9 Replies Latest reply on Jun 7, 2016 11:41 AM by youngs

    Allow Rule for Executable Blocked by Default Block-All Rule




      This is my first post.  I have no training in McAfee products or in using ePO to manage HIPS, DLP, A/V and firewalls (FWs).  I can deploy agents, encrypt drives, and use DLP to block or allow devices.

      I am not versed in HIPS and FW.  The ePO server was set up by another admin in a remote location.  I have asked for help, but he washed his hands of setup questions.  Another, more experienced local admin is confused by our issue, because it worked for another set of allowed applications/executables.


      I'm in a tough spot where I need to allow two executables to pass through the McAfee client firewall.  The client computer is making the request, but the server answers through a DCOM process where the port above 1023 is random.  This all takes place inside our network, by developers and testers.  It does not go out to the internet.


      The request is allowed out as shown in the logs.

      The responses are blocked, and they are exactly the executables that were allowed, punctuated by the reason: Block All Traffic.

      I moved the allow rule to the top of the list, but it is still superseded by the Block All rule.





      Navigator Server Executables



      Log matching traffic

      Media:All types (Wired,Wireless,Virtual)
      Protocol:All Protocols/Any
      Local networks
      Remote networks
      Local service:
      Remote service:
      Name    File name    Fingerprint    File description    Signer
      Executable Rule
      Timed group setting:
      Off-hours action: undefined

      Navigator server components (including RemoteOverride and Poster) making DCOM callback to the workstation. The needed port to open is dynamically determined by DCOM system. Our components do not specify the port.

      Last modified:By vdinenna on 5/18/2016 4:08:57 PM






      Sample of Blocks


      Time:       5/16/2016 2:04:37 PM

      Event:      Traffic

      IP Address/User:       xxx.xxx.xxx.xxx

      Description:             PosterCallBack Module (PosterCallBack.exe)

      Path:        C:\Program Files (x86)\USERS\DSComponentSuite\DCOM\PosterCallBack.exe

      Message:  Blocked Incoming TCP -  Source xxx.xxx.xxx.xxx :  (62190)  Destination xxx.xxx.xxx.xxx :  (52980)

      Matched Rule:         Block All Traffic



      Time:       5/16/2016 2:03:03 PM

      Event:      Traffic

      IP Address/User:

      Description:             RemoteOverrideMM Module (RemoteOverrideMM.exe)

      Path:        C:\Program Files (x86)\USERS\DSComponentSuite\DCOM\RemoteOverrideMM.exe

      Message:  Blocked Incoming TCP -  Source xxx.xxx.xxx.xxx :  (62174)  Destination xxx.xxx.xxx.xxx :  (52968)

      Matched Rule:         Block All Traffic








      Agent information on local system.


      System Information

      Computer Name: xxxxxxxx


      McAfee Host Intrusion Prevention

      Version number: 8.0

      Build date: Wednesday, June 10, 2015

      Build Number:

      License Type: Licensed

      Expiration Date

      Language: Automatic

      Security Content Version:

      Security Content Created On: Tuesday, May 03, 2016

      Patch: 6



      McAfee Agent

      Version number:


      Last security update check: 5/25/2016 1:23:50 PM

      Last agent-to-server communication: 5/26/2016 9:34:30 AM

      Agent to Server Communication Interval (every): 1 hour

      Policy Enforcement Interval (every): 5 minutes

      Agent ID: {F6EE12A1-A359-xxxxx-xxxxx-A1D04546EC34}

      ePO Server/Agent Handler

      DNS Name: xxxxxxxx

      IP Address: xxxxxxxx

      Port Number: 443



      McAfee DLP Endpoint

      Version number:

      Language: English (United States)



      McAfee Endpoint Encryption Agent

      Version number:

      Language: Multiple



      McAfee File and Removable Media Protection

      Version number:

      Language: Multiple



      Endpoint Encryption for PC

      Version number:



      McAfee VirusScan Enterprise + AntiSpyware Enterprise

      Version number: 8.8.0 (

      Build date: 2/12/2016


      Anti-virus License Type: licensed


      Scan engine version (32-bit): 5800.7501


      Scan engine version (64-bit): 5800.7501


      DAT version: 8175.0000

      DAT Created on: 5/24/2016


      Number of Signatures in extra.dat: 0

      Name of threats that extra.dat can detect: None

      Buffer Overflow and Access Protection DAT version: 739


      Installed Patches: 7
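The two block records above can be triaged mechanically: parse each record, pull the executable name out of the Path field and the direction and ports out of the Message field, and flag every record where an executable that the allow rule is supposed to cover was still matched by "Block All Traffic". The block below is an added example, not code from the original post or from McAfee. The log text is constructed from the "Sample of Blocks" records quoted above (addresses redacted as in the post); the allow-rule name and the set of allowed executables are assumptions, since the rule export in the post does not list its executables. The ephemeral-port check uses the fact that Windows Vista and later default to 49152-65535 as the dynamic TCP range, which is where the DCOM callback ports in the records fall.

```python
"""Triage HIPS firewall block records against an allow list of executables.

Added example, not from the original post or from McAfee. SAMPLE_LOG is
constructed from the two records quoted in the post; ALLOW_RULE and
ALLOWED_EXES are assumptions for illustration.
"""
import re

# Constructed sample: the two block records from the post, as plain text.
SAMPLE_LOG = """\
Time:       5/16/2016 2:04:37 PM
Event:      Traffic
IP Address/User:       xxx.xxx.xxx.xxx
Description:             PosterCallBack Module (PosterCallBack.exe)
Path:        C:\\Program Files (x86)\\USERS\\DSComponentSuite\\DCOM\\PosterCallBack.exe
Message:  Blocked Incoming TCP -  Source xxx.xxx.xxx.xxx :  (62190)  Destination xxx.xxx.xxx.xxx :  (52980)
Matched Rule:         Block All Traffic

Time:       5/16/2016 2:03:03 PM
Event:      Traffic
IP Address/User:
Description:             RemoteOverrideMM Module (RemoteOverrideMM.exe)
Path:        C:\\Program Files (x86)\\USERS\\DSComponentSuite\\DCOM\\RemoteOverrideMM.exe
Message:  Blocked Incoming TCP -  Source xxx.xxx.xxx.xxx :  (62174)  Destination xxx.xxx.xxx.xxx :  (52968)
Matched Rule:         Block All Traffic
"""

# Assumption: the name of the allow rule and the executables it is meant to
# cover (the rule export in the post shows an empty executable table).
ALLOW_RULE = "Navigator Server Executables"
ALLOWED_EXES = {"postercallback.exe", "remoteoverridemm.exe"}

# Windows Vista and later use 49152-65535 as the default dynamic (ephemeral)
# TCP range; RPC/DCOM callbacks are bound there unless the range is changed.
DYNAMIC_RANGE = range(49152, 65536)

# Message field: "<Blocked|Allowed> <Incoming|Outgoing> <proto> - Source a.b.c.d : (port) Destination a.b.c.d : (port)"
MSG_RE = re.compile(
    r"(?P<action>Blocked|Allowed)\s+(?P<direction>Incoming|Outgoing)\s+"
    r"(?P<proto>\w+)\s+-\s+Source\s+(?P<src>\S+)\s*:\s*\((?P<sport>\d+)\)\s+"
    r"Destination\s+(?P<dst>\S+)\s*:\s*\((?P<dport>\d+)\)"
)


def parse_records(text):
    """Split blank-line separated records into dicts of 'Key: value' fields,
    and expand the Message field into action/direction/proto/src/dst/ports."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in chunk.splitlines():
            # Split on the first colon only: Time and Path values contain colons.
            key, _, value = line.partition(":")
            rec[key.strip()] = value.strip()
        m = MSG_RE.search(rec.get("Message", ""))
        if m:
            rec.update(m.groupdict())
            rec["sport"] = int(rec["sport"])
            rec["dport"] = int(rec["dport"])
        records.append(rec)
    return records


def triage(records):
    """Return one finding per blocked record whose executable is on the allow
    list, noting which rule actually matched and whether the blocked local
    port is an ephemeral one (the DCOM callback case from the post)."""
    findings = []
    for rec in records:
        exe = rec.get("Path", "").rsplit("\\", 1)[-1].lower()
        if rec.get("action") != "Blocked" or exe not in ALLOWED_EXES:
            continue
        findings.append({
            "exe": exe,
            "direction": rec.get("direction"),
            "dport": rec.get("dport"),
            "ephemeral_port": rec.get("dport") in DYNAMIC_RANGE,
            "matched_rule": rec.get("Matched Rule"),
            "hit_allow_rule": rec.get("Matched Rule") == ALLOW_RULE,
        })
    return findings


if __name__ == "__main__":
    for finding in triage(parse_records(SAMPLE_LOG)):
        print(finding)
```

Run against the constructed sample, both records come back as findings with `hit_allow_rule` false, direction `Incoming` and `ephemeral_port` true, which is the shape of the problem described in the post: the allowed executable is being hit on an inbound connection to a dynamic port and the block-all rule is what actually matched. Pointing the same parser at a larger export makes it easy to confirm that every block involving these executables is inbound on the dynamic range rather than something else.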