Re: Security issue with MS Exchange and Windows 2003 Server

From: ITTester (ITTester_at_discussions.microsoft.com)
Date: 11/29/05


Date: Mon, 28 Nov 2005 20:21:03 -0800

Thanks for your reply, please see below.

"Leythos" wrote:

> In article <820A8F04-BA76-40CD-B07F-718CAB32B830@microsoft.com>,
> ITTester@discussions.microsoft.com says...
> > 1. Can hackdef or its variants infect the new mail servers by moving the
> > mailboxes?
> > 2. Can data on the moved mailboxes infect the new server - we have one
> > user's mailbox which is infected by a virus / trojan
> >
> > Do we need to rebuild from scratch if the above points are not safe?
> > We can't perform an anti-virus scan on the Exchange DB before the move as the DB
> > will be corrupted, so it's not useful.
> > Please advise if there is any other alternative for this matter.
>
> Anything you move to the new server that COULD contain a virus (like
> your mail stores, or PST files if you exported them) could still contain
> the virus and still be executed by users at any time.

Thanks for your notice. We are presently cleaning up manually, mailbox by mailbox,
all suspected emails or attachments. However, this manual work is painful and
takes a lot of time, but we have no other choice.

We have put a new anti-virus, which performs very well, on the workstations. We
have deleted 2 mailboxes which are the origin of the infection.

All suspected workstations which have not passed the boot scan, remote scan and
port scan will be rebuilt from scratch before connecting back to the network.

> Why are you not running Exchange aware SMTP based AV software?

We used GFI MailEssentials 9.0, but we are a small company, so everything is based
on a good firewall and a good anti-virus.

We are setting up a dual firewall, a DMZ area with an SMTP filtering server before
good mails are sent to the final Exchange box. However, for now my goal is to be
able to move safely all existing mailboxes to the new server.

> Why are you not removing attachments BEFORE they reach the Exchange
> store - if your firewall doesn't do this in an SMTP Proxy service, your
> Exchange SMTP session aware AV software should be able to do it.

Same reply as above.

> You can run all the malware removal tools you want, but if the malware
> is in the store you don't have much hope.
>
> If I were in your place I would do the following:
>
> Setup a new server, install Symantec Corporate Edition 10.0 and properly
> update it, then set the proper file/folder/extension exclusions based on
> MS and Symantec's recommendations, then I would install Symantec Mail
> Security 4.6 and update it, then import the mail boxes, and then run a
> manual scan on them from inside Symantec Mail Security.

I am using the same AV as you but version 9, but I have lost confidence in this AV
as it couldn't detect any phishing links contained inside the mail body
or malware sites. We are infected through malware sites and phishing links. Our
staff do a lot of research on the net for design purposes.

I am at the stage of doing exactly what you suggested, but we didn't
want to take the chance of being infected again; that is why I consulted the MS
communities to see if anyone has a better idea than this one.

> Once that's done I would setup SMS 4.6 to remove attachments that could
> contain malware and also use it for spam filtering.

The problem is not scanning after moving the mailboxes but during the move.
Please do some research on Google about HackDef, but please be careful,
there is no cure yet against this rootkit. If you are an MS engineer at
security level, you will know about

Thanks again

>
> --
>
> spam999free@rrohio.com
> remove 999 in order to email me
>
