Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Problem with NetSky on ISA Firewall server

Posted on 2004-08-05
8
Medium Priority
?
223 Views
Last Modified: 2013-11-16
Hi,

We have a Windows 2000 Sp4 server running ISA Server 2000 Sp2. Over the last few days hundreds of instances of the NetSky virus have been quarantined by Symantec Antivirus Corp Ed v9 on this server and the source is given as the 'Mail Sub-System'.

I have also noticed that a message box from the Symantec AV program keeps popping up on the ISA Server telling me that it's scanning the outbound email, leading me to believe that something sinister is hiding on the ISA Server and using it as a host the send viruses out on.

I have scanned the server and used the NetSky removal tool from Symantec but no instances of it are ever found.

Our system is configured so that only our exchange server can send outgoing smtp and we restrict outbound access to simple http / https / dns and ftp downloads for everything else.

It's confusing me because I can't detect the virus in a scan but it's still quarantining them.

Regards,

Robert
0
Comment
Question by:rhedley
8 Comments
 
LVL 2

Accepted Solution

by:
MichealLow earned 2000 total points
ID: 11733686
The virus is coming from your network. Any PC on the network (might be your exchange server)that infected with the Netsky virus will try push the mail out via ISA server. Try to check the SMTP log where is the source of the virus mail.
0
 

Author Comment

by:rhedley
ID: 11735142
Thanks, I will investigate this on the whole network.

Since I posted this message, Symantec Antivirus is finding viruses in the following folder on the ISA server:

C:\Documents and Settings\Administrator\Local Settings\Temp

The files it is catching are named something like CC228.tmp

Would this still indicate that there is a virus elsewhere on the network?

Regards,

Robert
0
 
LVL 4

Expert Comment

by:shard26
ID: 11748176
Maybe, maybe not. Have you run a scan on all your workstations? Did you delete the infected file on the ISA server?
0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 

Author Comment

by:rhedley
ID: 11750800
Hi There,

Yes we have scanned all the machines on our network, including the servers and nothing has been found.

Each time I delete the files from the quarantine new ones appear as it catches more.

Regards,

Robert
0
 
LVL 4

Expert Comment

by:shard26
ID: 11788127
Are they only re-appearing on the ISA server?

What virus does it find?


0
 
LVL 4

Expert Comment

by:shard26
ID: 11788137
Make sure delete everything from the quarantine as well.
0
 

Author Comment

by:rhedley
ID: 11788158
Hi,

Yes they only appear on the isa server, it's finding netsky.p@mm

I have deleted everything from the qurantine and any quarantine files hidden in the Documents and Settings folders.

Regards,

Robert
0
 
LVL 1

Expert Comment

by:Ev-
ID: 11899764
If the configuration of the ISA server to exchange does not require you to have the SMTP virtual service operating on the ISA server disable it.

Users mail will still get out through the exchange server as client -> server is MAPI not SMTP.

Worth a shot.
0

Featured Post

[Webinar] Cloud and Mobile-First Strategy

Maybe you’ve fully adopted the cloud since the beginning. Or maybe you started with on-prem resources but are pursuing a “cloud and mobile first” strategy. Getting to that end state has its challenges. Discover how to build out a 100% cloud and mobile IT strategy in this webinar.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Let's take a look into the basics of ransomware—how it spreads, how it can hurt us, and why a disaster recovery plan is important.
This article is about my experience upgrading my consulting machine to Windows 10 Version 1709 (The Fall 2017 Creator Update)
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…
When cloud platforms entered the scene, users and companies jumped on board to take advantage of the many benefits, like the ability to work and connect with company information from various locations. What many didn't foresee was the increased risk…

876 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question