Exchange Infection - Default Virtual SMTP Server - SPAM in Queues

Ok i need some help please!!! XMON is not working properly, my exchange is DEFINATELY Infected and i need help on
1. How to Clean it
2. How to Fix it
3. Why the hell is nod32 XMON not detecting the viruses??

First off this is what my exchange looks like @ the moment
Direct Link:
http://img82.imageshack.us/img82/2011/infectedexchangebt5.jpg

So whilst Spam sits comfortably in the exchange annoying the hell out of half the planet...

this is what XMON is doing...
Direct Link:
http://img97.imageshack.us/img97/2439/nod32xmonjl9.jpg

The settings are high on XMON and if i "Rescan" the exchange

i get lots of these from AMON with NOD*.tmp files as a virus
Direct Link:
http://img100.imageshack.us/img100/2934/nod32amonrn3.jpg

Please help me its driving me nuts... If i scan with Nod32 (following Blackspears setup) nod32 finds nothing

For those who are interested...

Xmon Setup

[ ] = Not Ticked ..............
[*] = Ticked

Scanner.
Background Scanning [*]
Proactive Scanning [*]
Scan plain text messages bodies [ ]
Scan RTF message bodies [*]
Scan transported messages [*]
Detection
All Ticked
Extensions
Scan all files [*]
Actions
Clean --> Delete for all in drop down
Rules
Nothing in here... default.
Deleting
Overwrite message body with virus log [*]
Replace file with virus log [*]
Performance
Number of threads [4]
Time limit [180] Seconds
Logs
Log all files [ ]
Sychronous logging [ ]
Log Server version [ ]
Log License [ ]

 

@James Taylor

This does not indicate that "Exchange is infected" (at least based on your picture). You might be passing Virus ladened email for some reason (I haven't gotten to play with XMON yet), but Exchange itself isn't infect (C:\Windows\Temp\ is not used by Exchange for anything message wise, it has it's own set of directories to run all that in). Have you confirmed that you are not an open relay? You can check by it @ http://www.spamhelp.org/shopenrelay/
I wouldn't think it was, if you were an open relay, you would have hundreds if not thousands of messages in the queue, not likely with what I'm seeing.

Also, have you verified that Exchange is setup to filter non-AD emails and not accept them (it does not do this by default). This is what it looks like (Check the individual messages in the Queue, they are prolly NDRs from postmaster@yourexchangeserver). Assuming you are running Exchange 2003 follow the directions here:

http://www.amset.info/exchange/filter-unknown.asp

After you do this you want to make sure you delete all the messages in your queue and make sure you DON'T send NDRs.

Assuming that your Exchange box is the final destination for you domain, you might want to think about putting something in front of it to protect the Exchange server from itself. =D

Let us know how things go.

-Cov

 

Also make sure that you are actually using the most current version of XMON. Maybe you could do a clean install as follows:
- download the latest version of NOD32 for Exchange 2.51.15 (XMON)
- uninstall the current XMON
- restart the computer
- delete the program files/eset folder
- install XMON 2.51.15
- restart the computer
- update the signature database to the most current version 1.1784

 

thanks for the link i will check and i will also try and update XMON
are you sure my exchange isnt infected... if you look at the picture again

it says the c:\windows\temp\NOD*.tmp file was created from the

c:\Program Files\Exchsrvr\bin\store.exe

which is the exchange

i agree that the exchange doesnt use the c:\windows\temp\ folder but it would appear the virus's sure do I find it weird that Xmon has been installed for @ least 6 months and has not found 1 virus??

thanks thou for both of your help i will check this out tomorrow

Regards
James Talyor...

 

We do have the latest version... it just appears XMON is not picking up viruses?

Please we need help!!!

thanks to covaro we seem to have slowed the problem ... no new Virtual SMTP Servers are in the list...

But if we rescan with XMON we still get lots of the *.tmp files

 

@James Taylor

Glad I could help alleviate some of the problem. Never used XMON so I can't help too much on that part. All the Exchange servers I deal with have some form of Mail Gateway/Filter in front of the Exchange server and all the cleaning is done there.

Hope you get everything sorted out.

-Cov

 

anybody used XMON? and can help me is there a part of the wilderssecurity.com website that can help me with XMON?

 

I have asked for someone from Eset to respond.

Cheers

 

Haven't you changed the default list of extensions to be scanned in AMON?

I'm not from ESET but you may wish to consider the following - I beleive it will fully resolve your issue.

Your temp files are being picked up by AMON before XMON can check them. The default configuration of AMON in NOD32 for Exchange has a pre-configured list of extensions it check instead of all files.

The last two posts of -->this<-- thread list some file and folder exclusions as well as references the M$ KB article discussing suggested exclusions for Exchange Servers in general -->HERE<-- This is also discussed in the XMON manual -->HERE<-- which states:-

All of this information is available and more in the documents listed here.

Basically following the instructions Marcos gave exactly at post#3 of this thread should have resolved your issue.

HTH

Cheers

 

Thanks your a champion...

ok i added in AMON the Exclude folders
%PROGRAMFILES%\EXCHSRVR\MDBDATA\
%PROGRAMFILES%\EXCHSRVR\MTADATA\

and Unticked Scan All Files.

XMON is now picking up Virus's

Thankyou once again, now i can rest easy

 

You're welcome

Glad it's sorted, thanks for posting back to let us know.

Cheers

 

XMON has no problem with Window 2003 Small Business Server Standard R2 with new update Exchange Server 2003 SP2.

while XMON found the infection from SMTP, XMON put automatic deleted the infection. I don't care about infection attachment must destroyed !

When Client received the email show infection report. They will reply back to from sender.

I am happy with XMON is better protection against threat infection on every workstation computers have including NOD32 Std alone. If XMON failure, don't worried EMON or IMON (Workstation) will backup checking it.