virus alerts on exchange server 2k
From: Aaron Browne (aaronsolutions_at_eircom.net)
Date: 07/21/04
- Next message: anonymous_at_discussions.microsoft.com: "strange receipient policy problem?"
- Previous message: Keith: "Setting NDR Address?"
- In reply to: sphilip: "virus alerts on exchange server 2k"
- Next in thread: Peter Lawton: "Re: virus alerts on exchange server 2k"
- Messages sorted by: [ date ] [ thread ]
Date: Wed, 21 Jul 2004 04:06:03 -0700
>-----Original Message-----
>I'm having Exchange Server 2000 with the latest
>SP... we are using Symantec AntiVirus version 8.0 &
>also use Symantec Antivirus Filter Version 3.0, which are
>updated daily, for protecting the server against virus
>attacks.
>
>For the last 3 weeks I have been noticing virus alerts as
>
>1. W32.Netsky.P@mm! enc
>2. W32.Erkez.B@mm
>3. W32.MyDoom.L@mm
>
>all of which are located in the folder "BADMAIL", and most
>of them cannot be repaired or quarantined and have "ACCESS
>DENIED" status.
I have had a similar problem where I had to boot into safe
mode in order to delete these files.
>
>When I run the respective removal tools which I downloaded
>from the Symantec website, it gives me a message telling
>that these weren't found on my server.
That would be correct: if you have your antivirus up to
date, it would have stopped the file from processing what is
called a payroll. The payroll is the instructions the
attacker has programmed into this file to infect your PC
and run tasks like key logging and email address spoofing, and
it would use all email addresses it finds to send out a
variant of itself.
>
>But I also noticed large scale emailing between 4
>users, just 4 users.
Try running the Symantec website to detect the infection
on the users where you are seeing the large scale mailing.
>
>Also I noticed a weird behaviour, large scale emailing
>from an ex-employee email address that was deleted the day
>he left office. Can someone give me an explanation for
>this? How does this email address exist even after
>deleting it about 6 months back?
Check in Exchange manager to see if your mailbox cleanup
wizard has removed the user totally from your system. Also
check your recipient list in Exchange manager to see if
the ex-employee's address still exists.
>
>& how do I stop these viruses from actually getting into
>the "BADMAIL" folder, is there a way to stop it? How do I
>actually know if my server is infected? & if so how do I
>clean it?
First use the Symantec web site to scan and detect. Make
sure all your patch levels are up to date. An easy way to
do this is to use the Windows Update tool.
The BADMAIL folder has to stay because it is a kind of a
quarantine. Any mail that the Symantec software detects as
a bad email goes there.
Please ensure you keep your SP and critical updates for
Windows up to date!
Mail me and I will support you.
I am not an expert but I have used Exchange a lot in a number of
SME companies. I am currently working on a system with
almost 100 users; that is big to me.
>
>Please advise.
>
>
>.
>