MikePorritt
Contributor
Message 1 of 11

Automatically Creating Blocking Rules

I noticed that my home PC was being bombarded with remote desktop logon attempts .. over 20,000 in one 24 hour period. 

This did not seem to trigger any protective action by McAfee or Windows, so I wrote a Windows PowerShell script that is triggered by the Windows failed logon event. The script extracts the IP address of the invader and creates a Windows firewall rule to block that IP address. Other forum comments led me to believe the Windows rules would be effective on a system running McAfee's firewall. In practice the new rules are ignored, even when McAfee's firewall is turned off.

To test, I started a remote desktop session from an external IP and deliberately used an incorrect sign-on. The logon failure is detected and the firewall rule is created to block further access from that IP, but further attempts to log on (with both incorrect and correct sign-on details) are processed as if the rule does not exist.

Any insight into my problem or advice that an equivalent McAfee blocking rule can be created programmatically would be much appreciated.

10 Replies
Former Member
Not applicable
Message 2 of 11

Re: Automatically Creating Blocking Rules

Hello @MikePorritt ,

Sorry for the inconvenience caused.

What is the version of the McAfee software installed on the computer? You can check it in My info->About.

Also, if it is related to Remote PC login, try enabling port 135 under system service in McAfee Firewall.

Please let us know the outcome so that we can assist you better.

Regards

Srinivasa Ragavan

MikePorritt
Contributor
Message 3 of 11

Re: Automatically Creating Blocking Rules

Hello @SrinivasaRagavan,

My McAfee software is LiveSafe version 16.

The issue does not have anything to do with port 135.

As per my posting, my problem relates to large numbers of attempts to log onto (i.e. take control of) my PC using Microsoft's Remote Desktop Protocol (RDP), which normally communicates via port 3389. In my case I use a different port number in an attempt to be less visible to this sort of attack.

I also delete port 3389 from McAfee, but McAfee periodically recreates and activates the port 3389 definition, which makes my system visible to people scanning for port 3389, so I am not very happy about that but can live with it.

When I raised this issue I had been led to believe McAfee would support Windows Defender blocking rules, but it now seems McAfee disables Windows Defender firewall completely. Even when McAfee's firewall is disabled, Windows Defender remains inactive.

This means my Windows PowerShell code to detect and block these attacks cannot work in its current form, because the blocking rules it creates are ignored: Windows Defender is disabled and McAfee's firewall does not use them.

So my question remains ... is there a programmable interface that will allow me to dynamically insert BLOCK rules for specific external IP addresses into McAfee's firewall rules?

Thanks Mike

 

Bharani_BD
McAfee Retired
Message 4 of 11

Re: Automatically Creating Blocking Rules

hi @MikePorritt 

Please follow this article and let us know if the issue persists.

 

Thanks and Regards

Bharani S

 

MikePorritt
Contributor
Message 5 of 11

Re: Automatically Creating Blocking Rules

Hello Bharani S,

I have looked at the article you suggested, "How to open a port in Personal Firewall", and found it is not related to my question. The article outlines a basic process that is fundamental to port management through a firewall. Is it possible you have linked the wrong article to your response?

My question remains as originally stated but I will try to clarify again.

1. I detected that my system was being attacked by somebody making repeated attempts to log onto it using Microsoft Remote Desktop Protocol (RDP).

2. I wrote a Windows PowerShell script to detect these intrusions and the network address of the attacker (their IP number).

3. My aim is to block the intruder by generating a blocking rule for the IP address each time an attack occurs.

4. I can achieve this when using the basic Windows firewall, as such rules can be created using PowerShell commands.

5. Does McAfee provide a programmable method to create equivalent functionality using the McAfee firewall ??
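The detect-and-block procedure in steps 1 to 4 of the post above, sketched as an added example (this is not the poster's script). The threshold, time window, rule-name prefix and allow list are assumptions; it also checks the failure mode described in this thread, where block rules are created but not enforced because Windows Defender Firewall is switched off.

```powershell
#Requires -RunAsAdministrator
# Added example, not the poster's script. All values below are assumptions.
$Threshold  = 5                           # failed logons per source before blocking
$Since      = (Get-Date).AddMinutes(-10)  # look-back window
$RulePrefix = 'AutoBlock-RDP-'            # hypothetical rule naming convention
$AllowList  = @('127.0.0.1', '::1')       # add trusted addresses so you cannot lock yourself out

# Rules created with New-NetFirewallRule are only enforced while Windows
# Defender Firewall is on; a third-party firewall may have turned it off.
if (-not (Get-NetFirewallProfile | Where-Object { $_.Enabled -eq 'True' })) {
    Write-Warning 'No Windows Defender Firewall profile is enabled; block rules will not be enforced.'
}

# Event ID 4625 in the Security log is "An account failed to log on".
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $Since } `
                       -ErrorAction SilentlyContinue

# Pull the IpAddress field from each event; skip values such as '-' that do not parse.
$sources = foreach ($e in $events) {
    $data = ([xml]$e.ToXml()).Event.EventData.Data
    $raw  = ($data | Where-Object { $_.Name -eq 'IpAddress' }).'#text'
    $ip   = $null
    if ($raw -and [System.Net.IPAddress]::TryParse($raw, [ref]$ip)) { $ip.ToString() }
}

# One inbound block rule per source over the threshold; existing rules are not duplicated.
$sources | Group-Object |
    Where-Object { $_.Count -ge $Threshold -and $_.Name -notin $AllowList } |
    ForEach-Object {
        $name = $RulePrefix + $_.Name
        if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $name -Direction Inbound -Action Block `
                -RemoteAddress $_.Name `
                -Description "Auto-created after $($_.Count) failed logons since $Since" | Out-Null
            Write-Output "Blocked $($_.Name) after $($_.Count) failed logons"
        }
    }
```

Using a threshold rather than blocking on the first failure keeps a single mistyped password from locking out a legitimate remote user.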

Former Member
Not applicable
Message 6 of 11

Re: Automatically Creating Blocking Rules

Hello @MikePorritt ,

Kindly let us know whether the impacted PC has been used for work purposes as well. Please enable port number 3389 from Ports and System Services under McAfee firewall and select "PC's work and home networks only" under "Open port to". Also please enable the option "Use intrusion protection" under Intrusion Detection on McAfee firewall. And let us know if the issue still persists.

Regards

Srinivasa Ragavan

 

MikePorritt
Contributor
Message 7 of 11

Re: Automatically Creating Blocking Rules

Hello Again,

I already have the McAfee intrusion detection enabled.

Review of the Windows event logs shows that remote desktop attacks proceed without any sign of detection or prevention by McAfee. In one attack I could see in the event logs that many thousands of logons were attempted, with each attempt using a different logon ID/password combination.

I do not use 3389 as the RDP port, as an extra means of avoiding these attacks. I have configured Windows to use a port of my own choosing. That way the attacker has to work much harder to find my special RDP port before an attack can even start.

I need RDP to work from anywhere, not just within my home network, so the McAfee firewall rule I have for my RDP port already reflects that requirement.

Once again my question remains "Can I interact with the McAfee firewall from my program to block problem IP numbers?????"... If so I can detect and block these attacks.

Please answer this question with YES or NO.

Thanks, Mike

Bharani_BD
McAfee Retired
Message 8 of 11

Re: Automatically Creating Blocking Rules

Hi @MikePorritt 

We are sorry for the inconvenience. You can block certain IPs by clicking Firewall options >> My network connections >> Add >> Network type and selecting Blocked. Under the Blocked section, add the external IPs that you wish to block.

 

Thanks

Bharani S

 

MikePorritt
Contributor
Message 9 of 11

Re: Automatically Creating Blocking Rules

Hi.

My question remains:

"Can I interact with the McAfee firewall from my program to block problem IP numbers?????"

The essential part of the question is "FROM MY PROGRAM".

Instructions on how to set up a blocking rule using the screen and keyboard interface are NOT an answer to this question.

As outlined in earlier messages in this thread, my aim is to automatically detect, identify and block RDP intruders. Please advise if McAfee has any API capability to let me create McAfee blocking rules from my program.

Please discuss this question with your technical support.
I am sure they will understand my question and advise accordingly.

Thanks, Mike

bms231
Contributor
Message 10 of 11

Re: Automatically Creating Blocking Rules

Wow man, sorry to see McAfee's support is just as terrible as Kaspersky. I recently had the same problem. Got hit 16,144 times in 1 hour by Russian RDP attackers. Went right through my router FW (Asus) and Kaspersky. I suspect when you enable port forwarding they just let the traffic through and don't monitor what is coming through the port or how many times. Truly a pity. Guess based on this post I won't be making the switch.
