Email Problems with McAfee 8 Enterprise

Prepared by Ian Matthews May 24, 2005

After dealing with several odd problems that have been caused by the seriously enhanced security provided by McAfee version 8 I thought I should document the solution.

Problem 1: Can not send email from servers Backup Software called Vital Vault
Problem 2: Can not email information from forms on FPSE2002 extended IIS6 server
Problem 3: Can not send email from a CRM product called GoldMine
Problem 4: Can not telnet to a mail server on port 25 (i.e. telnet mail.telus.com 25)

The solution for all of these issues was to add exceptions to the ON SCAN ACCESS function in McAfee 8.  You can do this through the desktop interface if you have permission, by:

  1. right clicking on the McAfee 8 shield in the “notification area” (near your PC’s clock) and selecting VIRUS SCAN CONSOLE

    Mcafee 8 Exceptions
    Mcafee 8 Exceptions
  2. double click the ACCESS PROTECTION entry
  3. on the PORT BLOCKING tab, click PREVENT MASS MAILING WORMS FROM SENDING MAIL, and click the EDIT button
  4. add in the names of the executables that are trying to connect on port 25 (i.e. SMTP outbound email port) for example, gmw.exe, telnet.exe, w3wp.exe, vv.exe

 

If you are using McAfee ePolicy Orchestrator, you can make the same change to all machines by:

  1. signing into your ePO server

    McAfee - Servers
    McAfee - Servers
  2. locate the folder you want to apply the exceptions to (or a particular machine) and click ACCESS PROTECTION POLICIES
  3. make certain you select SERVER or WORKSTATION (McAfee does know what each machines Operating System is and if you machine changes to the WORKSTATION settings and your machines are server, the changes will NOT have any effect)
  4. uncheck INHERIT
  5. select PREVENT MASS MAILING WORMS FROM SENDING MAIL, and click the EDIT button
  6. add in the names of the executables that are trying to connect on port 25 (i.e. SMTP outbound email port) for example, gmw.exe, telnet.exe, w3wp.exe, vv.exe. 

You should add whatever you applications you are having trouble with but so far I have added the following (among others):

w3wp.exe is from Internet Information Services
gmw.exe is GoldMine
telnet.exe is telnet (very handy in trouble shooting mail servers)
vv.exe is Vital Vault backup software

If you are unsure what is being blocked, just start the Virusscan console, click FILE, and VIEW LOG.  You should be readily able to figure out what you need:

5/24/2005 11:26:46 AM Blocked by port blocking rule telnet.exe Prevent mass mailing worms from sending mail

You have to wonder how long it will take for virus writers to simply create executables with the name of one of the default excluded programs (like outlook.exe)

Questions or Comments?