Solved

Virus in Exchange Server

Posted on 2005-03-22
Medium Priority
205 Views
Last Modified: 2010-04-11
Hi,

   Just curious to know whether the virus has been contained on our Exchange Server. Before I installed Symantec Mail Security for Exchange we had Symantec Antivirus Corporate Edition running on the server. The Corporate Edition was useless in detecting viruses on the Exchange Server. Even when I did a full system scan excluding the M-drive, the Corporate Edition still showed the system was clean. Now, after installing the Antivirus for Exchange, our server went crazy, detecting all kinds of viruses like different variants of the Netsky and Beagle viruses. The Antivirus for Exchange seems to delete the files fine for whatever viruses were generating the alerts. I tried to do a manual scan on the Exchange Server using the Antivirus for Exchange a day after, and now it too is not detecting any virus. Should I say it is safe that our server is now virus free? I have scanned all of the client computers using the Corporate Edition and they show no sign of virus infection. Is it safe to say that the network is now free of viruses? What can I do to ensure this if I am using both the Corporate Edition and the Antivirus for Exchange to scan and they show no sign of infection? What other steps do I need to take to guarantee that the server is virus free?

Nicolas
Question by:SolverSurfer
7 Comments
 
LVL 2

Accepted Solution

by:
BigSi earned 1000 total points
ID: 13599802
I get the feeling the Corporate Edition cannot scan emails in the Exchange database, which is why it did not pick anything up.
When you are running an Exchange server, you need to run a product that is able to access all the mailboxes to scan the emails within the Exchange database.

Even though your anti-virus product found viruses on your Exchange server, it doesn't mean that your server has actually been infected by the viruses - it's just that the anti-virus product has found infected files that will infect a system if the file is executed.

Since your AV product found loads of infected files on the Exchange system, I would make sure all your network client machines have been thoroughly scanned and make sure that they have the latest Windows and Office (if you use MS Office) updates.

It might be worth running a different make of anti-virus product on some of the client machines to make sure you are picking up everything - also check your AV definitions are up to date.
I think McAfee have a free virus tool called Stinger (you will need to Google it since it's quite hard to find on the McAfee site nowadays). Stinger should be used on the client machines and will detect a lot of the major viruses that are out there at the moment.

I use Sophos on my server, where we have about 50 people on the network - I am very happy with this product as it updates pretty much every hour and rolls out the updates across the network without me having to do anything.

Hope this helps!


 
LVL 2

Expert Comment

by:BigSi
ID: 13599818
-It's also possible the change in anti-virus product means the new one is scanning a quarantine folder which the old anti-virus product had created.

-Si.
 
LVL 20

Assisted Solution

by:nedvis
nedvis earned 1000 total points
ID: 13605678
"... The (Norton AV) Corporate edition was useless in detecting viruses in the Exchange Server." I totally agree with the statement.
Even if a virus was detected in a message, the standard NAV CE report for "Action taken" will read: LEFT ALONE. God!!!
_____________________
I'm not at my server currently so I can't recall the exact folder name within MSExchange, but there is one that contains the word "...BAD" (note: all uppercase). You can safely delete all files within that particular folder. These are actually backup copies of infected messages.
I learned the trick from the ProSweep online virus scanner ( http://www.command2.co.uk ), an excellent free handy-dandy tool for my aging Win 2000 Small Business Server, capable of scanning even all shared folders on the network.
Dealing with Badmail
http://hellomate.typepad.com/exchange/2003/07/dealing_with_ba.html
Black Holes
http://hellomate.typepad.com/exchange/2003/07/black_holes_not.html
____________________

Also run RootkitRevealer - download it here:
http://www.sysinternals.com/ntw2k/freeware/rootkitreveal.shtml
(RootkitRevealer is an advanced patent-pending root kit detection utility. It runs on Windows NT 4 and higher and its output lists Registry and file system API discrepancies that may indicate the presence of a user-mode or kernel-mode rootkit.  RootkitRevealer successfully detects all persistent rootkits published at www.rootkit.com, including AFX, Vanquish and HackerDefender.)
____________________
good luck
 nedvis
 
LVL 12

Expert Comment

by:rossfingal
ID: 13610810
Hi!

Just to add a note to nedvis' good advice above:
before you run "Rootkit Revealer", change its name to something random and
then run it - something like domqklyuosde.exe
Some of these rootkits are being configured to block "Rootkit Revealer"!  :(
"HackerDefender" in particular.

Good luck!

RF
 
LVL 12

Expert Comment

by:rossfingal
ID: 13612653
Hi!

Well, you don't have to worry about changing "Rootkit Revealer's" name -
Sysinternals has already fixed that:
http://blogs.msdn.com/robert_hensing/archive/2005/03/23/400934.aspx

Cheers!

RF