prevent mass mailing worms from sending mail" under Access Protection. You can either disable the rule, or add the "E:\Exchange Files\Bin\MSExchangeHMWorker.exe" process as an exception, depending on your needs. If the AV is managed centrally you'll have to make the changes on the ePO server.

          • 2. Re: McAfee blocking email on port 25
            techguy007

            Yes, we are managing it centrally. I can find the first option in Access Protection; how do I get this option in ePO?

            I mean, where do I find this option in ePO?

            • 3. Re: McAfee blocking email on port 25
              davidp64

              Hi techguy,

              According to the logs in access protection: Anti-virus Standard Protection:Prevent mass mailing worms from sending mail.

              Uncheck from the rule with report and check whether it is working fine or not.

               

              Recommend you first test and then move forward for deployment.

               

              Thanks

              • 4. Re: McAfee blocking email on port 25
                techguy007

                Dear David,

                 

                After unchecking both block and report, the emails are working fine.

                • 5. Re: McAfee blocking email on port 25
                  techguy007

                  Dear George/David,

                   

                  After removing both check marks, the check mark comes back again automatically and the emails stop again. How do I permanently remove the check mark?

                   

                  • 6. Re: McAfee blocking email on port 25
                    tomz2

                    You need to work with whoever manages your ePO, which is what centrally manages VSE policies, and ask them to configure a policy for the Exchange servers that has the Mass Mailing Worms AP rule shut off.

                     

                    If that person is you, then I'd recommend building a policy for the Exchange servers and use a policy assignment rule to assign them to the servers. A PAR uses a tag that is then associated with a policy. For example, you'd build a tag called "Exchange servers", build a policy called "VSE AP Exchange", and then build a PAR that says if the system has the "Exchange servers" tag, apply the "VSE AP Exchange" policy.

                    • 7. Re: McAfee blocking email on port 25
                      davidp64

                      Hi techguy,

                       

                      Do the same from ePO and assign that policy to that server.

                       

                      Thanks

                      • 8. Re: McAfee blocking email on port 25
                        Regis

                        Hi TechGuy,

                         

                        For machines managed by an ePolicy Orchestrator agent (as most are in corporate environments, since ePO is so gangster for manageability... and you'll know a machine is managed if you see McAfee Agent installed on it), McAfee has a notion of a policy enforcement interval in which policies for various things get reapplied every few minutes. This prevents local administrators from changing important settings or turning things off too easily. All locally twiddleable settings generally have ePO policies associated with them that the ePO administrator can modify.

                         

                        Two options for the ePO administrator: a) turn that mass mailing protection off in a VSE Anti-virus standard protection that gets applied to that machine somehow (a policy assignment rule is a nifty way to do it with ePO tags, wherein a "MassMailingOK" tag is applied to the machine and a policy assignment rule maps that to a fork of the VSE policy that unchecks that protection), or ... what I see a lot of too is to add E:\Exchange Files\Bin\MSExchangeFrontendTransport.exe and E:\Exchange Files\Bin\MSExchangeHMWorker.exe (or a suitable wildcard) to the exception list for processes that exists for that rule in the usual VSE Anti-virus standard protection policy.
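
Added example (not posted by any participant in the thread): a Python triage of Access Protection log lines in the format shown in the first post, listing which processes the "Prevent mass mailing worms from sending mail" rule blocked, so that process exceptions are granted only to the Exchange binaries named above and anything else is reviewed first. The sample log is constructed, and the `C:\Temp\example-sender.exe` entry is a hypothetical process included to show the unexpected case.

```python
import re
from collections import Counter

# One Access Protection log line as posted in the thread. \s* between fields
# accepts both the fused forum paste and a space- or tab-separated export.
LINE_RE = re.compile(
    r"(?P<date>\d{1,2}/\d{1,2}/\d{4})\s*"
    r"(?P<time>\d{1,2}:\d{2}:\d{2} [AP]M)\s*"
    r"Blocked by port blocking rule\s*"
    r"(?P<process>[A-Za-z]:\\.+?\.exe)\s*"
    r"(?P<rule>.+?)\s*"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)\s*$"
)

# Exception candidates named in the thread, lower-cased for comparison.
EXPECTED = {
    r"e:\exchange files\bin\msexchangehmworker.exe",
    r"e:\exchange files\bin\msexchangefrontendtransport.exe",
}

# Constructed sample modelled on the posted log; the last line is hypothetical.
SAMPLE = r"""
12/29/201512:02:43 PMBlocked by port blocking ruleE:\Exchange Files\Bin\MSExchangeHMWorker.exeAnti-virus Standard Protection:Prevent mass mailing worms from sending mail127.0.0.1:587
12/29/201512:06:41 PMBlocked by port blocking ruleE:\Exchange Files\Bin\MSExchangeHMWorker.exeAnti-virus Standard Protection:Prevent mass mailing worms from sending mail127.0.0.1:25
12/29/2015  12:15:06 PM  Blocked by port blocking rule  E:\Exchange Files\Bin\MSExchangeFrontendTransport.exe  Anti-virus Standard Protection:Prevent mass mailing worms from sending mail  10.20.36.30:25
12/29/2015  12:21:10 PM  Blocked by port blocking rule  C:\Temp\example-sender.exe  Anti-virus Standard Protection:Prevent mass mailing worms from sending mail  10.20.36.30:25
"""

def parse(text):
    """Return one dict of named fields per line that matches the log format."""
    matches = (LINE_RE.match(line.strip()) for line in text.splitlines())
    return [m.groupdict() for m in matches if m]

def triage(events):
    """Count blocks per (process, port); split expected senders from the rest."""
    counts = Counter((e["process"], int(e["port"])) for e in events)
    expected = {k: n for k, n in counts.items() if k[0].lower() in EXPECTED}
    unexpected = {k: n for k, n in counts.items() if k[0].lower() not in EXPECTED}
    return expected, unexpected

if __name__ == "__main__":
    ok, review = triage(parse(SAMPLE))
    print("exception candidates:", ok)
    print("review before excluding or disabling the rule:", review)
```

An empty second result means only the expected Exchange processes hit the rule, which supports the per-process exception over switching the rule off for the whole server.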