Solved

W32.Netsky.Q@mm.enc in Microsoft Small Business Server, Exchange Queue Location: How to remove?

Posted on 2008-06-16
6
287 Views
Last Modified: 2013-12-09
I have a Windows Small Business Server 2003 SR2 that has an infection from W32.Netsky.Q@mm.enc virus that has been found by Symantec Antivirus Corporate Edition. The virus can't be deleted is the problem. Antivirus attempts to delete or quarentine the infected file and both fail due to "access is denied".

The virus is in the following location:
C:\Program Files\Exchsrvr\Mailroot\vsi1\Queue\

The infected file is:
C:\Program Files\Exchsrvr\Mailroot\vsi1\Queue\NTFS_c728f24201c8cdf0000024ff.EML

Here's Symantec information about this.

http://www.symantec.com/security_response/writeup.jsp?docid=2004-033015-2404-99&tabid=1

I've followed all the instructions but in rescanning the virus does not later appear. Then a few days later it will appear as a new Symantec virus alert. It's driving me crazy that I can't seem to permanently remove and protect the server from these virus. Why isn't Symantec able to delete this... anyway.

I've also run programs like Spybot but it isn't detected in that version.

Any suggestions on what I can do to remove this virus would be really helpful.



Symantec-Notices.jpg
0
Comment
Question by:tedjpclark
  • 4
  • 2
6 Comments
 
LVL 25

Expert Comment

by:kieran_b
ID: 21798233
Step one, uninstall symantec anti-virus from the exchange server.
Step two, get an exchange aware anti-virus program.
0
 

Author Comment

by:tedjpclark
ID: 21798658
What do you recommend I use as an Exchange Aware Anti-Virus?
0
 
LVL 25

Expert Comment

by:kieran_b
ID: 21798696
If you must use Symantec, get Symantec Mail Security for Microsoft Exchange - Personally, I think most of their stuff is rubbish, and remove it everywhere i can.  That said, I think any client AV on an exchange server (non-exchange aware) has no place.

Other options are Trend Micro's suite, which I have heard a lot of good things about.

Personally, I don't use AV on Exchange servers at all - I block it at the gateway and at the client.
0
Too many email signature changes to deal with?

Are you constantly being asked to update your organization's email signatures? Do they take up too much of your time? Wouldn't you love to be able to manage all signatures from one central location, easily design them and deploy them quickly to users. Well, you can!

 

Author Comment

by:tedjpclark
ID: 21798797
OK Thanks. I'm of like mind with Symantec, but with this server I'm unfortunately picking up what somebody else built. The office I'm supporting believes "we've got AntiVirus, we paid for Symantec", when I initially reviewed things and provided recommendations last fall. Nothing better than eventually being able to say "told you so", of course after I've had to spend hours and hours fixing this server, problem by problem.

So I'm now going through and cleaning this computer up. I'm curious, since it would help me resolve so many potential issues with this system, what do you do specifically to block virus/malware at the gateway and client? Any links or suggested reading would be appreciated. Thanks.
0
 
LVL 25

Expert Comment

by:kieran_b
ID: 21798915
On the gateway, I will install something like GFI MailSecurity on/or an application device/server or use only an SPI compliant router which can actually catch it at the router - Sonicwalls do it, FortiGates do it - depending on the site, budget, etc.

On the client, I always use something - personally, I don't use AV, but I think it is irresponsible to expect users to get along with out it.  I have used and like AVG from GRISoft.com, I have heard good reports of McAfee and Trend Micro.
0
 
LVL 25

Accepted Solution

by:
kieran_b earned 250 total points
ID: 21798932
I will clarify a bit more about the problem as well;

What is happening is that AV infected emails are coming into your server bound for your users.  Symantec is misconfigured, but any AV app misconfigured on an Exchange server will do the same thing (particularly if it is no Exchange aware) - it is seeing the messages in the queue and trying to clean them.  Now, Exchange is working with them, and Exchange doesn't take crap from AV software, so it just locks the files and Symantec has a teary.

The real problem is, with Symantec doing that, it is only a matter of time before it upsets Exchange so much that it either corrupts messages or worse, the information store (which I have actually seen...)
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

Local Continuous Replication is a cost effective and quick way of backing up Exchange server data. The following article describes the steps required to configure Local Continuous Replication. Also, the article tells you how to restore from a backup…
Scam emails are a huge burden for many businesses. Spotting one is not always easy. Follow our tips to identify if an email you receive is a scam.
In this video we show how to create a Contact in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Recipients >> Contact ta…
To add imagery to an HTML email signature, you have two options available to you. You can either add a logo/image by embedding it directly into the signature or hosting it externally and linking to it. The vast majority of email clients display l…

759 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now