Security issue with MS Exchange and Windows 2003 Server

Discussion in 'Virus Information' started by ITTester, Nov 28, 2005.

  1. From: "Leythos" <>

    < snip >


    I'll let you deal with this gentleman, Leythos.

    I believe you are qualified to steer him in the RIGHT direction for MS Exchange Server AV
    protection.

    ClamAV is junk; it is an "On Demand" scanner only and has a library 1/5 the size of other AV
    software vendors'.
    Sophie? Never heard of it.
    Avast is not a good choice at all.

    He uses a web site and browsing to show protection. He obviously is clueless that browsing
    on a server is contraindicated.

    SAV for MS Exchange Server is one of the best, and most often used, Exchange Server based AV
    protection software.

    I'll also see if I can get LanWench into the discussion as she is an MS Exchange Server MVP.
     
    David H. Lipman, Nov 29, 2005
    #21

  2. ITTester

    Leythos Guest

    It always amazes me how things can slip through and people claim they
    were protected. In our medical facilities nothing gets through, not even
    Zip files, and most of them have run 2+ years without a compromise and
    no local onsite support. Other locations have been using the same
    methods for 10+ years and are still secure...

    Security is the first consideration - how it impacts the business is
    second and how business processes can CHANGE to work with security
    (without weakening security) is next. In a secure network you don't make
    allowances for the Boss wanting to download MP3s.
     
    Leythos, Nov 29, 2005
    #22

  3. Hi again,

    Thanks again for your suggestions; some of the suggestions below are very
    interesting and I will test them. Please see below for my reply.

    Don't forget the point below!!!
    The old network topology is very simple and weak; any genius kid could
    compromise my old network. This is a question of budget and corporate
    direction. They gave me the budget after we had been compromised. I am only
    here to patch and to create the new network topology based on an approved
    director plan.

    We have a Cisco 506E as firewall, no proxy, no VLAN and no subnet.
    1 single server, 2 Xeon 2 GHz, ECC DDR-SDRAM PC1200, running Windows 2003 Server +
    Exchange 2003 + SAV Corporate Edition 9.02 + SAV for Exchange 3.2 (I may be
    wrong on the version - 2.5) + DNS + WINS + DHCP + Backup Exec 9 - all in one
    server.

    However, we have a huge storage of 700GB as we have a huge store.

    We got compromised by a production staff member who received an email from the Orient
    which contained an attachment (zip); she was very curious and she opened it
    - immediately SAV sent me a notification but it was too late, she was
    infected - since that day, we have had many crashes - our SMTP relay was
    filling up with a ton of spam as a spam relay server (we have blocked it).

    I have tried to scan, but hackdef was undetectable, see Darrin's reply.
    I have tried to remove the malware with the help of the MS engineer team but
    unsuccessfully; after 1 week, the last MS engineer suggested that we scrap it
    and start fresh, but in our case this solution is not acceptable.

    I didn't have the budget for GFI SEC and MS ISA so I must move to GNU
    software; however, GNU software is only for people who know about it,
    otherwise stay with Windows. GNU is very confusing, too many versions for the same
    kernel.

    Hope the above explanation is helpful.

    get compromised
    For this point, I am very curious. I have downloaded and tried GFI SEC on
    the old server, but it crashed often due to too many services running - SAV,
    SAV for Exchange, Windows MAPI AV 2.5 + GFI ME + GFI SEC.

    As per GFI, you cannot run GFI ME and SEC together with SAV as it will decrease
    the performance of the server and may crash the server. See the GFI site.

    So please advise how you made SAV and SAV for Exchange run with GFI ME +
    SEC.
    We have a full legal SAV Enterprise edition including SAV Corp and SAV for
    Exchange - I didn't pay attention to SSM 4.6 - I will look.

    Please advise if they have a trial version for testing purposes.
    Your above suggestion is very interesting. I will check my SAV version and
    see if I can download the trial version and I will test.
    It looks like you have never moved mailboxes between 2 servers - go to
    Mailbox Manager, select one mailbox using right-click and select
    Exchange Tasks and you will see these 2 options.

    Regards,
     
    ITTester, Nov 29, 2005
    #23
  4. We already figured out this option; however, we have 2 technical problems as below:

    1. Time consuming. We have a huge store, 200GB only for 1 year - we have no
    limit of 35 MB per email. Some mailboxes can have up to 7GB of mail.

    2. When you burn to DVD or any media, your PST file has an archive
    attribute + read-only and all rights assigned to mailbox items are erased, so
    when you import back, Exchange cannot access the PST file as it no
    longer belongs to the user ID.

    Please let me know how we can speed up the process.
     
    ITTester, Nov 29, 2005
    #24
  5. Gentlemen,

    Thanks for your interest in me.

    You are almost right on everything.

    However, I am working in a design area where IT is, for them, something
    unnatural. I have had a hard time restricting the mail usage and the internet access
    until the last infection. I have obtained an increase in my IT budget but not
    enough for whatever I wanted to buy. So please do not shoot the IT
    man.

    My design people will not accept our IT instructions until one
    more crash. My 3 directors are designers in fashion.

    Yes, there are security issues caused by the staff but they hired me to patch
    and to repair the damage - NOT TO PREVENT THE DAMAGE - this is not their
    intention.

    Sophie is a GNU AV legally using Sophos virus definitions. Yes, both AVs,
    clamav and Sophie, are on demand only, but these AVs are controlled by
    Amavisd-new, which is similar to GFI ME and SEC compiled together, but free.
    All incoming and outgoing mails are sent to Amavisd-new first and this
    app will instruct other app modules such as clamav, sophie, spamassassin,
    razor, pyzor, dcc, sanitizer to filter the email. They are all on-demand
    software but they will reject any mail that does not pass through the chain.

    Yes, GNU is not easy to learn and to handle with an MS environment, but
    that is the best you can have when you don't have a budget like you gentlemen.

    Avast: I am in the testing period - I have 2 months to try - until now
    everything is going more than well on the workstation side; I can't give you my
    opinion on the server side yet as I am not in the production stage. I will give you
    feedback after 2 months. However, I always think the best security is your
    LAN users and their IT knowledge. I would like to have more time to do the
    prevention but for now I need to finish the dirty-hands job before I can move
    to the education side.

    Thanks, gentlemen.
     
    ITTester, Nov 29, 2005
    #25
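    As an added illustration (not configuration taken from this thread), this is how the chain ITTester describes looks in amavisd-new's own config syntax: the MTA hands every message to amavisd-new, which asks the on-demand scanners in turn and rejects anything that fails. The domain, socket paths and score thresholds are assumed placeholders; razor, pyzor and dcc are switched on in SpamAssassin's own configuration, not here.

```perl
# amavisd.conf fragment (Perl syntax): illustration only, not from this thread.
# Assumed placeholders: the domain, the socket paths and the score thresholds.
use strict;

$mydomain    = 'example.com';                 # assumed placeholder
$virus_admin = "postmaster\@$mydomain";       # who receives virus notices

# Where the MTA hands mail to amavisd-new and where filtered mail goes back.
$inet_socket_port = 10024;
$forward_method   = 'smtp:[127.0.0.1]:10025';
$notify_method    = $forward_method;

# "reject any mail that does not pass through the chain":
# a verdict of virus, banned attachment or spam is refused outright.
$final_virus_destiny  = D_REJECT;
$final_banned_destiny = D_REJECT;
$final_spam_destiny   = D_REJECT;

# Block zip attachments (the infection vector in this thread, and what
# Leythos' sites block) plus Windows executables inside any archive.
$banned_filename_re = new_RE(
  qr'^\.(zip|rar|arc)$',                           # by file(1) type
  qr'\.(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)$'i,   # by extension
);

# SpamAssassin score thresholds (assumed values); razor/pyzor/dcc are
# enabled in SpamAssassin's local.cf, not in this file.
$sa_tag_level_deflt  = 2.0;   # add X-Spam headers from this score
$sa_tag2_level_deflt = 6.2;   # mark the subject as spam from this score
$sa_kill_level_deflt = 6.9;   # apply $final_spam_destiny from this score

# The on-demand virus scanners, queried one after another via their daemons
# (socket paths are assumed; adjust to the installed packages).
@av_scanners = (
  ['ClamAV-clamd',
    \&ask_daemon, ["CONTSCAN {}\n", '/var/run/clamav/clamd.ctl'],
    qr/\bOK$/m, qr/\bFOUND$/m,
    qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],

  ['Sophie',
    \&ask_daemon, ["{}/\n", 'sophie:/var/run/sophie'],
    qr/(?x)^ 0+ ( : | [\000\r\n]* $)/, qr/(?x)^ 1 ( : | [\000\r\n]* $)/,
    qr/(?x)^ [-+]? \d+ : (.*?) [\000\r\n]* $/ ],
);

1;  # amavisd.conf must end with a true value
```

    With both scanners listed, amavisd-new only calls the second if the first one cannot give a verdict; the second is a fallback, not a double check, so a message is rejected as soon as any scanner that answers reports a virus.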
  6. From: "ITTester" <>

    | Gentlemen,
    |
    | Thanks for your interest in me.
    |
    | You are almost right on everything.
    |
    | However, I am working in a design area where IT is, for them, something
    | unnatural. I have had a hard time restricting the mail usage and the internet access
    | until the last infection. I have obtained an increase in my IT budget but not
    | enough for whatever I wanted to buy. So please do not shoot the IT
    | man.
    |
    | My design people will not accept our IT instructions until one
    | more crash. My 3 directors are designers in fashion.
    |
    | Yes, there are security issues caused by the staff but they hired me to patch
    | and to repair the damage - NOT TO PREVENT THE DAMAGE - this is not their
    | intention.
    |
    | Sophie is a GNU AV legally using Sophos virus definitions. Yes, both AVs,
    | clamav and Sophie, are on demand only, but these AVs are controlled by
    | Amavisd-new, which is similar to GFI ME and SEC compiled together, but free.
    | All incoming and outgoing mails are sent to Amavisd-new first and this
    | app will instruct other app modules such as clamav, sophie, spamassassin,
    | razor, pyzor, dcc, sanitizer to filter the email. They are all on-demand
    | software but they will reject any mail that does not pass through the chain.
    |
    | Yes, GNU is not easy to learn and to handle with an MS environment, but
    | that is the best you can have when you don't have a budget like you gentlemen.
    |
    | Avast: I am in the testing period - I have 2 months to try - until now
    | everything is going more than well on the workstation side; I can't give you my
    | opinion on the server side yet as I am not in the production stage. I will give you
    | feedback after 2 months. However, I always think the best security is your
    | LAN users and their IT knowledge. I would like to have more time to do the
    | prevention but for now I need to finish the dirty-hands job before I can move
    | to the education side.
    |
    | Thanks, gentlemen.

    OK...

    Sophie is far better than ClamAV. At least if Sophie uses the latest Sophos AV signatures
    the library is ~115,000. However, it looks like nothing has been done with it since Jan
    '04.

    I have written something better for the Win32 environment. It uses AV scanners from
    Sophos, McAfee, Trend Micro and Kaspersky.

    McAfee alone has ~162,000 signatures; Kaspersky's is a little larger.

    Download MULTI_AV.EXE from the URL --
    http://www.ik-cs.com/programs/virtools/Multi_AV.exe

    To use this utility, perform the following...
    Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
    Choose; Unzip
    Choose; Close

    Execute; C:\AV-CLS\StartMenu.BAT
    { or Double-click on 'Start Menu' in C:\AV-CLS }

    NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
    FireWall to allow it to download the needed AV vendor related files.

    C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
    This will bring up the initial menu of choices and should be executed in Normal Mode.
    This way all the components can be downloaded from each AV vendor's web site.
    The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

    You can choose to go to each menu item and just download the needed files or you can
    download the files and perform a scan in Normal Mode. Once you have downloaded the files
    needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
    during boot] and re-run the menu again and choose which scanner you want to run in Safe
    Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

    When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
    file.


    * * * Please report back your results * * *
     
    David H. Lipman, Nov 29, 2005
    #26
  7. Thanks David, I will test and give my feedback.

    Please advise if multi_av is legal when running with other AV makers'
    definitions.
    Please advise if I can run a remote scan.
    Please advise if I can use this on servers (SMTP or file server) and on XP
    Pro workstations.
    How about the hardware requirements?

    Regards,

     
    ITTester, Nov 29, 2005
    #27
  8. From: "ITTester" <>

    | Thanks David, I will test and give my feedback.
    |
    | Please advise if multi_av is legal when running with other AV makers'
    | definitions.
    | Please advise if I can run a remote scan.
    | Please advise if I can use this on servers (SMTP or file server) and on XP
    | Pro workstations.
    | How about the hardware requirements?
    |
    | Regards,

    Yes. The Multi AV Scanning Utility can co-exist with other AV applications. The ONLY caveat
    is that Avast has a known problem in falsely detecting the VBS/RedLof in Trend Micro's
    utility, sysclean.exe. In Avast it is suggested to disable the "on Access" scanner when
    using the Trend Micro module.

    Define a Remote Scan -- Network share? Yes.

    It is NOT designed to work on an email post office but it has the capability of scanning MIME
    files by using the McAfee module. This is more or less for clients, not servers. To work
    on an email post office the AV scanner must be MAPI or VIM compliant. These are command line
    scanners; they are not full blown AV applications. They will work on NT servers and
    workstations: NT4, Win98, Win2K, WinXP, Win2003 etc.

    There is no hardware dependency. It does have a tie to Windows Management Instrumentation
    (WMI).

    Download it, install it then view the included PDF Help File.
     
    David H. Lipman, Nov 29, 2005
    #28
  9. ITTester

    Leythos Guest

    If SAV notified you right away, then it would have blocked the malware
    from installing also. Something doesn't sound right with this story -
    you said it was detected immediately, but it still infected the
    machine....
     
    Leythos, Nov 29, 2005
    #29
  10. ITTester

    Leythos Guest

    From the old mail server, export the users email to PST files on a
    removable USB drive (300GB drives are about $200), and then import them
    into the new server.

    http://www.petri.co.il/brick_level_backup_of_mailboxes_by_using_exmerge.htm

    This link should explain it well enough.
     
    Leythos, Nov 29, 2005
    #30
  11. 1. Not if you have sorted the AV on the new box (store as well as file)
    2. See above

    DB won't be corrupted, the box will be compromised.

    Looks like a plan. Move the lot over and clean the old server using that
    patented virus remover fdisk.

    Nick
    (subbing for LanWench who may be drunk according to rumours)
     
    Nick Gillott [MVP], Nov 29, 2005
    #31
  12. To clarify your meaning below.

    1. I can forward to you the wolf scan report or the last email of the last
    MS engineer that tried to assist us in removing hackdef.
    2. The infected user has a visual presence of the infection / trojan > in
    her Outlook at > Options > Delegates tab > there is a presence of
    Administrator as delegate > I have tried to remove the admin but it always comes back
    after closing the options window. This means our Exchange is infected on
    the server, not on the user's workstation.
    3. Traces of hacking using our admin password, even though I try to change it more than 3 times
    a day with a very strong detailed password. Our PIX config has been modified. We
    just got a Cisco engineer to correct it by SSH remotely and the password was given
    verbally instead of by keyboard.

    That's all, and if these signs are not straightforward to you then I don't know what
    the signs of infection you mean are.
     
    ITTester, Nov 29, 2005
    #32
  13. Yes, this is one of the solutions but you didn't confirm if it is safe when transferring
    back to the new box.

    I already bought the hard drive.
     
    ITTester, Nov 29, 2005
    #33
  14. Hi Nick,

    Can you be more detailed on the below? PLEASE!!!
     
    ITTester, Nov 29, 2005
    #34
  15. Hi David,

    I will test on a rebuilt machine without Avast. - I am in the stage of
    rebuilding all workstations for security reasons.

    Remote scan meaning PC as SAV.

    Are we legal when using many AV definitions without paying for the apps?
     
    ITTester, Nov 29, 2005
    #35
  16. From: "ITTester" <>

    | Hi David,
    |
    | I will test on a rebuilt machine without Avast. - I am in the stage of
    | rebuilding all workstations for security reasons.
    |
    | Remote scan meaning PC as SAV.
    |
    | Are we legal when using many AV definitions without paying for the apps?

    | Remote scan meaning PC as SAV.

    I still don't get the question. Please fully state what you mean by remote scanning.

    Example: If PC_A has a share created to the root of the system (such as C$) and a user on
    PC_B has full rights to that share (such as \\PC_A\c$ ) then PC_B can do a remote scan of
    PC_A, but it won't scan the Registry, only files.

    As for the legality, all files are publicly available via public FTP or HTTP servers.
    There are no passwords required and anybody could manually find and download the AV scanner
    engines and signature files. The Multi AV Scanning Tool facilitates the downloading,
    extracting and execution process. Additionally it thwarts protective countermeasures that
    malware use in self preservation as well as correcting modifications made to the OS.

    However, these corrective measures only take effect if the Multi AV tool is installed and
    used on the affected PC. If it is used to scan a share or mapped drive then it will not make
    the corrective measures on the platform being shared; they will be done on the PC performing
    the scan.
     
    David H. Lipman, Nov 29, 2005
    #36
  17. If the machine is connected to anything, probably yes.
    If what you're dealing with is a virus/worm (as opposed to a trojan) sure.


    --
    Aloha,

    -Ben-
    Ben M. Schorr, OneNote-MVP
    Roland Schorr & Tower
    http://www.rolandschorr.com
    Microsoft OneNote FAQ: http://www.factplace.com/onenotefaq.htm

    **I apologize but I am unable to respond to direct requests for assistance.
    Please post questions and replies here in the newsgroup. Mahalo!
     
    Ben M. Schorr - MVP, Nov 30, 2005
    #37
  18. It is if you scan the contents of the PST files with a good and up-to-date
    A/V scanner. The PST files themselves aren't what gets infected; it's the
    messages inside that might be.


    --
    Aloha,

    -Ben-
    Ben M. Schorr, OneNote-MVP
    Roland Schorr & Tower
    http://www.rolandschorr.com
    Microsoft OneNote FAQ: http://www.factplace.com/onenotefaq.htm

    **I apologize but I am unable to respond to direct requests for assistance.
    Please post questions and replies here in the newsgroup. Mahalo!
     
    Ben M. Schorr - MVP, Nov 30, 2005
    #38
  19. Just copy the PST file from the DVD (or CD) back to a hard drive, remove the
    read-only attribute and it should import just fine. User ID should be
    irrelevant on a PST file. He may be confusing PST and OST files.
    He'll lose single-instance storage but at this point I don't think he has a
    lot of options.


    --
    Aloha,

    -Ben-
    Ben M. Schorr, OneNote-MVP
    Roland Schorr & Tower
    http://www.rolandschorr.com
    Microsoft OneNote FAQ: http://www.factplace.com/onenotefaq.htm

    **I apologize but I am unable to respond to direct requests for assistance.
    Please post questions and replies here in the newsgroup. Mahalo!
     
    Ben M. Schorr - MVP, Nov 30, 2005
    #39
  20. ITTester

    Leythos Guest

    If he does the export using the EXMERGE utility it will create PST's
    with the user name, and then you can directly import them - as long as
    the user name matches - that's what I was getting at.

    Anyone should know that a DVD / CD is read-only and already know to copy
    them someplace to make them readable.
     
    Leythos, Nov 30, 2005
    #40
