W32.yaha.k virus on my Exchange Server HELP!!

Status
Not open for further replies.

NooBChicken

Technical User
Jul 24, 2002
6
CA
Hi, I tried searching but couldn't find a topic that addressed this issue.

I have an Exchange 5.5 Server with the latest patches of NAV and Windows Updates. However, recently I've found that our NAV is picking up the W32.yaha.k@mm.enc virus coming from the C:\exchsrvr\imcdata\in\DRPCJ3RW

I have scanned using NAV twice with the latest updates, and even tried to run the W32.yaha cleaning tool offered on Symantec's site, but both came up saying "no virus found".

Our Exchange server also hosts an FTP service.

ANY help with this would greatly be appreciated.
 
Do you have the NAV module for Exchange or only the "standard" file system NAV?
C:\exchsrvr\imcdata\in\ - that is the folder for the incoming SMTP messages queue. That message does contain a virus, and your "file system" NAV detects it and quarantines it before it could be transformed to IS. The sender probably retransmits the message a few times, causing repeating NAV warnings.
If you run the NAV module for Exchange, Symantec recommends excluding Exchange folders from file system NAV real-time scanning. But it's up to you.....
 
Hi gupel,

Thank you for the info. I am running the NAV module (NAV Corporate Edition). So what you are saying is that it's only coming up with the virus warning because real-time scanning is finding the virus in the queue?

The reason I'm uneasy about this is because I usually do not get this type of alert; most alerts come in the form of:
"NAV has detected a virus in XXXXX message" and it only allows me to push "OK". So the alert from the C:\exchsrvr\imcdata folder caught me off guard.

Thanks for the response.
 
If you are running the NAV for server, then tell it not to scan files in the Exchange server folders. If you want to scan email coming into the server, use the NAV for Exchange version. You don't need NAV for server on an Exchange server, but since it is running your FTP, just tell it only to scan those certain areas...
 
I have had the same problem. NAV detects the virus in an email before Exchange moves it from some file into the mailbox (I think). It can't deal with it so it stops Exchange from moving it, so Exchange tries again, and again...

The first time, I disabled NAV on the server for about 10 mins; this let Exchange pass the message to the mailbox (where local NAV tidied it up).

The second time I just logged off the server which seemed to have a similar effect.

However, because this happened over a weekend, it blew the Event Log several times with messages and NAV took ages to open.

 
When it happened to me I just went into the quarantine section of NAV and deleted the file, and what actually happened was that the e-mail got deleted from the client's mailbox.

and there were no problems....
 
That's good. We used to have NAV and it was not doing a good job, so we moved to Sophos and Antigen on EMail and have not stayed late cleaning up a virus since.
 