Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Problem with NetSky on ISA Firewall server

Posted on 2004-08-05
8
Medium Priority
?
222 Views
Last Modified: 2013-11-16
Hi,

We have a Windows 2000 Sp4 server running ISA Server 2000 Sp2. Over the last few days hundreds of instances of the NetSky virus have been quarantined by Symantec Antivirus Corp Ed v9 on this server and the source is given as the 'Mail Sub-System'.

I have also noticed that a message box from the Symantec AV program keeps popping up on the ISA Server telling me that it's scanning the outbound email, leading me to believe that something sinister is hiding on the ISA Server and using it as a host the send viruses out on.

I have scanned the server and used the NetSky removal tool from Symantec but no instances of it are ever found.

Our system is configured so that only our exchange server can send outgoing smtp and we restrict outbound access to simple http / https / dns and ftp downloads for everything else.

It's confusing me because I can't detect the virus in a scan but it's still quarantining them.

Regards,

Robert
0
Comment
Question by:rhedley
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
8 Comments
 
LVL 2

Accepted Solution

by:
MichealLow earned 2000 total points
ID: 11733686
The virus is coming from your network. Any PC on the network (might be your exchange server)that infected with the Netsky virus will try push the mail out via ISA server. Try to check the SMTP log where is the source of the virus mail.
0
 

Author Comment

by:rhedley
ID: 11735142
Thanks, I will investigate this on the whole network.

Since I posted this message, Symantec Antivirus is finding viruses in the following folder on the ISA server:

C:\Documents and Settings\Administrator\Local Settings\Temp

The files it is catching are named something like CC228.tmp

Would this still indicate that there is a virus elsewhere on the network?

Regards,

Robert
0
 
LVL 4

Expert Comment

by:shard26
ID: 11748176
Maybe, maybe not. Have you run a scan on all your workstations? Did you delete the infected file on the ISA server?
0
What Is Blockchain Technology?

Blockchain is a technology that underpins the success of Bitcoin and other digital currencies, but it has uses far beyond finance. Learn how blockchain works and why it is proving disruptive to other areas of IT.

 

Author Comment

by:rhedley
ID: 11750800
Hi There,

Yes we have scanned all the machines on our network, including the servers and nothing has been found.

Each time I delete the files from the quarantine new ones appear as it catches more.

Regards,

Robert
0
 
LVL 4

Expert Comment

by:shard26
ID: 11788127
Are they only re-appearing on the ISA server?

What virus does it find?


0
 
LVL 4

Expert Comment

by:shard26
ID: 11788137
Make sure delete everything from the quarantine as well.
0
 

Author Comment

by:rhedley
ID: 11788158
Hi,

Yes they only appear on the isa server, it's finding netsky.p@mm

I have deleted everything from the qurantine and any quarantine files hidden in the Documents and Settings folders.

Regards,

Robert
0
 
LVL 1

Expert Comment

by:Ev-
ID: 11899764
If the configuration of the ISA server to exchange does not require you to have the SMTP virtual service operating on the ISA server disable it.

Users mail will still get out through the exchange server as client -> server is MAPI not SMTP.

Worth a shot.
0

Featured Post

Looking for the Wi-Fi vendor that's right for you?

We know how difficult it can be to evaluate Wi-Fi vendors, so we created this helpful Wi-Fi Buyer's Guide to help you find the Wi-Fi vendor that's right for your business! Download the guide and get started on our checklist today!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The well known Cerber ransomware continues to spread this summer through spear phishing email campaigns targeting enterprises. Learn how it easily bypasses traditional defenses - and what you can do to protect your data.
What we learned in Webroot's webinar on multi-vector protection.
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…
This video Micro Tutorial shows how to password-protect PDF files with free software. Many software products can do this, such as Adobe Acrobat (but not Adobe Reader), Nuance PaperPort, and Nuance Power PDF, but they are not free products. This vide…

721 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question