Nod32 Enterprise & Mailmarshal 2k6 Exchange

I have added the following folders to the AMON exclusion list

e:\Program Files\Marshal\MailMarshal\Quarantine
e:\Program Files\Marshal\MailMarshal\Unpacking
e:\Program Files\Marshal\MailMarshal\Queues\Decryption (MailMarshal Secure)
e:\Program Files\Marshal\MailMarshal\Queues\Incoming
e:\Program Files\Marshal\MailMarshal\Quarantine

Also check for unwanted and unsafe applications has been disabled in AMON (IMON has been disabled). However I am still having issues with NOD32 intercepting the test virus file eicar.com which is generated by Mailmarshal as a self test.

I am also having issues with nod32 locking files within e:\Program Files\Marshal\MailMarshal\Unpacking even after the exclusions have been set. Is there something I am missing here?

 

You will not be able to set exclusions to force NOD32 to ignore the virus. The purpose of the exclusion is for software compatibility. When you add the exclusions, make sure you use both the short and long path, i.e. e:\Progra~\Marshal\MailMarshal\

 

The same test is done by Kerio MS. Their manual says to disable any resident protection you might have when configuring the AV for use with KMS.

 

I have a number of sites that I manage, where I have added the long and short paths for the MailMarshal directories, and in spite of this I STILL get the eicar.com test virus being captured occasionally from subfolders in the Unpacking directory. Is NOD32 simply not seeing that the subfolders are supposed to be excluded as well?

Very frustrating, I would hope something like this was an easy thing to configure!

 

We currently have this issue on multiple sites, (nod32, exchange, mailmarshal 6.1 & 6.2-current versions)

Current & old versions of Nod32 (2.7.39, 2.70.17 xmon), with long and short file names set..

We've also tried adding a file exclusion to the eicar.com file.. it still appears to scan the folders. - What are we doing wrong?

This wouldn't be so much of an issue if it wasn't for the fact that this tends to cause MailMarshal's services to unload.

 

*Bump*

Anyone..

We have spoken with our local distro for nod32 & our area rep from eset.. Still no resolution....

 

I have been emailing NOD32 support regarding this issue, and received the following feedback:

Please disable AMON.

1. Open the NOD32 Control Center window by clicking on the white and green NOD32 icon in the System Tray.

2. Click on AMON under Threat Protection Modules. The AMON - File System Monitor window will appear.

3. In the AMON - File System Monitor window, de-select (uncheck) the File system monitor (AMON) enabled option.

Once AMON is disabled, the NOD32 icon in the System Tray will turn red.


I replied to this asking why I would want to disable the realtime scanner, why have NOD32 on the machine at all?!? I got this in reply:

Unfortunately, the exceptions options within AMON were designed towards software compatibility and not to ignore files that are threats.

The reason disabling this was suggested was because you said that Mail Marshall used the command-line scanner to scan the files. As such, this is not implementing AMON in any way. This is using the scanner program nod32.exe. Unfortunately, there is no way to add exclusions to an on-demand scan with NOD32 2.7. I apologize for the inconvenience.


I thought, "Great, that's no help." So I asked if this would be a feature in the next version, or if I could add it as a feature request, and I got this:

Yes, this is a new feature in NOD32 3.0.

So, my recommendation is to upgrade to version 3.0 to get a "fix" for this problem!

Good luck!
V