05-13-2013 02:45 AM
Hi there,
our virus scanner detected an infected file in one of the EV_CVT_Temp_ folders. This file was moved immediately to the quarantine by the scanner software. If I am correct these CVT_Temp folders are used for archiving as well as for manual archiving.
My question is if I have any chance to find out who of our users has archived this infected file? I checked all available EV logs but could not find any username or file.
Is there probably a chance to find out something in the EV DBs? Unfortunately we are not using Journaling.
EV version is 10.01 and we are running Exchange 2010.
Regards
05-13-2013 04:03 AM
First of all, which folder *exactly* is it you are referring to?
Secondly, chances are it's NOT an infected file, but shows 'signatures' that are similar to a virus, but really, they're not.. antivirus gets confused. This technote might help:
http://www.symantec.com/business/support/index?page=content&id=TECH48856
05-13-2013 04:19 AM
Hi,
thanks for the reply. We are using Symantec Endpoint Protection and it detected the file as a Trojan.Gen.
It is folder EV_CVT_Temp_2.
Regards
05-13-2013 04:40 AM
Okay that's a super-generic detection, as I said, it's not a virus. I'd bet good money on it.
Where is that folder located? The full path I mean.
05-13-2013 04:56 AM
The Full path is: C:\Users\evltadmin\AppData\Local\Temp\EV_CVT_Temp_2
05-13-2013 05:11 AM
Okay, well %temp% for the Vault Service Account should be excluded from AV scanning.
05-13-2013 05:27 AM
I have just done this already.
Many Thanks
Regards,
Contonso
05-13-2013 05:35 AM
Glad to help.