Exchsrvr exclude question

Discussion in 'NOD32 version 2 Forum' started by 4trees, Nov 6, 2006.

Thread Status:
Not open for further replies.
  1. 4trees

    4trees Registered Member

    Joined:
    Nov 6, 2006
    Posts:
    8
    Most of the files for exclusion are inside the \program files\exchsrvr folder, which is excluded. But I notice in the NOD exclusion window there is a button to select file or folder.

    Does this mean the files should be excluded as "files" as well as the "folder"?
     
  2. covaro

    covaro Registered Member

    Joined:
    Jul 4, 2006
    Posts:
    149
    Location:
    Abingdon, MD, USA
    @4trees

    No, one or the other. Individual files would be preferred over the whole folder (just in case).

    -Cov
     
  3. 4trees

    4trees Registered Member

    Joined:
    Nov 6, 2006
    Posts:
    8
    preferred?

    So this could explain why xmon is skipping some files and amon is scanning them, such as store.exe?

    So, don't exclude folders. Just exclude files?
     
  4. covaro

    covaro Registered Member

    Joined:
    Jul 4, 2006
    Posts:
    149
    Location:
    Abingdon, MD, USA
    @4trees

    Well, think of it this way: if you skip an entire folder, there is always the possibility that a virus could land in that folder and AMON would totally miss it then. By using the files themselves you prevent that possibility. Nothing more.

    Really all you need to skip are the files in Program Files\ExchSrvr\MDBDATA

    -Cov
     
  5. 4trees

    4trees Registered Member

    Joined:
    Nov 6, 2006
    Posts:
    8
    store.exe is not located in that folder. Isn't this an excluded file?

    short file names have been mentioned regarding amon doing all the scanning on the exchange store.

    My understanding of sfn is this is no longer an issue with SBS2003 and this was confirmed by eset and Microsoft. Can someone please explain why this could be a cause of amon scanning on the server.

    we had 30+ amon alerts just this morning and it's getting kind of serious.
     
  6. covaro

    covaro Registered Member

    Joined:
    Jul 4, 2006
    Posts:
    149
    Location:
    Abingdon, MD, USA
  7. 4trees

    4trees Registered Member

    Joined:
    Nov 6, 2006
    Posts:
    8
    AMON is scanning 90% and XMON is scanning 10%. The exclusions are implemented.

    So, about the sfn query?
     
  8. covaro

    covaro Registered Member

    Joined:
    Jul 4, 2006
    Posts:
    149
    Location:
    Abingdon, MD, USA
    That I can't say, never had the pleasure of using XMON yet (I usually use a Linux box before the Exchange Server). So I'm not sure about using SFN when selecting the files.

    -Cov
     
  9. 4trees

    4trees Registered Member

    Joined:
    Nov 6, 2006
    Posts:
    8
    the microsoft KB you referred me to lists files/folders other than MDBData.

    You've never used XMON? Do you think you should be offering expertise here for enterprise settings?
     
  10. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    Hi 4trees,

    You may find this post and the resources it references to be helpful in setting up your AMON and XMON config for correct operation.

    Please post back so we know if you have got it sorted out or not, or if you need some more info.

    Cheers :)
     
  11. 4trees

    4trees Registered Member

    Joined:
    Nov 6, 2006
    Posts:
    8
    OK, I do have scan all files unchecked in AMON. I have mtdata and mbdata excluded among other files.

    There is so much conflicting advice on this subject here, at nod, and user experts. For example, if scan all files is unchecked on amon then there need not be any exclusions at all. This seems very simple to me. I wonder why this isn't made clear where it matters most?

    So, I'm going to remove all exclusions in the morning and leave scan all files unchecked, and see if this resolves the problem. I'll be in touch.

    But reading MSKB's I see this: "do not scan these files"

    • Cdb.exe
    • Cidaemon.exe
    • Store.exe
    • Emsmta.exe
    • Mad.exe
    • Mssearch.exe
    • Inetinfo.exe
    • W3wp.exe

    Earlier today I got advice off the forum not to exclude store.exe.

    You can understand the frustration with all of this. So many contradictions and hazy answers.
     
  12. 4trees

    4trees Registered Member

    Joined:
    Nov 6, 2006
    Posts:
    8
    can someone please tell me these answers....

    In the AMON status window, the word "file" has index.html associated with it all the time. What does this mean?

    Also, I am going to uninstall the XMON module only and see if this fixes my problem. How do I uninstall XMON only and reinstall?
     
  13. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    If you have optimise scanning enabled then probably it is the only file accessed that is new or changed. Is the number of files scanned by AMON increasing by just one at a time?

    As a reply to the poster it was intended for, Marcos suggested the following steps to do that.

    It will be different than this for you if you also have RAS/RAC or other NOD32 components installed on your server as well. If this is the case, download fresh versions of NOD32 and XMON, uninstall all (you should be able to leave the RAS/RAC in place if they are the current versions already) and reinstall using default configurations for each, with XMON being the very last one to be re-installed even if it complains it is older.

    The version of AMON that is included with XMON has a slightly different default configuration than usual to allow for it being an Exchange server, so things like the .log and .tmp files mentioned for exclusion are already excluded with the default installation.

    That is a list of running processes that should not be scanned in memory by a process scanner. NOD32 does not scan memory except for when the on-demand scanner is opened (if it is enabled).

    HTH

    Cheers :)
     
  14. andrator

    andrator Registered Member

    Joined:
    Feb 10, 2006
    Posts:
    54
    Location:
    Netherlands
    It doesn't get any better with other AV products whose manuals I read trying to find more information on this topic ;)

    First of all which version of Exchange are you using on which server version?

    NOD32 user pointed to a quote from the XMON manual not to scan all files unless two folders were excluded. I noticed some inconsistency in the XMON manual and AMON behaviour. I've enabled AMON to scan all files and excluded the folder. With this setting the file extensions tmp, log and eml are excluded. I was curious what would happen if I disabled scanning all files. In that case AMON doesn't include tmp and log as file extensions to scan, but it does include eml. So in my opinion there's an inconsistency about the eml extension. It's excluded when you scan all files, but included in the list of extensions to be scanned when you disable scan all files.

    What version of Exchange are you using and which KB article are you referring to. I'm asking, because there are different KB articles for Exchange 2000 and 2003.

    I simply excluded the entire program files\exchsrvr folder from AMON and be done with it. No more worrying about which files and folders to exclude. As soon as there is a worm that specifically targets excluded folders on Exchange server I will review my exclusions...

    You also have to distinguish between on-access scanning and on-demand scanning. Some advice only applies to on-demand scanning. The problem is that NOD32 doesn't support excluding files/folders which especially is a PITA on networks with Exchange, SQL and Domain Controllers where Microsoft clearly states that particular folders need to be excluded from file scanning. This has made it practically impossible to use NOD32 for file scanning on my Exchange server. One less issue to worry about :D

    Don't be. Use the right KB article for your environment, and define how much risk you are willing to take by excluding 'root' folders instead of subfolders or files.
     
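The trade-off covaro raises in post 4 (a whole-folder exclusion also exempts anything that later lands in that folder) and that andrator accepts in post 14 (excluding the entire exchsrvr folder and reviewing it only if a worm targets excluded folders) can be made concrete with a small audit script. The following is an added example written for this thread, not code from the posters or from ESET; the exclusion syntax, the file paths and the sample file accesses are all constructed, and it assumes a folder exclusion covers every subfolder beneath it, which is how the posters describe the behaviour rather than a documented NOD32 rule.

```python
"""Compare how much an on-access scanner would leave unscanned under a
whole-folder exclusion versus per-file exclusions (constructed example)."""
from pathlib import PureWindowsPath

# Constructed policy 1: exclude the whole Exchange folder (andrator's approach).
FOLDER_POLICY = {"folders": [r"C:\Program Files\Exchsrvr"], "files": []}

# Constructed policy 2: exclude only the database/log files (covaro's approach).
# File names are illustrative; a real list comes from the Microsoft KB for
# the Exchange version in use.
FILE_POLICY = {
    "folders": [],
    "files": [
        r"C:\Program Files\Exchsrvr\MDBDATA\priv1.edb",
        r"C:\Program Files\Exchsrvr\MDBDATA\priv1.stm",
        r"C:\Program Files\Exchsrvr\MDBDATA\E00.log",
    ],
}

# Constructed file accesses as AMON might observe them. The last entry stands
# in for an unexpected new file dropped into the Exchange tree.
OBSERVED = [
    r"C:\Program Files\Exchsrvr\MDBDATA\priv1.edb",
    r"C:\Program Files\Exchsrvr\MDBDATA\E00.log",
    r"C:\Program Files\Exchsrvr\bin\store.exe",
    r"C:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\dropped.exe",
]


def is_excluded(path, policy):
    """True if `path` would be skipped under `policy`.

    Folder entries cover the folder and everything beneath it (assumption);
    file entries must match exactly. PureWindowsPath compares case-insensitively,
    matching NTFS semantics.
    """
    p = PureWindowsPath(path)
    for folder in policy["folders"]:
        if PureWindowsPath(folder) in p.parents:
            return True
    return any(PureWindowsPath(f) == p for f in policy["files"])


def unscanned(paths, policy):
    """Every observed path the scanner would skip under `policy`."""
    return [p for p in paths if is_excluded(p, policy)]


def coverage_gap(paths, broad, narrow):
    """Paths the broad policy leaves unscanned but the narrow policy still scans.

    This is exactly the set of files where the whole-folder exclusion gives up
    detection that per-file exclusions would keep.
    """
    return [p for p in paths
            if is_excluded(p, broad) and not is_excluded(p, narrow)]


if __name__ == "__main__":
    print("Skipped under folder policy:")
    for p in unscanned(OBSERVED, FOLDER_POLICY):
        print("  ", p)
    print("Skipped under per-file policy:")
    for p in unscanned(OBSERVED, FILE_POLICY):
        print("  ", p)
    print("Detection given up by the folder policy:")
    for p in coverage_gap(OBSERVED, FOLDER_POLICY, FILE_POLICY):
        print("  ", p)
```

Run against the constructed accesses, the folder policy skips all four paths, including the dropped executable, while the per-file policy skips only the two database files it names; the gap is what a site accepts in exchange for not maintaining the file list, which is the risk decision andrator describes.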