Virus in exchange Mail Store

Posted on 2007-12-01
Last Modified: 2013-12-09
I have a Windows 2003 Server running Exchange 2003. It currently has a copy of McAfee 8.5i running on the system with the standard Exchange server folders being excluded. I have the database being indexed at night, and each night I'm getting the following virus alert when the index starts in the following directory:


When I viewed the directory, the file referenced as a virus is still located in it.

The file C:\WINDOWS\TEMP\gthrsvc\flt428_6000.eml contains the W32/Zhelatin.gen!eml Virus. Undetermined clean error, delete failed. Detected using Scan engine version 5200.2160 DAT version
Event Type:      Error
Event Source:      McLogEvent
Event Category:      None
Event ID:      259
Date:            11/29/2007
Time:            11:45:04 PM
User:            NT AUTHORITY\SYSTEM
Computer:      EXPRESS

Some Web threads discuss excluding this folder as well from virus software, but I'm concerned that it may already be in the Mail Store and ready to create a potential problem if left alone.

Is this an indication that I have a virus inside of the Mail Store that will need some form of Exchange-aware antivirus product? Is there a way to close the mail store and repair the problem with my standard antivirus product? Should GFI Mail Security be able to catch a problem like this in a mail store? Is this just an issue with a folder that has remnants of an infected file that I just shouldn't have scanned?
Question by:livn4hymm
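Added example (not part of the question or the answers): a small Python parser for the McLogEvent alert text quoted above. It pulls out the file path, threat name, scanner action and engine/DAT versions, then flags alerts whose file sits under C:\WINDOWS\TEMP\gthrsvc as temporary copies of mailbox-store items that a file-level scanner cannot remediate. It assumes, as the question describes, that that folder is where the nightly indexing job writes its copies; the second sample alert is constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Assumption from the question: the nightly index writes temporary copies of
# store messages under this folder, so a hit here means a store item, not a file.
INDEX_SPOOL = "c:\\windows\\temp\\gthrsvc\\"

# The DAT version is optional: the event quoted in the question ends after "DAT version".
ALERT_RE = re.compile(
    r"The file (?P<path>.+?) contains the (?P<threat>.+?) Virus\. "
    r"(?P<action>.+?)\. Detected using Scan engine version (?P<engine>[\d.]+) "
    r"DAT version\s*(?P<dat>[\d.]+)?"
)

@dataclass
class Alert:
    path: str
    threat: str
    action: str
    engine: str
    dat: Optional[str]
    remediated: bool      # scanner reports it cleaned or deleted the file
    in_index_spool: bool  # file is the indexer's copy of a mailbox-store item

    def guidance(self) -> str:
        if self.in_index_spool:
            return "store item: file-level AV only sees the index copy; run a store-aware scan"
        return "file-system item: handle with the file-level scanner"

def parse_alert(text: str) -> Optional[Alert]:
    m = ALERT_RE.search(text)
    if not m:  # not a McAfee alert line (e.g. the Event Type/Source header fields)
        return None
    path, action = m.group("path"), m.group("action")
    return Alert(path, m.group("threat"), action, m.group("engine"), m.group("dat"),
                 remediated="failed" not in action.lower(),
                 in_index_spool=path.lower().startswith(INDEX_SPOOL))

# Constructed samples: the first is the question's alert; the second is invented (remediated, outside the spool).
SAMPLE_ALERTS = [
    r"The file C:\WINDOWS\TEMP\gthrsvc\flt428_6000.eml contains the W32/Zhelatin.gen!eml Virus. "
    r"Undetermined clean error, delete failed. Detected using Scan engine version 5200.2160 DAT version",
    r"The file D:\Share\invoice.zip contains the EICAR test file Virus. "
    r"Deleted successfully. Detected using Scan engine version 5200.2160 DAT version 5171.0000",
]

if __name__ == "__main__":
    for a in filter(None, map(parse_alert, SAMPLE_ALERTS)):
        print(f"{a.path}: {a.threat} ({a.action}) -> {a.guidance()}")
```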

Expert Comment

ID: 20390920
Exchange aware AV would be the best thing to remove this, rather than having it constantly detected by McAfee desktop. Do you have a license for GroupShield? Otherwise something like GFI Mail Security should be able to clear it. What has probably happened is that the message has come in, the user has spotted it and deleted it. Alternatively any antispam software you might be running may have blocked or quarantined it.


Author Comment

ID: 20396383
Thanks for the quick response!

I don't have GroupShield, but did find the option in GFI for scanning the Information Store.

I turned it on in GFI and can see that it found 4 or 5 files so far (randomly over the last 24 hours). The CPU utilization jumped dramatically though, so I needed to turn it off when I got in this morning because Exchange was so slow. How long should I expect it to take GFI to find all problems in the store before it should be OK to disable the store scanning, or should it always be enabled?

I also requested all users to check their quarantine folders and delete anything that was captured and stored there, but is there a way to clear all quarantined folders from within Exchange?

Also, I've noticed a lot of CPU usage even since the scan was disabled. Is it possible for a virus inside of the store to infect the server? If so, what should I be looking for?

Accepted Solution

Sembee earned 500 total points
ID: 20396533
I don't tend to suggest store scanning is always enabled for the reasons that you have seen. Run it the other way and it will be fine.
How long it will take is like asking how long is a piece of string. Depends on the size of the store, what it finds, hardware performance etc.

There is nothing simple in Exchange to flush the quarantine. You could look at using Mailbox Manager (written for Exchange 2000, but almost identical in Exchange 2003).

The only way a virus in the store could infect the server itself is if the message and then the attachment were opened on the server itself. As you cannot install Outlook on an Exchange server, that would mean either POP3/IMAP or OWA being used. As long as you are careful with Exchange, it is quite difficult for the actual server to get compromised.


Author Closing Comment

ID: 31412175
Thank you very much for all of the information. I will continue to run the scan in off hours to finalize the removal of whatever is causing me grief in the Mail Store. I really appreciate your help on this situation.
