I'm at my wits' end on this one & am hoping the EE community could lend a helping hand!
We started receiving intrusion prevention alerts on our SonicWall E5500 NSA after a recent firmware update. Of ~10 workstations, only two were triggering the alert: "IPS Prevention Alert: P2P eMule -- Obfuscated Protocol, SID: 4, Priority: Low" Source: workstation, random port; Dest: either of our DCs, port 1025
I took one of the machines offline & built a new machine for the user using a custom winXP image on different hardware. We kept the default machine name & have not had any alerts from the device, so the user is up and running for the time being.
The odd part here is that I wiped the user's old machine, reimaged using the same image as above & flashed the BIOS. I removed the object from AD, renamed the machine to its original name, and joined the domain. The alerts started again. The only commonality here (that I can think of) is the machine name. I haven't even attempted to work on the second machine in question. (Malware & rootkit scans have come up clean.)
I have since reimaged the machine from a base XP image, with no bells and/or whistles. Installed/updated A/V, ran all appropriate Win Updates, etc. The alerts started again as soon as I joined the domain - inbound to the AD server(s) over 1025.
Any thoughts/help would be appreciated. Our ultimate goal is to eradicate this & apply the same fix to the second device.