Hi all, recently I have started getting a whole lot of alerts on our Exchange server about Win32/Wigon. Question is, why is it being picked up by AMON and not XMON? Is the threat coming in attached to an email? Or is the threat already on the server?

--------------
Date Received 2008-04-11 07:01:22
Date Occurred 2008-04-11 07:00:58
Level Critical Warning
Scanner NOD32 AMON
Object file
Name C:\WINDOWS\TEMP\NOD9E4F.tmp
Threat Win32/TrojanDownloader.Wigon.E trojan
Action quarantined - deleted - error while Cleaning - operation unavailable f
--------------
Date Received 2008-04-11 07:01:22
Date Occurred 2008-04-11 07:00:58
Level Critical Warning
Scanner NOD32 AMON
Object file
Name C:\WINDOWS\TEMP\NOD9E50.tmp
Threat Win32/Wigon.BL trojan
Action quarantined - deleted - error while Cleaning - operation unavailable f
I'm getting these alerts on a few clients now too, coming back from "Email filter - Outlook". How come XMON is missing these emails?

Date Received 2008-04-11 07:56:13
Date Occurred 2008-04-11 07:55:59
Level Warning
Scanner Email filter - Outlook
Object email message
Name from: Tanner Oakes to: Info with subject Angelina Jolie nude
Threat Win32/Wigon.BL trojan
Action contained infected files
XMON cannot detect them because they are not in the mails. Most likely the server itself is getting infected (file on the disk -> Name C:\WINDOWS\TEMP\NOD9E50.tmp) or there is a false positive. NOD9E50.tmp should be ESET NOD32's own file. The file and the server need further investigation. Contact your local ESET Support by email: http://www.eset.com/partners/worldwide.php As they have advised at times, you can also send an ESET log file from their ESET SysInspector http://www.eset.com/esibeta/
ESET support came back to me; this turned out to be a configuration issue. In the XMON manual, in chapter "4. Recommended settings", it says "To avoid the collision make sure that the AMON module is not set to scan .EDB, .TMP and .EML file types." I had AMON set to "Scan All files", so I am guessing AMON was picking up the virus before XMON got to see it. Now XMON is detecting the emails and deleting them. It feels a bit counter-intuitive to configure AMON to allow a virus through so that XMON can detect it, though. The advantage now is that I see the subject of the email, and who it was to, rather than just a *.tmp file.
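The alert pattern the thread resolves (an on-access AMON hit on an ESET NOD*.tmp working file under the Windows TEMP directory, which means AMON grabbed the message before XMON could) is easy to tell apart from a genuine on-disk infection once the alerts are parsed. The script below is an added example, not code from this thread or from ESET: it parses alert records in the flattened "Field value Field value ..." layout pasted above, and sorts each one into a collision, a client-side mail-filter catch, or an on-disk detection that deserves a real investigation. The sample records are constructed for this example (the third one, with a made-up path under C:\Inetpub, stands in for a real on-disk hit), and the collision rule itself is an assumption derived from the manual's recommended exclusions (.EDB, .TMP, .EML), not a documented ESET signal.

```python
"""Triage ESET alert records: AMON/XMON collision vs. real on-disk infection.

Added example (not from the forum thread or from ESET). The record layout
mirrors the alerts pasted in the thread; the sample records are constructed.
"""

import re
from dataclasses import dataclass

# Field order as it appears in the pasted alerts (assumed fixed).
FIELDS = ("Date Received", "Date Occurred", "Level", "Scanner", "Object",
          "Name", "Threat", "Action")

# ESET's own working files: NOD + hex digits + .tmp inside a TEMP directory.
# Assumption: an AMON hit on such a file is the AMON/XMON collision the
# XMON manual warns about, not a compromised host.
NOD_TEMP_RE = re.compile(r"\\TEMP\\NOD[0-9A-F]+\.TMP$", re.IGNORECASE)

# Extensions the XMON manual says AMON must not scan on an Exchange server.
XMON_EXCLUDED_EXT = (".edb", ".tmp", ".eml")

# Constructed sample alerts in the thread's flattened format.
SAMPLE_ALERTS = """\
Date Received 2008-04-11 07:01:22 Date Occurred 2008-04-11 07:00:58 Level Critical Warning Scanner NOD32 AMON Object file Name C:\\WINDOWS\\TEMP\\NOD9E50.tmp Threat Win32/Wigon.BL trojan Action quarantined - deleted
Date Received 2008-04-11 07:56:13 Date Occurred 2008-04-11 07:55:59 Level Warning Scanner Email filter - Outlook Object email message Name from: Tanner Oakes to: Info with subject Angelina Jolie nude Threat Win32/Wigon.BL trojan Action contained infected files
Date Received 2008-04-11 08:10:00 Date Occurred 2008-04-11 08:09:40 Level Critical Warning Scanner NOD32 AMON Object file Name C:\\Inetpub\\wwwroot\\update.exe Threat Win32/TrojanDownloader.Wigon.E trojan Action quarantined
"""


@dataclass
class Finding:
    scanner: str
    name: str
    threat: str
    verdict: str  # "collision", "mail-filter", "excluded-type", "on-disk", "other"


def parse_record(line: str) -> dict:
    """Split one flattened alert line into a dict keyed by FIELDS.

    Each field is 'Field value'; a value runs until the next field name,
    so values containing spaces (subjects, threat names) survive intact.
    """
    rec = {}
    pos = 0
    for i, field in enumerate(FIELDS):
        start = line.index(field, pos) + len(field) + 1
        if i + 1 < len(FIELDS):
            end = line.index(" " + FIELDS[i + 1] + " ", start)
        else:
            end = len(line)
        rec[field] = line[start:end].strip()
        pos = end
    return rec


def classify(rec: dict) -> Finding:
    """Decide what an alert most likely means for the Exchange server."""
    scanner, name = rec["Scanner"], rec["Name"]
    if scanner.startswith("Email filter"):
        # A client-side Outlook plugin caught it: the server layer let it by.
        verdict = "mail-filter"
    elif "AMON" in scanner and NOD_TEMP_RE.search(name):
        # On-access scan of ESET's own temp file: AMON beat XMON to the mail.
        verdict = "collision"
    elif "AMON" in scanner and name.lower().endswith(XMON_EXCLUDED_EXT):
        # Other .edb/.tmp/.eml hits: still the exclusion set, still suspect.
        verdict = "excluded-type"
    elif "AMON" in scanner:
        # A real file outside the Exchange temp path: investigate the host.
        verdict = "on-disk"
    else:
        verdict = "other"
    return Finding(scanner, name, rec["Threat"], verdict)


def triage(text: str) -> list:
    """Parse and classify every non-empty alert line in text."""
    return [classify(parse_record(ln)) for ln in text.splitlines() if ln.strip()]


def summarize(findings: list) -> dict:
    """Count findings per verdict, so a flood of collisions is obvious."""
    counts = {}
    for f in findings:
        counts[f.verdict] = counts.get(f.verdict, 0) + 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_ALERTS)
    for f in results:
        print(f"{f.verdict:13} {f.scanner:22} {f.threat:40} {f.name}")
    print(summarize(results))
```

Run against an export of the alert log, a pile of "collision" verdicts with no "on-disk" hits points at the AMON scan-all setting rather than a compromised server, which is exactly the distinction the thread needed before the exclusions were applied; any "on-disk" verdict still warrants the investigation the ESET reply above asks for.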