ethernet69

Virus Clean-up issues

Hi-

A few weeks ago, one of my clients' Win2K3 SBS server (running Exchange 2003) got infected with a virus (they had ignored my pleas for installing A/V software, so it never got done. Lo and behold, they finally got a virus infection...go figure!). Of course, yours truly was left to clean up the mess, but that's why they hired me in the first place. It took a long time, and I don't know the name of the virus, since it ran on the server undetected, even AFTER installing A/V software with updated vdefs, and running multiple scans. However, I eventually located the offending EXE (it was a re-generating mutex), and was eventually able to kill it using a tool called "KillBox." This trojan had turned the server into a spamming Zombie [server] and was sending out thousands of spam messages at once. My client is not totally convinced that the server is totally clean, in part because every night around 10-11PM the Exchange information store (store.exe) process runs a higher RAM utilization, which triggers an e-mail event to us (the administrators) - this time of day was usually when the trojan would kick-up its spam-sending activity before we "cleaned" it. Below is the Alert message that is sent nightly:

"Alert on <servername> at 10/28/2006 11:10:10 PM
The store.exe process is allocating more memory than usual.
Check to see if you are having problems with e-mail. If so, stop and then restart the Microsoft Exchange Information Store service.
You can disable this alert or change its threshold by using the Change Alert Notifications task in the Server Management Monitoring and Reporting taskpad."


Ok, after all that "background" information, here's my ACTUAL question:

Do you know of a utility (Microsoft OR third-party) that can create a report of the number of outbound messages on an hourly schedule, and possibly show me the outbound message numbers over the past 24 hours, to where we can see a trend in elevation of the outbound mail queue? I would like to see if there are message spikes at certain times of the day.

Any help would be greatly appreciated.

Thanks,
Brian
Sembee

SBS can do that on its own. There are reporting functions built in.

Otherwise you could enable Message Tracking and then run some processes against the logs it processes.
http://www.amset.info/exchange/message-tracking.asp

However I would start with the built in reporting and see what that says.

Simon.
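
Added example, not part of Sembee's reply and not Exchange's own tooling: one way to "run some processes against the logs" is to bucket outbound-transfer events by hour and flag hours far above the median. The tab-separated layout, the column names (Date, Time, Event-ID) and event ID 1031 are assumptions to check against the header of your own tracking log; the sample lines are constructed.

```python
from collections import Counter
from statistics import median

# Constructed sample, not real server data. Column names and the event ID
# for "outbound transfer finished" are assumptions; verify them against
# the header line of your own message tracking log.
SAMPLE_LOG = "\n".join(
    ["# Message Tracking Log File", "# Date\tTime\tEvent-ID\tSender-Address"]
    + [f"2006-10-28\t{h}:{m:02d}:00 GMT\t1031\tuser@example.com"
       for h, n in ((9, 3), (14, 4), (20, 2), (23, 40)) for m in range(n)]
    + ["2006-10-28\t23:05:00 GMT\t1028\tuser@example.com"]  # not outbound
)

def hourly_outbound(log_text, outbound_event="1031"):
    """Count outbound-transfer events per (date, hour) bucket."""
    counts, idx = Counter(), None
    for line in log_text.splitlines():
        row = line.split("\t")
        if line.startswith("#"):
            # The header line names the columns; locate fields by name.
            names = [c.lstrip("# ").strip().lower() for c in row]
            if all(k in names for k in ("date", "time", "event-id")):
                idx = [names.index(k) for k in ("date", "time", "event-id")]
            continue
        if idx is None or len(row) <= max(idx):
            continue  # no header seen yet, blank line, or truncated record
        date, time, event = (row[i].strip() for i in idx)
        if event != outbound_event:
            continue
        # Hours are taken as written in the log (no timezone conversion).
        counts[(date, int(time.split(":")[0]))] += 1
    return counts

def spike_hours(counts, factor=3.0):
    """Return buckets whose count exceeds factor x the median active hour."""
    if not counts:
        return []
    baseline = median(counts.values())
    return sorted(k for k, v in counts.items() if v > factor * baseline)

if __name__ == "__main__":
    per_hour = hourly_outbound(SAMPLE_LOG)
    for (date, hour), n in sorted(per_hour.items()):
        print(f"{date} {hour:02d}:00  {n}")
    print("spikes:", spike_hours(per_hour))
```

Run nightly over the previous day's log, the flagged hours can be compared with the time of the store.exe alert.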
ethernet69

ASKER

Simon-

I don't want to do message tracking, but rather I want to check the 'state' of the SMTP queue - I checked SBS reporting, but found nothing obvious in the Performance/Usage reports section that would show what I want to know :-(

Brian
ASKER CERTIFIED SOLUTION
Sembee
This solution is only available to members.