Virus in exchange Mail Store

Posted on 2007-12-01
Last Modified: 2013-12-09
I have a Windows 2003 Server running Exchange 2003. It currently has a copy of McAfee 8.5i running on the system with the standard Exchange server folders being excluded. I have the database being indexed at night, and each night I'm getting the following virus alert when the index starts in the following directory:


When I viewed the directory, the file referenced as a virus is still located in it.

The file C:\WINDOWS\TEMP\gthrsvc\flt428_6000.eml contains the W32/Zhelatin.gen!eml Virus. Undetermined clean error, delete failed. Detected using Scan engine version 5200.2160 DAT version
Event Type:      Error
Event Source:      McLogEvent
Event Category:      None
Event ID:      259
Date:            11/29/2007
Time:            11:45:04 PM
User:            NT AUTHORITY\SYSTEM
Computer:      EXPRESS

Some Web threads discuss excluding this folder as well from virus software, but I'm concerned that it may already be in the Mail Store and ready to create a potential problem if left alone.

Is this an indication that I have a virus inside of the Mail Store that will need some form of Exchange-aware antivirus product? Is there a way to close the mail store and repair the problem with my standard antivirus product? Should GFI Mail Security be able to catch a problem like this in a mail store? Is this just an issue with a folder that has remnants of an infected file that I just shouldn't have scanned?

Question by: livn4hymm
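As an added example (not code from the question or the answers), the triage below parses McLogEvent 259 descriptions of the form quoted above and separates hits under the indexer's gthrsvc temp folder, which point back at a message still sitting in the information store, from ordinary file-system hits. The sample event texts, the DAT version number and the second detection name are constructed for the example.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Constructed sample McLogEvent (Event ID 259) descriptions, modelled on the one
# quoted in the question. The DAT version and the non-Exchange hit are made up.
SAMPLE_EVENTS = [
    r"The file C:\WINDOWS\TEMP\gthrsvc\flt428_6000.eml contains the W32/Zhelatin.gen!eml Virus. "
    r"Undetermined clean error, delete failed. Detected using Scan engine version 5200.2160 DAT version 5170.0000",
    r"The file C:\WINDOWS\TEMP\gthrsvc\flt431_6003.eml contains the W32/Zhelatin.gen!eml Virus. "
    r"Undetermined clean error, delete failed. Detected using Scan engine version 5200.2160 DAT version 5170.0000",
    r"The file C:\Documents and Settings\bob\Desktop\invoice.exe contains the W32/Mytob.gen Virus. "
    r"The file was deleted. Detected using Scan engine version 5200.2160 DAT version 5170.0000",
]

# Folder the question shows being written by the nightly full-text index run;
# a hit there is a transient extracted copy of a message, not the message itself.
INDEX_TEMP_FOLDER = "gthrsvc"

EVENT_RE = re.compile(
    r"^The file (?P<path>.+?) contains the (?P<virus>\S+) Virus\. "
    r"(?P<outcome>.+?)\. Detected using", re.IGNORECASE)

def parse_event(description):
    """Split one McLogEvent description into path, detection name and action outcome."""
    m = EVENT_RE.match(description)
    return m.groupdict() if m else None

def classify(event):
    """Decide where the infected content actually lives from the path and outcome."""
    in_index_temp = PureWindowsPath(event["path"]).parent.name.lower() == INDEX_TEMP_FOLDER
    failed = "failed" in event["outcome"].lower() or "error" in event["outcome"].lower()
    if in_index_temp:
        # Re-extracted every night, so the source message is still in the store.
        return "store_resident_suspect" if failed else "index_temp_copy_removed"
    return "file_system_hit_unresolved" if failed else "file_system_hit_removed"

def triage(descriptions):
    """Parse and classify a list of event descriptions, skipping unparseable ones."""
    results = []
    for d in descriptions:
        ev = parse_event(d)
        if ev:
            ev["class"] = classify(ev)
            results.append(ev)
    return results

def summarize(results):
    """Count hits per (detection name, classification) for a quick daily report."""
    return Counter((r["virus"], r["class"]) for r in results)
```

A run of "store_resident_suspect" hits for the same detection name on consecutive nights is the pattern Sembee describes: the folder scan keeps re-finding the indexer's copy, and only an Exchange-aware scanner can remove the message underneath.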
LVL 104

Expert Comment

ID: 20390920
Exchange aware AV would be the best thing to remove this, rather than having it constantly detected by McAfee desktop. Do you have a license for GroupShield? Otherwise something like GFI Mail Security should be able to clear it. What has probably happened is that the message has come in, the user has spotted it and deleted it. Alternatively any antispam software you might be running may have blocked or quarantined it.


Author Comment

ID: 20396383
Thanks for the quick response!

I don't have groupshield, but did find the option in GFI for Scanning the information Store.

I turned it on in GFI and can see that it found 4 or 5 files so far (randomly over the last 24 hours). The CPU utilization jumped dramatically though, so I needed to turn it off when I got in this morning because Exchange was so slow. How long should I expect it to take GFI to find all problems in the store before it should be OK to disable the store scanning, or should it always be enabled?

I also requested all users to check their quarantine folders and delete anything that was captured and stored there, but is there a way to clear all quarantined folders from within Exchange?

Also, I've noticed a lot of CPU usage even since the scan was disabled. Is it possible for a virus inside of the store to infect the server? If so, what should I be looking for?
LVL 104

Accepted Solution

Sembee earned 500 total points
ID: 20396533
I don't tend to suggest store scanning is always enabled for the reasons that you have seen. Run it the other way and it will be fine.
How long it will take is like asking how long is a piece of string. Depends on the size of the store, what it finds, hardware performance etc.

There is nothing simple in Exchange to flush the quarantine. You could look at using mailbox manager. (written for Exchange 2000, but almost identical in Exchange 2003).

The only way a virus in the store could infect the server itself is if the message and then the attachment was opened on the server itself. As you cannot install Outlook on an Exchange server that would mean either POP3/IMAP or OWA being used. As long as you are careful with Exchange it is quite difficult for the actual server to get compromised.


Author Closing Comment

ID: 31412175
Thank you very much for all of the information. I will continue to run the scan in off hours to finalize the removal of whatever is causing me grief in the Mail Store. I really appreciate your help on this situation.

Question has a verified solution.