
Norton Realtime File System Protection Disables Automatically

Status
Not open for further replies.

ichunaw

Programmer
Feb 22, 2004
14
US
This is a problem that I've been having for a little while. Exchange 5.5 crashes and the Server becomes unavailable about once every couple of days. When you check the computer running Exchange, you see that Norton's Realtime File System Protection is disabled and you cannot enable it. This is always the case.

I excluded the Exchange directories from Norton's scan and this seemed to work for about a week. But the problem has resurfaced. When this error happens, you cannot access the Control Panel and Norton also doesn't start a scan.

A few months ago, the Exchange server computer was infected with the Netsky and Welchia viruses. I did remove the viruses from the system (I think). Could they be a reason for this problem? Exchange started crashing after these viruses were received.

Can anybody help me on this? I've tried to be very descriptive. Any help would be greatly appreciated. Thank you.
 
Have you checked the quarantine on NAV to see if there are any important files in there?
 
The two files that seem important are msrll.exe and lsass.exe that are in Quarantine.

The rest are just Exchange Server files that have filenames starting with L and then some random letters and numbers.
 
You might want to check out that lsass.exe. Depending on its location on your computer, it may be important, or it may just be a virus. The legit lsass is the local authentication security server. It verifies user logons to your server. If it is in the system32 directory, you should try and clean the file. If it's anywhere else, you should go ahead and delete it. Now on to these files with the random L names... what are their extensions, and where are they located on your server?
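The location check described in the reply above, as an added example that is not part of the original thread: it classifies a quarantined file by the path it was taken from. The system directories, the extra protected names (`services.exe`, `winlogon.exe`) and the one-character look-alike rule are assumptions added for illustration; only `lsass.exe`, `C:\WINNT\SYSTEM32` and the `imcdata\in` file name come from the thread.

```python
import ntpath  # Windows path rules, usable on any platform

# Assumption: system directories on NT-family hosts; the thread's server uses C:\WINNT.
SYSTEM_DIRS = {r"c:\winnt\system32", r"c:\windows\system32"}
# lsass.exe is the file discussed in the thread; the other two names are added here.
PROTECTED_NAMES = {"lsass.exe", "services.exe", "winlogon.exe"}


def _one_edit_apart(a: str, b: str) -> bool:
    """True if a and b differ by exactly one substitution, insertion or deletion."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) > len(b):
        a, b = b, a
    i = 0
    while i < len(a) and a[i] == b[i]:
        i += 1
    if len(a) == len(b):
        return a[i + 1:] == b[i + 1:]
    return a[i:] == b[i + 1:]


def classify(original_path: str) -> str:
    """Classify a quarantined file by the path it was quarantined from.

    system-file: protected name in a system directory (try to clean or restore it)
    impostor:    protected name anywhere else (safe to delete)
    lookalike:   name one character away from a protected name
    other:       everything else, e.g. mail spool files
    """
    # Normalise case, slashes and ".." so that path tricks do not hide the folder.
    norm = ntpath.normcase(ntpath.normpath(original_path))
    folder, name = ntpath.split(norm)
    if name in PROTECTED_NAMES:
        return "system-file" if folder in SYSTEM_DIRS else "impostor"
    if any(_one_edit_apart(name, p) for p in PROTECTED_NAMES):
        return "lookalike"
    return "other"


def triage(paths):
    """Map each quarantined path to its classification."""
    return {p: classify(p) for p in paths}
```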
 
The files that start with the random L names have no extension. Two example names of the files are: LFSXXDGL and LFSXXDLL. They are all infected with the W32.Netsky.P@mm!enc virus. When I try to run the Netsky removal tool from Norton, it says that Netsky was not found on your computer.

Earlier today the server crashed once more and I checked virus histories and 4 files such as 3B35JM7C (similar names for the other 3 files) were infected with the same virus. Sometimes, Norton quarantines them and sometimes it leaves it alone.

They are all located in the E:\Exchsrvr\imcdata\in directory.

Moving on to Lsass.exe, while I was working on the server this morning, I received a message that said this: "C:\WINNT\SYSTEM32\lsass.exe has terminated unexpectedly with status code 128. The system will now shutdown and restart." The computer has been restarting like this when it wants and I'm assuming it has to do with lsass.exe being infected.

Also, I tried cleaning some other viruses according to Norton documentation and they require the computer to be restarted in safe mode. But when I try to do this, it won't let me. It will start in safe mode for like 3 seconds and then it will restart again. It's as if the safe mode has been disabled.

That's like 10 more problems than my original post. Thank you for helping me on this. Thank you.
 
Sounds like NAV is deleting inbound messages. First, I would check and make certain that you have your Exchange folders excluded from virus scans. From what you are saying, it doesn't sound like it. As far as the virus infections, I have had similar problems with some of the removal tools. For the LSASS, I suggest you just delete the one you have and take a clean copy from another computer or from the OS CD. Another question, are you running NAV for Microsoft Exchange? If you are, it should be deleting those messages, not NAV Corporate Edition or whatever you are running.
 
I checked and yes, the Exchange folders are excluded from the Realtime Protection. However, I found Realtime Protection for Exchange was enabled. I haven't disabled it yet because I'm afraid that will let viruses run free in Exchange. And the files that I mentioned are what Norton picks up with its Defwatch Scan, which is the scan that it performs on every item in Quarantine when you do a virus definitions update. It's not new viruses.

I installed the lsass patch from Microsoft and it seems to be working. The server is running all right for now. Will wait and see what happens.
 
To throw my two cents into the mix, I will reiterate what TravTrav asked. Are you running Norton Antivirus for Exchange? This is a separate product from NAV CE, and will do an excellent job of protecting your mail system. Also, make sure that NAV CE has no scheduled scans, as they will scan the entire system unless you configure it so that it doesn't scan the Exchange directories. I don't use scheduled scans on our Exchange servers as I find them unnecessary. Between the realtime protection and NAVEX, I don't have any problems.
 
NAV CE has scheduled scans but I have excluded the Exchange Server directories. Also, we do not have Norton Anti Virus for Exchange running on the Exchange Server. We only have NAV Corporate Edition.
 
Well, I would suggest getting a copy of NAV for Exchange as soon as you can. If you continue using regular NAV CE, I think you are going to continue to have some problems with your Exchange server. See, it is clearing the viruses out of emails, but it's not exactly doing it in a friendly way.
 