For roughly the past two weeks, my company has been bombarded with email attachment viruses. Previously we might have received one a month, but now we’re seeing 10-20 each day. Avast is catching them all, thankfully, but I’m getting frustrated that the notifications set up in the ADNM’s “Default Resident Task” aren’t notifying me each time. Generally I get a notification email for just one out of ten infected emails, and am not sure what I’m doing wrong.
For example, when the Session → On-Access Scanners list shows
Yesterday at 10:50:09 AM ? FILESRVR01\Mail From: “psaqybxqnb” Subj: Best episodes of Beach Sex Hotel!\tube.zip\VideoTube.com.avi.exe Infection: Win32:Trojan-gen {Other} File was successfully repaired…
I get a notification email, but for most other infected messages like
Today at 4:03:11 AM C FILESRVR01\D:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_248cc59001c91a2e00001c46.EML\tube.zip#3178128600\VideoTube.com.avi.exe Infection: Win32:Trojan-gen {Other} File was successfully moved to chest…
I never get an email. When a line displays the From and Subject lines, what does this say about the plugin that found it? Was it caught by the Exchange plugin or the SMTP plugin? I have my email address configured in the “Alerts” section of the Default Resident Task, and it works when I test it. My email address additionally appears in the “Alerts and Logs” section of the Exchange and SMTP plugins’ settings, and “Notify other people” is on.
Does anyone have suggestions so I can make sure I am notified every time a virus appears in the Session → On-Access Scanners list?
(Hmm, I just found something unusual. In the Default Resident Task, in the Alerts section, my alert appears in the “Used alerts” column. But if I right-click “On-Access Scanners” → Properties, my Alert here appears in the first column instead, and appears disabled. A clue?)
The Settings window appears to have the right information, but I changed the server name to its IP address, just in case. There was no From Address listed, so I fixed that. Alerts is configured properly, and the “Test” button has always worked.
Thanks for the suggestions. I’ve been talking to Avast support about this for over a week, and not getting anywhere. When configured properly, is it possible to get email warnings for ANY event appearing in Sessions → On-Access Scanners?? I’m starting to wonder. Notifications are arriving for roughly 1 out of 25 infected emails, supposedly scrubbed messages are still disappearing, and I may have found cases where Avast tries using LDAP nomenclature for email addresses when sending through SMTP. Is it just buggy below the surface? Am I expecting too much?
I finally got it working…mostly. It was a combination of two problems. Thanks for the hint about checking the SMTP setting in the Settings window. Many Windows server programs can use “hostname” to identify a server on the Intranet, but ADNM apparently isn’t one of them. We were using just FILESRVR01 for the “Server Address”. Changing this to the IP address (or probably the FQDN) got the Alerts working normally.
Secondly, with various scanners running at once, the Standard Shield, the SMTP shield, and the Exchange shield were tripping over each other. Viruses were getting caught, but being processed in a less optimal way (i.e. the notifications didn’t include email-related data like the IP address). Avast’s support suggested reading http://support.microsoft.com/default.aspx?kbid=328841 to prevent the Standard Shield from scanning certain Exchange directories. In the end, I excluded
assuming I didn’t make any typos just now. (And these locations can vary among Exchange installations.) I am currently very frustrated with Avast, since every single ADNM/Exchange installation on the planet should be using these settings, and yet they are nowhere to be found 1) in the ADNM manual, 2) on Avast’s web site, or 3) in the ADNM installer itself.
I am still having some issues, as Avast sometimes does B in response to infected emails when I tell it to do A (i.e. it’s deleting messages when I want them in “Badmail” and replying to senders when I have this disabled), but incoming Trojans have been light lately, and I want to test it more before complaining again. Thanks for all the suggestions!