Gandalf-LoJ
January 17th, 2007, 02:17 PM
Hey there,
We're trialling NOD32 for Microsoft Exchange on our Small Business Server 2003 system that was running Trend CSM.
However we have a little issue with XMON. I've been in contact with support and they are helping but are scratching their heads a bit and suggested a post here while they investigate further.
Here is the run of events and what happens;
Trend fully un-installed via add-remove programs - server rebooted twice.
NOD install using this PDF as a guide: http://www.eset.co.uk/support/eexmssbsman.pdf
Now, that PDF, I deviated a little as on page 6, the part about specifying the server update address port uses 8081 as a default. On SBS this port is used by SharePoint Central Administration so cannot be used for the update server. So this was changed to 8088, then the rest of the document was followed.
AMON is chugging away nicely (I've added all of the exclusions recommended in the PDF as well as some additions that Microsoft recommend too). However, I noticed that XMON was showing 0 for scanned, infected and cleaned files in the status monitor. So I started to do some tests.
I did a mailserver test courtesy of GFI and they sent loads of emails with various vulnerabilities and several with the EICAR test virus. These were not picked up via XMON; however, the client-side Outlook plugin caught three of the EICAR viruses. Not good.
XMON does look like it's all installed fine: xmon.dll is hooked into store.exe when I check it out via Process Explorer, and HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeIS\VirusScan shows that xmon.dll is the Library that is being used for the VSAPI.
It was then that I got onto support. They came back with these suggestions;
{QUOTE->
Unfortunately I have never come across this problem with XMON before, so I’m a little mystified by it. What OS is the server running, and what level of Exchange service pack? Also is XMON shown as blue in Control Centre?
I would also check in XMON setup that ‘background scanning’ and ‘proactive scanning’ are ticked, and also that at least ‘signatures’ is ticked in the Detection section. Also do you have any other apps installed which might use the VSAPI, e.g. GFI MailEssentials?
<-QUOTE}
My reply;
{QUOTE->
Thanks for the reply. Server OS: this is Windows Server 2003 for Small Business Server. This is running SP1.
Exchange is Version 6.5 (Build 7638.2: SP2)
XMON is shown as blue in the control center, I've tried disabling then re-enabling too. Scanner properties are Background, Proactive and RTF Message bodies. Detection has everything apart from the dangerous applications.
That is a good question about other apps. We do indeed use GFI MailEssentials for Spam control. I never thought that this would affect anything as it was running happily with Trend CSM and is purely used for anti spam and their list server.
<-QUOTE}
Back from support;
{QUOTE->
Thanks for the information – I’ve done a bit more investigating and apparently XMON should work fine with GFI Mail Essentials, but NOT with their Mail Security product.
Just to be sure, I guess it might be worth disabling Mail Essentials temporarily, just to rule it out.
Can you also make sure that the Exchsrvr folder is excluded in AMON Setup, and check that ‘scan all files’ is ticked in XMON Setup (in the Extensions bit).
<-QUOTE}
and my reply;
{QUOTE->
I temporarily disabled Mail Essentials but no joy there. It's still not catching test emails. The Exchsrvr folder along with the other recommended folders are excluded from AMON scanning and scan all files is ticked in the XMON setup.
<-QUOTE}
And the final mail from them is requesting some registry info and to also post up here to see if anyone has any ideas! Hopefully the emails above will show you the steps already taken and may assist in diagnosing the problem further.
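Added example (not part of the original post, and not ESET or Microsoft code): one way to compare a `reg query` dump of the VirusScan key named above against the settings support asked about. Only `Library` appears in the post; the value names `Enabled`, `BackgroundScanning` and `ProactiveScanning`, the DLL path and the sample output are assumptions constructed for illustration.

```python
import re

# Key named in the post. Save its contents with: reg query "<key>" > vsapi.txt
VSAPI_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeIS\VirusScan"

# Constructed sample of `reg query` output (not taken from the poster's server).
# The DLL path is a placeholder; the DWORD value names are assumed VSAPI settings.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeIS\VirusScan
    Enabled    REG_DWORD    0x0
    BackgroundScanning    REG_DWORD    0x1
    ProactiveScanning    REG_DWORD    0x1
    Library    REG_SZ    C:\Example\Path\xmon.dll
"""

# Value lines are indented: <name> <REG_type> <data>, separated by spaces or tabs.
VALUE_LINE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*?)\s*$")


def parse_reg_query(text):
    """Return {lowercased value name: data}; REG_DWORD data is converted to int."""
    values = {}
    for line in text.splitlines():
        match = VALUE_LINE.match(line)
        if not match:
            continue  # key header, version banner or blank line
        name, kind, data = match.groups()
        values[name.lower()] = int(data, 16) if kind == "REG_DWORD" else data
    return values


def check_vsapi(values, expected_dll="xmon.dll"):
    """List mismatches between the registry values and the expected scanner setup."""
    findings = []
    library = str(values.get("library", ""))
    if not library.lower().endswith("\\" + expected_dll):
        findings.append(f"Library does not point at {expected_dll} (found {library!r})")
    for name in ("Enabled", "BackgroundScanning", "ProactiveScanning"):
        found = values.get(name.lower())
        if found != 1:
            findings.append(f"{name} is not 1 (found {found!r})")
    return findings


if __name__ == "__main__":
    for finding in check_vsapi(parse_reg_query(SAMPLE)) or ["no mismatches"]:
        print(finding)
```
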