Solved

Problem with NetSky on ISA Firewall server

Posted on 2004-08-05
8
215 Views
Last Modified: 2013-11-16
Hi,

We have a Windows 2000 Sp4 server running ISA Server 2000 Sp2. Over the last few days hundreds of instances of the NetSky virus have been quarantined by Symantec Antivirus Corp Ed v9 on this server and the source is given as the 'Mail Sub-System'.

I have also noticed that a message box from the Symantec AV program keeps popping up on the ISA Server telling me that it's scanning the outbound email, leading me to believe that something sinister is hiding on the ISA Server and using it as a host the send viruses out on.

I have scanned the server and used the NetSky removal tool from Symantec but no instances of it are ever found.

Our system is configured so that only our exchange server can send outgoing smtp and we restrict outbound access to simple http / https / dns and ftp downloads for everything else.

It's confusing me because I can't detect the virus in a scan but it's still quarantining them.

Regards,

Robert
0
Comment
Question by:rhedley
8 Comments
 
LVL 2

Accepted Solution

by:
MichealLow earned 500 total points
ID: 11733686
The virus is coming from your network. Any PC on the network (might be your exchange server)that infected with the Netsky virus will try push the mail out via ISA server. Try to check the SMTP log where is the source of the virus mail.
0
 

Author Comment

by:rhedley
ID: 11735142
Thanks, I will investigate this on the whole network.

Since I posted this message, Symantec Antivirus is finding viruses in the following folder on the ISA server:

C:\Documents and Settings\Administrator\Local Settings\Temp

The files it is catching are named something like CC228.tmp

Would this still indicate that there is a virus elsewhere on the network?

Regards,

Robert
0
 
LVL 4

Expert Comment

by:shard26
ID: 11748176
Maybe, maybe not. Have you run a scan on all your workstations? Did you delete the infected file on the ISA server?
0
 

Author Comment

by:rhedley
ID: 11750800
Hi There,

Yes we have scanned all the machines on our network, including the servers and nothing has been found.

Each time I delete the files from the quarantine new ones appear as it catches more.

Regards,

Robert
0
IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

 
LVL 4

Expert Comment

by:shard26
ID: 11788127
Are they only re-appearing on the ISA server?

What virus does it find?


0
 
LVL 4

Expert Comment

by:shard26
ID: 11788137
Make sure delete everything from the quarantine as well.
0
 

Author Comment

by:rhedley
ID: 11788158
Hi,

Yes they only appear on the isa server, it's finding netsky.p@mm

I have deleted everything from the qurantine and any quarantine files hidden in the Documents and Settings folders.

Regards,

Robert
0
 
LVL 1

Expert Comment

by:Ev-
ID: 11899764
If the configuration of the ISA server to exchange does not require you to have the SMTP virtual service operating on the ISA server disable it.

Users mail will still get out through the exchange server as client -> server is MAPI not SMTP.

Worth a shot.
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

Article by: btan
Provide an easy one stop to quickly get the relevant information on common asked question on Ransomware in Expert Exchange.
Never store passwords in plain text or just their hash: it seems a no-brainier, but there are still plenty of people doing that. I present the why and how on this subject, offering my own real life solution that you can implement right away, bringin…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

706 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now