soda0091

asked on

Exchange and viruses

I have a Windows 2000 server running Exchange 2000. On this server is Norton Corp 8.0. I have been working for this company for less than a month and I have been reading about how to remove viruses on Exchange. I understand that Exchange is very finicky and I want to be careful removing them. I have run the Symantec tools with the "nofilescan" option and it came back clean. But looking in the file real-time statistics it shows 122 infected files. How should I go about cleaning these out?
Eric

Use NAV for MSE. Don't let NAVCE scan the M drive, and exclude the logs folder etc.
soda0091

ASKER

I have Symantec AVF installed. What is NAVCE? The viruses seem to be in one folder:

D:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_df5ada7401c47a36000031aa.EML

Under real-time system scan it says that it is the W32.Netsky.

Can I run the Symantec removal tool? I know that you can include an exclusion, but can you include more than one?
I exclude the exchsrvr folder and subfolders.
NavCE is Norton Antivirus Corporate Edition

Best thing to do, if you are wary of doing this, is to do it when you are able to stop the Exchange services, and don't let the repair tool delete the files. Move them to quarantine, start the Exchange box and you should find that everything is ok.

Before you run the removal tool make sure it doesn't scan the M drive; it comes with the following warning:
"WARNING: For network administrators. If you are running MS Exchange 2000 Server, we recommend that you exclude the M drive from the scan by running the tool from a command line with the Exclude switch. For more information, read the Microsoft knowledge base article, "XADM: Do Not Back Up or Scan Exchange 2000 Drive M" (Article 298924)."

Here is a link to the MS article:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;298924

THE REMOVAL TOOL
W32.Netsky@mm Removal Tool
http://securityresponse.symantec.com/avcenter/venc/data/w32.netsky@mm.removal.tool.html
SOLUTION
Eric
ASKER CERTIFIED SOLUTION
The Symantec Corp is deployed as managed software across the network. So you are saying that I should not run any of the Symantec tools on the Exchange server? I have removed the scanning from the Exchange folders that should be omitted. I would just like to make sure that it is clean. The Symantec AVF is still showing violations. It is down considerably from yesterday. Is this normal then? I have not found anything in the Norton Corp quarantine today.
He says he has Symantec AVF installed. That is the Exchange version. ("I have Symantec AVF installed. What is NAVCE?")
Open "Symantec AVF for Exchange". Do a full scan of all mailboxes after checking for updates.
There will always be viruses in certain directories, like where we archive mail history; it's a virus hotel :o
If I scan that I have all kinds of problems :)


FYI, Symantec claims it does not matter if you have email scanning enabled on the client. Real-time protection should get it anyway. They say this in response to why NAVCE does not support OE (it supports Outlook). So why it exists ... who knows :|


FYI, it's not Exchange catching those; it's probably either real-time protection or a scheduled scan. Keep the Exchange AVF, it will save your life :D
Hi
From your post:
"The symantec corp is deployed in as managed software across the network" - Are the virus definition files up to date across the entire network and are all machines included?

"I have removed the scanning from the Exchange folders that should be omitted. I would just like to make sure that it is clean." - You need to remove the folders that have already been listed from both scanning AND real-time protection on the exchange server from configure real-time protection. Symantec CE 8 is a file-based virus scanner, which means it does just that - scans files. It is not designed to scan any of the exchange folders, as by design, exchange requires a different mechanism to effectively scan these files - and this mechanism is only provided by exchange-specific virus protection such as Symantec Mail Security for Microsoft Exchange.

Whilst real-time protection is still scanning the exchange folders and stores it can cause problems, get mail stuck in queues, report false positive virus readings - at worst bring down your exchange server if it does manage to quarantine something.

"The Symantec AVF is still showing violations" - Please confirm that this is from the real-time protection on the exchange server - if it is, reconfigure it to exclude the necessary folders and all should be well. Showing such violations is probable as scanning exchange-specific folders and stores can give false-positive reports of infection.

If you want peace of mind - go get a product specifically for exchange. If your av is set up correctly, and reports no problems then your exchange server is clean (bearing in mind that no av product is foolproof). However with your current set-up that doesn't mean that virus containing attachments in emails cannot pass through your server, which is again why you need an exchange-specific av. The scanning at the client pc's should quarantine any files present in emails so long as real-time protection for exchange is configured.

Hope this helps clarify,

Deb :))



Also remember every time to exclude in scheduled scans, virus sweeps etc...
Also if you scan the M: drive it does stuff like screw up your boss's calendar :| (not that I know :o )
Every part you need to exclude it. Except Exchange, because all that does is scan Exchange.
Isn't the Norton AVF specifically for Exchange? I have been running a manual scan since 10am and it has not found a virus yet. It has found a bunch of spam though.
Yes, it's the same. It used to be called something different, probably why people are confused. I mentioned it a few times.
"He says he has Symantec AVF installed.  That is the exchange version. ("I have Symantec AVF installed. What is NAVCE? ")"

Then you should be good to go. Like I said, my history folder has more viruses than I care to think about.
If somehow something tried to execute one, NAV would catch it; it just won't scan that folder anymore.

Oh dear! - For some reason I had just assumed that you didn't - I missed the AVF reference  - As you DO have it, prevent any scanning  - including real-time - of the exchange folders and you'll be fine.

Deb :))
I'm glad that we got that squared away. So even though it shows 123 infections in the real-time scan it should be okay then (Norton Corp)? Do these eventually go away then? I have changed the folders that both NAV and AVF are supposed to scan.
Yes. Clear the error in the Symantec console to rid you of the "!" point if you have it. If not, don't worry about it.
This is normal, don't sweat it. Sounds like you got it squared away.

Yep - you'll be fine - The "infections" are false positives - activity incorrectly identified by the scanner as virus activity (that's why everyone - Microsoft, Symantec, McAfee etc etc will tell you NOT to scan those folders). File scanning/real-time protection just doesn't work with those Exchange folders; AVF does - it can scan everything coming via email as it uses a different mechanism for scanning, and if that's saying you're ok and you're fully updated everywhere then that's as good as it's going to get.
What about setting up the spam blocker in the AVF? I noticed that it picked up over 500 spam messages when I was doing a manual scan of the mailboxes. Is there a way to configure this in order to stop the email from ever reaching the recipient?
With this it can be more difficult because of the spoofed headers etc, but yes you can catch some of it. You can create spam lists - so you can catch mail from anyone@spam.com. You can filter by subject line too, although this one was harder to configure as you can filter for wildcards etc - if you get it wrong though it will eat all your mail and releasing it from quarantine doesn't necessarily mean it's always readable. In short I haven't found it the best spam catching solution in the world for exchange. Have a look at something like gfi mail essentials,

Deb :))

I noticed this morning that it said that there were 26 virus infection violations. Is this still from the previous day? Or should I not worry? I also saw a check box for enable exchange background scanning, should this be checked?
Hi again,

Could you let us know what version and build of Symantec/Norton AV for exchange are you using? (It's a different one to mine I expect, hence some of the earlier confusion)

Deb :))

The only thing that I can find that corresponds to AVF is the shortcut. I can't seem to find the version. Any ideas?
Ok - when you open up avf, there should be an "about" link or button depending on the version. Try looking in the help menu - there could be an about link there, or have a look at the opening user interface for an about button if it's a web-based interface,

Deb :))
Are you referring to the web page that opens up? I just see help for Internet Explorer.
At the bottom - is there a button that says about?
it says 3.02.10.95
Where did you see the infection notices??
In AVF or elsewhere?

You can tell each type of filter who to send mail to or who not to, along with custom messages.

That checkbox will keep it from stealing too much CPU time; it lowers its priority.

Change who gets warnings:

Policies, content subpolicy.

Edit the policy you want. Uncheck the box next to whom you do not want to receive the message.
Ok - looks like it's probably Symantec AVF for Exchange 3.02 - so this launches a browser-based window. When you scan mailboxes and folders from here - all is well?

So where are you getting the virus notification messages from? I'm assuming that they must be from the Corporate Edition client also installed on the Exchange server? If so, then so long as you have the correct folders exempt from either scheduled scans, manual scans, or real-time protection then you should be able to just clear the alerts/logs. Can you confirm that you have excluded these files now?

Also yes you should be using exchange background scanning - it just scans the exchange store - maybe when definitions are updated - depends on your version of avf which I'm still not sure about.

Deb :))
There are 123 under file real-time scanning in Norton Corp. And under the AVF there are 15 virus violations. I'm 99.9 percent sure that the correct files are excluded. Can I clear the log files from the Norton Corp real-time scanning? I'll turn on background scanning then.
Yes - clear the files - empty quarantine in avf for exchange - enable the scanning and lets see how you do. If needs be I'll post the exact files and folders that need to be excluded from real-time scanning if we have any further problems,

Deb :))

Clear the status and see if they come back. They should not if your exclusions are correct.

They are listed above
"Exchange 2000
The Installable File System (IFS) (default location: drive M)
Exchange databases (default location: Exchsrvr\Mdbdata)
Exchange MTA files (default location: Exchsrvr\Mtadata)
Exchange temporary files: Tmp.edb
Additional log files (default location: Exchsrvr\server_name .log)
Virtual server folder (default location: Exchsrvr\Mailroot)
Site Replication Service (SRS) files (default location: Exchsrvr\Srsdata)
Internet Information Service (IIS) system files (<drive>:\Winnt\System32\Inetsrv)"
+ M drive.
I omitted the M drive as mentioned, the whole Exchsrvr folder, and the .edb extension from scanning.
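As an added example (not code from any poster in this thread), a small Python triage script that takes real-time scan detections like the one quoted earlier and separates those that fall inside the Exchange 2000 exclusion folders listed above (expected false positives, which mean the exclusions are not actually applied) from detections elsewhere on disk that still need a look. The Exchange install root is assumed from the asker's quarantine path, the IIS path assumes Windows on C:, and the alert lines are constructed.

```python
from pathlib import PureWindowsPath

# Exchange 2000 exclusion list as quoted in the thread. Install root is an
# assumption taken from the asker's path (D:\Program Files\Exchsrvr); IIS assumes C:.
EXCHSRVR = r"D:\Program Files\Exchsrvr"
EXCLUDED_DIRS = [
    "M:\\",                         # Installable File System (IFS) drive
    EXCHSRVR + r"\Mdbdata",         # Exchange databases
    EXCHSRVR + r"\Mtadata",         # MTA files
    EXCHSRVR + r"\Mailroot",        # virtual server folders (SMTP queues)
    EXCHSRVR + r"\Srsdata",         # Site Replication Service files
    r"C:\Winnt\System32\Inetsrv",   # IIS system files
]
EXCLUDED_EXTS = {".edb"}            # databases and Tmp.edb, matched by extension


def _under(path: PureWindowsPath, folder: str) -> bool:
    """Case-insensitive 'path is inside folder' test on path components."""
    parent = PureWindowsPath(folder.lower())
    return path.parts[: len(parent.parts)] == parent.parts


def is_excluded_exchange_path(raw: str) -> bool:
    """True if the detection lies in a folder file-based AV must not scan,
    i.e. the alert is an expected false positive rather than a real hit."""
    p = PureWindowsPath(raw.lower())
    if p.suffix in EXCLUDED_EXTS or any(_under(p, d) for d in EXCLUDED_DIRS):
        return True
    # Exchsrvr\<server_name>.log: a log folder named after the server
    n = len(PureWindowsPath(EXCHSRVR.lower()).parts)
    return _under(p, EXCHSRVR) and len(p.parts) > n and p.parts[n].endswith(".log")


# Constructed sample alerts: (threat name, path) as a real-time scanner logs them.
SAMPLE_ALERTS = [
    ("W32.Netsky@mm", r"D:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_df5ada7401c47a36000031aa.EML"),
    ("W32.Netsky@mm", r"M:\example.local\MBX\jsmith\Inbox\message.eml"),
    ("W32.Netsky@mm", r"D:\Program Files\Exchsrvr\Mdbdata\priv1.edb"),
    ("W32.Netsky@mm", r"C:\Documents and Settings\jsmith\Desktop\document.pif"),
]


def triage(alerts):
    """Split alerts into (expected, review): 'expected' hits sit inside the
    Exchange exclusions (fix the scanner config); 'review' hits are ordinary
    file-system detections that still need handling."""
    expected, review = [], []
    for name, path in alerts:
        (expected if is_excluded_exchange_path(path) else review).append((name, path))
    return expected, review
```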
Should be all set then.  Give it over the weekend and verify its happy.

Let's hope for the best. Is there any way to clean out the real-time scanning virus info?
Are you using the Symantec console?
Where do you actively see the info besides right-click server name (All Tasks, Logs, Virus History)?

When I double-click the Symantec icon and then type in the password to get in, I then go to the real-time scanning and it shows 123 infections.
Go to the Symantec console. Select the server in reference.
Does it have an exclamation point on it?
If so, right-click, All Tasks, Norton AntiVirus, Clear Status.

Reopen NAV and see if it's cleared. I never actually open NAV so I never noticed it where you said. I do almost all via console.
I tried to open the console and received an error. Is there any other way?
You don't use the console??? You need to get that working; it's important.
It's how you verify clients are getting updates etc. What's the error???
How did you configure the policies without the console?
How can I split points between 2 people?
At the bottom you should see "split" points which you can select - then select one answer as accepted one as assisted and assign the points to each person as you want to up to a total of 275,

Deb :))
Sounds like you got it resolved or stopped caring. heh.

Hope the better of the two.


Do I click on accept first? I don't want to leave anyone out.
As long as you've clicked split points first at the bottom (or is it top?) it's there any way, you should be ok !
How to split points
http:Q_20823671.html

Deb :))