We're getting slammed with a lot of sober infected emails. Our virus software is catching them, but unfortunately it (ETrust) attaches a virus report to the cleaned email and delivers it. Is there a way on the server to tell it not to delete any emails with a virusrepport.txt attachment, or maybe to search for a text phrase in the email and delete it if the phrase is present?
Tek-Tips is the largest IT community on the Internet today!
Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!
-
Congratulations sizbut on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!
Filtering Sober Virus emails
- Thread starter WANguy2k
- Start date
Hi,
Don't know if it is still needed, but take a look at Microsoft's tool "exmerge".
This tool is designed for exporting Exchange databases to seperate PST-files (Outlook Data Files).
By specifying the correct parameters (GUI) you could export all mails with specific subject, date range,... from the databases.
I hope this helps?
Peter
Don't know if it is still needed, but take a look at Microsoft's tool "exmerge".
This tool is designed for exporting Exchange databases to seperate PST-files (Outlook Data Files).
By specifying the correct parameters (GUI) you could export all mails with specific subject, date range,... from the databases.
I hope this helps?
Peter
- Thread starter
- #4
pdtit - Scanning the Exchange database won't work, because at that point the emails are already in the users' inboxes. And I'd have to constantly run the scans.
skialta - I'm using Brightmail, and have tried to create custom filters to mark these as spam. Doesn't seem to be working that well, probably because the text of the virus mails varies. I think my best bet is removing the email virus software from the exchange server and buying the Brightmail virus scanner. This would intercept emails before they got to Exchange.
skialta - I'm using Brightmail, and have tried to create custom filters to mark these as spam. Doesn't seem to be working that well, probably because the text of the virus mails varies. I think my best bet is removing the email virus software from the exchange server and buying the Brightmail virus scanner. This would intercept emails before they got to Exchange.
I have used the wonderful E-trust virus software in the past.
You may want to look at the problem in a different way.
It may be that you need to change the options of the 'actions' the virus software does when it detects the virus. I know that if you are on the e-mail server with the exchange option of e-trust installed upon, if you right click the e-trust icon in the tray in the bottom right, you can access the options in there specific to the e-mail scanning. There should be an option to modify the mail scanning properties. Have a look at these as you may be able to just say delete the message instead of replacing the virus with the attached infection report.
Hope this helps.
"Assumption is the mother of all f#%kups!
You may want to look at the problem in a different way.
It may be that you need to change the options of the 'actions' the virus software does when it detects the virus. I know that if you are on the e-mail server with the exchange option of e-trust installed upon, if you right click the e-trust icon in the tray in the bottom right, you can access the options in there specific to the e-mail scanning. There should be an option to modify the mail scanning properties. Have a look at these as you may be able to just say delete the message instead of replacing the virus with the attached infection report.
Hope this helps.
"Assumption is the mother of all f#%kups!
- Thread starter
- #7
Thanks for the suggestion. I called CA on this and they said there's no way around it. However, I did change the email option to delete the file rather than cure it. I'm not sure if this will make a difference, because the "file" it's referring to is the virus infected zip attachment, not the email (I think). We'll see.
Hi there,
Agree with the above. You really need a gateway solution to stop this & the many others going forward. Have you a hardware firewall in place. I have implemented a SonicWALL TZ170e (approx £600) which ships with Gateway AV/Mail Filter/Web Filter/IPS/IDS. This really does the job & has paid for itself many times over. My server AV solution (Etrust) is almost redundant as the FW has blocked over 2000 SoberU attempts since Saturday.
Something to think about?
Agree with the above. You really need a gateway solution to stop this & the many others going forward. Have you a hardware firewall in place. I have implemented a SonicWALL TZ170e (approx £600) which ships with Gateway AV/Mail Filter/Web Filter/IPS/IDS. This really does the job & has paid for itself many times over. My server AV solution (Etrust) is almost redundant as the FW has blocked over 2000 SoberU attempts since Saturday.
Something to think about?
- Thread starter
- #9
I have a PIX firewall, running Brightmail and Websense in front of the network. Unfortunately, Brightmail doesn't really scan for worms, just spam. I can create a custom filter for "Your account info is attached", but since the worm varies the text, I have to create a new filter for each variation. Next go around, I'll try the Brightmail (Symantec) antivirus product on the Brightmail server.
- Status