Re: Ongoing Virus problem

From: Lanwench [MVP - Exchange] (lanwench_at_heybuddy.donotsendme.unsolicitedmail.atyahoo.com)
Date: 08/30/04


Date: Mon, 30 Aug 2004 18:46:47 -0400

susan wrote:
> I'm having a problem in that we receive 5-15 virus infected emails
> every day. Yes, I do have antivirus and sometimes it strips the
> attachment and sometimes it doesn't (eTrust antivirus by CA).
> Sometimes the virus identified is Netsky.P and sometimes Netsky.C and
> I've had a few id'd as Netsky.Z -- some say "trojan", some say "worm"!
>
> I have virus scanned (and online scanned using Symantec's online
> scanner) every workstation, laptop and the server (except Exchange of
> course) and can find NOTHING! I've researched the viruses and know
> what to look for in the registry etc. and find nothing indicating
> infection at any station.
>
> These infected emails sometimes have a "sender" address that is
> familiar, but most often not.
>
> I check the headers and what's puzzling is that they read: sent from
> "mydomain.org" received by "mail.mydomain.org".... does this
> automatically mean that they are happening WITHIN the network??? The
> ip address of the supposed "sender" is not a valid internal address,
> but I realize all this stuff could be spoofed...

It's likely spoofed. Read the Internet headers for the message. If there's
anything in there, it's from the Internet.
Got SP1 installed?

>
> I'm puzzled and don't know what else to do. I just have to find out
> what I can do about this as babysitting the mail is tiring.

I think you ought to take a good hard look at your antivirus software and
see why it isn't catching this stuff. NB: I am not a CA fan and avoid their
software entirely nowadays - much prefer other products. But even with your
current sw, you ought not to be having this problem. Are you blocking all
potentially dangerous file attachment types? (better to do this in your AV
sw than in SBS). See
http://www.swinc.com/resources/exchange/faq_db.asp?status=questions&faqID=1000&faqname=Exchange%205.5&sectionID=1017&sectionName=Martin%20Blackstone's%20List%20of%20Danger
(mind link wrap) for a good place to start.
Also make sure your AV software is updating as often as possible. I have
Scanmail/Officescan set to check for updates *hourly*.

>
> Any ideas, suggestions, advice??
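
Added example, not part of the original posts: one way to run the header check discussed in this thread, by comparing the connecting IP your own server stamped in its `Received:` line against your internal address ranges. The names `mydomain.org` and `mail.mydomain.org` come from the question; the sample headers, the `192.168.0.0/16` range and the `from HELO ([ip]) by host` layout are assumptions.

```python
import email
import ipaddress
import re

# Constructed samples in the layout "from HELO ([ip]) by host"; not real mail.
SPOOFED = """\
Received: from mydomain.org ([203.0.113.45]) by mail.mydomain.org
 with SMTP; Mon, 30 Aug 2004 10:02:11 -0400
From: someone@mydomain.org
Subject: Re: document

body
"""
INTERNAL = SPOOFED.replace("from mydomain.org ([203.0.113.45])",
                           "from ws12.mydomain.org ([192.168.16.20])")

HOP = re.compile(r"from\s+(?P<helo>\S+)\s+\([^)]*?\[(?P<ip>[0-9a-fA-F.:]+)\]\)"
                 r"\s+by\s+(?P<by>\S+)")


def classify(raw, own_domain, own_server, internal_nets):
    """Label each hop stamped by own_server as internal, external or spoofed-helo."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    findings = []
    for value in email.message_from_string(raw).get_all("Received", []):
        m = HOP.search(value)
        # Only the header written by our own server is trustworthy; anything
        # below it was supplied by the sender and may be forged.
        if not m or m.group("by").lower() != own_server:
            continue
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue  # malformed address literal
        helo = m.group("helo").lower()
        if any(ip in net for net in nets):
            label = "internal"
        elif helo == own_domain or helo.endswith("." + own_domain):
            label = "spoofed-helo"  # claims our name from an outside address
        else:
            label = "external"
        findings.append((label, helo, str(ip)))
    return findings


if __name__ == "__main__":
    for sample in (SPOOFED, INTERNAL):
        print(classify(sample, "mydomain.org", "mail.mydomain.org", ["192.168.0.0/16"]))
```

A `spoofed-helo` result means the message arrived from outside and merely presented the local domain name, so no internal workstation needs to be infected to explain it.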


