Re: Virus officexp-KB910721-FullFile-ENU.exe
- From: "Marina Roos [SBS-MVP]" <marina@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Sat, 20 Jun 2009 02:06:02 +0200
Hi Fred,
If you have 'remove attachments' active and that is going to c:\program files\Exchsrvr\Attachment Quarantine, then those messages are being dropped by Exchange and won't even reach the mailboxes, thus won't reach PureMessage.
It is the Sophos AV client that is detecting those files and giving the
warnings.
I would move the Attachment Quarantine to a dedicated place so you can also
exclude that folder from being backed up. Then I would schedule a task on
the server to regularly scan all files in that folder. Then they will be
deleted by Sophos.
--
Regards,
Marina Roos
Microsoft SBS-MVP
One of the Magical M&M's
www.smallbizserver.net
Take part in SBS forum: http://www.smallbizserver.net/Default.aspx?tabid=53
"Fred B." <h.f.b****@nemad.com> wrote in message
news:OUuDTyB8JHA.2456@xxxxxxxxxxxxxxxxxxxxxxx
Hi Duncan,
I like Sophos also and I contacted their support by email. Awaiting their response.
But this case seems illogical. The PureMessage server is set to delete the viral message (inbound/outbound and internal) if detected, in which case I receive a notification by email. This morning I found a notification by the on-access scanner. But how did officexp-KB910721-FullFile-ENU.exe make its way into the attachment quarantine folder of the Exchange server? Strange. I contacted all our users and none have reported receiving a KB910721 update Outlook email message posing as Microsoft.
For forensics, how do I track a message with a certain attachment in the Exchange server? Recipient unknown, sender unknown.
We have always worked with the Sophos on-access scanner on the SBS server without any drawbacks. The on-access scanner is set to clean first and, if that does not work, move the file to the quarantine directory, just in case of false positives. Furthermore we do a daily extensive scan.
Thanks in advance,
Fred
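Fred's forensic question above (how to find a message in Exchange when only the attachment name is known) deserves a concrete answer. What follows is an added example, not code from the thread or from Microsoft or Sophos: it parses Exchange 2003 message tracking logs (the tab-separated files under Exchsrvr\SBSSERVER.log) and searches them by subject keyword, by MSGID and by time window. The log lines are constructed; the field order is my assumption (check it against the `# Date Time ...` header line of a real log), and so is the reading of event IDs 1019 and 1028. Tracking logs record subject, sender, recipients and message ID but not attachment names, so when the subject is unknown too the practical approach is to bracket the quarantined file's creation time and read everything the server handled around then.

```python
"""Search Exchange 2003 message tracking logs for the message that carried a
quarantined attachment.

Added example, not code from the thread or from Sophos/Microsoft.  The log
content below is CONSTRUCTED to mirror the thread's scenario.  ASSUMPTIONS:
the tab-separated field order of an Exchange 2003 tracking log (verify it
against the '# Date Time ...' header of a real Exchsrvr\\SBSSERVER.log\\*.log
file) and the meaning of event IDs 1019 (SMTP: message submitted to Advanced
Queuing) and 1028 (SMTP: message delivered locally to store).
"""
from datetime import datetime, timedelta

FIELDS = [
    "Date", "Time", "client-ip", "Client-hostname", "Partner-Name",
    "Server-hostname", "server-IP", "Recipient-Address", "Event-ID", "MSGID",
    "Priority", "Recipient-Report-Status", "total-bytes", "Number-Recipients",
    "Origination-Time", "Encryption", "service-Version", "Linked-MSGID",
    "Message-Subject", "Sender-Address",
]


def _row(*values):
    """Join one record the way the log does: one tab between fields."""
    assert len(values) == len(FIELDS)
    return "\t".join(values)


# Constructed sample log (not real traffic).  Two events belong to one inbound
# message whose subject mentions KB910721; the other two are unrelated noise.
SAMPLE_LOG = "\n".join([
    "# Message Tracking Log File",
    "# Exchange System Attendant Version 6.5.7638.1",
    "# " + "\t".join(FIELDS),
    _row("2009-6-19", "2:05:10 GMT", "192.168.16.2", "SBSSERVER", "",
         "SBSSERVER", "192.168.16.2", "fred@example.com", "1028",
         "<a1@sbsserver.example.local>", "0", "0", "4096", "1",
         "2009-6-19 2:05:9 GMT", "0", "Version: 6.0.3790.3959", "",
         "Weekly report", "alice@example.com"),
    _row("2009-6-19", "6:12:40 GMT", "203.0.113.45", "mail.example.net", "",
         "SBSSERVER", "192.168.16.2", "fred@example.com", "1019",
         "<b2@mail.example.net>", "0", "0", "2355212", "1",
         "2009-6-19 6:12:39 GMT", "0", "Version: 6.0.3790.3959", "",
         "Office XP update KB910721", "noreply@example.net"),
    _row("2009-6-19", "6:12:41 GMT", "192.168.16.2", "SBSSERVER", "",
         "SBSSERVER", "192.168.16.2", "fred@example.com", "1028",
         "<b2@mail.example.net>", "0", "0", "2355212", "1",
         "2009-6-19 6:12:39 GMT", "0", "Version: 6.0.3790.3959", "",
         "Office XP update KB910721", "noreply@example.net"),
    _row("2009-6-19", "9:30:03 GMT", "192.168.16.2", "SBSSERVER", "",
         "SBSSERVER", "192.168.16.2", "bob@example.org", "1019",
         "<c3@sbsserver.example.local>", "0", "0", "8192", "1",
         "2009-6-19 9:30:2 GMT", "0", "Version: 6.0.3790.3959", "",
         "Re: invoice", "fred@example.com"),
])


def parse_tracking_log(text):
    """Turn log text into dicts keyed by FIELDS, plus a parsed 'timestamp'."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue                      # header / comment lines
        parts = line.split("\t")
        if len(parts) != len(FIELDS):
            continue                      # truncated record: skip, never mis-assign fields
        row = dict(zip(FIELDS, parts))
        stamp = f"{row['Date']} {row['Time'].replace(' GMT', '')}"
        row["timestamp"] = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        rows.append(row)
    return rows


def find_by_subject(rows, keyword):
    """Subject is logged, attachment names are not: search on what you have."""
    return [r for r in rows if keyword.lower() in r["Message-Subject"].lower()]


def find_in_window(rows, center, minutes=10):
    """When even the subject is unknown, bracket the quarantined file's
    creation time (os.stat(path).st_ctime on Windows) and look at everything
    the server handled around then."""
    return [r for r in rows
            if abs(r["timestamp"] - center) <= timedelta(minutes=minutes)]


def trace_message(rows, msgid):
    """All events for one MSGID in order: shows every recipient it reached."""
    return sorted((r for r in rows if r["MSGID"] == msgid),
                  key=lambda r: r["timestamp"])


def describe(row):
    return (f"{row['timestamp']:%Y-%m-%d %H:%M:%S} event {row['Event-ID']} "
            f"{row['Sender-Address']} -> {row['Recipient-Address']} "
            f"from {row['client-ip']} | {row['Message-Subject']}")


if __name__ == "__main__":
    rows = parse_tracking_log(SAMPLE_LOG)
    for hit in find_by_subject(rows, "KB910721"):
        print(describe(hit))
    print("-- around the first hit's time, +/- 5 minutes --")
    for hit in find_in_window(rows, rows[1]["timestamp"], minutes=5):
        print(describe(hit))
```

On the server, feed `parse_tracking_log` the contents of the day's tracking log and use the quarantined file's creation time as the centre of the window. Once one event is found, `trace_message` with its MSGID lists every recipient the message reached, which is the answer to "recipient unknown"; the client-ip and Client-hostname fields on the 1019 event answer "sender unknown" better than the spoofable Sender-Address does.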
"Duncan McC" <hard@xxxxxxx> wrote in message
news:MPG.24a4dbb5d2a8021e989aaf@xxxxxxxxxxxxxxxxxxxxx
BTW, what settings do you have in PureMessage for reporting (viruses etc.)? If you've not configured it for email reports, the behaviour may be entirely normal.
I configure PureMessage to send 'admin' (IT) and the recipient an email, and delete a viral message. I quarantine suspicious messages only.
Why would you quarantine a virus? Delete it.
So if it's set to quarantine it, I guess that's what it does.
But... upon backup... the virus is detected and reported by Sophos AV?
PS: why does your server detect a virus upon backup anyway? Do you do realtime scanning on the server? I've had nothing but problems doing that, particularly on lower spec servers (services not starting correctly is the main problem).
Per the other message, please let us know what Sophos have to say, and what they recommend, in particular settings in PureMessage.
--
Duncan
In article <eiFgKy#7JHA.3804@xxxxxxxxxxxxxxxxxxxx>, h.f.b@xxxxxxxxx
says...
We have a Sophos PureMessage scanner before our Exchange Server. This Sophos scanner cleans all known viruses in our email traffic. Furthermore it puts all suspected spam and attachments in a quarantine folder. .exe is of course always quarantined and never delivered to Exchange by default. I re-checked the Sophos configuration.
Still, during a backup the Sophos on-access scanner detected:
User: DOMAIN\SBS Backup User
Scan: On-access
Machine: SBSSERVER
Virus/spyware 'Troj/Spy-CU' has been detected in "\\.\GLOBALROOT\Device\HarddiskVolumeShadowCopy20\Program Files\Exchsrvr\Attachment quarantine\officexp-KB910721-FullFile-ENU.exe".
Cleanup unavailable.
The attempt to move the infected file "\\.\GLOBALROOT\Device\HarddiskVolumeShadowCopy20\Program Files\Exchsrvr\Attachment quarantine\officexp-KB910721-FullFile-ENU.exe" failed due to unknown error 0x80070013.
Virus/spyware 'Troj/Spy-CU' has been detected in "\\.\GLOBALROOT\Device\HarddiskVolumeShadowCopy20\Program Files\Exchsrvr\Attachment quarantine\officexp-KB910721-FullFile-ENU.exe".
Virus/spyware 'Troj/Spy-CU' has been detected in "\\.\GLOBALROOT\Device\HarddiskVolumeShadowCopy20\Program Files\Exchsrvr\Attachment quarantine\officexp-KB910721-FullFile-ENU.exe".
Virus/spyware 'Troj/Spy-CU' has been detected in "\\.\GLOBALROOT\Device\HarddiskVolumeShadowCopy20\Program Files\Exchsrvr\Attachment quarantine\officexp-KB910721-FullFile-ENU.exe".
Outlook blocks suspicious attachments by default and puts them in the quarantine folder. So it appears to have been received, but that cannot be under our config.
The question is how did this attachment get to that location via our Exchange server? Could it have been outbound? Can I check the Exchange logs to see who received or sent this email?
Thanks in advance,
Fred Blum
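The alert quoted above already answers part of the question before any log is opened: the detected path is a VSS snapshot device (`HarddiskVolumeShadowCopy20`), i.e. the backup's point-in-time copy of the volume, and the move failure 0x80070013 is HRESULT_FROM_WIN32(19), ERROR_WRITE_PROTECT, because a shadow copy is read-only. The live file sits at the same relative path on the real volume. The following is an added example of mine, not code from the thread or from Sophos: it parses the alert text, maps the snapshot path back to a drive letter, decodes the HRESULT and hashes the live file if it is still present. The alert text is the block from the post with its wrapped paths rejoined; the mapping of the snapshot to C: is an assumption to confirm with `vssadmin list shadows` on the server.

```python
"""Triage a Sophos on-access alert that fired against a VSS shadow copy.

Added example, not code from the thread or from Sophos.  ALERT is the alert
block from Fred's post with each wrapped path rejoined onto one line.
ASSUMPTION: the snapshot device is mapped to drive C: below; the
HarddiskVolumeShadowCopyN number alone does not say which volume was
snapshotted, so confirm with `vssadmin list shadows` on the server.
"""
import hashlib
import os
import re

ALERT = r'''User: DOMAIN\SBS Backup User
Scan: On-access
Machine: SBSSERVER
Virus/spyware 'Troj/Spy-CU' has been detected in "\\.\GLOBALROOT\Device\HarddiskVolumeShadowCopy20\Program Files\Exchsrvr\Attachment quarantine\officexp-KB910721-FullFile-ENU.exe".
Cleanup unavailable.
The attempt to move the infected file "\\.\GLOBALROOT\Device\HarddiskVolumeShadowCopy20\Program Files\Exchsrvr\Attachment quarantine\officexp-KB910721-FullFile-ENU.exe" failed due to unknown error 0x80070013.
Virus/spyware 'Troj/Spy-CU' has been detected in "\\.\GLOBALROOT\Device\HarddiskVolumeShadowCopy20\Program Files\Exchsrvr\Attachment quarantine\officexp-KB910721-FullFile-ENU.exe".
Virus/spyware 'Troj/Spy-CU' has been detected in "\\.\GLOBALROOT\Device\HarddiskVolumeShadowCopy20\Program Files\Exchsrvr\Attachment quarantine\officexp-KB910721-FullFile-ENU.exe".
Virus/spyware 'Troj/Spy-CU' has been detected in "\\.\GLOBALROOT\Device\HarddiskVolumeShadowCopy20\Program Files\Exchsrvr\Attachment quarantine\officexp-KB910721-FullFile-ENU.exe".
'''

DETECTION_RE = re.compile(
    r'Virus/spyware \'(?P<name>[^\']+)\' has been detected in\s+"(?P<path>[^"]+)"')
MOVE_FAIL_RE = re.compile(
    r'attempt to move the infected file\s+"(?P<path>[^"]+)"\s+'
    r'failed due to unknown error (?P<code>0x[0-9A-Fa-f]{8})')
# \\.\GLOBALROOT\Device\HarddiskVolumeShadowCopy<N>\<path relative to volume root>
SHADOW_RE = re.compile(
    r'^\\\\\.\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy(?P<n>\d+)\\(?P<rest>.*)$')

WIN32_ERRORS = {                 # the few codes a quarantine move can plausibly return
    2: "ERROR_FILE_NOT_FOUND",
    5: "ERROR_ACCESS_DENIED",
    19: "ERROR_WRITE_PROTECT",   # "the media is write protected": read-only snapshot
    32: "ERROR_SHARING_VIOLATION",
}


def decode_hresult(code):
    """Unwrap an HRESULT: 0x8007xxxx is HRESULT_FROM_WIN32(xxxx)."""
    facility = (code >> 16) & 0x1FFF
    low = code & 0xFFFF
    if facility == 7:            # FACILITY_WIN32
        return {"facility": "WIN32", "win32": low,
                "name": WIN32_ERRORS.get(low, "unknown")}
    return {"facility": facility, "win32": None, "name": "unknown"}


def live_path_from_shadow(path, volume="C:"):
    """Map a shadow-copy device path back to the live volume.  Returns
    (snapshot number, live path), or (None, path) if it is not a snapshot."""
    m = SHADOW_RE.match(path)
    if not m:
        return None, path
    return int(m.group("n")), volume + "\\" + m.group("rest")


def triage(alert_text, volume="C:"):
    """Pull every detection and every failed move out of the alert text."""
    detections = []
    for m in DETECTION_RE.finditer(alert_text):
        shadow, live = live_path_from_shadow(m.group("path"), volume)
        detections.append({"name": m.group("name"), "shadow_path": m.group("path"),
                           "shadow": shadow, "live_path": live})
    failures = [{"path": m.group("path"),
                 "error": decode_hresult(int(m.group("code"), 16))}
                for m in MOVE_FAIL_RE.finditer(alert_text)]
    return {"detections": detections, "move_failures": failures}


def file_fingerprint(path):
    """SHA-256 of the live file if it is still there, else None.  The hash is
    what you hand to the vendor or look up; the file itself stays put."""
    if not os.path.isfile(path):
        return None
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


if __name__ == "__main__":
    result = triage(ALERT)
    for live in sorted({d["live_path"] for d in result["detections"]}):
        print(f"{result['detections'][0]['name']} seen in snapshot; live path: {live}")
        print("  on disk now:", file_fingerprint(live) or "not present on this host")
    for f in result["move_failures"]:
        e = f["error"]
        print(f"move failed with {e['name']} (Win32 {e['win32']}): snapshots are read-only")
```

Run it on the SBS server as an account allowed to read the quarantine folder. If the live file is gone, the on-access scanner or the daily scan has already dealt with it and the snapshot hit is a stale copy that only the backup job could ever have touched; if it is still there, the hash plus the file's creation time are the two facts to take into the tracking-log search.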