Solved

Problem with NetSky on ISA Firewall server

Posted on 2004-08-05
8
217 Views
Last Modified: 2013-11-16
Hi,

We have a Windows 2000 Sp4 server running ISA Server 2000 Sp2. Over the last few days hundreds of instances of the NetSky virus have been quarantined by Symantec Antivirus Corp Ed v9 on this server and the source is given as the 'Mail Sub-System'.

I have also noticed that a message box from the Symantec AV program keeps popping up on the ISA Server telling me that it's scanning the outbound email, leading me to believe that something sinister is hiding on the ISA Server and using it as a host the send viruses out on.

I have scanned the server and used the NetSky removal tool from Symantec but no instances of it are ever found.

Our system is configured so that only our exchange server can send outgoing smtp and we restrict outbound access to simple http / https / dns and ftp downloads for everything else.

It's confusing me because I can't detect the virus in a scan but it's still quarantining them.

Regards,

Robert
0
Comment
Question by:rhedley
8 Comments
 
LVL 2

Accepted Solution

by:
MichealLow earned 500 total points
ID: 11733686
The virus is coming from your network. Any PC on the network (might be your exchange server)that infected with the Netsky virus will try push the mail out via ISA server. Try to check the SMTP log where is the source of the virus mail.
0
 

Author Comment

by:rhedley
ID: 11735142
Thanks, I will investigate this on the whole network.

Since I posted this message, Symantec Antivirus is finding viruses in the following folder on the ISA server:

C:\Documents and Settings\Administrator\Local Settings\Temp

The files it is catching are named something like CC228.tmp

Would this still indicate that there is a virus elsewhere on the network?

Regards,

Robert
0
 
LVL 4

Expert Comment

by:shard26
ID: 11748176
Maybe, maybe not. Have you run a scan on all your workstations? Did you delete the infected file on the ISA server?
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 

Author Comment

by:rhedley
ID: 11750800
Hi There,

Yes we have scanned all the machines on our network, including the servers and nothing has been found.

Each time I delete the files from the quarantine new ones appear as it catches more.

Regards,

Robert
0
 
LVL 4

Expert Comment

by:shard26
ID: 11788127
Are they only re-appearing on the ISA server?

What virus does it find?


0
 
LVL 4

Expert Comment

by:shard26
ID: 11788137
Make sure delete everything from the quarantine as well.
0
 

Author Comment

by:rhedley
ID: 11788158
Hi,

Yes they only appear on the isa server, it's finding netsky.p@mm

I have deleted everything from the qurantine and any quarantine files hidden in the Documents and Settings folders.

Regards,

Robert
0
 
LVL 1

Expert Comment

by:Ev-
ID: 11899764
If the configuration of the ISA server to exchange does not require you to have the SMTP virtual service operating on the ISA server disable it.

Users mail will still get out through the exchange server as client -> server is MAPI not SMTP.

Worth a shot.
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Pop culture is prime bait for hackers seeking to infect user’s computers and mobile devices with malicious malware. Hackers know exactly what the latest trends are online and know how to use them to their advantage.
How do we balance the user experience (UX) with reasonable security measures? It can be done, if you keep these fundamentals in mind.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…

776 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question