After taking a peek at some McAfee logs I decided to try mucking about with some of the Access Protection functionality, specifically IRC communication. I noticed there were a number of useful entries that could be set to log or even block attempts, and these settings are not enabled by default (see end of post). A test environment was set up using an IRC daemon on REMnux and an Nmap script called irc-info.nse. An initial baseline scan/connect is made to confirm that a service does reside on the virtual guest.
The host indeed has an IRC server running. We do not want our hosts communicating with IRC daemons, so we can leverage McAfee to help block this attempt. First, open up the Auto Protect settings in the VirusScan console.
Next, “Prevent IRC communication” was enabled, as this host's processes should not be making outgoing IRC requests. If a process were making such requests, it could be indicative of malicious software contacting a C&C server.
Now that the policy is being enforced, we again test the ability to connect to the remote host's IRC service.
Nmap is able to elicit responses from the host but is unable to complete a connection and interact with the IRC server. The last screenshot depicts the log entries: a report-only entry, and a block-and-report entry.
Be cautious about shunning all processes for a specific check, as some legitimate applications may use a port that a malicious process would typically use. Instead, consider whitelisting those applications, or only selecting known-evil processes.
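As an added example that is not part of the original post, the script below parses Access Protection log lines, separates the report-only entries from the block-and-report entries for the IRC rule, and honours a whitelist of known-good IRC clients as the caveat above suggests. The sample lines are constructed, and the tab-separated field order and exact event wording are assumptions about the AccessProtectionLog.txt layout.

```python
from collections import Counter

# Constructed sample lines; the tab-separated field order (date, time, event,
# user, process, target, rule, action) and event wording are assumptions.
SAMPLE_LOG = (
    "3/12/2013\t10:41:02 AM\tWould be blocked by Access Protection rule "
    "(rule is currently not enforced).\tNT AUTHORITY\\SYSTEM\t"
    "C:\\Windows\\System32\\svchost.exe\t192.0.2.10:6667\t"
    "Anti-virus Standard Protection:Prevent IRC communication\tAction blocked : Connect\n"
    "3/12/2013\t10:44:17 AM\tBlocked by Access Protection rule\tLAB\\analyst\t"
    "C:\\Users\\analyst\\AppData\\Local\\Temp\\update.exe\t192.0.2.10:6667\t"
    "Anti-virus Standard Protection:Prevent IRC communication\tAction blocked : Connect\n"
    "3/12/2013\t10:45:03 AM\tBlocked by Access Protection rule\tLAB\\analyst\t"
    "C:\\Program Files\\mIRC\\mirc.exe\t192.0.2.10:6667\t"
    "Anti-virus Standard Protection:Prevent IRC communication\tAction blocked : Connect\n"
    "3/12/2013\t10:46:55 AM\tBlocked by Access Protection rule\tLAB\\analyst\t"
    "C:\\Windows\\System32\\cmd.exe\tC:\\Windows\\System32\\drivers\\etc\\hosts\t"
    "Common Standard Protection:Prevent modification of hosts file\tAction blocked : Write\n"
)

FIELDS = ("date", "time", "event", "user", "process", "target", "rule", "action")


def parse_access_protection_log(text):
    """Split each tab-separated line into a dict; skip lines that do not fit."""
    entries = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != len(FIELDS):
            continue
        entries.append(dict(zip(FIELDS, parts)))
    return entries


def classify(entry):
    """'report' when the rule only logs, 'blocked' when it is enforced."""
    return "report" if entry["event"].startswith("Would be blocked") else "blocked"


def irc_rule_summary(entries, allowlist=()):
    """Per-process counts of report vs blocked hits on the IRC rule, ignoring
    known-good IRC clients named in allowlist (the whitelisting caveat above)."""
    allowed = {p.lower() for p in allowlist}
    summary = {}
    for e in entries:
        if "Prevent IRC communication" not in e["rule"]:
            continue  # other Access Protection rules are out of scope here
        if e["process"].lower() in allowed:
            continue  # whitelisted client, not worth an alert
        summary.setdefault(e["process"], Counter())[classify(e)] += 1
    return summary
```

Processes that only show up as "report" hits are the ones the rule would have stopped had it been enforced, which is the view to review before switching a rule from report to block.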