Exchange Server queue infested

2

I recently upgraded the company to AVG Business. It works very well and really helps with spam. I noticed that our Exchange server picks up an infection every ten minutes. Two questions:

  1. I can't clean the infections without rebooting, which takes e-mail down for about 30 minutes (unacceptable). I understand that is because the files aren't accessible, but where do they come from?

  2. Is this a BOT on our network, or is this incoming e-mail?

Finally, should I be worried about this? I have a feeling this could be spam coming from our own network.

Scanned object                                                                          Infection                           State                           Detection time           Object type              Process 

c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\e0312449-cd97-45ea-8274-1b9f9a44e1eb  Virus found JS/Obfuscated   Moved to Virus Vault    2010-07-07 13:21:20     file    C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\e0312449-cd97-45ea-8274-1b9f9a44e1eb  Virus found JS/Obfuscated   Object is inaccessible.     2010-07-07 13:38:19     file    C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\e0312449-cd97-45ea-8274-1b9f9a44e1eb  Virus found JS/Obfuscated   Object is inaccessible.     2010-07-07 13:38:12     file    C:\WINDOWS\Explorer.EXE
c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\e59d5870-81b2-4c56-b330-ec4e9ebbe9bc  Virus found JS/Obfuscated   Moved to Virus Vault    2010-07-07 13:21:20     file    C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\ebfafd55-5a91-4786-9827-9a8dfe3b8884  Virus found JS/Obfuscated   Moved to Virus Vault    2010-07-07 13:21:20     file    C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\ed35ea91-f4b3-4139-8c82-81cdc14ab6ca  Virus found JS/Dropper  Moved to Virus Vault    2010-07-07 13:21:21     file    C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\ef25b8d0-c327-458f-a7db-39e0579c0398  Virus found JS/Dropper  Moved to Virus Vault    2010-07-07 13:21:21     file    C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\fc76582c-f1d1-483d-8a62-910e2a10e054  Virus found JS/Obfuscated   Moved to Virus Vault    2010-07-07 13:21:21     file    C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_02fe480101cb1dee00000a3b.EML     Virus found JS/Obfuscated   Reboot is required to finish the action     2010-07-07 13:21:28     file    C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_02fe480101cb1dee00000a3b.EML     Virus found JS/Obfuscated   Reboot is required to finish the action     2010-07-07 12:42:31     file    C:\WINDOWS\system32\inetsrv\inetinfo.exe
c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_02fe480101cb1dee00000a3b.EML     Virus found JS/Obfuscated   Reboot is required to finish the action     2010-07-07 13:02:46     file    C:\WINDOWS\system32\inetsrv\inetinfo.exe
c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_02fe480101cb1dee00000a3b.EML     Virus found JS/Obfuscated   Reboot is required to finish the action     2010-07-07 12:28:30     file    C:\WINDOWS\system32\inetsrv\inetinfo.exe
c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_02fe480101cb1dee00000a3b.EML     Virus found JS/Obfuscated   Reboot is required to finish the action     2010-07-07 13:11:20     file    C:\WINDOWS\system32\inetsrv\inetinfo.exe
c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_02fe480101cb1dee00000a3b.EML     Virus found JS/Obfuscated   Reboot is required to finish the action     2010-07-07 13:23:44     file    C:\WINDOWS\system32\inetsrv\inetinfo.exe
c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_0e3ae89401cb1ddd00006f44.EML     Virus found JS/Dropper  Reboot is required to finish the action     2010-07-07 10:04:38     file    C:\WINDOWS\system32\inetsrv\inetinfo.exe
c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_0e3ae89401cb1ddd00006f44.EML     Virus found JS/Dropper  Reboot is required to finish the action     2010-07-07 10:03:33     file    C:\WINDOWS\system32\inetsrv\inetinfo.exe
c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_0e3ae89401cb1ddd00006f44.EML     Virus found JS/Dropper  Infected    2010-07-07 11:44:34     file    C:\WINDOWS\system32\inetsrv\inetinfo.exe
c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_0e50580e01cb1e20000033eb.EML     Virus found JS/Dropper  Infected    2010-07-08 06:56:59     file    C:\WINDOWS\system32\inetsrv\inetinfo.exe
c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_0e50580e01cb1e20000033eb.EML     Virus found JS/Dropper  Infected    2010-07-08 06:25:44     file    C:\WINDOWS\system32\inetsrv\inetinfo.exe
c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_0e50580e01cb1e20000033eb.EML     Virus found JS/Dropper  Infected    2010-07-07 18:09:52     file    C:\WINDOWS\system32\inetsrv\inetinfo.exe
c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_0e50580e01cb1e20000033eb.EML     Virus found JS/Dropper  Infected    2010-07-08 07:24:49     file    C:\WINDOWS\system32\inetsrv\inetinfo.exe
c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_0e50580e01cb1e20000033eb.EML     Virus found JS/Dropper  Infected    2010-07-07 18:45:53     file    C:\WINDOWS\system32\inetsrv\inetinfo.exe
c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_0e50580e01cb1e20000033eb.EML     Virus found JS/Dropper  Infected    2010-07-07 18:08:35     file    C:\WINDOWS\system32\inetsrv\inetinfo.exe
c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_0e50580e01cb1e20000033eb.EML     Virus found JS/Dropper  Infected    2010-07-07 18:32:58     file    C:\WINDOWS\system32\inetsrv\inetinfo.exe
c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_0e50580e01cb1e20000033eb.EML     Virus found JS/Dropper  Infected    2010-07-08 06:16:11     file    C:\WINDOWS\system32\inetsrv\inetinfo.exe
c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_0e50580e01cb1e20000033eb.EML     Virus found JS/Dropper  Infected    2010-07-08 07:15:49     file    C:\WINDOWS\system32\inetsrv\inetinfo.exe
c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_0e50580e01cb1e20000033eb.EML     Virus found JS/Dropper  Infected    2010-07-08 05:06:17     file    C:\WINDOWS\system32\inetsrv\inetinfo.exe
c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_0e50580e01cb1e20000033eb.EML     Virus found JS/Dropper  Infected    2010-07-08 06:06:30     file    C:\WINDOWS\system32\inetsrv\inetinfo.exe
c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_0e50580e01cb1e20000033eb.EML     Virus found JS/Dropper  Infected    2010-07-07 18:31:44     file    C:\WINDOWS\system32\inetsrv\inetinfo.exe
c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_0e50580e01cb1e20000033eb.EML     Virus found JS/Dropper  Infected    2010-07-08 05:58:31     file    C:\WINDOWS\system32\inetsrv\inetinfo.exe
c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_0e50580e01cb1e20000033eb.EML     Virus found JS/Dropper  Infected    2010-07-08 07:06:32     file    C:\WINDOWS\system32\inetsrv\inetinfo.exe
c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_0e50580e01cb1e20000033eb.EML     Virus found JS/Dropper  Infected    2010-07-07 18:30:30     file    C:\WINDOWS\system32\inetsrv\inetinfo.exe
c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_0e50580e01cb1e20000033eb.EML     Virus found JS/Dropper  Infected    2010-07-08 06:07:36     file    C:\WINDOWS\system32\inetsrv\inetinfo.exe
c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_0e50580e01cb1e20000033eb.EML     Virus found JS/Dropper  Infected    2010-07-07 18:07:13     file    C:\WINDOWS\system32\inetsrv\inetinfo.exe
c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_0e50580e01cb1e20000033eb.EML     Virus found JS/Dropper  Infected    2010-07-08 07:05:25     file    C:\WINDOWS\system32\inetsrv\inetinfo.exe
c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_0e50580e01cb1e20000033eb.EML     Virus found JS/Dropper  Infected    2010-07-07 18:05:59     file    C:\WINDOWS\system32\inetsrv\inetinfo.exe
c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_0e50580e01cb1e20000033eb.EML     Virus found JS/Dropper  Infected    2010-07-08 09:42:03     file    C:\WINDOWS\system32\inetsrv\inetinfo.exe
c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_0e50580e01cb1e20000033eb.EML     Virus found JS/Dropper  Infected    2010-07-08 05:48:29     file    C:\WINDOWS\system32\inetsrv\inetinfo.exe
c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_0e50580e01cb1e20000033eb.EML     Virus found JS/Dropper  Infected    2010-07-08 03:14:49     file    C:\WINDOWS\system32\inetsrv\inetinfo.exe
c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_0e50580e01cb1e20000033eb.EML     Virus found JS/Dropper  Infected    2010-07-08 06:47:24     file    C:\WINDOWS\system32\inetsrv\inetinfo.exe
c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_0e50580e01cb1e20000033eb.EML     Virus found JS/Dropper  Infected    2010-07-07 18:04:39     file    C:\WINDOWS\system32\inetsrv\inetinfo.exe
c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_0e50580e01cb1e20000033eb.EML     Virus found JS/Dropper  Infected    2010-07-08 02:03:15     file    C:\WINDOWS\system32\inetsrv\inetinfo.exe
c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_0e50580e01cb1e20000033eb.EML     Virus found JS/Dropper  Infected    2010-07-07 18:03:21     file    C:\WINDOWS\system32\inetsrv\inetinfo.exe
c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_0e50580e01cb1e20000033eb.EML     Virus found JS/Dropper  Infected    2010-07-08 05:28:25     file    C:\WINDOWS\system32\inetsrv\inetinfo.exe
c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_0e50580e01cb1e20000033eb.EML     Virus found JS/Dropper  Infected    2010-07-08 02:11:11     file    C:\WINDOWS\system32\inetsrv\inetinfo.exe
c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_0e50580e01cb1e20000033eb.EML     Virus found JS/Dropper  Infected    2010-07-08 06:36:12     file    C:\WINDOWS\system32\inetsrv\inetinfo.exe
c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_0e50580e01cb1e20000033eb.EML     Virus found JS/Dropper  Infected    2010-07-08 05:37:59     file    C:\WINDOWS\system32\inetsrv\inetinfo.exe
c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_0e50580e01cb1e20000033eb.EML     Virus found JS/Dropper  Infected    2010-07-08 02:21:40     file    C:\WINDOWS\system32\inetsrv\inetinfo.exe
c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_0e50580e01cb1e20000033eb.EML     Virus found JS/Dropper  Infected    2010-07-08 09:52:02     file    C:\WINDOWS\system32\inetsrv\inetinfo.exe
c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_0e50580e01cb1e20000033eb.EML     Virus found JS/Dropper  Infected    2010-07-08 02:32:04     file    C:\WINDOWS\system32\inetsrv\inetinfo.exe
c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_0e50580e01cb1e20000033eb.EML     Virus found JS/Dropper  Infected    2010-07-08 05:16:18     file    C:\WINDOWS\system32\inetsrv\inetinfo.exe
c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_0e50580e01cb1e20000033eb.EML     Virus found JS/Dropper  Infected    2010-07-08 02:53:37     file    C:\WINDOWS\system32\inetsrv\inetinfo.exe
c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_0e50580e01cb1e20000033eb.EML     Virus found JS/Dropper  Infected    2010-07-08 03:33:01     file    C:\WINDOWS\system32\inetsrv\inetinfo.exe
c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_0e50580e01cb1e20000033eb.EML     Virus found JS/Dropper  Infected    2010-07-08 03:03:47     file    C:\WINDOWS\system32\inetsrv\inetinfo.exe
c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_0e50580e01cb1e20000033eb.EML     Virus found JS/Dropper  Infected    2010-07-08 03:24:54     file    C:\WINDOWS\system32\inetsrv\inetinfo.exe
c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_0e50580e01cb1e20000033eb.EML     Virus found JS/Dropper  Infected    2010-07-08 04:26:40     file    C:\WINDOWS\system32\inetsrv\inetinfo.exe
c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_0e50580e01cb1e20000033eb.EML     Virus found JS/Dropper  Infected    2010-07-08 09:43:13     file    C:\WINDOWS\system32\inetsrv\inetinfo.exe
c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_0e50580e01cb1e20000033eb.EML     Virus found JS/Dropper  Infected    2010-07-08 09:31:32     file    C:\WINDOWS\system32\inetsrv\inetinfo.exe
c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_0e50580e01cb1e20000033eb.EML     Virus found JS/Dropper  Infected    2010-07-08 09:00:37     file    C:\WINDOWS\system32\inetsrv\inetinfo.exe
c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_0e50580e01cb1e20000033eb.EML     Virus found JS/Dropper  Infected    2010-07-08 08:51:02     file    C:\WINDOWS\system32\inetsrv\inetinfo.exe
c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_0e50580e01cb1e20000033eb.EML     Virus found JS/Dropper  Infected    2010-07-08 08:31:28     file    C:\WINDOWS\system32\inetsrv\inetinfo.exe
c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_0e50580e01cb1e20000033eb.EML     Virus found JS/Dropper  Infected    2010-07-08 08:23:08     file    C:\WINDOWS\system32\inetsrv\inetinfo.exe
c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_0e50580e01cb1e20000033eb.EML     Virus found JS/Dropper  Infected    2010-07-08 08:22:00     file    C:\WINDOWS\system32\inetsrv\inetinfo.exe
c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_0e50580e01cb1e20000033eb.EML     Virus found JS/Dropper  Infected    2010-07-08 08:12:26     file    C:\WINDOWS\system32\inetsrv\inetinfo.exe
c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_0e50580e01cb1e20000033eb.EML     Virus found JS/Dropper  Infected    2010-07-08 08:03:57     file    C:\WINDOWS\system32\inetsrv\inetinfo.exe
c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_0e50580e01cb1e20000033eb.EML     Virus found JS/Dropper  Infected    2010-07-08 07:54:22     file    C:\WINDOWS\system32\inetsrv\inetinfo.exe
c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_0e50580e01cb1e20000033eb.EML     Virus found JS/Dropper  Infected    2010-07-08 07:45:51     file    C:\WINDOWS\system32\inetsrv\inetinfo.exe
c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_0e50580e01cb1e20000033eb.EML     Virus found JS/Dropper  Infected    2010-07-08 07:35:51     file    C:\WINDOWS\system32\inetsrv\inetinfo.exe

UPDATE: I did not install AVG Business Internet Security 9.0 correctly on my Windows Server 2003 R2 with Exchange 2003. It seems it needs to be added/installed under the Application Servers section of the admin console. Can anyone shed some light on how to do this?

** FINAL UPDATE

HERE is AVG's reply :)

Dear customer, the file you referenced, avg_ipw_stf_all_90_839a2960.exe, is the installation file intended for workstations and file servers.
The file you should install on an Exchange server is the Email Server Edition (file name avg_msw_stf_all_90_839a2960.exe, which comes with the Exchange scanning and Antispam plug-ins). Download and deploy the following file on the Exchange server so that it shows up correctly in the Application Server group: link **

    
by Campo 08.07.2010 / 15:59

1 answer

3

What you're seeing is a received message with viruses attached. These haven't infested Exchange yet; they are designed to infest the clients. And it looks like AVG Business isn't handling this the way it should. It's treating each file as a real infection with an active payload rather than a passive one. That is not Exchange-compatible for the most part (also, you don't mention an Exchange version).

Looking at AVG, the product that is supposed to work with Exchange is AVG Internet Security Business Edition 9.0. If that's what you're actually running, you need to reconfigure it to use VSAPI scanning instead of file-level scanning (page 177 of the practical manual). Or, if you're on Exchange 2007/2010, the transport/routing scanner.

    
by 08.07.2010 / 16:16
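As an added illustration (not part of the question or of the answer above), here is a small Python triage script over the kind of detection log the question posts. It groups the detections by scanned object and reports which process triggered each scan, whether the hit was ever resolved, and how closely the hits repeat: the same queued .EML flagged again and again by inetinfo.exe and never resolved is the pattern of a file-level on-access scanner re-hitting a message Exchange still holds open, not a recurring infection. The sample rows are constructed in the layout of the log in the question; the verdict labels, the `QUEUE_MARKER` path fragment used to recognise the Exchange 2003 queue, and the "Moved to Virus Vault" state taken as "resolved" are my own assumptions.

```python
"""Triage of an AVG-style detection log from an Exchange server.

Added example, not code from the question or the answer: it groups the
detections by scanned object and reports which process triggered them,
whether the object was ever resolved, and how closely the hits repeat.
"""
import re
from collections import defaultdict
from datetime import datetime

# One log row: <object>  Virus found <name>  <state>  <YYYY-MM-DD HH:MM:SS>  <type>  <process>
# Paths contain single spaces ("Program Files", "vsi 1"), so the columns are
# recovered by anchoring on the fixed "Virus found" text and on the timestamp.
LINE_RE = re.compile(
    r"^(?P<object>.+?)\s+Virus found (?P<infection>\S+)\s+"
    r"(?P<state>.+?)\s+(?P<time>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<otype>\S+)\s+(?P<process>.+?)\s*$"
)

# Assumed marker for the Exchange 2003 mail queue directory (matched case-insensitively).
QUEUE_MARKER = "\\exchsrvr\\mailroot\\"
# Assumed: this state is the only one in which the scanner actually dealt with the file.
RESOLVED_STATE = "Moved to Virus Vault"

# Constructed sample rows in the layout of the log posted in the question.
SAMPLE_LOG = r"""Scanned object   Infection   State   Detection time   Object type   Process
c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\e0312449-cd97-45ea-8274-1b9f9a44e1eb  Virus found JS/Obfuscated   Moved to Virus Vault    2010-07-07 13:21:20     file    C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_02fe480101cb1dee00000a3b.EML     Virus found JS/Obfuscated   Reboot is required to finish the action     2010-07-07 12:28:30     file    C:\WINDOWS\system32\inetsrv\inetinfo.exe
c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_02fe480101cb1dee00000a3b.EML     Virus found JS/Obfuscated   Reboot is required to finish the action     2010-07-07 12:42:31     file    C:\WINDOWS\system32\inetsrv\inetinfo.exe
c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_0e50580e01cb1e20000033eb.EML     Virus found JS/Dropper  Infected    2010-07-07 18:03:21     file    C:\WINDOWS\system32\inetsrv\inetinfo.exe
c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_0e50580e01cb1e20000033eb.EML     Virus found JS/Dropper  Infected    2010-07-07 18:04:39     file    C:\WINDOWS\system32\inetsrv\inetinfo.exe
c:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_0e50580e01cb1e20000033eb.EML     Virus found JS/Dropper  Infected    2010-07-07 18:05:59     file    C:\WINDOWS\system32\inetsrv\inetinfo.exe
c:\temp\constructed-sample.js  Virus found JS/Dropper  Moved to Virus Vault    2010-07-08 10:00:00     file    C:\WINDOWS\Explorer.EXE
"""


def parse_log(text):
    """Return one dict per detection row; the header and unparseable lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["time"] = datetime.strptime(rec["time"], "%Y-%m-%d %H:%M:%S")
        records.append(rec)
    return records


def summarize(records):
    """Group detections per object (case-folded path) and describe the repeat pattern."""
    by_obj = defaultdict(list)
    for rec in records:
        by_obj[rec["object"].lower()].append(rec)
    summary = {}
    for obj, recs in by_obj.items():
        recs.sort(key=lambda r: r["time"])
        gaps = [(b["time"] - a["time"]).total_seconds() for a, b in zip(recs, recs[1:])]
        summary[obj] = {
            "hits": len(recs),
            "infections": sorted({r["infection"] for r in recs}),
            "processes": sorted({r["process"] for r in recs}),
            "last_state": recs[-1]["state"],
            "resolved": recs[-1]["state"] == RESOLVED_STATE,
            "min_gap_s": min(gaps) if gaps else None,  # shortest interval between re-hits
        }
    return summary


def classify(summary):
    """Assign an assumed verdict label to each object based on where and how it was hit."""
    verdicts = {}
    for obj, s in summary.items():
        in_queue = QUEUE_MARKER in obj
        if in_queue and not s["resolved"] and s["hits"] > 1:
            verdicts[obj] = "rescan-loop"         # on-access scanner re-hitting a queued message
        elif in_queue:
            verdicts[obj] = "quarantined-inbound"  # malicious attachment caught in the mail queue
        else:
            verdicts[obj] = "host-detection"       # outside the queue: look at the host itself
    return verdicts


if __name__ == "__main__":
    summary = summarize(parse_log(SAMPLE_LOG))
    for obj, verdict in classify(summary).items():
        s = summary[obj]
        print(f"{verdict:20} hits={s['hits']} min_gap_s={s['min_gap_s']} "
              f"last={s['last_state']!r} via {', '.join(s['processes'])}")
        print(f"    {obj}")
```

Run it against an exported log instead of `SAMPLE_LOG` and every object with the `rescan-loop` verdict is a message the file-level scanner keeps tripping over inside the Exchange queue; the fix for those is the configuration change the answer describes (Exchange-aware VSAPI scanning rather than on-access scanning of Mailroot), not a reboot. Objects outside the queue are the ones worth treating as possible host compromise.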
