Xmon missed virus after Amon deleted temp file

Hi,

This morning, before any users arrived, I rebooted the Server for a security update. Two of the users had "Win32/Bagle.DR" viruses caught by Emon in Outlook. The Server had been up for about 30 minutes before these users logged on.

On the Server, Amon caught the same two viruses in the "C:\Windows\Temp" directory. The files were called NOD8D23.tmp and NOD8D26.tmp and were created by store.exe. Amon caught these files before the reboot.

What have I configured incorrectly to allow this and how did the viruses get past Xmon? Should Amon be scanning the Temp folder?

This is the first breach in eight months so any help would be appreciated.

Amon is configured to exclude the following folders as per KB823166
"C:\PROGRAM FILES\EXCHSRVR\"
"C:\WINDOWS\SYSTEM32\INETSRV\"
"C:\WINDOWS\IIS TEMPORARY COMPRESSED FILES\"

Mick

 

Couldn't it be that someone sent out nqf files from quarantine?

 

I don't think so. No-one has access to the Server's file system or Quarantine area and all viruses are deleted. I don't quarantine anything. The two e-mails were both incoming. The Server copy of Amon caught both viruses in C:\Windows\Temp. Shortly after, the client copy of Emon caught the same two viruses in Outlook. Xmon didn't delete the viruses.

The same thing happened over the weekend as well. Amon has caught the same virus in the temp folder on the Server and I imagine someone will receive a virus alert from Emon when they logon.

I think they must be created by Nod due to the name of the file but something is out of whack. I imagine I have something configured incorrectly although most settings are default.

Any ideas on where to start?

 

Three more of these Amon alerts from the Server this morning. Why have I suddenly started getting Virus Alerts from the Windows Temp folder from files named NODXXXX.tmp?

I've taken the step of excluding "tmp" files but I don't really think this is the correct solution. I haven't changed anything on the Server configuration.

This is my last day before holidays. I love unexplained issues cropping up at the last second, especially ones involving viruses.

12/20/2005 3:03:04 AM - AMON - File system monitor Threat Alert triggered on TheServer: C:\WINDOWS\TEMP\NOD1DB0.tmp is infected with Win32/Bagle.DR worm.
12/20/2005 3:05:15 AM - AMON - File system monitor Threat Alert triggered on TheServer: C:\WINDOWS\TEMP\NOD1E56.tmp is infected with Win32/Mytob.B worm.

 

I've just finished configuring XMON and was browsing through post covering XMON when I read this post. According to the XMON documentation it has some preset AMON exceptions to avoid collisions between AMON and XMON. These exceptions are set to exclude the EDB, TMP and EML file extensions from AMON.

It looks like you don't have AMON configured to exclude these file extensions and AMON is detecting them before XMON.

According to KB823166 these files should also be excluded from on-demand file scanners. XMON on-demand scanner is using NOD32 Control Centre Profile - Local, while NOD32 on-demand scanner is using Control Centre Profile. This means I have to configure both profiles. For the time being I've disabled on-demand scanning because there's no option to exclude folders, which means I have to include all the folders I wish to scan.

On a Exchange 2003 server with Novell Gateway services and the Novell client AMON would scan the Novell GroupWise mail store through the UNC path which I couldn't exclude. I had to disable scanning network drives to prevent AMON from accessing the GroupWise network volumes.

 

Also make sure that you have XMON 2.51.15 installed or download it from Eset's website and install it.

 

Thanks your a champion...

ok i added the Exclude folders
%PROGRAMFILES%\EXCHSRVR\MDBDATA\
%PROGRAMFILES%\EXCHSRVR\MTADATA\

and Unticked Scan All Files.

XMON is now picking up Virus's

Thankyou once again, now i can rest easy