Exchange Infection - Default Virtual SMTP Server - SPAM in Queues

Discussion in 'NOD32 version 2 Forum' started by James Talyor, Sep 30, 2006.

Thread Status:
Not open for further replies.
  1. James Talyor

    James Talyor Registered Member

    Joined:
    Sep 30, 2006
    Posts:
    6
    Ok I need some help please!!! XMON is not working properly, my exchange is DEFINITELY infected and I need help on
    1. How to Clean it
    2. How to Fix it
    3. Why the hell is nod32 XMON not detecting the viruses??

    First off this is what my exchange looks like @ the moment
    Direct Link:
    http://img82.imageshack.us/img82/2011/infectedexchangebt5.jpg

    So whilst Spam sits comfortably in the exchange annoying the hell out of half the planet...

    this is what XMON is doing...
    Direct Link:
    http://img97.imageshack.us/img97/2439/nod32xmonjl9.jpg

    The settings are high on XMON and if i "Rescan" the exchange

    I get lots of these from AMON with NOD*.tmp files as a virus
    Direct Link:
    http://img100.imageshack.us/img100/2934/nod32amonrn3.jpg

    Please help me, it's driving me nuts... If I scan with NOD32 (following Blackspear's setup) NOD32 finds nothing

    For those who are interested...

    Xmon Setup

    [ ] = Not Ticked
    [*] = Ticked

    Scanner.
    Background Scanning [*]
    Proactive Scanning [*]
    Scan plain text message bodies [ ]
    Scan RTF message bodies [*]
    Scan transported messages [*]
    Detection
    All Ticked
    Extensions
    Scan all files [*]
    Actions
    Clean --> Delete for all in drop down
    Rules
    Nothing in here... default.
    Deleting
    Overwrite message body with virus log [*]
    Replace file with virus log [*]
    Performance
    Number of threads [4]
    Time limit [180] Seconds
    Logs
    Log all files [ ]
    Synchronous logging [ ]
    Log Server version [ ]
    Log License [ ]
     
    Last edited: Oct 3, 2006
  2. covaro

    covaro Registered Member

    Joined:
    Jul 4, 2006
    Posts:
    149
    Location:
    Abingdon, MD, USA
    @James Taylor

    This does not indicate that "Exchange is infected" (at least based on your picture). You might be passing virus-laden email for some reason (I haven't gotten to play with XMON yet), but Exchange itself isn't infected (C:\Windows\Temp\ is not used by Exchange for anything message-wise; it has its own set of directories to run all that in). Have you confirmed that you are not an open relay? You can check it at http://www.spamhelp.org/shopenrelay/
    I wouldn't think it was; if you were an open relay, you would have hundreds if not thousands of messages in the queue, which is not likely with what I'm seeing.

    Also, have you verified that Exchange is set up to filter non-AD emails and not accept them (it does not do this by default)? This is what it looks like (check the individual messages in the queue; they are probably NDRs from postmaster@yourexchangeserver). Assuming you are running Exchange 2003, follow the directions here:

    http://www.amset.info/exchange/filter-unknown.asp

    After you do this you want to make sure you delete all the messages in your queue and make sure you DON'T send NDRs.

    Assuming that your Exchange box is the final destination for your domain, you might want to think about putting something in front of it to protect the Exchange server from itself. =D

    Let us know how things go.

    -Cov
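Covaro's advice to look at the individual queued items and see whether they are NDRs from the local postmaster can be turned into a quick triage check. The script below is an added example, not from the thread: it parses the headers of constructed sample queue items (the `example.com` domain and all sample headers are assumptions) and flags bounces that the server generated itself and is about to send to addresses outside its own domain, which is the backscatter pattern a server accepting mail for unknown recipients produces.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: the domain this Exchange server accepts mail for.
LOCAL_DOMAIN = "example.com"

# Constructed sample queue items standing in for messages pulled from the
# SMTP queue folder; none of these come from the original thread.
SAMPLES = {
    "bounce_to_spoofed_sender": (
        "Return-Path: <>\r\n"
        "From: postmaster@example.com\r\n"
        "To: random.victim@elsewhere.invalid\r\n"
        "Subject: Undeliverable: Re: your account\r\n"
        "Content-Type: multipart/report; report-type=delivery-status; boundary=b\r\n"
        "\r\n--b\r\nThe recipient name is not recognized.\r\n--b--\r\n"
    ),
    "legit_outbound": (
        "Return-Path: <alice@example.com>\r\n"
        "From: alice@example.com\r\n"
        "To: bob@partner.invalid\r\n"
        "Subject: Q3 numbers\r\n\r\nSee attached.\r\n"
    ),
    "inbound_ndr": (
        "Return-Path: <>\r\n"
        "From: postmaster@partner.invalid\r\n"
        "To: alice@example.com\r\n"
        "Subject: Undeliverable: Q3 numbers\r\n\r\nMailbox full.\r\n"
    ),
}


def is_ndr_backscatter(raw, local_domain=LOCAL_DOMAIN):
    """True when the message looks like a bounce and is addressed off-domain."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    rcpt = parseaddr(msg.get("To", ""))[1].lower()
    return_path = (msg.get("Return-Path") or "").strip()
    is_bounce = (
        return_path in ("", "<>")            # null reverse path used by bounces
        or sender.startswith("postmaster@")  # generated by a mail system
        or msg.get_content_type() == "multipart/report"
    )
    leaves_domain = bool(rcpt) and not rcpt.endswith("@" + local_domain)
    return is_bounce and leaves_domain


def triage(samples, local_domain=LOCAL_DOMAIN):
    """Names of queued messages that should be deleted rather than delivered."""
    return sorted(n for n, raw in samples.items() if is_ndr_backscatter(raw, local_domain))
```

The inbound NDR addressed to a local user is deliberately left alone, since only bounces leaving the domain are the ones the thread suggests purging from the queue.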
     
  3. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Also make sure that you are actually using the most current version of XMON. Maybe you could do a clean install as follows:
    - download the latest version of NOD32 for Exchange 2.51.15 (XMON)
    - uninstall the current XMON
    - restart the computer
    - delete the program files/eset folder
    - install XMON 2.51.15
    - restart the computer
    - update the signature database to the most current version 1.1784
     
  4. James Talyor

    James Talyor Registered Member

    Joined:
    Sep 30, 2006
    Posts:
    6
    Thanks for the link, I will check and I will also try and update XMON.
    Are you sure my exchange isn't infected o_O... if you look at the picture again

    it says the c:\windows\temp\NOD*.tmp file was created from the

    c:\Program Files\Exchsrvr\bin\store.exe

    which is the exchange

    I agree that the exchange doesn't use the c:\windows\temp\ folder but it would appear the viruses sure do. I find it weird that XMON has been installed for at least 6 months and has not found 1 virus o_O??

    Thanks though for both of your help, I will check this out tomorrow

    Regards
    James Talyor...
     
  5. James Talyor

    James Talyor Registered Member

    Joined:
    Sep 30, 2006
    Posts:
    6
    We do have the latest version... it just appears XMON is not picking up viruses?

    Please we need help!!!

    Thanks to covaro we seem to have slowed the problem... no new Virtual SMTP Servers are in the list...

    But if we rescan with XMON we still get lots of the *.tmp files
     
  6. covaro

    covaro Registered Member

    Joined:
    Jul 4, 2006
    Posts:
    149
    Location:
    Abingdon, MD, USA
    @James Taylor

    Glad I could help alleviate some of the problem. Never used XMON so I can't help too much on that part. All the Exchange servers I deal with have some form of Mail Gateway/Filter in front of the Exchange server and all the cleaning is done there.

    Hope you get everything sorted out.

    -Cov
     
  7. James Talyor

    James Talyor Registered Member

    Joined:
    Sep 30, 2006
    Posts:
    6
    Anybody used XMON and can help me? Is there a part of the wilderssecurity.com website that can help me with XMON?
     
  8. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    I have asked for someone from Eset to respond.

    Cheers :D
     
  9. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    Haven't you changed the default list of extensions to be scanned in AMON?

    I'm not from ESET but you may wish to consider the following - I believe it will fully resolve your issue.

    Your temp files are being picked up by AMON before XMON can check them. The default configuration of AMON in NOD32 for Exchange has a pre-configured list of extensions it checks instead of all files.

    The last two posts of -->this<-- thread list some file and folder exclusions as well as referencing the M$ KB article discussing suggested exclusions for Exchange Servers in general -->HERE<--. This is also discussed in the XMON manual -->HERE<--, which states:
    All of this information is available and more in the documents listed here.

    Basically following the instructions Marcos gave exactly at post#3 of this thread should have resolved your issue.
    HTH

    Cheers :)
     
  10. James Talyor

    James Talyor Registered Member

    Joined:
    Sep 30, 2006
    Posts:
    6
    Thanks, you're a champion...

    OK, I added in AMON the Exclude folders
    %PROGRAMFILES%\EXCHSRVR\MDBDATA\
    %PROGRAMFILES%\EXCHSRVR\MTADATA\

    and Unticked Scan All Files.

    XMON is now picking up viruses

    Thank you once again, now I can rest easy
     
  11. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    You're welcome :)

    Glad it's sorted, thanks for posting back to let us know.

    Cheers :)
     
  12. WizardMaster

    WizardMaster Registered Member

    Joined:
    Sep 24, 2006
    Posts:
    27
    Location:
    Auckland, NZ
    XMON has no problem with Windows 2003 Small Business Server Standard R2 with the new Exchange Server 2003 SP2 update.

    When XMON found the infection from SMTP, XMON automatically deleted the infection. I don't care about the infected attachment; it must be destroyed!

    When the client received the email, it showed the infection report. They will reply back to the sender.

    I am happy with XMON; it is better protection against threat infection on every workstation computer, including those with NOD32 standalone. If XMON fails, don't worry, EMON or IMON (Workstation) will back it up by checking.

    ;)
     