Cisco Support Community

virus access-list help

Hello all,

I have an access-list that is denying any access to eq 445. Someone had set this list up before I was here, and I assume it's for some Blaster variant or something.

The problem is one of the System guys says it's a legit service, something to do with Active Directory.

When I do "sh logging" I see thousands of hits where it denies one packet at a time from port 445 to misc IP addresses.

I do "sh access-list" and the deny 445 entry has millions of hits.

We do a network wide Symantec update and scan and find nothing.

Should I disable this 445 entry? Is it a legit service?

Thanx for any help

Accepted Solution

Re: virus access-list help

Hello,

Port 445 is SMB over TCP, or as it is now commonly referred to by Microsoft, CIFS (Common Internet File System). This is valid traffic, so internally between sites that transfer files you should not be blocking this traffic, but from external nets by all means this should be blocked.

HTH please rate any posts that were helpful.

Patrick Laidlaw
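
One way to check the denied port-445 hits from the question against the internal/external distinction drawn in the answer above, as an added example that is not part of the original thread. It assumes the router logs standard `%SEC-6-IPACCESSLOGP` messages, that the list is ACL 115, and that the internal prefixes are the RFC 1918 ranges; the sample log lines are constructed.

```python
import ipaddress
import re
from collections import Counter

# Assumption: the site's internal address space. Replace with your own prefixes.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# IOS ACL log message: "... list <acl> denied <proto> src(sport) -> dst(dport), N packet(s)"
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) denied (?P<proto>tcp|udp) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), "
    r"(?P<count>\d+) packets?")

# Constructed sample lines (not taken from the original thread).
SAMPLE_LOG = """\
Mar  1 10:00:01: %SEC-6-IPACCESSLOGP: list 115 denied tcp 10.1.1.5(445) -> 10.2.2.9(1034), 1 packet
Mar  1 10:00:02: %SEC-6-IPACCESSLOGP: list 115 denied tcp 10.2.2.9(1035) -> 10.1.1.5(445), 3 packets
Mar  1 10:00:03: %SEC-6-IPACCESSLOGP: list 115 denied tcp 203.0.113.7(3312) -> 10.1.1.5(445), 1 packet
Mar  1 10:00:04: %SEC-6-IPACCESSLOGP: list 115 denied udp 10.1.1.8(137) -> 10.2.2.255(137), 2 packets
Mar  1 10:00:05: %LINK-3-UPDOWN: Interface Serial0/0, changed state to up
"""

def is_internal(addr):
    """True if addr falls inside one of the assumed internal prefixes."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def classify_445_denies(log_text, acl="115"):
    """Count denied TCP/445 packets per (class, src, dst) for one ACL."""
    hits = Counter()
    for m in LOG_RE.finditer(log_text):
        if m["acl"] != acl or m["proto"] != "tcp":
            continue
        if "445" not in (m["sport"], m["dport"]):
            continue
        # "internal" only when both endpoints are inside the site's prefixes.
        both = is_internal(m["src"]) and is_internal(m["dst"])
        hits[("internal" if both else "external", m["src"], m["dst"])] += int(m["count"])
    return hits

def totals_by_class(hits):
    """Sum packet counts per class so the internal/external split is visible."""
    totals = Counter()
    for (kind, _src, _dst), n in hits.items():
        totals[kind] += n
    return totals

if __name__ == "__main__":
    hits = classify_445_denies(SAMPLE_LOG)
    for (kind, src, dst), n in hits.most_common():
        print(f"{kind:8} {src:>15} -> {dst:<15} {n} packet(s)")
```

A large "internal" total points to legitimate SMB traffic between sites being dropped, while "external" entries are the flows the answer says should stay blocked.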

Re: virus access-list help

Hi,

This port was meant to be blocked with regard to the W.32 Blaster Worm. The entire access list needs to be like the one below, and be applied inbound and outbound on the externally facing interface:

! block TFTP
access-list 115 deny udp any any eq 69
! block W32.Blaster related protocols
access-list 115 deny tcp any any eq 135
access-list 115 deny udp any any eq 135
! block other vulnerable MS protocols
access-list 115 deny udp any any eq 137
access-list 115 deny udp any any eq 138
access-list 115 deny tcp any any eq 139
access-list 115 deny udp any any eq 139
access-list 115 deny tcp any any eq 445
access-list 115 deny tcp any any eq 593
! block remote access due to W32.Blaster
access-list 115 deny tcp any any eq 4444
! allow all other traffic
access-list 115 permit ip any any
!
interface
 description external interface
 ip access-group 115 in
 ip access-group 115 out

Check the Security notice for the W.32 Blaster:

Cisco Security Notice: W32.BLASTER Worm Mitigation Recommendations

http://www.cisco.com/warp/public/707/cisco-sn-20030814-blaster.pdf

Regards,

Nethelper
