NOD32, Windows 2003, Exchange 2003, SQL 2000

Discussion in 'NOD32 version 2 Forum' started by rperry, Jul 8, 2006.

Thread Status:
Not open for further replies.
  1. rperry

    rperry Registered Member

    Nov 28, 2005
    I have a quick question regarding the necessary products involved.

    I have been using NOD32 in our organization for over a year now. Everything has been working fantastic, and I have no complaints whatsoever. Now, I have some fine tuning questions as we are currently performing a Netware/Groupwise to Windows/Exchange migration.

    We purchased the NOD32 for Windows Enterprise. I have the RAS installed on a central server, and all other servers and workstations are clients of this RAS.

    Concerning our email system, we have SonicWall's Mail Frontier acting as the SMTP Gateway scanning for email-based malware. MF then passes email directly to Exchange. As we have not purchased NOD32 for Exchange, is it acceptable to stick with the already owned NOD32 for Windows on the Exchange server if I don't *need* NOD32 scanning the individual emails?

    Also, would someone please advise me on any special requirements as follows:
    1. Windows 2003 Enterprise R2 – Only AMON enabled. IMON, DMON, EMON are disabled and stopped (grey)
    2. SQL 2000 – Same as Windows 2003 with exclusions. Excluding the directories containing the .mdf and .ldf files. Should I instead simply exclude the .mdf and .ldf extensions?
    3. Exchange 2003 – Same as Windows 2003 with exclusions. Excluding the directories that contain the mail stores and logs. I have read about excluding the tmp files as well, and I assume that these are the tmp files associated with the mail stores?

    As a final overall question, I have installed SysInternal’s psexec.exe on all workstations in the %windir%\system32 directory. I have an exclusion for this as well since NOD32 detects this as a virus. However, the same file on the file server isn’t excluded in the config file due to its somewhat random location. Is it possible to exclude a certain file based on the file name and not the location? I seem to have been having some issues getting this to work correctly unless I define the entire path.

    I would appreciate any feedback. Thanks!

    My current version information is as follows:
    NOD32 antivirus system information
    Virus signature database version: 1.1645 (20060705)
    Dated: Wednesday, July 05, 2006
    Virus signature database build: 7626

    Information on other scanner support parts
    Advanced heuristics module version: 1.031 (20060606)
    Advanced heuristics module build: 1115
    Internet filter version: 1.002 (20040708)
    Internet filter build: 1013
    Archive support module version: 1.047 (20060704)
    Archive support module build version: 1166

    Information about installed components
    NOD32 For Windows NT/2000/XP/2003 - Base
    Version: 2.50.25
    NOD32 For Windows NT/2000/XP/2003 - Internet support
    Version: 2.50.25
    NOD32 for Windows NT/2000/XP/2003 - Standard component
    Version: 2.50.25

    Operating system information
    Platform: Windows XP
    Version: 5.1.2600 Service Pack 2
    Version of common control components: 5.82.2900
    RAM: 2040 MB
    Processor: Intel(R) Pentium(R) M processor 2.00GHz (1995 MHz)
  2. andrator

    andrator Registered Member

    Feb 10, 2006

    We're also in the middle of a NetWare/GroupWise and Windows 2000/Exchange 2000 to Windows 2003/Exchange 2003 migration.

    We're using a security appliance acting as SMTP/HTTP/FTP proxy, anti-spam, content filter and web filter using two AV engines.

    Depends on your AV policy. My current AV policy proposal mandates an AV on a mail server. Two layers would be better than only one. If the SonicWall fails, there's no backup.

    AMON and DMON enabled. DMON also scans for ActiveX controls. EMON disabled, because we don't have Outlook on non-Terminal Server and it causes errors on our Terminal Server. I don't have the time to troubleshoot this issue, as I already have adequate protection without requiring the extra protection of EMON.

    I'm currently configuring domain controllers and SQL server. See my post NOD32 Enterprise Edition on Windows servers.

    XMON (Exchange scanner) comes with its customized version of AMON, which automatically excludes extensions on an Exchange server. You should exclude EDB, TMP and EML extensions from AMON and the folders containing mail stores and logs.

    Don't know enough about exclusions. There appears to be an issue with AMON that sometimes you have to exclude files depending on their Long File Name or Short File Name. I exclude both, just to be sure. You can use the command dir /x to see the Short File Name for a folder or file.

    The option "Detect potential dangerous applications" could trigger psexec.exe being flagged. You can also consider disabling this option, if it flags too many files.

    If time permits I'll post the results of my configuration on this forum.
    Last edited: Jul 11, 2006
  3. andrator

    andrator Registered Member

    Feb 10, 2006
    XMON on Exchange automatically excludes .edb, .eml and .log from AMON. .edb is the database, .tmp temporary message files and .eml are message files. You need to manually exclude the datastore and transaction logs.

    Many Microsoft products are using jet databases. To commit data to database files (.edb), transactions are written to a transaction log (.log). After data is written to the database, a checkpoint (.chk) is advanced. This checkpoint marks the position in the log files at which the database is in a consistent state. Off topic: .log files are committed when you perform a backup.

    SQL uses database files (.mdf) and transaction logs (.log).

    I'm determining if I should also exclude other folders containing .chk, .log and .edb on more locations than advised in the MS documentation (exchange, ntds, frs, dhcp, wins). These are located in c:\windows\security, c:\windows\system32\catroot2, and c:\windows\softwaredistribution\datastore. I can't find many references, but right now I'm going to include these locations.
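The two posts above recommend excluding database and transaction-log folders from AMON, and excluding both the long and the 8.3 short form of each path because AMON sometimes matches only one of them. The script below is an added example, not code from either poster or from ESET: it turns a list of folders into both spellings (the short form is the same name `dir /x` prints) and then reports database-type files that still sit outside the excluded folders, so the list can be extended deliberately rather than discovered through locked-file errors. The folder paths and search roots are assumptions; substitute the real mail store, transaction log and SQL data locations.

```powershell
# Added example (not from the thread): build an on-access-scanner exclusion list
# containing BOTH the long and the 8.3 short form of each database/log folder,
# then look for database files the list does not yet cover.
# Paths below are assumptions; replace them with the real locations.

$ExcludedFolders = @(
    'C:\Program Files\Exchsrvr\MDBDATA',                 # assumed Exchange stores and logs
    'C:\Program Files\Microsoft SQL Server\MSSQL\Data'   # assumed SQL data (.mdf/.ldf)
)

# Extensions the posts name as belonging to Jet/ESE databases, Exchange and SQL.
$DatabaseExtensions = @('.edb', '.log', '.chk', '.tmp', '.eml', '.mdf', '.ldf')

# Scripting.FileSystemObject exposes the 8.3 name, equivalent to what 'dir /x' shows.
$fso = New-Object -ComObject Scripting.FileSystemObject

function Get-ExclusionPaths {
    param([string[]]$Folders)
    foreach ($folder in $Folders) {
        if (-not (Test-Path -LiteralPath $folder)) {
            Write-Warning "Folder not found, skipping: $folder"
            continue
        }
        $long  = (Resolve-Path -LiteralPath $folder).ProviderPath
        $short = $fso.GetFolder($long).ShortPath
        # Emit both forms; a scanner that matches on either spelling then skips the folder.
        [pscustomobject]@{ LongPath = $long; ShortPath = $short }
    }
}

function Test-InExcludedFolder {
    param([string]$Path, [string[]]$Folders)
    foreach ($folder in $Folders) {
        $prefix = $folder.TrimEnd('\') + '\'
        if ($Path.StartsWith($prefix, [System.StringComparison]::OrdinalIgnoreCase)) {
            return $true
        }
    }
    return $false
}

function Get-DatabaseFilesOutsideExclusions {
    param([string[]]$SearchRoots, [string[]]$Folders, [string[]]$Extensions)
    # Report database/log files that are NOT under an excluded folder, so the
    # exclusion list can be extended before the scanner locks a live file.
    Get-ChildItem -LiteralPath $SearchRoots -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $Extensions -contains $_.Extension.ToLower() } |
        Where-Object { -not (Test-InExcludedFolder -Path $_.FullName -Folders $Folders) } |
        Select-Object FullName, Extension, Length
}

# Usage: print the long/short pairs for the exclusion list, then the uncovered files.
Get-ExclusionPaths -Folders $ExcludedFolders | Format-Table -AutoSize
Get-DatabaseFilesOutsideExclusions -SearchRoots @('C:\Program Files', 'C:\Windows') `
    -Folders $ExcludedFolders -Extensions $DatabaseExtensions | Format-Table -AutoSize
```

The second report is intentionally broad: `.log` and `.tmp` are common extensions, so review each hit and exclude only the folders that belong to a database (the Exchange, NTDS, FRS, DHCP and WINS locations the post mentions) rather than every file the search returns.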