
Exchange and Groupshield


age (Technical User), May 31, 2001
Hi, we're running Exchange 5.5 Enterprise and McAfee Total Virus Defence GroupShield to scan all incoming and outgoing email... The scanner works great and is going mad blocking and quarantining SirCam-infected attachments today :o) .... Trouble is, the report it gives us tells us nothing about where these emails are coming from! We get a report saying that the email has been blocked, and a message has been sent to the sender informing them that their email was infected, but it doesn't tell us who the sender was!!! Anybody know how to find this out?

Thanks...

Adrian.
 
Unfortunately you need to download and run another program provided by NAI. You can download it from their website if you have a support agreement. I believe the piece of software is called the 'resolve names utility,' and it works fairly well. However, there are some caveats to be aware of: (1) it isn't a real-time scan, you have to run the scan manually (unless you schedule it to run); (2) it looks through all folders and mailboxes on Exchange, which means that it can take a long time if you have a large information store. We have about 500 recipients and it takes nearly 2.5 hours to complete, not to mention it puts a lot of stress on the box. Also, depending on the virus, you may not determine any relevant information. The product does work well for the most part, and it's better than nothing. Hope this helps.
 
I'll try and get the program, but the problem we have is with the on-access scanning - we have all attachments scanned as they enter or leave the server. Somebody (or probably several people) has us on their address books, and they have the SirCam virus, and the mass-mailer bit of that virus is mailing us random attachments from their servers..... The attachments are being blocked and quarantined OK, as they are infected, but we have no way of finding out who the attachments are from! So I need a way of finding the origin of an email live, as it gets scanned and blocked by GroupShield.......
thanks.....

Adrian.
 
Not that I ever got GroupShield to work <yet>, but doesn't it have an option to quarantine the mail messages? You should then be able to look at the quarantined mail messages... I'd definitely be scanning for viruses on the client side when looking at the quarantined folder.
 
Older versions (<4.5) have the option to quarantine the messages, however the older versions don't allow you to specify what to block. So it's essentially a tradeoff based on what you want to do. GS 4.5 allows you to specify what attachments you want blocked (based on filename, size, extension), the downside is that it only quarantines the attachment, not the message. I have yet to be able to find out how or where the actual message is stored, I think the messages go to the big bit bucket in the sky. The quarantine database on 4.5 quarantines the attachment, but not the whole message, and you also lose the functionality of finding any info out about the message (without the resolve names utility).
 
One more thing in regards to the SirCam virus. We got around this by accident really: one of my users called saying they got the "alert.txt" message. When they get this it tells the user who sent them the infected file. You may want to contact some users and see if they are getting these alert.txt's, as that email will include the sender info.
 
Your users are much more on the ball than ours!! We did send a mail to all users warning them and asking for their cooperation.... :o) ... and as bp1169 says, you get plenty of warning that there is a virus or attachment being blocked, but that's all, no details.... And I'm not convinced that all these warnings are internal anyway - all our workstations should be bang up to date on DAT files and engine version.....! I assume that a lot of these warnings are from inbound email from other companies that have SirCam, and that correspond by email with people in our company.....

Oh well, if anybody thinks of a way around this let me know! (We've had easily over 250 emails blocked today alone thanks to SirCam.)
 