• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 225
  • Last Modified:

Problem with NetSky on ISA Firewall server

Hi,

We have a Windows 2000 Sp4 server running ISA Server 2000 Sp2. Over the last few days hundreds of instances of the NetSky virus have been quarantined by Symantec Antivirus Corp Ed v9 on this server and the source is given as the 'Mail Sub-System'.

I have also noticed that a message box from the Symantec AV program keeps popping up on the ISA Server telling me that it's scanning the outbound email, leading me to believe that something sinister is hiding on the ISA Server and using it as a host the send viruses out on.

I have scanned the server and used the NetSky removal tool from Symantec but no instances of it are ever found.

Our system is configured so that only our exchange server can send outgoing smtp and we restrict outbound access to simple http / https / dns and ftp downloads for everything else.

It's confusing me because I can't detect the virus in a scan but it's still quarantining them.

Regards,

Robert
0
rhedley
Asked:
rhedley
1 Solution
 
MichealLowCommented:
The virus is coming from your network. Any PC on the network (might be your exchange server)that infected with the Netsky virus will try push the mail out via ISA server. Try to check the SMTP log where is the source of the virus mail.
0
 
rhedleyAuthor Commented:
Thanks, I will investigate this on the whole network.

Since I posted this message, Symantec Antivirus is finding viruses in the following folder on the ISA server:

C:\Documents and Settings\Administrator\Local Settings\Temp

The files it is catching are named something like CC228.tmp

Would this still indicate that there is a virus elsewhere on the network?

Regards,

Robert
0
 
shard26Commented:
Maybe, maybe not. Have you run a scan on all your workstations? Did you delete the infected file on the ISA server?
0
Will You Be GDPR Compliant by 5/28/2018?

GDPR? That's a regulation for the European Union. But, if you collect data from customers or employees within the EU, then you need to know about GDPR and make sure your organization is compliant by May 2018. Check out our preparation checklist to make sure you're on track today!

 
rhedleyAuthor Commented:
Hi There,

Yes we have scanned all the machines on our network, including the servers and nothing has been found.

Each time I delete the files from the quarantine new ones appear as it catches more.

Regards,

Robert
0
 
shard26Commented:
Are they only re-appearing on the ISA server?

What virus does it find?


0
 
shard26Commented:
Make sure delete everything from the quarantine as well.
0
 
rhedleyAuthor Commented:
Hi,

Yes they only appear on the isa server, it's finding netsky.p@mm

I have deleted everything from the qurantine and any quarantine files hidden in the Documents and Settings folders.

Regards,

Robert
0
 
Ev-Commented:
If the configuration of the ISA server to exchange does not require you to have the SMTP virtual service operating on the ISA server disable it.

Users mail will still get out through the exchange server as client -> server is MAPI not SMTP.

Worth a shot.
0

Featured Post

Upgrade your Question Security!

Your question, your audience. Choose who sees your identity—and your question—with question security.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now