3 Replies Latest reply on Oct 21, 2016 7:59 PM by catdaddy

    Anti-virus Standard Protection:Prevent mass mailing worms from sending mail

    yorkman

      I'm running McAfee VirusScan v8 on a windows server which runs MS Exchange and Xeams for anti-spam protection. Everything is working properly. I can send/receive emails and spam is getting blocked. Xeams filters spam and legitimate emails are then relayed to my Exchange server which is running on the same server.


      Now, why am I still seeing entries like:


      10/20/2016    10:47:15 PM    Blocked by port blocking rule     D:\Xeams\Xeams.exe    Anti-virus Standard Protection:Prevent mass mailing worms from sending mail    192.168.1.101:25


      First, neither Xeams nor Exchange has any services running on port 25. Why is McAfee telling me that Xeams.exe is blocked to 192.168.1.101 on port 25 when there are no services on that port? I can confirm with netstat that nothing is listening on port 25 on 192.168.1.101. It doesn't appear to affect anything since everything is working normally, but I see this about 3 times per hour and I'm unable to figure out why. I have edgetransport.exe in my exclude list in the McAfee VirusScan rule. Xeams.exe isn't in the exclude list, yet it's able to relay emails to the Exchange server running on the same server just fine...still, I see the "blocked by port blocking rule" entry in the Access Protection log as if to suggest that sometimes it's blocking connections and other times it's not.


      I have already run a full scan for viruses/malware using McAfee Virus Scan, Kaspersky and Malware Bytes. Nothing found.


      Second, am I correct in understanding the log entry? That Xeams.exe is trying to send to 192.168.1.101 port 25, or is it perhaps that something else is trying to connect to 192.168.1.101 via port 25 to Xeams.exe?


      Either way, what else can I do to try to determine what is trying to connect to this port, and why, since there's absolutely nothing running on port 25? I can't telnet to it either, and netstat doesn't show anything coming in or out on port 25. So where is this coming from?
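A practical first step with a log entry like the one quoted above is to stop reading it one line at a time and instead summarize the whole Access Protection log: which process, which rule, which destination, how often, and at what spacing. The script below is an added example written for this thread; it is not code from the original post, from Xeams, or from McAfee. It assumes the exported log has the six tab-separated columns visible in the quoted line (date, time, action, process, rule, target), and it treats the last column as the remote endpoint the named process attempted to reach, which is the reading the poster asks about and is stated here as an assumption. The sample lines are constructed to match that layout and are not a real export. A hit that recurs at a fixed interval usually points at a scheduled job or a retry timer in the blocked process rather than at malware; netstat is a point-in-time snapshot, so an attempt that is blocked immediately is unlikely to appear in it, and the log itself is the better record of frequency.

```python
"""Summarize McAfee VirusScan Access Protection log entries (added example, constructed data)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the layout of the entry quoted in the post; not a real log export.
SAMPLE_LOG = (
    "10/20/2016\t10:07:15 PM\tBlocked by port blocking rule\tD:\\Xeams\\Xeams.exe\t"
    "Anti-virus Standard Protection:Prevent mass mailing worms from sending mail\t192.168.1.101:25\n"
    "10/20/2016\t10:27:15 PM\tBlocked by port blocking rule\tD:\\Xeams\\Xeams.exe\t"
    "Anti-virus Standard Protection:Prevent mass mailing worms from sending mail\t192.168.1.101:25\n"
    "10/20/2016\t10:47:15 PM\tBlocked by port blocking rule\tD:\\Xeams\\Xeams.exe\t"
    "Anti-virus Standard Protection:Prevent mass mailing worms from sending mail\t192.168.1.101:25\n"
    "10/20/2016\t11:07:15 PM\tBlocked by port blocking rule\tD:\\Xeams\\Xeams.exe\t"
    "Anti-virus Standard Protection:Prevent mass mailing worms from sending mail\t192.168.1.101:25\n"
    "10/20/2016\t11:10:02 PM\tBlocked by port blocking rule\tC:\\Tools\\mailtest.exe\t"
    "Anti-virus Standard Protection:Prevent mass mailing worms from sending mail\t203.0.113.10:25\n"
)

# Exported logs are tab-separated; a line pasted into a forum post usually has runs of spaces instead.
FIELD_SPLIT = re.compile(r"\t| {2,}")


def parse_ap_line(line):
    """Return a dict for one Access Protection entry, or None if the line does not fit the layout."""
    parts = [p.strip() for p in FIELD_SPLIT.split(line.strip()) if p.strip()]
    if len(parts) != 6:
        return None
    date, time, action, process, rule, target = parts
    host, sep, port = target.rpartition(":")
    if not sep or not port.isdigit():
        return None
    try:
        when = datetime.strptime(f"{date} {time}", "%m/%d/%Y %I:%M:%S %p")
    except ValueError:
        return None
    return {"when": when, "action": action, "process": process,
            "rule": rule, "host": host, "port": int(port)}


def summarize(text):
    """Group entries by (process, rule, host:port) with hit count and first/last timestamp."""
    groups = defaultdict(list)
    for line in text.splitlines():
        entry = parse_ap_line(line)
        if entry:
            key = (entry["process"], entry["rule"], f'{entry["host"]}:{entry["port"]}')
            groups[key].append(entry["when"])
    return {key: {"count": len(ts), "first": min(ts), "last": max(ts)}
            for key, ts in groups.items()}


def intervals_minutes(text, process):
    """Minutes between consecutive hits for one process (case-insensitive path match).

    A constant gap suggests a scheduler or retry timer inside that process; an
    irregular burst is the pattern worth escalating.
    """
    times = sorted(e["when"] for e in map(parse_ap_line, text.splitlines())
                   if e and e["process"].lower() == process.lower())
    return [round((b - a).total_seconds() / 60, 1) for a, b in zip(times, times[1:])]


if __name__ == "__main__":
    for (process, rule, target), info in summarize(SAMPLE_LOG).items():
        print(f"{info['count']:3d}x {process} -> {target}  [{rule}]  "
              f"{info['first']:%Y-%m-%d %H:%M} .. {info['last']:%Y-%m-%d %H:%M}")
    print("Xeams.exe gaps (min):", intervals_minutes(SAMPLE_LOG, "D:\\Xeams\\Xeams.exe"))
```

Run it against a real export by reading the file into `summarize` instead of `SAMPLE_LOG`. If every Xeams.exe hit lands on a fixed cadence, the next place to look is the Xeams configuration for anything that targets 192.168.1.101:25 on a timer (the product's own settings, not the log, will say what that is); if the hits are irregular, capture the attempts at the time they happen with a tool that records the originating process rather than relying on a netstat snapshot.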