MS smallbusiness 2003 - what to exclude in AMON?

Discussion in 'NOD32 version 2 Forum' started by duijv023, Jan 15, 2008.

Thread Status:
Not open for further replies.
  1. duijv023

    duijv023 Registered Member

    Joined: Feb 16, 2006
    Posts: 230
    Location: Rijnsburg, Netherlands
    Hi guys,

    As far as I know one should exclude the Exchange and IIS (inetpub) folders and a minor few others (they are mentioned in various docs from MS and also here on Wilders).

    But when you read http://www.theregister.co.uk/2008/01/11/mysterious_web_infection/

    More accurately, the following:
    The outbreak coincides with another mass infection in progress that's infected tens of thousands of pages, including those of Boston University, security provider Computer Associates, and agencies from the state of Virginia and the city of Cleveland. It infects websites running Microsoft's Internet Information Server web program and the company's SQL database with links that redirect users to servers in China. The malicious sites then try to install keylogging software and other nasties.

    So how do I protect my web contents if AMON is not allowed to scan the web contents?
    Or am I missing something? :eek:

    I guess I possibly saw an infection as described in the linked document last Monday. And yeah, it gave me a kind of headache.
    On one customer's SBS server the DNS server went down during the weekend and could not be restarted anymore.
    During the weekend AMON quarantined a few files according to the logs; password stealing tools and hacktools were seen by NOD32.
    In addition to this, Windows File Protection alarmed me that some files were replaced or malformed (but I couldn't find which ones).
    After repairing the files and rebooting the machine, everything was OK again (NOD32 did not find any other infection again during the manual scan). But I was still wondering how on earth this came in, because there is also a firewall between the SBS and the internet. And one thing is for sure: NOD32 does not often ignore malware, I find it very reliable.

    Greetings from a stormy and rainy Holland
     
  2. ASpace

    ASpace Guest

    Your topic means "server 2003", not Exchange.

    On Server 2003 (not Exchange) you do not need to exclude anything in particular.

    This document (page 10) talks about what needs to be excluded ... Best is:
    %ProgramFiles%\Exchsrvr
    %SystemRoot%\System32\Inetsrv

    The above two are excluded in AMON only in Exchange.

    If you mean Exchange, well, you can schedule a new task to perform a manual scan on ...System32\Inetsrv\ every 12 or 24 hours.
     
  3. duijv023

    duijv023 Registered Member

    For the record,
    for Exchange we have (of course) XMON running.

    Greetings
     
  4. duijv023

    duijv023 Registered Member

    OOOPS, I was missing something :oops:
    The excluded folder is INETSRV, and NOT INETPUB!!!

    I guess it was a little bit too late last night, so I mixed them up o_O

    But MS still advises to exclude more things.
    See http://support.microsoft.com/kb/823166

    cheers, tonight I am going to bed early ;-)
     
  5. ASpace

    ASpace Guest

    Can you please make it clear what we are talking about -> Microsoft Exchange Server or Microsoft Windows Server 2003 Small Business edition (they are different things)?


    In Windows Server you do not need to exclude any directory (there is no must).
    In Exchange Server (mail server) there is a strong recommendation to exclude certain directories.

    In Exchange Server, when they are excluded in AMON, XMON will scan their data.

    You can use the Scheduler of NOD32 to make a regular on-demand scan with the on-demand scanner component. What you need to do:
    1. Open NOD32 on-demand scanner
    2. Navigate to "Profiles" tab
    3. Press "Profiles" button
    4. Name a new profile
    5. From the drop-down list choose this new profile
    6. Configure it the way you like it
    7. Go to the "Scanning targets" section and uncheck "Local"
    8. In the "Files and folders" section add these folders:
    %ProgramFiles%\Exchsrvr
    %SystemRoot%\System32\Inetsrv

    9. Close the on-demand scanner and confirm the changes with the Yes button
    10. Navigate to the Scheduler and create yourself a new task (on-demand scanning, choose how often to run, when to run, at the end choose the profile you have just created)
     
  6. duijv023

    duijv023 Registered Member

    Microsoft Windows Server 2003 Small Business edition is the platform we are talking about.
    But within Server 2003 Small Business edition, Exchange is running (just for the record).
     
  7. ASpace

    ASpace Guest

    OK. Thanks.

    Then you exclude these directories in AMON:
    %ProgramFiles%\Exchsrvr
    %SystemRoot%\System32\Inetsrv

    Have XMON enabled

    + create an on-demand scanner task to manually scan desired folders more regularly.
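
The Inetsrv/Inetpub mix-up discussed in this thread can be caught mechanically. The following is an added example, not part of the thread and not an ESET tool: it checks a list of real-time scanner exclusions against the directories that hold served web content. The environment values, the `C:\Inetpub` content root and all function names are assumptions for illustration.

```python
import ntpath
import re

# Assumed values for a default Windows Server 2003 install (constructed).
ENV = {"ProgramFiles": r"C:\Program Files", "SystemRoot": r"C:\WINDOWS"}
# Assumed default IIS content root; add every site's real home directory.
WEB_CONTENT_ROOTS = [r"C:\Inetpub"]


def expand(path, env=ENV):
    """Expand %VAR% case-insensitively, then normalise case and separators."""
    lookup = {k.lower(): v for k, v in env.items()}
    expanded = re.sub(r"%([^%]+)%",
                      lambda m: lookup.get(m.group(1).lower(), m.group(0)),
                      path)
    return ntpath.normcase(ntpath.normpath(expanded))


def is_within(child, parent):
    """True if child is parent itself or lies below it (whole components only)."""
    return child == parent or child.startswith(parent.rstrip("\\") + "\\")


def audit(exclusions, web_roots=WEB_CONTENT_ROOTS, env=ENV):
    """Return (exclusion, reason) for entries that leave web content unscanned."""
    roots = [expand(r, env) for r in web_roots]
    findings = []
    for raw in exclusions:
        path = expand(raw, env)
        if "%" in path:
            findings.append((raw, "unresolved variable"))
        elif any(is_within(path, r) for r in roots):
            findings.append((raw, "inside web content root"))
        elif any(is_within(r, path) for r in roots):
            findings.append((raw, "parent of web content root"))
    return findings


if __name__ == "__main__":
    # The two exclusions recommended in the thread, then the mistaken variant.
    recommended = [r"%ProgramFiles%\Exchsrvr", r"%SystemRoot%\System32\Inetsrv"]
    mistaken = recommended + [r"C:\Inetpub"]
    print(audit(recommended))
    print(audit(mistaken))
```
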
     
  8. duijv023

    duijv023 Registered Member

    OK thanks,
    this is indeed how it is configured :thumb: ,
    so that part is OK!

    Greetings from Holland
     
  9. ASpace

    ASpace Guest

    You are welcome!

    Greetings from sunny Bulgaria! :D :thumb:
     