Exchange 2003 and XMON Logging

Discussion in 'NOD32 version 2 Forum' started by intense, Jun 22, 2008.

Thread Status:
Not open for further replies.
  1. intense

    intense Registered Member

    Nov 19, 2006
    We have an installation of Exchange Enterprise 2003 SP2 with NOD32 for Exchange 2.7x (XMON) installed on it. The antivirus program has for some time been picking the same virus contained in a spreadsheet called either "Exp Diary 2007.xls" or "Copy of Exp Diary 2007 2.xls". The antivirus program identifies the virus as a "probably unknown POLY MACRO virus". Our antivirus software is configured to clean emails if possible and the virus is said to have been successfully removed the virus from the .xls file it infects.

    We are trying to identify which email account or accounts are repeatedly receiving this email however we are having zero luck identifying any further details about the infected emails. So far we have tried:

    1) Enabling message and SMTP tracking to match up the times of emails being received and the AV log of viruses been cleaned but we have yet been able to match the two as none of the users who received emails during this time have any record of the .xls attachment. We are performing detailed synchronous logging.

    2) Search all emails using exmerge. I have used all sorts of combo's but as yet no email account has been found with any of the .xls attachments the AV program says it has cleaned.

    Now if I understand the XMON product it is unable to tell us who was sent the infected email because the XMON product doesn't get handed the full email details, only the body and attachments. It scans both and sends it back to Exchange, not caring who it was to be sent to or from, only that it is clean.

    What we are looking for is if there is any log that Exchange produces, or any NOD32 utility that exists, that can record what emails Exchange is passing to external programs or that XMON is receiving. Does anyone know of such a log or program?
  2. duijv023

    duijv023 Registered Member

    Feb 16, 2006
    Rijnsburg, Netherlands
    So if i understand you correctly, you have no e-mails in any account that seem to be cleaned?
    In that case it might be possible that the cleaned e-mails are considered as spam, and are in a spamfoldero_O?

    Greetings from Holland
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.