Solved

Virus in exchange Mail Store

Posted on 2007-12-01
Last Modified: 2013-12-09
I have a Windows 2003 Server running Exchange 2003. It currently has a copy of McAfee 8.5i running on the system with the standard Exchange server folders being excluded. I have the database being indexed at night, and each night I'm getting the following virus alert when the index starts, in the following directory:

C:\WINDOWS\TEMP\gthrsvc

When I viewed the directory, the file referenced as a virus is still located in it.

Event Type:      Error
Event Source:      McLogEvent
Event Category:      None
Event ID:      259
Date:            11/29/2007
Time:            11:45:04 PM
User:            NT AUTHORITY\SYSTEM
Computer:      EXPRESS
Description:
The file C:\WINDOWS\TEMP\gthrsvc\flt428_6000.eml contains the W32/Zhelatin.gen!eml Virus. Undetermined clean error, delete failed. Detected using Scan engine version 5200.2160 DAT version 5174.0000.

Some Web threads discuss excluding this folder as well from virus software, but I'm concerned that it may already be in the Mail Store and ready to create a potential problem if left alone.

Is this an indication that I have a virus inside of the Mail Store that will need some form of Exchange-aware antivirus product? Is there a way to close the mail store and repair the problem with my standard antivirus product? Should GFI Mail Security be able to catch a problem like this in a mail store? Or is this just an issue with a folder that has remnants of an infected file that I just shouldn't have scanned?
Question by:livn4hymm
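The alert in the question is the description text of a McAfee McLogEvent event (ID 259). Below is an added example, not code from the question, the answers, McAfee or Exchange, that parses that description text, pulls out the file path, threat name, scanner action and engine/DAT versions, and then triages each detection: was the file actually removed, and does the path sit inside a folder that is supposed to be excluded from on-access scanning? The exclusion list and the second sample event are constructed for the example; the MDBDATA path is an assumed default Exchange 2003 location, not something stated in the thread.

```python
import re
from dataclasses import dataclass
from typing import Optional, Sequence

# Constructed sample input. The first entry is the description text from the
# question's event (with the DAT version wrapped onto a new line, as it was
# posted); the second is a made-up event showing a successful removal.
SAMPLE_EVENTS = [
    "The file C:\\WINDOWS\\TEMP\\gthrsvc\\flt428_6000.eml contains the "
    "W32/Zhelatin.gen!eml Virus. Undetermined clean error, delete failed. "
    "Detected using Scan engine version 5200.2160 DAT version\n5174.0000.",
    "The file C:\\Documents and Settings\\user\\Local Settings\\Temp\\eicar.com "
    "contains the EICAR-Test-File Virus. Deleted successfully. "
    "Detected using Scan engine version 5200.2160 DAT version 5174.0000.",
]

# Assumed exclusion list (example only): the Exchange database folder that a
# file-level scanner must not touch. Real deployments take this from the
# vendor's documented exclusion set.
EXAMPLE_EXCLUSIONS = [r"C:\Program Files\Exchsrvr\MDBDATA"]


@dataclass
class Detection:
    path: str
    threat: str
    action: str   # what the scanner says it did, e.g. "delete failed"
    engine: str
    dat: str

    @property
    def removal_failed(self) -> bool:
        """True when the scanner neither cleaned nor deleted the file (it is still on disk)."""
        a = self.action.lower()
        return "delete failed" in a or "clean error" in a


# Layout of the event description as shown in the question. The value after
# "DAT version" may be line-wrapped, so every gap is matched with \s+.
EVENT_RE = re.compile(
    r"The file (?P<path>.+?) contains the (?P<threat>\S+) (?:Virus|Trojan)\.\s+"
    r"(?P<action>.+?)\.\s+Detected using Scan engine version (?P<engine>[\d.]+)"
    r"\s+DAT version\s+(?P<dat>[\d.]+)\.",
    re.DOTALL,
)


def parse_mclogevent(description: str) -> Optional[Detection]:
    """Parse one McLogEvent ID 259 description; None if the text is not such an event."""
    m = EVENT_RE.search(description)
    if not m:
        return None
    return Detection(**m.groupdict())


def _norm(p: str) -> str:
    # NTFS paths are case-insensitive; normalise separators and drop a trailing slash.
    return p.replace("/", "\\").rstrip("\\").lower()


def is_excluded(path: str, exclusions: Sequence[str]) -> bool:
    """True when path equals, or lies under, any excluded directory."""
    p = _norm(path)
    return any(p == _norm(d) or p.startswith(_norm(d) + "\\") for d in exclusions)


def triage(det: Detection, exclusions: Sequence[str]) -> str:
    """Classify a detection so an admin knows what still needs doing."""
    if is_excluded(det.path, exclusions):
        # The scanner touched a folder it should never scan: fix the exclusion
        # configuration before trusting any further alerts from that path.
        return "exclusion gap: scanner touched an excluded folder"
    if "\\temp\\gthrsvc\\" in det.path.lower():
        # Temporary copy written while the store is being indexed; the item it
        # was copied from needs a store-aware scan, as the thread discusses.
        hint = "indexer temp file; check the mail store with a store-aware scanner"
        return ("follow-up: removal failed; " + hint) if det.removal_failed else ("remediated; " + hint)
    if det.removal_failed:
        return "follow-up: removal failed, file is still on disk"
    return "remediated"


def triage_all(descriptions: Sequence[str], exclusions: Sequence[str]) -> list:
    """Return (path, verdict) pairs for every parseable event description."""
    out = []
    for text in descriptions:
        det = parse_mclogevent(text)
        if det is not None:
            out.append((det.path, triage(det, exclusions)))
    return out


if __name__ == "__main__":
    for path, verdict in triage_all(SAMPLE_EVENTS, EXAMPLE_EXCLUSIONS):
        print(f"{path}: {verdict}")
```

Run against the question's event, the first sample yields a "follow-up" verdict: the scanner reported "delete failed", the path is the indexing gatherer's temp folder rather than an excluded Exchange folder, and so the copy the alert refers to is a by-product of indexing whose source needs a store-level scan. Feeding the parser a batch of exported event descriptions gives a quick way to separate alerts that were fully remediated from the ones that still need a hand.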
4 Comments
 
LVL 104

Expert Comment

by:Sembee
ID: 20390920
Exchange aware AV would be the best thing to remove this, rather than having it constantly detected by McAfee desktop. Do you have a license for GroupShield? Otherwise something like GFI Mail Security should be able to clear it. What has probably happened is that the message has come in, the user has spotted it and deleted it. Alternatively any antispam software you might be running may have blocked or quarantined it.

Simon.

Author Comment

by:livn4hymm
ID: 20396383
Thanks for the quick response!

I don't have GroupShield, but did find the option in GFI for scanning the Information Store.

I turned it on in GFI and can see that it found 4 or 5 files so far (randomly over the last 24 hours). The CPU utilization jumped dramatically, though, so I needed to turn it off when I got in this morning because Exchange was so slow. How long should I expect it to take GFI to find all problems in the store before it should be OK to disable the store scanning, or should it always be enabled?

I also requested all users to check their quarantine folders and delete anything that was captured and stored there, but is there a way to clear all quarantined folders from within Exchange?

Also, I've noticed a lot of CPU usage even since the scan was disabled. Is it possible for a virus inside of the store to infect the server? If so, what should I be looking for?

Accepted Solution

by:
Sembee earned 500 total points
ID: 20396533
I don't tend to suggest that store scanning is always enabled, for the reasons that you have seen. Run it the other way and it will be fine.
How long it will take is like asking how long is a piece of string. Depends on the size of the store, what it finds, hardware performance etc.

There is nothing simple in Exchange to flush the quarantine. You could look at using mailbox manager.
http://support.microsoft.com/default.aspx?kbid=319188
http://www.msexchange.org/tutorials/MF012.html (written for Exchange 2000, but almost identical in Exchange 2003).

The only way a virus in the store could infect the server itself is if the message and then the attachment were opened on the server itself. As you cannot install Outlook on an Exchange server, that would mean either POP3/IMAP or OWA being used. As long as you are careful with Exchange, it is quite difficult for the actual server to get compromised.

Simon.

Author Closing Comment

by:livn4hymm
ID: 31412175
Thank you very much for all of the information. I will continue to run the scan in off hours to finalize the removal of whatever is causing me grief in the Mail Store. I really appreciate your help with this situation.