Re: Frustrated with Trend CSM!

From: Les Connor [SBS MVP] (les.connor_at_DEL.cfive.ca)
Date: 08/09/04


Date: Mon, 9 Aug 2004 11:13:57 -0500

Chester,

I suspect the Officescan (file space A/V) component may be scanning the
Exchange folder(s) and/or database. You must exclude them from Officescan,
on the server.

<snip>
1. In the CSM console, click on the Clients view so you can see the
Officescan 'domain'. Your SBS will be listed there.
2. Create a new Officescan 'domain', and move your SBS computer to the new
domain. The original domain will be used for workstations.
3. Click on your SBS computer icon, and set the client privileges to your
liking.
4. Click on Scan options | Real time Scan settings, and find the Exclusions
link.
5. Put <drive> pagefile.sys in the lower 'file' exclusion list.
6. Put <these are default locations> c:\Program files\exchsrvr, \trend,
\trend micro in the directory exclusion area. Note that if you have moved
your Exchange data and/or logs somewhere, be sure to exclude them. Note also
you can be more granular with your exclusions if you want - you don't have
to exclude the entire directory. Another note - there is a tick box for
excluding Trend product directories, but I do it manually anyway. Yet
another note - On all screens make sure you APPLY the settings by scrolling
down to the bottom and clicking the button.

What you've done with the two Officescan 'domains', is enabled different
settings for the server versus the clients. Now when you add client
machines, you can set the options on that domain (rather than each
workstation) so they apply to all workstations, but not the server. Sometime
<endsnip>

-- 
Les Connor [SBS MVP]
-------------------------------------
SBS Rocks !
"Chester" <chester@NOSPAMprosoundusa.com> wrote in message
news:ueffgnifEHA.2908@TK2MSFTNGP10.phx.gbl...
> Thanks Phil, Lanwench, and Merv,
>
> I did check the log, and what bothers me is there are several messages like
> "Virus successfully detected, but infected file can neither be cleaned nor
> quarantined"
> and the other one that bugs me is "See scan result in compressed file :
> NTFS_5131bc4801c47be600000235.EML"
>
> The details show the virus name and things, but should I worry about these?
> The log shows the path as being to the ..\Queue, but of course, they are
> gone from there now.
>
> Sorry if this all sounds elementary, I'm trying to get my head wrapped
> around the security issues here.
>
> Thanks for the help!
>
> Chester
> "Phil" <phil@phil.com> wrote in message
> news:O9IhSWifEHA.2812@tk2msftngp13.phx.gbl...
> > Chester,
> >
> > See reply inline
> >
> > Thanks,
> > Phil
> >
> > "Chester" <chester@NOSPAMprosoundusa.com> wrote in message
> > news:%23697P0$eEHA.3988@tk2msftngp13.phx.gbl...
> > > I have torn out my hair trying to understand how this program works. I
> > > guess I've just missed the boat on this one.
> > >
> > > 1. Installed the program several months ago, and got it set to check for
> > > updates hourly
> > > 2. Installed the clients at the same time, and everything came up clean.
> > >
> > > Now, when I look at the console on the server, it keeps telling me that
> > > the server has 50 infected files, and that one of the clients has 1
> > > infected file. So I use the "Damage Cleanup Service" on the server and on
> > > the client, and NOTHING CHANGES!!! The DCS reports "no malware found" and
> > > when I do a manual scan, it reports "No viruses found!" What is UP!?!?!
> > > Why can't I grasp this!?!
> >
> > DCS only cleans up a computer that is actually infected. You need to check
> > the virus log for the clients/server that is infected and see what action
> > has been taken. If they have been quarantined or deleted, then you have
> > nothing to worry about. The status (the PC on fire icon) is associated with
> > the number of viruses that the computer has encountered and does not
> > necessarily mean that the computer is currently infected. (That's why you
> > need to check the virus logs.) If you'd like to be able to track the number
> > of viruses and the source, etc. on the summary page, you need to leave
> > everything as is. However, if seeing the PC on fire icons is really
> > bothering you, you must view the status of the client and click "Reset
> > Virus Count", or if there is more than one, select the domain and click
> > "Reset Virus Count".
> >
> > >
> > > Any help from someone with Trend CSM would be VERY much appreciated.
> > >
> > > The reason I'm sure we have a virus is because we keep getting virus
> > > notifications in our email from the server saying it has removed an
> > > attachment. The strange thing is, those emails (which are being routed to
> > > the users' Junk Mail folder) are now showing as coming from people we know
> > > and communicate with, but those people are not sending us email!
> > >
> >
> > Someone is spoofing their addresses. I had someone internally here get
> > spoofed and the email got sent to another user here which caused a little
> > confusion for them. As long as the viruses are getting cleaned or removed I
> > would not worry about it.
> >
> > > Thanks for your help!
> > > 3.
> > >
> > >
> >
> >
>
>