Issue with v4 on SBS 2003

I just installed NOD32 v4 on a network that has two servers and 30 workstations. We are using MS SBS 2003, when our backups run (using the SBS backup utility backing up to external USB drives) NOD32 finds some phishing related files when backing up the Exchange Mailboxes. At this point all network traffic is shut down on the server until I click through the dialog boxes asking if I want to clean or delete the files. After I do that then network traffic starts working again.

Under the Options for Real-Time file System protection I have the cleaning level set to Strict Cleaning hoping that this would cause the server to automatically deal with the issue and not prompt for input, but this isn't helping any.

My users that like to come in early or work on the weekend are getting a little angry because their workstations can't communicate with the server until I click through these messages on the server console.

In RAC when I look at the Threat Log the entries look like this.
Name Threat Action Information
\Device\HarddiskVolumeShadowCopy76\Program Files\Exchsrvr\Mailroot\vsi 1\UceArchive\ARCH_20080205110105027519350.EML HTML/Phishing.gen trojan error while cleaning Event occurred during an attempt to access the file by the application: C:\WINDOWS\system32\ntbackup.exe.

My concern is that I don't want the server shutting off network traffic when it finds something. I can see where that would be nice on a workstation, but I really don't want the server behaving this way. Is there a way to change the default behavior or turn off one of the features that would keep this from happening?

Any help would be appreciated.

 

Hi ndsambient,

Have you made all the necessary exclusions in the real time scanner and is it set to "Scan all files"?

BFG

 

This morning I made the exclusions listed here:
http://www.sbsfaq.com/Lists/FAQs/DispForm.aspx?ID=137
and
http://support.microsoft.com/kb/822158

I am not sure what you are referring to by "Scan all Files" I don't see an option labeled that anywhere in the Advanced Setup.

My concern is that I don't want the server shutting off network traffic when it finds something. I can see where that would be nice on a workstation, but I really don't want the server behaving this way. Is there a way to change the behavior or turn off one of the features that would keep this from happening?

 

As far as I know, ESET still haven't released a version of XMON compatible with EAV V4 or V3 for that matter. This means for an Exchange Server such as SBS 2003, you are currently stuck with XMON V2.71.9 and ESET Anti Virus V2.70.39.

Correct me if I'm wrong but this is currently your only option if you wish to protect an Exchange Server using ESET products.

 

Hello mickhardy and ndsambient,

Microsoft included Exchange in their SBS 2003 package and I believe the all the Small Business Server bundles since. As many of these small companies don't want to spend the money for a dedicated machine as their Exchange Server they're exluding more from the real time scanner and not losing thgat much in protection. The eml, edb and tmp extensions should definately be excluded as well as a number of other files and directories.

 

Hmm... I see, I'm suffering network lock ups too when a back up occurs (problem for me is there is no screen on the server so I've never been able to diagnose this problem).

It seems to me strict cleaning will always bring up a dialog box where a "system file" is involved (look at the description in the help file) and this is where the problem lies. There must be a way to disable the blocking of network traffic when this occurs.

 

BFG, thank you for your help. As a small IT consultant I have been very impressed with NOD32 and have started recommending and selling it to my clients. This is very helpful information for best practices when installing it on a SBS server.

The second part of my question is what illuzn just asked "It seems to me strict cleaning will always bring up a dialog box where a "system file" is involved (look at the description in the help file) and this is where the problem lies. There must be a way to disable the blocking of network traffic when this occurs." Is it possible to disable the feature of blocking network traffic when it finds something?

 

Hello,

You're very welcome. This kb article mentions excluding the entire backup program from scanning to resolve certain issues. http://kb.eset.com/esetkb/index?page=content&id=SOLN2153&

Those files have been scanned and were not seen as threats at that time. The scan during the backup is rescanning them with the latest definitions since then, which will be done again should you reopen them.

I hope that will help you both.

Thank you,
BFG

 

Uninstall 4.0, it's for workstations
Install 2.7. I have over 50 SBS boxes out there are various clients, they run like a top with 2.7.
And follow http://www.sbsfaq.com/Lists/FAQs/DispForm.aspx?ID=137 which I see you linked below..hopefully you added all that it mentions.

Also with XMON on SBS...I disable background scanning.
And with Esets AMON, I uncheck "Scan all files" under extensions, having it only scan a smaller list of file types.

 

What does XMON and AMON stand for?

 

Hi,

XMON - eXchange MONitor
AMON - File system monitor

Maybe the A was because it was the real time scanner.

BFG

 

This isn't really much of a solution consider NOD32 2.7 doesn't include a lot of the heuristics in versions 3/4. Or is this just marketing hype from Eset?

 

It's appalling but that's how it is. XMON hasn't been updated for years.

If it's ever released, it won't be going anywhere near our servers until it's proven itself over many months. ESET can't afford to blue screen even one Exchange Server and this may be why it's taking so long. They need to get it 100% right before releasing it.

This means for an Exchange Server such as SBS 2003, you are currently stuck with XMON V2.71.9 and ESET Anti Virus V2.70.39

 

IMO the advantages of 3 and 4 are web based protection, esp against those rogue vundu based variants that come in through web surfing.

Since any person who has 1/2 a brain will not be surfing the web from a server...and who will not be using the server as a regular workstation...this should not be an issue.

A server, when used properly as a server, does not have the typical exposure to threats as a workstation.