Virus detected on EV server

patriot3w
Level 5
Partner Accredited

 

Where did the viruses below come from? From the emails we archived? We have SMG/SEP in place.

Thanks. 

C:\Documents and Settings\evsvc\Local Settings\Temp\EV_CVT_Temp_1\FAX_281290192982.pdf.exe

C:\Documents and Settings\evsvc\Local Settings\Temp\EV_CVT_Temp_2\Employment 2013.pdf.exe

C:\Documents and Settings\evsvc\Local Settings\Temp\EV_CVT_Temp_1\Secure_Message.pdf.exe

C:\Documents and Settings\evsvc\Local Settings\Temp\EV_CVT_Temp_1\Encrypted_Message.pdf.exe

C:\Documents and Settings\evsvc\Local Settings\Temp\EV_CVT_Temp_1\IncomingFax.exe

C:\Documents and Settings\evsvc\Local Settings\Temp\EV_CVT_Temp_1\Recent Acivity.exe

 

1 ACCEPTED SOLUTION


GertjanA
Moderator
Partner    VIP    Accredited Certified

To answer the question, yes, this is from emails you archived.

The temp location indicated (EV_CVT_TEMP) is (as far as I recall) a temp location for the converter of EV (to convert attachments to HTML or TXT).

Especially the first 4 (pdf.exe) seem to indicate a possible suspected item.

What action did your AV take on those? Did that cause issues on EV?

I am not sure how to progress. I would personally make double sure the storage location of EV is NOT scanned, and that the index location is also NOT scanned. When the items are stored in EV, they can still have the virus. They will sit in the archives. When items are being retrieved, they should be caught either at the Exchange level or on the workstation (when the item is opened in/from Outlook). When the items are in EV, they cannot execute themselves.

When the items are being cleaned/quarantined from that temp location, make sure there are no issues with EV continuing to archive normally.

You might also want to open a support case, just to be sure what to do.

Regards. Gertjan

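Added example (not part of the original thread and not Symantec code): a small Python triage of the detection paths quoted in the question, marking which ones sit in an EV converter temp folder and which use a document-then-executable double extension. The `EV_CVT_Temp_<n>` folder pattern is assumed from the paths in the question, and the extension lists and the last sample path are constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# Assumption: converter temp folders follow the EV_CVT_Temp_<n> naming seen in the thread.
EV_CVT_DIR = re.compile(r"^EV_CVT_Temp_\d+$", re.IGNORECASE)
# Assumed, non-exhaustive extension lists; adjust to local policy.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".txt"}


def triage(detection_path: str) -> dict:
    """Classify one AV detection path reported on an EV server."""
    path = PureWindowsPath(detection_path)
    suffixes = [s.lower() for s in path.suffixes]
    executable = bool(suffixes) and suffixes[-1] in EXECUTABLE_EXTS
    return {
        "file": path.name,
        # True when a parent folder is a converter temp folder, i.e. the file is a
        # copy of an attachment written out while an archived mail was converted.
        "converter_temp": any(EV_CVT_DIR.match(part) for part in path.parts[:-1]),
        "executable": executable,
        # Document-looking extension directly in front of an executable one.
        "double_extension": executable and len(suffixes) >= 2
        and suffixes[-2] in DECOY_EXTS,
    }


TEMP = r"C:\Documents and Settings\evsvc\Local Settings\Temp"
SAMPLE_PATHS = [
    # The six detections quoted in the question.
    TEMP + r"\EV_CVT_Temp_1\FAX_281290192982.pdf.exe",
    TEMP + r"\EV_CVT_Temp_2\Employment 2013.pdf.exe",
    TEMP + r"\EV_CVT_Temp_1\Secure_Message.pdf.exe",
    TEMP + r"\EV_CVT_Temp_1\Encrypted_Message.pdf.exe",
    TEMP + r"\EV_CVT_Temp_1\IncomingFax.exe",
    TEMP + r"\EV_CVT_Temp_1\Recent Acivity.exe",
    # Constructed path outside the converter temp folders, for contrast.
    r"C:\Users\Public\Documents\report.pdf",
]

if __name__ == "__main__":
    for item in map(triage, SAMPLE_PATHS):
        origin = "EV converter temp" if item["converter_temp"] else "elsewhere"
        kind = "double extension" if item["double_extension"] else (
            "executable" if item["executable"] else "not executable")
        print(f"{item['file']:<32} {origin:<18} {kind}")
```
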

3 REPLIES

pete_4u2002
Level 5
Employee Accredited
The temp location is one of the locations where threats reside. I hope you are trying to say that SEP has detected the threat. Scan the system in safe mode.

ia01
Level 6
Partner Accredited

You should set an antivirus exclusion for the EV Temp folder.

Have a look at the following technote:

Recommended list of antivirus exclusions for Symantec Enterprise Vault

http://www.symantec.com/business/support/index?page=content&id=TECH48856