Re: Virus Warning in ShadowCopy



How is email processed in a network with ScanMail for Exchange and eManager?
http://kb.trendmicro.com/solutions/search/main/search/solutionDetail.asp?solutionID=4755&q=order+of+processing&qp=&qt=order+of+processing&qs=&r=19&c=4755&sort=0

Looks like email is checked for spam first and then, if not deleted or
quarantined, forwarded to ScanMail for virus checking. Not sure how to
change this to make sure quarantined spam is also checked for viruses.

--
Merv Porter [SBS MVP]
===================================
"David Elders" <david_elders@xxxxxxxxxxxxxxxxxx> wrote in message
news:uYhbAIC9FHA.1184@xxxxxxxxxxxxxxxxxxxxxxx
> Hmmm...
>
> I had a similar thing with Trend CSM v2 fairly recently. Pretty
> intermittent but the really strange thing was that we've NEVER set Trend
> to quarantine virus-laden mail - it's set to delete immediately. However,
> we did have Trend set to Quarantine spam emails so is it likely that the
> spam filter was kicking in before the Virus check and that it was only
> when the real-time scan caught it during VSS that it was noted as having a
> virus?
>
> In case it's relevant, our mail is POP3 rather than SMTP [although that
> will be changing later this month]
>
> If so, what's the easiest way around this?
>
> Regards,
>
>
> David
>
>
>
> "Merv Porter [SBS-MVP]" <mwport@xxxxxxxxxxxxxxxxxxx> wrote in message
> news:uLrEeEC9FHA.740@xxxxxxxxxxxxxxxxxxxxxxx
>> Maybe something along these lines...
>>
>> It looks like you have Volume Shadow Copy turned on for the drive or
>> partition that contains the Trend Micro Quarantine folders and you've got
>> Trend ScanMail set to quarantine viruses that it cannot delete. When
>> Trend finds an email with a virus that it can't delete, it quarantines
>> the message in a special folder located at \Program
>> Files\Trend\SMCF\Quarantine\<folder date>\<folder hour (24 hour clock)>
>>
>> Then when Shadow Copy kicks in, the Trend Realtime scan notices the virus
>> again in the Trend folder and throws the virus alert you're seeing.
>>
>> You can locate and delete the infected email in the Trend Quarantine
>> folder to eliminate the alert on future shadow copy runs.
>>
>> --
>> Merv Porter [SBS MVP]
>> ===================================
>> "Franz Leu" <franz.leu@xxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> news:%23E7ymmA9FHA.740@xxxxxxxxxxxxxxxxxxxxxxx
>>> Hi
>>>
>>> Could somebody help with how a virus can get into ShadowCopy and how to
>>> remove it?
>>>
>>> Thanks
>>> Franz
>>> <snip>
>>>
>>> Virus Alert!!
>>>
>>> WORM_SOBER.AG is detected on SERVER1(Administrator) in Norfolk server
>>> domain.
>>>
>>> Infected file: \Device\HarddiskVolumeShadowCopy95\Program
>>> Files\Trend\SMCF\Quarantine\2005-11-25\16\07\Message438728a7d7ab.original_eml_
>>> (File-packed_dataInfo.exe) Detection date: 2005.11.28 11:27:00
>>>
>>> Action: Virus successfully detected, cannot perform the Clean action
>>> (Virus successfully detected, cannot perform the Quarantine action)
>>>
>>>
>>>
>>
>>
>
>
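
Added example, not part of the original thread: a small triage helper that takes an alert like the one quoted above, recovers the line-wrapped "Infected file" path, and reports whether the hit is a shadow-copy view of a file already in the ScanMail quarantine tree or a detection on a live volume. The function names, the `C:` drive letter and the assumption that mail line wraps fell on spaces are mine; the alert text and quarantine folder layout are taken from the thread.

```python
import re
from typing import NamedTuple, Optional

# Constructed sample: the alert quoted in this thread, line-wrapped as the mail client left it.
SAMPLE_ALERT = r"""WORM_SOBER.AG is detected on SERVER1(Administrator) in Norfolk server
domain.
Infected file: \Device\HarddiskVolumeShadowCopy95\Program
Files\Trend\SMCF\Quarantine\2005-11-25\16\07\Message438728a7d7ab.original_eml_
(File-packed_dataInfo.exe) Detection date: 2005.11.28 11:27:00
"""

INFECTED = re.compile(r"Infected file:\s*(?P<path>.+?)\s*(?:\([^)]*\)\s*)?Detection date:")
SNAPSHOT = re.compile(r"^\\Device\\HarddiskVolumeShadowCopy(\d+)\\(.*)$", re.I)
# Quarantine layout given in the thread: ...\Quarantine\<folder date>\<folder hour>\
QUARANTINE = re.compile(
    r"^Program Files\\Trend\\SMCF\\Quarantine\\(\d{4}-\d{2}-\d{2})\\(\d{2})\\", re.I)

class Finding(NamedTuple):
    snapshot_id: Optional[int]      # None when the hit is on a live volume
    relative_path: str              # path relative to the volume root
    in_quarantine: bool             # file sits inside the ScanMail quarantine tree
    quarantined_on: Optional[str]   # <folder date> component, if any

def triage(alert: str) -> Optional[Finding]:
    """Extract the infected path from an alert and classify where it lives."""
    flat = " ".join(alert.split())  # undo wrapping (assumes wraps fell on spaces)
    m = INFECTED.search(flat)
    if not m:
        return None
    path = m.group("path")
    snap = SNAPSHOT.match(path)
    # Snapshot paths carry a device prefix; live paths carry a drive letter.
    rel = snap.group(2) if snap else re.sub(r"^[A-Za-z]:\\", "", path)
    q = QUARANTINE.match(rel)
    return Finding(int(snap.group(1)) if snap else None, rel,
                   q is not None, q.group(1) if q else None)

def live_path(f: Finding, drive: str = "C:") -> str:
    """Where the same file would be on the live volume (drive letter is assumed)."""
    return drive + "\\" + f.relative_path

if __name__ == "__main__":
    f = triage(SAMPLE_ALERT)
    kind = "snapshot copy" if f.snapshot_id is not None else "live volume"
    where = "already quarantined mail" if f.in_quarantine else "NOT in quarantine, investigate"
    print(f"{kind}: {where}\ncheck live volume at: {live_path(f)}")
```

A snapshot hit inside the quarantine tree is the case described in the thread; a hit on a live volume outside that tree is a different situation and deserves a closer look.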

