2 weeks ago - last edited 2 weeks ago
Defender for Endpoint is scanning and detecting malware on our Enterprise Vault server (Windows Server 2019, EV 14.1)
Defender detected and quarantined 'VirTool:Win32/Obfuscator.AMB' in file 'Collection69820.CAB->2015\03-18\F\099\F099004C44E1182BB4C66969414A5BF1~27~F371B949~00~1.DVSSP->DOC2015001115376112626-pdf.exe->(RarSfx)->muxtkav->AutoIT_Script->[EmbeddedEnc]'
We have been running with Defender for Endpoint for almost a year and only now does it detect this on a file from 2015...
I'm wondering how to handle this. I read somewhere that it is not recommended to let any antivirus run in this file location because it might wreck Enterprise Vault. But I also don't want to risk letting that malware exist.
To my knowledge, there is also no way to determine which archive/user this file belongs to?
2 weeks ago
Hi,
You need to restore the CAB file from backup or quarantine and configure antivirus exclusions; use this article as a guide: Recommended list of antivirus exclusions for Enterprise Vault
a week ago
Follow the advice from Tonaco.
Not having the proper exclusions will do more harm than good. As for a possible threat in the CAB/DVS files, keep in mind that if a user retrieves the item, it will be scanned at the location where it is opened, provided, of course, that the user is running an AV solution as well. When a retrieved item is opened on a workstation, the local AV should kick in and then clean/quarantine or block the item.
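The two replies above (restore the quarantined CAB, then put the Enterprise Vault exclusions in place) can be carried out from an elevated PowerShell session on the EV server with the built-in Defender cmdlets and MpCmdRun.exe. The script below is an added example, not code from this thread or from Veritas; the directory paths and the extension list in it are placeholders that must be replaced with the locations on your own server and the entries from the linked Veritas article, which remains the authoritative list.

```powershell
# Added example: inspect the detection, restore the quarantined collection file,
# then add Defender exclusions for Enterprise Vault. Run elevated on the EV server.
# All paths/extensions below are assumed placeholders; take the real list from
# "Recommended list of antivirus exclusions for Enterprise Vault".

# 1. What did Defender detect and quarantine? Resources holds the full archive chain
#    (CAB -> DVSSP -> embedded .exe) as shown in the original post.
Get-MpThreatDetection |
    Sort-Object InitialDetectionTime -Descending |
    Select-Object -First 5 InitialDetectionTime, ThreatID, ActionSuccess, Resources |
    Format-List

# 2. Restore the CAB from quarantine so the vault store is not left with a missing
#    collection file. Restoring by threat name puts back every item quarantined
#    under that detection; use -FilePath to restore a single file by its original path.
$mpcmd = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'
& $mpcmd -Restore -ListAll
& $mpcmd -Restore -Name 'VirTool:Win32/Obfuscator.AMB'
# & $mpcmd -Restore -FilePath 'E:\EVStorage\Partition1\Collection69820.CAB'   # assumed path

# 3. Exclusions. Vault store partitions and index locations are the ones the
#    thread is about; the install folder and MSMQ storage are commonly listed too.
#    Every path here is an assumption for illustration.
$evPaths = @(
    'C:\Program Files (x86)\Enterprise Vault',   # EV installation folder (assumed)
    'E:\EVStorage',                              # vault store partition root (assumed)
    'F:\EVIndex',                                # index location root (assumed)
    'C:\Windows\System32\msmq'                   # MSMQ storage used by EV (assumed)
)
# Saveset/collection file types seen in the detection path; the Veritas article may list more.
$evExtensions = @('cab', 'dvs', 'dvssp')

foreach ($p in $evPaths) {
    if (Test-Path -LiteralPath $p) {
        Add-MpPreference -ExclusionPath $p
    } else {
        Write-Warning "Skipping exclusion for missing path: $p"
    }
}
foreach ($e in $evExtensions) {
    Add-MpPreference -ExclusionExtension $e
}

# 4. Verify what is now excluded. Excluded locations are no longer scanned on the
#    server, so, as the last reply notes, a retrieved item is only caught by the AV
#    on the workstation where the user opens it.
$pref = Get-MpPreference
$pref.ExclusionPath
$pref.ExclusionExtension
```

Test-Path is used before each Add-MpPreference call so that a typo in a path does not silently create an exclusion that protects nothing. Note that Get-MpPreference only reports exclusions set locally; if the server is onboarded to Defender for Endpoint and exclusions are pushed by policy (Intune or GPO), set them there instead, or the local entries may be overwritten.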