Virus in Exchange Mail Store

I have a Windows 2003 Server running Exchange 2003. It currently has a copy of McAfee 8.5i running on the system with the standard Exchange server folders being excluded. I have the database being indexed at night, and each night I'm getting the following virus alert when the index starts in the following directory:


When I viewed the directory, the file referenced as a virus is still located in it.

The file C:\WINDOWS\TEMP\gthrsvc\flt428_6000.eml contains the W32/Zhelatin.gen!eml Virus. Undetermined clean error, delete failed. Detected using Scan engine version 5200.2160 DAT version
Event Type:      Error
Event Source:      McLogEvent
Event Category:      None
Event ID:      259
Date:            11/29/2007
Time:            11:45:04 PM
User:            NT AUTHORITY\SYSTEM
Computer:      EXPRESS

Some Web threads discuss excluding this folder as well from virus software, but I'm concerned that it may already be in the Mail Store and ready to create a potential problem if left alone.

Is this an indication that I have a virus inside of the Mail Store that will need some form of Exchange aware antivirus product? Is there a way to close the mail store and repair the problem with my standard antivirus product? Should GFI Mail Security be able to catch a problem like this in a mail store? Is this just an issue with a folder that has remnants of an infected file that I just shouldn't have scanned?
Sembee Commented:
I don't tend to suggest store scanning is always enabled for the reasons that you have seen. Run it the other way and it will be fine.
How long it will take is like asking how long is a piece of string. Depends on the size of the store, what it finds, hardware performance etc.

There is nothing simple in Exchange to flush the quarantine. You could look at using mailbox manager. (written for Exchange 2000, but almost identical in Exchange 2003).

The only way a virus in the store could infect the server itself is if the message and then the attachment was opened on the server itself. As you cannot install Outlook on an Exchange server that would mean either POP3/IMAP or OWA being used. As long as you are careful with Exchange it is quite difficult for the actual server to get compromised.

Exchange aware AV would be the best thing to remove this, rather than having it constantly detected by McAfee desktop. Do you have a license for GroupShield? Otherwise something like GFI Mail Security should be able to clear it. What has probably happened is that the message has come in, the user has spotted it and deleted it. Alternatively any antispam software you might be running may have blocked or quarantined it.

livn4hymm (Author) Commented:
Thanks for the quick response!

I don't have GroupShield, but did find the option in GFI for scanning the Information Store.

I turned it on in GFI and can see that it found 4 or 5 files so far (randomly over the last 24 hours). The CPU utilization jumped dramatically though, so I needed to turn it off when I got in this morning because Exchange was so slow. How long should I expect it to take GFI to find all problems in the store before it should be ok to disable the store scanning, or should it always be enabled?

I also requested all users to check their quarantine folders and delete anything that was captured and stored there, but is there a way to clear all quarantined folders from within Exchange?

Also, I've noticed a lot of CPU usage even since the scan was disabled. Is it possible for a virus inside of the store to infect the server? If so, what should I be looking for?

livn4hymm (Author) Commented:
Thank you very much for all of the information. I will continue to run the scan in off hours to finalize the removal of whatever is causing me grief in the Mail Store. I really appreciate your help on this situation.
Question has a verified solution.
