I've been chasing after an issue with a new Exchange deployment not sending any outbound mail. When you telnet to port 25 on any SMTP server it just fails straight away as if there's a firewall or something in between. I finally got a network trace and the very odd thing was that there was absolutely no network traffic at all. Usually you would see a bunch of TCP SYNs if there was a firewall in the mix.
I noticed that McAfee's little shield in the tray was bright red, which it does when it has something to say. The log had these nice entries (well, a lot of them) in it:
6/29/2009 11:39:13 AM Blocked by port blocking rule C:\Exchange\Bin\edgetransport.exe Anti-virus Standard Protection:Prevent mass mailing worms from sending mail 10.100.10.16:25
6/29/2009 11:40:46 AM Blocked by port blocking rule C:\Windows\system32\telnet.exe Anti-virus Standard Protection:Prevent mass mailing worms from sending mail 10.100.10.15:25
You can see Exchange trying to relay mail (the Edge Transport process) and me trying to test it by hand (telnet). Apparently McAfee has kindly inserted itself into the network stack somewhere and is intercepting these connections before they even leave the box.
In order to turn this off, you need to go into ePO and edit the Access Protection policy which applies to your servers. Inside the policy, go to Anti-virus Standard Protection and uncheck both boxes for Prevent mass mailing worms from sending mail.

Don't forget to do this for both the "Server" and "Workstation" policies (or just the server one).
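Summarising the Access Protection log per process shows exactly which executables the rule is stopping before the policy is changed. This is an added example, not part of the original post or any McAfee tooling. The regular expression assumes the space-separated layout of the two entries quoted above, and the last two sample lines and the allowlist are constructed.

```python
import re
from collections import Counter
from datetime import datetime
from ntpath import basename  # applies Windows path rules on any OS

# The first two entries are the ones quoted in the post; the last two are constructed.
SAMPLE_LOG = r"""
6/29/2009 11:39:13 AM Blocked by port blocking rule C:\Exchange\Bin\edgetransport.exe Anti-virus Standard Protection:Prevent mass mailing worms from sending mail 10.100.10.16:25
6/29/2009 11:40:46 AM Blocked by port blocking rule C:\Windows\system32\telnet.exe Anti-virus Standard Protection:Prevent mass mailing worms from sending mail 10.100.10.15:25
6/29/2009 11:41:02 AM Blocked by port blocking rule C:\Program Files\Example App\mailer.exe Anti-virus Standard Protection:Prevent mass mailing worms from sending mail 10.100.10.16:25
6/29/2009 11:42:00 AM constructed line of some other kind
"""

ENTRY = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)\s+"
    r"Blocked by port blocking rule\s+"
    r"(?P<process>.+?\.exe)\s+"  # lazy match so paths containing spaces survive
    r"(?P<rule>.+?)\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)$",
    re.IGNORECASE,
)

def parse_line(line):
    """Return a dict for a port-blocking entry, or None for any other line."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], "%m/%d/%Y %I:%M:%S %p")
    entry["port"] = int(entry["port"])
    return entry

def blocked_by_process(text, port=25):
    """Count blocked connections to `port` per executable name (lower-cased)."""
    entries = filter(None, map(parse_line, text.splitlines()))
    return Counter(basename(e["process"]).lower() for e in entries if e["port"] == port)

def not_allowlisted(counts, allowed):
    """Executables the rule stopped that are not expected mail senders."""
    return sorted(set(counts) - {name.lower() for name in allowed})

if __name__ == "__main__":
    counts = blocked_by_process(SAMPLE_LOG)
    print(counts)
    # Assumption: edgetransport.exe is the only process expected to send SMTP here.
    print(not_allowlisted(counts, {"EdgeTransport.exe"}))
```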
Comments, Trackbacks, & Pingbacks
#1 re: McAfee and SMTP Traffic
Monday, June 29 2009 3:04 PM by Andy Parkes
This has actually been in McAfee products for years. I remember the first time I ran into it though and spent ages trying to figure it out and getting increasingly frustrated - I feel your pain ;-)
#2 re: McAfee and SMTP Traffic
Monday, June 29 2009 5:28 PM by Christian
I would recommend another configuration. With the described settings you allow any process to send SMTP packets.
In your low-risk / high-risk processes policy you can also exclude the Exchange processes (here edgetransport.exe) from being scanned. Then the access protection setting won't stop Exchange from sending mail but will stop "spammailer.exe" from doing so.
There are also recommendations from McAfee (kc.mcafee.com) on how to configure the policies for VSE 8.5 or 8.7. A lot of exclusions should be configured to have your Exchange setup also supported by McAfee.
#3 re: McAfee and SMTP Traffic
June 29, 2009 3:35 PM by McAfee and SMTP Traffic | Real Rumors
Pingback from McAfee and SMTP Traffic | Real Rumors