RE: Exchange 2007 SCR replication logs infected with trojan
Thanks to both Mike and Dan. Will look into the suggestions.

Disclaimer [The information contained in this e-mail message and any attached files are confidential information and intended solely for the use of the individual or entity to whom they are addressed. This transmission may contain information that is privileged, confidential or exempt from disclosure under applicable law. If you have received this e-mail in error, please notify the sender immediately and delete all copies. If you are not the intended recipient, any disclosure, copying, distribution, or use of the information contained herein is STRICTLY PROHIBITED. Path Solutions accepts no responsibility for any errors, omissions, computer viruses and other defects.]
RE: Exchange 2007 SCR replication logs infected with trojan
You should not be scanning the log files. Ever. Exclude that directory and remove all the log files from quarantine, restoring them to their original location.

See http://theessentialexchange.com/blogs/michael/archive/2010/06/16/antivirus-exclusions-and-windows.aspx and the articles linked from that article, especially http://technet.microsoft.com/en-us/library/bb332342(EXCHG.80).aspx

Regards,
Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com

From: Liby Philip Mathew [mailto:lmat...@path-solutions.com]
Sent: Wednesday, August 18, 2010 6:24 AM
To: MS-Exchange Admin Issues
Subject: Exchange 2007 SCR replication logs infected with trojan

Hi,

I have a SCR replication log file infected with a Trojan which is not replicating to the SCR target. McAfee identified it as a JS/Redirector.z on the source. How can I get rid of this Trojan without deleting the log so that the SCR replication will continue? How can I avoid future infection to the logs?

Regards,
Liby
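A check a defender can run after following the advice above, added here as an example (it is not code from the thread, from Exchange or from any AV vendor): once the quarantined logs are back in place, confirm that the log folder really is covered by the AV exclusion list and that the log generation sequence is contiguous, because a single missing generation is what the "errors on 1 particular log" symptom reported later in the thread looks like to the SCR target. It assumes the Exchange 2007 log naming scheme (three-character prefix such as E00 followed by eight hex digits) and uses constructed, hypothetical paths and file names.

```python
"""Checks for an Exchange 2007 storage-group log folder after AV quarantine:
the folder must be in the AV exclusion list and the log generation sequence
must be contiguous (one missing generation stops log replay on the SCR target)."""
import os
import re
import sys

# Exchange 2007 log name: 3-char prefix (E00, E01, ...) + 8 hex digits + .log.
# E00.log (current log), E00tmp.log, .chk and .jrs files are not generations.
LOG_NAME = re.compile(r"^(E\d{2})([0-9A-F]{8})\.log$", re.IGNORECASE)

def _norm(p: str) -> str:
    """Windows path for comparison: backslashes, lower case, no trailing
    separator (so the check behaves the same on any host OS)."""
    return p.replace("/", "\\").rstrip("\\").lower()

def is_excluded(path: str, exclusions) -> bool:
    """True if `path` equals or lies under one of the excluded folders."""
    target = _norm(path)
    return any(target == _norm(e) or target.startswith(_norm(e) + "\\")
               for e in exclusions)

def missing_generations(file_names):
    """Map each log prefix to the generation files missing from its range;
    an empty list means that storage group's sequence is contiguous."""
    seen = {}
    for name in file_names:
        m = LOG_NAME.match(name)
        if m:
            seen.setdefault(m.group(1).upper(), set()).add(int(m.group(2), 16))
    report = {}
    for prefix, gens in seen.items():
        wanted = set(range(min(gens), max(gens) + 1))
        report[prefix] = [f"{prefix}{g:08X}.log" for g in sorted(wanted - gens)]
    return report

def check_log_folder(folder: str, file_names, exclusions) -> dict:
    """Combine both checks into one report for a log folder."""
    gaps = missing_generations(file_names)
    excluded = is_excluded(folder, exclusions)
    return {"folder": folder, "excluded_from_av": excluded, "gaps": gaps,
            "healthy": excluded and not any(gaps.values())}

# Constructed sample (hypothetical paths): E00 is missing generation
# 0000A1F2 after the restore, E01 is contiguous.
SAMPLE_FOLDER = r"D:\Exchange\SG1\Logs"
SAMPLE_LOGS = ["E00.log", "E00tmp.log", "E00.chk", "E00res00001.jrs",
               "E000000A1F0.log", "E000000A1F1.log", "E000000A1F3.log",
               "E010000001A.log", "E010000001B.log"]
SAMPLE_EXCLUSIONS = [r"d:/exchange/sg1/logs", r"D:\Exchange\SG1\Database"]

if __name__ == "__main__":  # pass a real folder on the command line to scan it
    folder = sys.argv[1] if len(sys.argv) > 1 else SAMPLE_FOLDER
    names = os.listdir(folder) if len(sys.argv) > 1 else SAMPLE_LOGS
    print(check_log_folder(folder, names, SAMPLE_EXCLUSIONS))
```

The exclusion list is whatever your AV product reports as configured; the point of the check is that a folder which looks excluded in the console but is not, in fact, covered (wrong drive letter, trailing-separator mismatch, a sibling folder) is exactly the case that lands log files in quarantine again.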
RE: Exchange 2007 SCR replication logs infected with trojan
Thanks Mike,

My SCR target event log was generating errors on 1 particular log. So I went to the source and scanned that particular log file with McAfee without the cleaning/repairing option and it detected the Trojan. I have followed the link long back and excluded the required files from scanning. I'll go through it once again. But how can I make sure that the logs or DBs are not infected with Trojans or viruses?

TIA
Liby
RE: Exchange 2007 SCR replication logs infected with trojan
The long and the short of it is - you can't. You also can't be certain that, even now, the log is actually infected. It's very common for things like this to be false positives.

Generally speaking, you want perimeter scanning (i.e., scanning of incoming and outgoing e-mail in your DMZ) and you want desktop scanning (to ensure that your e-mail submitters aren't submitting malware to Exchange). It used to be that we also would recommend store/transport level scanning, but that's no longer considered a best practice. The bigger an Exchange database gets, the more challenging that is to do performantly.

The real question to consider is this: OK, you have an email with a Trojan sitting in your mailbox database. That means it will exist in at least two places - a log file and the database itself. If you have an CR technology, it'll also exist in another log file and database on the target machine.

What can that Trojan do? The answer is: nothing. Absolutely nothing. If a user happens to activate the Trojan, it can conceivably impact the user's workstation. But the AV on the workstation should catch it.

If you want it gone from the store so that a user never has a chance to activate it - you have to do store level scanning. And that typically is an add-on package from an AV vendor.

Regards,
Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com
RE: Exchange 2007 SCR replication logs infected with trojan
Maybe the SCR target event log was generating errors on 1 particular log precisely because you have scanning enabled on the log files folder, and the AV software was not allowing Exchange to process the file correctly...maybe.

DISCLAIMER 18-8-2010 15:20:41 This communication is intended only for use by MS-Exchange Admin Issues. It may contain confidential or privileged information. If you receive this communication unintentionally, please inform us immediately. Thank you. 180 has registered companies in the United States and in the Netherlands. 180 Los Angeles LLC . (180) 1733 Ocean Avenue, Suite 400, Santa Monica, California 90401, is registered with the trade register in the US in Delaware under file number 4260284 and the corporation's FEIN is 20-5982098. 180 Amsterdam BV (180) Herengracht 506, 1017 CB, Amsterdam