

Virus in exchange Mail Store

Posted on 2007-12-01
Medium Priority
Last Modified: 2013-12-09
I have a Windows 2003 Server running Exchange 2003. It currently has a copy of McAfee 8.5i running on the system with the standard Exchange server folders being excluded. I have the database being indexed at night, and each night I'm getting the following virus alert when the index starts, in the following directory:


When I viewed the directory, the file referenced as a virus is still located in it.

The file C:\WINDOWS\TEMP\gthrsvc\flt428_6000.eml contains the W32/Zhelatin.gen!eml Virus. Undetermined clean error, delete failed. Detected using Scan engine version 5200.2160 DAT version
Event Type:      Error
Event Source:      McLogEvent
Event Category:      None
Event ID:      259
Date:            11/29/2007
Time:            11:45:04 PM
User:            NT AUTHORITY\SYSTEM
Computer:      EXPRESS

Some Web threads discuss excluding this folder as well from virus software, but I'm concerned that it may already be in the Mail Store and ready to create a potential problem if left alone.

Is this an indication that I have a virus inside of the Mail Store that will need some form of Exchange-aware antivirus product? Is there a way to close the mail store and repair the problem with my standard antivirus product? Should GFI Mail Security be able to catch a problem like this in a mail store? Is this just an issue with a folder that has remnants of an infected file that I just shouldn't have scanned?
Question by: livn4hymm
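As an added example (not part of the question or the answers), a small Python triage for the McLogEvent Event ID 259 message layout quoted above: it separates hits on gatherer (gthrsvc) temp copies, where the original item is still in the store, from ordinary file-system detections that were actually removed. The sample event texts are constructed; only the first mirrors the event in the post, and the other action phrasings are assumptions, not McAfee's documented strings.

```python
import re
from typing import List, NamedTuple, Optional

# Message layout of a McAfee VirusScan 8.5i "McLogEvent" Event ID 259 entry, as
# quoted in the question. Anything after the engine version (DAT info) is ignored.
MCLOG_RE = re.compile(
    r"The file (?P<path>.+?) contains the (?P<threat>.+?) Virus\. "
    r"(?P<action>.+?)\. Detected using Scan engine version (?P<engine>\S+)"
)

# Temp folder of the Exchange full-text indexing gatherer (gthrsvc). A hit here is
# a transient copy of a store item; deleting it leaves the original in the store.
INDEXER_TEMP = "c:\\windows\\temp\\gthrsvc\\"

class Detection(NamedTuple):
    path: str
    threat: str
    action: str
    removed: bool       # AV reports it actually cleaned or deleted the file
    indexer_copy: bool  # file is a gatherer temp copy, source still in the store

def parse_mclog(message: str) -> Optional[Detection]:
    """Parse one Event ID 259 message; None if the text is not in that layout."""
    m = MCLOG_RE.search(message)
    if m is None:
        return None
    action = m.group("action")
    lowered = action.lower()
    removed = "failed" not in lowered and ("deleted" in lowered or "cleaned" in lowered)
    path = m.group("path")
    return Detection(path, m.group("threat"), action, removed,
                     path.lower().startswith(INDEXER_TEMP))

def store_hits(messages: List[str]) -> List[Detection]:
    """Detections that point at an item still living in the mail store: gatherer
    temp copies (the store item persists) plus any hit whose removal failed."""
    parsed = [d for d in map(parse_mclog, messages) if d is not None]
    return [d for d in parsed if d.indexer_copy or not d.removed]

# Constructed sample messages (the first mirrors the event quoted in the question).
SAMPLE_EVENTS = [
    "The file C:\\WINDOWS\\TEMP\\gthrsvc\\flt428_6000.eml contains the W32/Zhelatin.gen!eml Virus. "
    "Undetermined clean error, delete failed. Detected using Scan engine version 5200.2160 DAT version",
    "The file C:\\WINDOWS\\TEMP\\gthrsvc\\flt431_6002.eml contains the W32/Zhelatin.gen!eml Virus. "
    "The file was successfully deleted. Detected using Scan engine version 5200.2160",
    "The file C:\\Temp\\setup.exe contains the EICAR test file Virus. "
    "The file was successfully deleted. Detected using Scan engine version 5200.2160",
]

if __name__ == "__main__":
    for d in store_hits(SAMPLE_EVENTS):
        why = "indexer copy, original still in store" if d.indexer_copy else "removal failed"
        print(f"{d.threat}: {d.path} ({why})")
```

Hits listed by store_hits are the ones that a file-level scanner cannot resolve; they are the candidates for an Exchange-aware (store) scan rather than for excluding the folder.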

Expert Comment

ID: 20390920
Exchange aware AV would be the best thing to remove this, rather than having it constantly detected by McAfee desktop. Do you have a license for GroupShield? Otherwise something like GFI Mail Security should be able to clear it. What has probably happened is that the message has come in, the user has spotted it and deleted it. Alternatively any antispam software you might be running may have blocked or quarantined it.


Author Comment

ID: 20396383
Thanks for the quick response!

I don't have groupshield, but did find the option in GFI for Scanning the information Store.

I turned it on in GFI and can see that it found 4 or 5 files so far (randomly over the last 24 hours). The CPU utilization jumped dramatically though, so I needed to turn it off when I got in this morning because Exchange was so slow. How long should I expect it to take GFI to find all problems in the store before it should be OK to disable the store scanning, or should it always be enabled?

I also requested all users to check their quarantine folders and delete anything that was captured and stored there, but is there a way to clear all quarantined folders from within Exchange?

Also, I've noticed a lot of CPU usage even since the scan was disabled. Is it possible for a virus inside of the store to infect the server? If so, what should I be looking for?

Accepted Solution

Sembee earned 2000 total points
ID: 20396533
I don't tend to suggest store scanning is always enabled for the reasons that you have seen. Run it the other way and it will be fine.
How long it will take is like asking how long is a piece of string. Depends on the size of the store, what it finds, hardware performance etc.

There is nothing simple in Exchange to flush the quarantine. You could look at using mailbox manager. (written for Exchange 2000, but almost identical in Exchange 2003).

The only way a virus in the store could infect the server itself is if the message and then the attachment was opened on the server itself. As you cannot install Outlook on an Exchange server that would mean either POP3/IMAP or OWA being used. As long as you are careful with Exchange it is quite difficult for the actual server to get compromised.


Author Closing Comment

ID: 31412175
Thank you very much for all of the information. I will continue to run the scan in off hours to finalize the removal of whatever is causing me grief in the Mail Store. I really appreciate your help on this situation.
