
file system realtime protection seemed to switch off

Status
Not open for further replies.

PalmStrike

Technical User
Jul 31, 2002
197
GB
Hi, I think I have a problem here. Unfortunately I have been away and so I don't know what was done to our server while I was away, but the file system real time protection on our email server seemed to uncheck itself, and has just let so far 4 different viruses in. In the EV, all it says is W32Yaha.f clean failed, leave alone succeeded, or words to that effect.

We also have one called w32brid and a couple of others that I can't remember their names.

Has anyone had this before where Norton just switches itself off for fun?
 

Download the Yaha removal tool to get the first one out.

You may need to do a recovery...

What does the log say??

Kimber

Members of Tek-Tips provide answers to questions based on the information given. For the best answers, post detailed descriptions of the issue. Use the search features of the site to see if your issue was already addressed in another thread.
 
Yes, I have done that and plan to deal with it today, however, the mention of a recovery is slightly worrying, as I have not encountered that before. Can you point somewhere that might help me with this?

Thanks for your response

Rob
 
OK Rob,

First, W32.Yaha.F@mm will cause antivirus to turn off, as well as firewall processes.

It also mass mails itself....including addresses from chat programs.

As for recovery, what do you have in place for backup and recovery options?
What operating system is the server using?

I think the first step I would take is to try to find out how this worm was executed on your network, and make sure any additional copies of it are eradicated in the email boxes of your users.



Good Luck!



 
OK, the ill server is running NT4 Server, with Microsoft Exchange and Norton Antivirus Corporate Edition.

Backup is of the Veritas Backup Exec, also running RAID 1.

I have found a pattern, as it has happened again today. I believe that NAV puts out its new definitions on a Wednesday, cos every Thursday, I come in and realtime protection has been turned off.

Am going to run the removal tool today.

Am I going to have to rebuild this server from scratch based on what I have just put down here?
 
When you back up, what do you back up?
Full system?
How often?
Can you restore back to a date where you know you were clean?

Sorry so many questions, best way to give you the right answers.

Kimber

 
I do do a full backup yes, but I am not sure I could go back that far, as all this has resulted from rather a mess a few weeks back when I had to rename the information store, due to a corrupt database. I am hoping that the two aren't connected and are just coincidence. The Information Store outgrew the server and drastic measures were taken.

I shall check up on that though, and get back to you.
 