Solved

Symantec AVF 3.0 for Exchange & Symantec Antivirus 9.0 Corp

Posted on 2004-04-25
7,232 Views
Last Modified: 2007-12-19
Hi,

Can anyone shed some light on this issue?

I used to run AVF 3.0 for Exchange & SAV 8.1 Corp edition on Exchange 2000. Worked great. Whenever there was infected email, e.g. W32.Netsky.C@mm, AVF 3.0 could catch it and replace the attachment with text message, notifying me there was virus.

However, I recently upgraded SAV 8.1 to 9.0, and ever since then AVF has no longer worked properly:

- The AVF service never starts at server reboot; I have to configure the service to restart itself after failure, otherwise I have to start it manually.

- AVF cannot detect the virus properly. Instead, it tells me "detected a message with unscannable attachment"


Have tried uninstalling and reinstalling Symantec, no improvement.
Any idea? Thanks in advance!!
Question by:robinluo
 
LVL 27

Expert Comment

by:Asta Cu
ID: 10914102
I believe this will assist you.


Clients and secondary servers do not receive updates after updating Symantec AntiVirus Corporate Edition 8.x parent server with Intelligent Updater

Situation:
After updating a Symantec AntiVirus Corporate Edition parent server by using the Intelligent Updater, you find that the clients do not receive virus definitions using the Virus Definition Transport Method (VDTM).

Solution:
This is expected behavior with Symantec AntiVirus. The Intelligent Updater updates definitions by delivering a .vdb file, which was the standard method of delivery for previous versions. Symantec AntiVirus uses an .xdb file instead, which includes technology to allow incremental updates of clients. Since the Intelligent Updater does not include .xdb files, the Symantec AntiVirus server cannot update secondary servers or clients (including legacy clients) with definitions delivered by the Intelligent Updater. Similarly, Symantec AntiVirus cannot update secondary servers or clients if it has been updated manually with a .vdb file.

To update a Symantec AntiVirus server manually, download the most current .xdb file from the Symantec Security Response Web page and copy it to the server. For complete instructions, including steps to automate the process, read the document How to update virus definitions for Symantec AntiVirus Corporate Edition.

Source for more:  http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2003061714012048?OpenDocument&src=ent_hot&dtype=corp&prod=Symantec%20AntiVirus%20Corporate%20Edition&ver=9.0&tpre=
 
LVL 27

Expert Comment

by:Asta Cu
ID: 10914135
This and Intelligent Updater and more omitted above, sorry.  Long day.  Hopefully, some viable workarounds for you as well.
Did the EVENT LOGS show any problems?

http://service1.symantec.com/support/ent-security.nsf/docid/2002103012571948?Open&src=ent_hot&docid=2003061714012048&nsf=ent-security.nsf&view=docid&dtype=corp&prod=Symantec%20AntiVirus%20Corporate%20Edition&ver=9.0&osv=&osv_lvl=

How to automatically update Symantec AntiVirus Corporate Edition 8.x definitions without using LiveUpdate
http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2002091816510548?Open&src=ent_hot&docid=2002103012571948&nsf=ent-security.nsf&view=docid&dtype=corp&prod=Symantec%20AntiVirus%20Corporate%20Edition&ver=9.0&osv=&osv_lvl=

Noted similar problems to yours because system wasn't rebooted after the upgrade, and other roadblocks; this may help as well to add insight and possibilities for you.
http://search.symantec.com/custom/us/query.html
Upgrading to Symantec AntiVirus Corporate Edition 9.0 requires restarting the computer
When performing an upgrade from previous versions of Symantec AntiVirus Corporate Edition to version 9, you must restart the computer.
 
New features in Symantec AntiVirus Corporate Edition 9.0
Symantec AntiVirus™ Corporate Edition 9.0 includes a number of new and improved features. This document lists and describes what's new in this release.

Manually uninstalling Symantec AntiVirus Corporate Edition 9.x client from Windows NT/2000/ ...
This document describes how to uninstall Symantec AntiVirus Corporate Edition 9.x client from Windows NT/2000/XP or Windows Server 2003 (32-bit) manually.

How to install Symantec AntiVirus Corporate Edition 9.x clients using a logon script
This document gives step-by-step instructions to set up Symantec AntiVirus Corporate Edition 9.x client logon installation.

Four additional services appear after installing the Symantec AntiVirus Corporate Edition™ ...
You just installed only the Symantec AntiVirus Corporate Edition 9.0 client (not Symantec Client Firewall™), and you notice that four additional services are present on your computer. You want to know what they do.

Setting up Symantec AntiVirus Corporate Edition 9.x for Web-based deployment using IIS 4.x ...
This document explains how to set up Symantec AntiVirus™ Corporate Edition 9.x for Web-based deployment, using Microsoft Internet Information Server (IIS) 4.x or 5.x.

General overview of a Group Policy Object (GPO) installation using Symantec AntiVirus ...
You want a to install Symantec AntiVirus Corporate Edition 9.x using a Windows 2000 Active Directory Group Policy Object.

Many more, but hope this helps; off to work for me.  Good luck,
Asta

 
LVL 9

Author Comment

by:robinluo
ID: 10914417
Thanks Asta,

I don't really think this is a definition updating issue. AVF runs on the server end. In my case, it resides on the same server where SAV and Exchange are installed. Therefore, AVF and SAV are sharing the same virus definition file, which is always up to date via LiveUpdate.

To me, it seems to be a setting somewhere not configured properly, so AVF cannot identify a virus attachment but instead treats it as "unscannable attachment".

I will read the links you provided in your 2nd post and see if there is any hint in here. Will get back to you ASAP.
 
LVL 27

Accepted Solution

by:
Asta Cu earned 500 total points
ID: 10914455
When you had version 3 installed, you likely updated to apply this patch ...
Quote:
The Unscannable File rule is triggered and the Application Log references the attached Message Body

Situation:
You have installed Symantec AntiVirus/Filtering 3.0 for Microsoft Exchange ( AV/F for Exchange). Your Unscannable File rule is triggered. The Application Log contains a reference to the attachment "Message Body." However, the email message did not have an associated attachment.

Solution:
This problem is resolved in Symantec AntiVirus/Filtering 3.02 build 96 for Microsoft Exchange or newer. Please update to this build or to a newer version. For information on obtaining this update, see the document How to obtain an update or an upgrade for your Symantec Corporate product.


Technical Information:
The decomposer used in versions of AV/F for Exchange prior to 3.02 build 96 triggered the unscannable file rule when some message bodies and attachments could not be properly decomposed.

Unquote:

I've been looking for an equivalent for version 9, but no luck (yet).

What criteria can cause an "unscannable file" violation within Symantec AntiVirus/Filtering 3.x for Microsoft Exchange?
http://service1.symantec.com/SUPPORT/ent-gate.nsf/43bfd8ba5687ac2585256ada0047b096/75d69aeae08f38d388256bd0007e5142?OpenDocument&src=bar_sch_nam

Symantec AntiVirus/Filtering 3.0 for Microsoft Exchange (Symantec AV/Filter for MSE) is installed on your Exchange 2000 Server. When you attempt to scan a .tar file which is 1 MB or greater, an unscannable file violation message appears. Other file types do not trigger the unscannable file rule for any file size. Also many more hits or possibilities here:

A built-in feature of SMS for Exchange is Maximum Scan Time. This feature prevents attacks designed to monopolize the scanning subsystem. A time limit on the scanning subsystem maintains security and performance. The default time limit is set to 300 seconds (5 minutes). Attachments exceeding 5 minutes are unscannable and the unscannable file rule is applied.

An example of when the Maximum Scan Time needs to be changed is compressed files that expand to many times their original size and exceed the default 5-minute time limit. When this happens the file is unscannable and the unscannable file rule is applied.

http://service1.symantec.com/SUPPORT/ent-gate.nsf/eb4f48490d6380ea88256d1e0000dafc/5e40c940c806468888256d50007a146d?OpenDocument&src=bar_sch_nam
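The Maximum Scan Time passage above explains why the unscannable rule exists: an attachment that takes too long, or expands too far, to decompose is refused rather than allowed to monopolise the scanner. The following is an added example, not code from this thread or from Symantec's product, showing the same idea in Python: a zip attachment is decomposed under a time budget and a size/expansion budget, and anything that blows either budget is reported as "unscannable" rather than "clean". The 300-second default mirrors the quoted Maximum Scan Time; the 100:1 ratio and 64 MiB caps are assumptions chosen for the example, and the sample archives are constructed in memory (one harmless text file, optionally plus a miniature decompression bomb).

```python
import io
import time
import zipfile


def build_sample_zip(with_bomb: bool) -> bytes:
    """Construct a zip attachment in memory (sample data, not a real capture).

    The 'bomb' member is 8 MiB of zero bytes, which DEFLATE shrinks to a few
    KiB: a miniature decompression bomb with an expansion ratio near 1000:1.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", b"hello from a harmless attachment\n")
        if with_bomb:
            zf.writestr("bomb.bin", b"\x00" * (8 * 1024 * 1024))
    return buf.getvalue()


def scan_attachment(data: bytes,
                    max_scan_seconds: float = 300.0,
                    max_expansion_ratio: float = 100.0,
                    max_expanded_bytes: int = 64 * 1024 * 1024) -> dict:
    """Decompose a zip attachment under time and size budgets.

    Returns {"verdict": "clean" | "unscannable", "reason": str, "members": [...]}.
    Thresholds are assumptions for this example: 300 s mirrors the Maximum
    Scan Time quoted in the thread; the ratio and byte caps are illustrative.
    """
    started = time.monotonic()
    compressed_total = 0
    expanded_total = 0
    members = []

    def unscannable(reason: str) -> dict:
        return {"verdict": "unscannable", "reason": reason, "members": members}

    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return unscannable("not a valid zip archive")

    with zf:
        for info in zf.infolist():
            # Central-directory sizes are cheap to check before inflating anything.
            expanded_total += info.file_size
            compressed_total += info.compress_size
            if expanded_total > max_expanded_bytes:
                return unscannable("expanded size exceeds limit")
            if expanded_total / max(compressed_total, 1) > max_expansion_ratio:
                return unscannable("expansion ratio exceeds limit")

            # Inflate in chunks so the whole member is never held in memory at
            # once, and keep checking the clock: slow decomposition is itself
            # the attack the scan-time limit defends against.
            actual = 0
            try:
                with zf.open(info) as fh:
                    while chunk := fh.read(64 * 1024):
                        actual += len(chunk)
                        if time.monotonic() - started > max_scan_seconds:
                            return unscannable("max scan time exceeded")
            except zipfile.BadZipFile:
                return unscannable("corrupt member: " + info.filename)
            if actual != info.file_size:
                return unscannable("declared size mismatch: " + info.filename)
            members.append(info.filename)

    return {"verdict": "clean", "reason": "", "members": members}


if __name__ == "__main__":
    for label, bomb in (("clean", False), ("bomb", True)):
        print(label, scan_attachment(build_sample_zip(with_bomb=bomb)))
```

Note that the ratio check fires from the central directory alone, before a single byte of the bomb is inflated; the per-chunk clock check is what catches an archive whose headers look innocent but that is slow to decompose, which is the case the quoted Symantec text describes.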
 
LVL 27

Expert Comment

by:Asta Cu
ID: 10914481
How to verify that a Symantec corporate antivirus product is set to scan all files
Norton AntiVirus 2003 and 2004 scan all files by default. Do the following to insure that you are using the default settings.
Start Norton AntiVirus. If Norton AntiVirus is installed as a part of Norton Internet Security or Norton SystemWorks, then start that program.
Click Options. If a menu appears, click Norton AntiVirus.
When the Norton AntiVirus Options dialog box appears, in the left pane, click Manual Scan.
http://service1.symantec.com/SUPPORT/nav.nsf/docid/1999110513272906
http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2002052213125148?OpenDocument&src=sec_doc_nam&src=bar_sch_nam

Setting up Symantec AntiVirus Corporate Edition 9.x exclusions for NetWare 5.x and 6.x
http://service1.symantec.com/SUPPORT/ent-security.nsf/c9b1ac1936fbf63488256e77006521df/98f924100d58458688256e7d006a930d?OpenDocument&src=bar_sch_nam

Custom-scheduled scan settings disappear after the primary master server is restarted
http://service1.symantec.com/SUPPORT/ent-security.nsf/552ba2f7636bedf088256818006f78bf/560bcde642e0988a88256a220026ac9e?OpenDocument&src=bar_sch_nam

Symantec AntiVirus/Filtering 3.0 for Microsoft Exchange (AV/F Exchange) is installed and is enabled to protect your Exchange server. Some text attachments that are sent through the Exchange 2000 email server are quarantined for a violation of the unscannable file rule. These text attachments open normally with no sign of corruption. Duplicating the text in a new message and then sending it through the email server triggers the unscannable file rule.
http://service1.symantec.com/SUPPORT/ent-gate.nsf/43bfd8ba5687ac2585256ada0047b096/dc49830e3056b94c88256bd0007e5185?OpenDocument&src=bar_sch_nam

My thinking is that perhaps the Default settings for the old version didn't get translated to the upgrade; more here on the default settings for V3 and Server 2000
Symantec AntiVirus/Filtering 3.0 for Microsoft Exchange 2000 default settings

Situation: You want to know the default settings for a fresh installation of Symantec AntiVirus/Filtering 3.0 for Microsoft Exchange 2000 (SAVFMSE).
Solution:   This table shows the default settings:
http://service1.symantec.com/SUPPORT/ent-gate.nsf/43bfd8ba5687ac2585256ada0047b096/1729b3d86dd3964188256bd0007e4db9?OpenDocument&src=bar_sch_nam

I'm amazed at the number of possibilities that can trigger this problem, and losing my vision for the day, so off to spend time with the family.  I hope this has helped some.

Best of luck,
Asta
 
LVL 9

Author Comment

by:robinluo
ID: 10914914
Asta, thanks for your help. Your post led me to the final solution:

I need to exclude the AVF's working folder from SAV, otherwise both antivirus programs touch their hands on it (not recommended by Symantec) and hence cause trouble.

What's interesting is, I never knew this before and didn't configure this when running SAV 8.x; however, AVF worked fine at that time. Anyway, good to learn something today.

Thanks again.
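The fix above is to exclude AVF's working folder from SAV's scanning so that only one engine handles files the other is in the middle of decomposing. A cheap way to verify such an exclusion list is to check that every folder the mail scanner writes to is equal to, or beneath, some excluded folder, taking Windows path quirks into account (case-insensitive names, mixed or trailing separators, and the trap where excluding C:\AVF must not cover C:\AVFoo). The following is an added example, not from this thread or from Symantec; the folder names are placeholders, since the thread does not name AVF's actual working folders.

```python
from __future__ import annotations

import ntpath


def normalize_windows_path(path: str) -> str:
    """Canonical form for comparing Windows paths: one separator style,
    no trailing separator, case-folded (NTFS names are case-insensitive)."""
    return ntpath.normpath(path.replace("/", "\\")).casefold()


def is_excluded(path: str, exclusions: list[str]) -> bool:
    """True if `path` equals an excluded folder or lies beneath one.

    A separator is appended before the prefix test so that an exclusion for
    C:\\AVF does not accidentally cover C:\\AVFoo.
    """
    target = normalize_windows_path(path)
    for ex in exclusions:
        root = normalize_windows_path(ex)
        if target == root or target.startswith(root.rstrip("\\") + "\\"):
            return True
    return False


def uncovered(required: list[str], exclusions: list[str]) -> list[str]:
    """Folders the second scanner would still touch despite the exclusion list."""
    return [p for p in required if not is_excluded(p, exclusions)]


# Hypothetical placeholders for the mail scanner's working folders; the thread
# does not name the real ones, and a real check would take them from the
# product's configuration.
AVF_WORKING_FOLDERS = [r"D:\AVF\Work", r"D:\AVF\Quarantine"]

if __name__ == "__main__":
    print("no exclusions:", uncovered(AVF_WORKING_FOLDERS, []))
    print("one exclusion, odd spelling:", uncovered(AVF_WORKING_FOLDERS, [r"d:/avf/work/"]))
    print("parent excluded:", uncovered(AVF_WORKING_FOLDERS, [r"D:\AVF"]))
```

An empty result from `uncovered` means every working folder is covered; anything left in the list is a folder both engines would still scan, which is exactly the double-handling the thread identified as the cause.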
 
LVL 27

Expert Comment

by:Asta Cu
ID: 10918141
I'm so pleased and thank you as well; since we both learned something new in this process.  Thank you also for the fine grade and best wishes!
":0) Asta