Ant Drewery » Anti-Virus

File level AV scanning on an Exchange server

Anthony Drewery — Fri, 03 Feb 2006 14:51:46 +0000

I first started working with Exchange in 1998 and up until a couple of years ago usually avoided installing a file level real-time anti-virus scanner on a dedicated Exchange server. (The exception to this is where an Exchange server has other functions like file sharing, or is a Small Business Server.) Unfortunately with the growing number of nasties in circulation a file level (and memory resident) AV scanner has become a precautionary requirement.

If you do use file level anti-virus scanning you should exclude the databases, logs and SMTP Mailroot folders. Failure to do so could leave you with possible log/DB corruption and excessive CPU time on your AV processes. In fact, I’d recommend excluding all Exchange folders from scanning. This also applies to scheduled and manual scans.

[tags]Exchange, Anti-Virus[/tags]

Real-time Black Lists

Anthony Drewery — Tue, 13 Dec 2005 16:09:06 +0000

It’s official, I hate RBLs. For sometime I’ve tolerated and indeed used well run and respected lists like SURBL but then SURBL works differently to the rest. SURBL does not block listed hosts but rather allows you to block messages based on the URIs that they contain. It works well in conjunction with our MailSweeper servers.

The main problem with these types of service is that no one governs them. I could set one up tomorrow and list whoever I liked. Of course, you’d have to chose to use my list with your systems.

Most of these services make it fairly painless to be removed so although inconvenient it’s not the end of the world if you are listed in error, and indeed if you are an open relay then it can be a justified kick up the backside. However, there are some real cowboys out there.

Today we’ve found one of our gateways listed with such a cowboy http://www.us.sorbs.net/. I’ve scanned the box for Trojans and viruses with 2 different products and have thrown every relay test I know against it. Nada. So how did it get listed? SORBS claim that our box sent an email (not a spam, just a regular email) to one of its honey trap addresses. That’s just plain crazy. It could have been an NDR or virus notification in response to a message that spoofed the SORBS address. To make things worse SORBS want a fine to have our box de-listed. This fine is in the form of a donation which I guess gets them round any extortion charges. What a joke.

I’m even more shocked to find a company like Vodafone uses this list as part of their anti-spam measures. Their admins should be shot.

That’s my rant over for now. I need to get back to getting de-listed.

Layers of defence

Anthony Drewery — Wed, 23 Nov 2005 12:17:38 +0000

Due to the critical nature of our email usage a major virus outbreak on our Exchange servers would probably cost me my job. So to help me sleep easier at night I use layers of defence. We run one anti-virus product on our MailSweeper gateway servers and a product from a different vendor on all of our internal Exchange servers. The concept of using different products is if one vendor doesn’t have a definition available to detect a certain virus the other vendor might. This layered approach gives us a fighting chance if a virus gets past MailSweeper or hits us from the inside via a webmail service.

As additional precaution we set the automatic definition updates to be as frequent as possible and also block any executable attachments (internal & external).

Increase in virus traffic

Anthony Drewery — Wed, 23 Nov 2005 12:00:54 +0000

We saw a sharp increase in the amount of viruses caught by our MailSweeper servers yesterday, double the usual volume. Here are the top 10 viruses that we’ve caught so far this month:

1 – W32/NetSky.P@mm
2 – Email-Worm.Win32.NetSky.q
3 – Exploit.HTML.Iframe.FileDownload
4 – Email-Worm.Win32.Sober.y
5 – HTML/IFrame@expl(exact)
6 – Net-Worm.Win32.Mytob.cg
7 – Net-Worm.Win32.Mytob.c
8 – Trojan-Spy.HTML.Bayfraud.hn
9 – Email-Worm.Win32.NetSky.r
10 – Net-Worm.Win32.Mytob.ab