Every 1 hour NOD32 blocks emails with a virus

Discussion in 'Other ESET Business Products' started by barbouzouk, Mar 26, 2013.

Thread Status:
Not open for further replies.
  1. barbouzouk

    barbouzouk Registered Member

    Joined:
    Mar 26, 2013
    Posts:
    10
    Location:
    Luxembourg
    Hello everybody.

    Configuration:
    SBS 2011 (2008 R2 + Exchange 2010)
    ESET Mail Security 4

    Every hour, NOD32 blocks emails with some trojan (Win32/PSW.Fareit.A trojan horse, JS/Redirector.NJE trojan horse, JS/Kryptik.AII trojan horse, etc.).

    However, the emails don't come from outside, because I don't have any logs in my firewall.
    I checked every computer but I don't find any virus.
    I used the Microsoft Safety Scanner on the server and the computers => no problem.

    I don't see where the virus is.



    Here is a small log of the emails with trojans.

    I need help please.

    Thank you


     

    Attached Files:

  2. dwomack

    dwomack Eset Staff Account

    Joined:
    Mar 2, 2011
    Posts:
    588
    In the log you submitted, I'm seeing emails from fiserv.com, bankofamerica.com, adp.com, linkedin.com, ups.com, customerdomain.com, newyork.bbb.org, gmail.com, email.att-mail.com and dhl.com.

    Are you sure these are all internal-only emails?
    If the detection is coming from emails being received, any malicious file or code found within the email is being detected in the email and blocked, which explains why none of the computers you checked were infected. It appears ESET Mail Security is working correctly and keeping your computers safe from infection.
     
  3. barbouzouk

    barbouzouk Registered Member

    Joined:
    Mar 26, 2013
    Posts:
    10
    Location:
    Luxembourg
    Thank you for your reply, dwomack.

    Yes, I'm sure the emails do not come from outside, because I looked at the firewall logs in real time when NOD32 posted the warnings to me. Moreover, the mails displayed in the ESET logs are always the same, at regular intervals.

    However, is it that ESET displays these warning messages because the "infected" emails are still in the inbox of my Outlook users?
  4. karlisi

    karlisi Registered Member

    Joined:
    Apr 7, 2011
    Posts:
    68
    Location:
    Latvia
  5. barbouzouk

    barbouzouk Registered Member

    Joined:
    Mar 26, 2013
    Posts:
    10
    Location:
    Luxembourg
    Thank you.

    It's a very interesting article.

    I'll look at the logs and come back quickly.

    Thanks
  6. barbouzouk

    barbouzouk Registered Member

    Joined:
    Mar 26, 2013
    Posts:
    10
    Location:
    Luxembourg
    So,
    I see certain new threats blocked by ESET with the Bulk tag (added by the firewall), but no new mail. I'm sure the threats are in the Exchange database because they're already inside.

    I think I'll contact the customer and delete the emails if they are present in Outlook.
  7. barbouzouk

    barbouzouk Registered Member

    Joined:
    Mar 26, 2013
    Posts:
    10
    Location:
    Luxembourg
    For example, I searched for the email from => secure.notification@fiserv.com, but it doesn't exist in the database.

    Yet this mail comes back constantly in the analysis.
  8. barbouzouk

    barbouzouk Registered Member

    Joined:
    Mar 26, 2013
    Posts:
    10
    Location:
    Luxembourg
    Logs for this morning

    3/29/2013 10:44:47 AM Mail server filter email from: secure.notification@fiserv.com to: [EX:/O=FIRST ORGANIZATION/OU=EXCHANGE ADMINISTRATIVE GROUP (FYDIBOHF23SPDLT)/CN=RECIPIENTS/CN=user1] subject ***BULK*** Fiserv Secure Email Notification - 011808181 date 2/12/2013 Win32/PSW.Fareit.A trojan contained infected files NT AUTHORITY\SYSTEM
    3/29/2013 10:44:46 AM Mail server filter email from: cashproonline_notification@bankofamerica.com to: [EX:/O=FIRST ORGANIZATION/OU=EXCHANGE ADMINISTRATIVE GROUP (FYDIBOHF23SPDLT)/CN=RECIPIENTS/CN=user2] subject ***BULK*** CashPro Online Digital Certificate Granted date 2/13/2013 Win32/PSW.Fareit.A trojan contained infected files NT AUTHORITY\SYSTEM
    3/29/2013 10:44:44 AM Mail server filter email from: ops_invoice@adp.com to: [EX:/O=FIRST ORGANIZATION/OU=EXCHANGE ADMINISTRATIVE GROUP (FYDIBOHF23SPDLT)/CN=RECIPIENTS/CN=user2] subject ***BULK*** ADP Payroll Invoice for week ending 02/15/2013 - 00326 date 2/19/2013 Win32/PSW.Fareit.A trojan contained infected files NT AUTHORITY\SYSTEM
    3/29/2013 10:44:44 AM Mail server filter email from: welcome@linkedin.com to: [SMTP:hjiaqwdf@domaincustomer.com] subject Efax Corporate date 2/21/2013 JS/Redirector.NJE trojan contained infected files NT AUTHORITY\SYSTEM
    3/29/2013 10:44:43 AM Mail server filter email from: ups-shipping-agency@ups.com to: [SMTP:hjiaqwdf@domaincustomer.com] subject ***BULK*** Re: End of Aug. Statement Required date 2/22/2013 JS/Redirector.NJE trojan contained infected files NT AUTHORITY\SYSTEM
    3/29/2013 10:44:43 AM Mail server filter email from: accounting@domaincustomer.com to: [SMTP:ievaidcx@domaincustomer.com] subject ***SPAM*** Re: FW: End of Aug. Statement date 2/22/2013 JS/Redirector.NJE trojan contained infected files NT AUTHORITY\SYSTEM
    3/29/2013 10:44:43 AM Mail server filter email from: ops_invoice@adp.com to: [EX:/O=FIRST ORGANIZATION/OU=EXCHANGE ADMINISTRATIVE GROUP (FYDIBOHF23SPDLT)/CN=RECIPIENTS/CN=user2]; [EX:/O=FIRST ORGANIZATION/OU=EXCHANGE ADMINISTRATIVE GROUP (FYDIBOHF23SPDLT)/CN=RECIPIENTS/CN=user1]; [EX:/O=FIRST ORGANIZATION/OU=EXCHANGE ADMINISTRATIVE GROUP (FYDIBOHF23SPDLT)/CN=RECIPIENTS/CN=user3]; [SMTP:user2@domaincustomer.com] subject ***BULK*** ADP Payroll Invoice for week ending 02/22/2013 date 2/25/2013 Win32/PSW.Fareit.A trojan contained infected files NT AUTHORITY\SYSTEM
    3/29/2013 10:44:41 AM Mail server filter email from: cashproonline_notification@gcibemail.bankofamerica.com to: [EX:/O=FIRST ORGANIZATION/OU=EXCHANGE ADMINISTRATIVE GROUP (FYDIBOHF23SPDLT)/CN=RECIPIENTS/CN=user2] subject ***BULK*** Your CashPro Online Digital Certificate date 3/1/2013 Win32/PSW.Fareit.A trojan contained infected files NT AUTHORITY\SYSTEM
    3/29/2013 10:44:41 AM Mail server filter email from: ops_invoice@adp.com to: [EX:/O=FIRST ORGANIZATION/OU=EXCHANGE ADMINISTRATIVE GROUP (FYDIBOHF23SPDLT)/CN=RECIPIENTS/CN=user1] subject ***BULK*** ADP Payroll INVOICE for week ending 03/01/2013 date 3/4/2013 Win32/PSW.Fareit.A trojan contained infected files NT AUTHORITY\SYSTEM
    3/29/2013 10:44:40 AM Mail server filter email from: totalsourceautomation@adp.com to: [EX:/O=FIRST ORGANIZATION/OU=EXCHANGE ADMINISTRATIVE GROUP (FYDIBOHF23SPDLT)/CN=RECIPIENTS/CN=user1] subject ***BULK*** ADP TotalSource Automated Payroll Invoice Notification date 3/5/2013 Win32/PSW.Fareit.A trojan contained infected files NT AUTHORITY\SYSTEM
    3/29/2013 10:44:38 AM Mail server filter email from: Marietta_Galloway@newyork.bbb.org to: [EX:/O=FIRST ORGANIZATION/OU=EXCHANGE ADMINISTRATIVE GROUP (FYDIBOHF23SPDLT)/CN=RECIPIENTS/CN=user1] subject BBB SBQ Form #332336833(Ref#30-332336833-0-4) date 3/14/2013 Win32/PSW.Fareit.A trojan contained infected files NT AUTHORITY\SYSTEM
    3/29/2013 10:44:37 AM Mail server filter email from: att-online.services@email.att-mail.com to: [EX:/O=FIRST ORGANIZATION/OU=EXCHANGE ADMINISTRATIVE GROUP (FYDIBOHF23SPDLT)/CN=RECIPIENTS/CN=user1] subject ***BULK*** AT&T online payment confirmation date 3/18/2013 Win32/PSW.Fareit.A trojan contained infected files NT AUTHORITY\SYSTEM
    3/29/2013 10:44:36 AM Mail server filter email from: AadenIma9wggHI@gmail.com to: [EX:/O=FIRST ORGANIZATION/OU=EXCHANGE ADMINISTRATIVE GROUP (FYDIBOHF23SPDLT)/CN=RECIPIENTS/CN=user1] subject ***BULK*** Re: End of Aug. Statmeent required date 3/19/2013 JS/Kryptik.AII trojan contained infected files NT AUTHORITY\SYSTEM
    3/29/2013 10:44:36 AM Mail server filter email from: LinnCarnoske@domaincustomer.com to: [EX:/O=FIRST ORGANIZATION/OU=EXCHANGE ADMINISTRATIVE GROUP (FYDIBOHF23SPDLT)/CN=RECIPIENTS/CN=user1] subject ***BULK*** Re: FW: End of Aug. Stat. Required date 3/19/2013 JS/Kryptik.AII trojan contained infected files NT AUTHORITY\SYSTEM
    3/29/2013 10:44:36 AM Mail server filter email from: reports@dhl.com to: [EX:/O=FIRST ORGANIZATION/OU=EXCHANGE ADMINISTRATIVE GROUP (FYDIBOHF23SPDLT)/CN=RECIPIENTS/CN=user1] subject ***BULK*** DHL delivery report date 3/19/2013 Win32/TrojanDownloader.Wauchos.I trojan contained infected files NT AUTHORITY\SYSTEM
    3/29/2013 10:44:33 AM Mail server filter email from: payment.advice@hsbc.com.hk to: [EX:/O=FIRST ORGANIZATION/OU=EXCHANGE ADMINISTRATIVE GROUP (FYDIBOHF23SPDLT)/CN=RECIPIENTS/CN=user1] subject ***BULK*** Payment Advice - Advice Ref:[B32839574508] date 3/28/2013 Win32/PSW.Fareit.A trojan contained infected files NT AUTHORITY\SYSTEM
     
  9. barbouzouk

    barbouzouk Registered Member

    Joined:
    Mar 26, 2013
    Posts:
    10
    Location:
    Luxembourg
    For example, in this log:

    3/29/2013 10:44:47 AM Mail server filter email from: secure.notification@fiserv.com to: [EX:/O=FIRST ORGANIZATION/OU=EXCHANGE ADMINISTRATIVE GROUP (FYDIBOHF23SPDLT)/CN=RECIPIENTS/CN=user1] subject ***BULK*** Fiserv Secure Email Notification - 011808181 date 2/12/2013 Win32/PSW.Fareit.A trojan contained infected files NT AUTHORITY\SYSTEM

    I see ***BULK*** in the subject. Yet I disabled the ***BULK*** tag in the SMTP rule on my firewall at 09:00 this morning, and in this log at 10:44 AM I still see ***BULK***.

    So this email doesn't come from the WAN.
  10. clyde123

    clyde123 Registered Member

    Joined:
    Apr 11, 2008
    Posts:
    69
    Location:
    Glasgow
    Hi Barbouzouk. For instance, the messages from ...@adp.com are definitely rubbish messages; these are definitely spam - I see them all the time here.
    You have Exchange Server on the computer in question, and you're using ESET Mail Security.
    EMS filters all emails coming into the Exchange Server, for all your users. It takes these messages out of the queue and out of the users' mailboxes. EMS puts these messages into a quarantine. The location of the quarantine will depend on how you set up the Exchange Server and ESET Mail Security. You might find logs in EMS / Tools / Quarantine.
    But if you have set up a quarantine mailbox, these messages will have been moved to that special mailbox.

    So, yes, ESET Mail Security is correctly doing its job. It is stopping these messages before they go to your users' PCs, which is why you do not see them on the users' machines.

    These senders will continue sending this rubbish every day. Expect large numbers every day.
  11. clyde123

    clyde123 Registered Member

    Joined:
    Apr 11, 2008
    Posts:
    69
    Location:
    Glasgow
    EMS does re-scan regularly. Where is your quarantine?
    It might be that EMS is re-scanning the quarantined messages, and this is where your log messages are coming from.
    Can you clean out the quarantine? Empty it?
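The re-scan hypothesis in the post above can be tested against the log itself rather than against the firewall: every detection in the log posted earlier in the thread is stamped within a few seconds of 10:44 AM on 3/29/2013, while the message dates range from 2/12/2013 to 3/28/2013, and most subjects still carry the perimeter filter's ***BULK*** tag that was switched off at 09:00 that morning. Both facts point at mail already sitting in the Exchange store being scanned on a schedule, not at a fresh inbound flow. The script below is an added example, not code from the thread or from ESET; it parses the log in the English-translated field layout used on this page (the French labels translated), and the 5-minute "burst" window and the 09:00 cutoff are illustrative parameters taken from the discussion. The four embedded lines are copied from the posted log.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# ESET Mail Security detection-log layout as translated in this thread.
# Assumption: US-style m/d/Y timestamps and the English field labels used on this page.
LOG_RE = re.compile(
    r"^(?P<detected>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) "
    r"Mail server filter email from: (?P<sender>\S+) "
    r"to: (?P<recipients>.+?) subject (?P<subject>.+?) "
    r"date (?P<msgdate>\d{1,2}/\d{1,2}/\d{4}) "
    r"(?P<threat>\S+) trojan contained infected files (?P<account>.+)$"
)

# Sample input: four lines copied from the log posted in this thread (translated).
SAMPLE_LOG = """\
3/29/2013 10:44:47 AM Mail server filter email from: secure.notification@fiserv.com to: [EX:/O=FIRST ORGANIZATION/OU=EXCHANGE ADMINISTRATIVE GROUP (FYDIBOHF23SPDLT)/CN=RECIPIENTS/CN=user1] subject ***BULK*** Fiserv Secure Email Notification - 011808181 date 2/12/2013 Win32/PSW.Fareit.A trojan contained infected files NT AUTHORITY\\SYSTEM
3/29/2013 10:44:44 AM Mail server filter email from: welcome@linkedin.com to: [SMTP:hjiaqwdf@domaincustomer.com] subject Efax Corporate date 2/21/2013 JS/Redirector.NJE trojan contained infected files NT AUTHORITY\\SYSTEM
3/29/2013 10:44:36 AM Mail server filter email from: reports@dhl.com to: [EX:/O=FIRST ORGANIZATION/OU=EXCHANGE ADMINISTRATIVE GROUP (FYDIBOHF23SPDLT)/CN=RECIPIENTS/CN=user1] subject ***BULK*** DHL delivery report date 3/19/2013 Win32/TrojanDownloader.Wauchos.I trojan contained infected files NT AUTHORITY\\SYSTEM
3/29/2013 10:44:33 AM Mail server filter email from: payment.advice@hsbc.com.hk to: [EX:/O=FIRST ORGANIZATION/OU=EXCHANGE ADMINISTRATIVE GROUP (FYDIBOHF23SPDLT)/CN=RECIPIENTS/CN=user1] subject ***BULK*** Payment Advice - Advice Ref:[B32839574508] date 3/28/2013 Win32/PSW.Fareit.A trojan contained infected files NT AUTHORITY\\SYSTEM
"""


def parse_line(line):
    """Parse one detection line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["detected"] = datetime.strptime(rec["detected"], "%m/%d/%Y %I:%M:%S %p")
    rec["msgdate"] = datetime.strptime(rec["msgdate"], "%m/%d/%Y")
    rec["sender_domain"] = rec["sender"].rsplit("@", 1)[-1].lower()
    # The perimeter filter prepends ***BULK*** / ***SPAM*** to the subject of
    # suspect inbound mail, so a tag on a stored message dates its arrival.
    rec["tagged"] = rec["subject"].startswith(("***BULK***", "***SPAM***"))
    return rec


def parse_log(text):
    """Parse all matching lines of a log; non-matching lines are skipped."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def classify_batch(records, window=timedelta(minutes=5)):
    """Tell a scheduled re-scan of mail already in the store from live inbound
    traffic: a re-scan fires many detections inside a short window on messages
    whose own dates are days or weeks old. `window` is an illustrative choice."""
    if not records:
        return "empty"
    detected = sorted(r["detected"] for r in records)
    oldest_msg = min(r["msgdate"] for r in records)
    burst = detected[-1] - detected[0] <= window
    stale_days = (detected[0].date() - oldest_msg.date()).days
    if burst and stale_days > 1:
        return "stored-mail rescan"
    return "inbound"


def tagged_after_cutoff(records, cutoff):
    """Records whose subject still carries the perimeter tag but that were logged
    after the tagging rule was switched off at `cutoff`: they must already have
    been in the mailbox store when the rule changed."""
    return [r for r in records if r["tagged"] and r["detected"] > cutoff]


def summarize(records):
    """Counts per threat name and sender domain, plus the age of the oldest message."""
    return {
        "by_threat": Counter(r["threat"] for r in records),
        "by_sender_domain": Counter(r["sender_domain"] for r in records),
        "oldest_message_age_days": (
            max(r["detected"] for r in records).date()
            - min(r["msgdate"] for r in records).date()
        ).days,
    }


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(classify_batch(recs))
    # Cutoff taken from the thread: the ***BULK*** rule was disabled at 09:00 on 3/29/2013.
    for r in tagged_after_cutoff(recs, datetime(2013, 3, 29, 9, 0)):
        print("tagged before the rule change:", r["sender"], r["msgdate"].date())
    print(summarize(recs))
```

If the classification comes back as a re-scan, the messages to look for are in the recipients' mailboxes (or the quarantine mailbox, if one is configured) dated as shown in the `date` field, not in today's inbound queue; that is what the thread eventually found.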
     
  12. barbouzouk

    barbouzouk Registered Member

    Joined:
    Mar 26, 2013
    Posts:
    10
    Location:
    Luxembourg
    Hi Clyde123, thank you for your reply.

    I don't use the quarantine in ESET, but I see a message in ESET:
    Excuse the translation => put the message in the quarantine (the mail server's system quarantine).

    So I can use this option: delete message.

    Wait and see.

    Thank you Clyde123
  13. barbouzouk

    barbouzouk Registered Member

    Joined:
    Mar 26, 2013
    Posts:
    10
    Location:
    Luxembourg
    Hello everybody.

    Here are the logs for this morning.


    I see it checks hour by hour.
     

    Attached Files:

  14. barbouzouk

    barbouzouk Registered Member

    Joined:
    Mar 26, 2013
    Posts:
    10
    Location:
    Luxembourg
    Hello everybody.

    I found several emails in the mailbox. I deleted all the mails, and now everything should be back to normal.

    Thank you