Bagle virus attacking network.  Help!

Posted on 2004-11-11
Last Modified: 2013-12-04
Hi, I have a network of about 15 workstations, and one File/Email server running Microsoft SBS 2000, with Exchange 2000.  Just this week the email system started acting up, with emails being returned undeliverable etc.  AVG Network edition antivirus found the BAGLE.AZ virus existed in two files located at C:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue.  Both of the files were .EML files.

I had AVG remove the files, but each day two or three will reappear.  In addition, my users have been getting lots of emails containing the Bagle virus.  From what I can see, most of these viruses are being caught by the AVG on their workstations and put into the virus vault.

So my questions are this:

-What steps should I take to find out what exactly is happening to my server?  Things seem to be getting held up in the queue.

-I have heard that it is not good to use a normal file server anti-virus to scan Exchange files as I have been doing.  Is this the case?  Why?


Question by:Brian1
    LVL 6

    Expert Comment

    Brian,  =]

    Yes, AVG will pick it up. However, if you want to protect your exchange server:
    Trend Micro Client/Server/Messaging Suite is great.
    "Trend Micro Client/Server/Messaging Suite provides a powerful, multi-layered defense against viruses, spyware, and other malicious code, to protect mail servers, file servers, and desktops. The suite of integrated products can be remotely configured and managed to create the right mix of security and performance for any organization."

    That link will provide you with all the features, benefits and info on the product. Also gives a 30 evaluation trial.

    If you'd like to keep AVG and just addon security for exchange server, I recommend:

    GFI MailSecurity: TO KEEP worms/viruses/spyware out of your mail servers.  

    GFI LANguard: This is a wonderful program to perform security audits and receive alerts of attacks and other critical events.

    GFI products are a little on the higher budget side, however very effective products. Please advise if you have any questions or comments. I wouldn't rely on it to protect your exchange server.

    Let me know if you have any questions or concerns!!

    good luck,

    LVL 1

    Author Comment

    Thank you for your comments Jorden, but unfortunately they really don't specifically answer my questions.
    LVL 20

    Expert Comment

    Basically you need software that's specifically designed to be able to scan incoming and outgoing email on an exchange server. Using a file level scanner can result in the AV mistakenly identifying exchange logs etc. as virus files and quarantining them, which will bring your exchange server to a huge grinding halt. File level scanners on an exchange server are fine so long as you exclude relevant files and folders from real-time protection or manual scanning.
    Exchange and antivirus software
    Am not sure which specific version of AVG you're using but on the link below it's not for exchange server per se,
    AVG Network Edition
    You'd need the Email Server Edition:
    AVG Email Server Edition
    Sounds like you're picking up viruses ok at the client side, but you really need to detect them at the server side - hence an exchange aware email product is required. I use Symantec Corporate 8 at the moment for the servers and clients, with specific folders and files excluded for exchange at the file level, and the Symantec AV/Filtering  for Exchange deployed on the exchange server, so I can advise on principle but not on specifics for the product you're using,

    Deb :))
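Added example (not part of the original thread): a Python check for the situation the comment above describes, flagging antivirus detections that fall inside Exchange working directories, which means the file-level scanner is acting on Exchange data instead of excluding it. The directory list (default Exchange 2000 folders under `C:\Program Files\Exchsrvr`) and the `timestamp|threat|path` log format are assumptions, and the log lines are constructed.

```python
from pathlib import PureWindowsPath

# Assumption: default Exchange 2000 working folders under the install root.
# Only Mailroot appears in the thread; adjust the list to the real server.
EXCHANGE_ROOT = PureWindowsPath(r"C:\Program Files\Exchsrvr")
EXCLUDED_DIRS = [EXCHANGE_ROOT / d
                 for d in ("Mdbdata", "Mtadata", "Mailroot", "Srsdata")]

# Constructed sample records in a hypothetical "timestamp|threat|path" format.
SAMPLE_LOG = [
    r"2004-11-10 09:12|Bagle.AZ|C:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\a1.eml",
    r"2004-11-10 09:40|Bagle.AZ|c:\program files\exchsrvr\MDBDATA\priv1.edb",
    r"2004-11-10 10:02|Bagle.AZ|C:\Documents and Settings\user1\Desktop\price.zip",
    r"2004-11-10 10:05|Bagle.AZ|C:\Program Files\Exchsrvr\Mailroot2\copy.eml",
]


def _parts(path):
    """Windows paths are case-insensitive, so compare lower-cased components."""
    return tuple(p.lower() for p in PureWindowsPath(path).parts)


def exchange_dir_for(path):
    """Return the Exchange working directory that contains path, or None."""
    parts = _parts(path)
    for d in EXCLUDED_DIRS:
        prefix = _parts(d)
        # Whole-component prefix match: "Mailroot2" must not match "Mailroot".
        if parts[:len(prefix)] == prefix:
            return str(d)
    return None


def audit_detections(lines):
    """Split detections into those inside Exchange directories and the rest."""
    inside, outside = [], []
    for line in lines:
        if not line.strip():
            continue
        timestamp, threat, path = line.strip().split("|", 2)
        hit = exchange_dir_for(path)
        (inside if hit else outside).append((timestamp, threat, path, hit))
    return inside, outside


if __name__ == "__main__":
    inside, outside = audit_detections(SAMPLE_LOG)
    for ts, threat, path, hit in inside:
        print(f"{ts} {threat}: file-level scanner acted inside {hit} -> {path}")
    print(f"{len(outside)} detection(s) outside Exchange directories")
```

Any record in the first list points at a folder that should be excluded from file-level scanning and covered by an Exchange-aware scanner instead.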
    LVL 6

    Accepted Solution


    The issue is on the exchange server, you have viruses coming in that aren't being filtered out. So the software I suggested gives you different approaches on this issue.

    1) "What steps should I take to find out what exactly is happening to my server?  Things seem to be getting held up in the queue"

    If you had protection on the exchange server, so it would prevent these infected files, then the virus would never be able to get to the workstations. That is the goal here, so that is why I recommend TrendMicro, even better GFI products.

    2) "I have heard that it is not good to use a normal file server anti-virus to scan Exchange files as I have been doing.  Is this the case?  Why?"

    Yes, this is the case. For your exchange server you need stronger protection, unless you want to have the virus hit all the workstations. Now, I'm not saying you're not safe, even though it's hitting the workstations, they aren't being infected. However, why have numerous workstations with viruses in the queue or AVG's vault, when you can stop them at the server??

    That is why I recommended the products above. I did misread where you have AVG network edition. So all you really need is protection for the exchange server to prevent virus/attacks from spreading through your network. In which case I apologize for my above post, and leads me to recommend:

    GFI MailSecurity: TO KEEP worms/viruses/spyware out of your mail servers.  

    Please advise if you have any questions or concerns, or if you feel this is still not what you're looking for.

    Thanks in advance,

