McAfee causes logs to fill

[BGood]

My work computer is logging 4 or so times per minute something like this:
Mar 18 14:05:05 dnsmasq[1692]: possible DNS-rebind attack detected: b-0.19-[redacted].avqs.mcafee.com

It's from my work computer so I can't mess with the computer itself, but I've been using it from home for months and I don't believe this happened before I upgraded to 386.1_2 from 384_19.

I've rebooted everything. Maybe I can suppress just these messages in some way?

 

[ColinTaylor]

Maybe I can suppress just these messages in some way?

Just disable rebind protection. WAN > Enable DNS Rebind protection = No

 

[BGood]

Isn't rebind protection useful? I was hoping to leave it on but suppress the messages.

 

[ColinTaylor]

You can make a rebind exception for the mcafee address. Add this line to /jffs/configs/dnsmasq.conf.add

rebind-domain-ok=avqs.mcafee.com

 

[BGood]

You can make a rebind exception for the mcafee address. Add this line to /jffs/configs/dnsmasq.conf.add

rebind-domain-ok=avqs.mcafee.com

I think you found the solution that lets me keep rebind protection and not get flooded with messages! Thank you!

 

[BGood]

Well, it didn't completely work, but it seems to have greatly reduced the messages. So, thanks again!

 

[ColinTaylor]

Hmm. I can't think how it could only partially work. It's either allowing avqs.mcafee.com requests or it's not.

 

[BGood]

Hmm. I can't think how it could only partially work. It's either allowing avqs.mcafee.com requests or it's not.

Well, I'm not sure what was happening on my work PC when it was blocking those requests, because it's all a black box to me. My issue was it was logging so much that I couldn't use the log for tracking down any other issues. Now I'm seeing a few of those entries. But it's possible that it was a coincidence that editing the file you suggested greatly reduced the number of related log entries. Again, since I can't see what Big Brother is doing.

Whatever the case, McAfee isn't currently abusing my logs so much that they're useless. So thanks for spending your time assisting me.

 

[BGood]

Ha, I spoke too soon. I dumped out the entire log file and I see there are certain times where the log sports LOTS of the "possible NDS-rebind attack detected" messages. Then it's quiet for a while, then another flurry of such entries.

So I guess I was just focusing on the wrong points in the logs. It seems the change may not have done anything.

But you were the only one who posted, so I'm still appreciative. I think I'll just give this up for now. I seem to have resolved my bigger issue (WAN not renewing its IP address nearly daily), which now reduces my desire to keep chasing this one.

 

[kernol]

I suggest "Disable DNS Rebind protection" [as mentioned by @ColinTaylor ] and install Unbound as your recursive DNS.
Works incredibly well for me and MANY others.

EDIT: - Also consider using Scribe to gather your log files into useful categories for later observation.
All can be done with a USB and AMTM script [built in to firmware].

 

[BGood]

I suggest "Disable DNS Rebind protection" [as mentioned by @ColinTaylor ] and install Unbound as your recursive DNS.
Works incredibly well for me and MANY others.

EDIT: - Also consider using Scribe to gather your log files into useful categories for later observation.
All can be done with a USB and AMTM script [built in to firmware].

I appreciate the suggestion, but I think this is going to take a certain level of effort that I'm not wanting to spend now. I saw many terms I'm not familiar with like "Entware" and I saw someone posting with DNS issues when Unbound didn't start, etc. I really only went with Merlin for split VPN tunneling and haven't put in time to learn about all the cool scripts and things. It does seem to add power, but I'm mostly about the Wife Acceptance Factor.

Maybe in time I'll learn a few of these things. I might look into your Scribe suggestion if I don't have to learn 5 new things before I can start to learn it! Thanks for your suggestions!

 

[kernol]

I appreciate the suggestion, but I think this is going to take a certain level of effort that I'm not wanting to spend now. I saw many terms I'm not familiar with like "Entware" and I saw someone posting with DNS issues when Unbound didn't start, etc. I really only went with Merlin for split VPN tunneling and haven't put in time to learn about all the cool scripts and things. It does seem to add power, but I'm mostly about the Wife Acceptance Factor.

Maybe in time I'll learn a few of these things. I might look into your Scribe suggestion if I don't have to learn 5 new things before I can start to learn it! Thanks for your suggestions!

Fully understand your cautionary approach - sensible to be sure .

I will stress though that I not a coder at all - and am eternally grateful to all the script writers on this forum - in particular @thelonelycoder and the inclusion of his "amtm" script which is now built into the firmware.

Just take a look at the developers website here ...
https://diversion.ch/
It explains how easy it is to get going - and believe me it very easy to install [or indeed uninstall] any of the magic add-ons.
If you can find the time - give them a whirl - you won't regret it ... and might even further impress the wife .

EDIT: Also with clicking on the Link in Merlinware - "Addons" button at the left bottom of the webgui screen - then "Help and Support" tab across the tops - it lists info on all the potential addons within amtm on a new tab in your browser.