12-11-2015 06:40 AM
We are running EV 10.0.3.1090 and Symantec Endpoint Protection 12.1.4013.4013. I had recently created a new email Vault Store and forgot to exclude it from AV scanning. Now on the nightly scan EP is detecting viruses in the Vault store. What's concerning to me is that these files are .exe files which we have explicitly blocked at our email border. I've looked through some posts here and have tried to track the email using the Vault Identifier, but I believe once I restore the detected virus from Quarantine it's changing the metadata on that specific file. I know the correct solution is to exempt this datastore from scanning, but before I do so I'd like to at least track down the email to which these .exe files are attached. Does it make sense to set the scan to "notify only", which would not manipulate the digital signature on the file? Would I then be able to track down the offending email?
Here is a sample of the detection message;
-----------------------------------------------------------------
At least one security risk found:
Risk name: Trojan.Gen
File path: I:\Enterprise Vault Stores\JournalVS01 Ptn6\2015\11-30\6\0B6\60B6282E0AA3968FAE82C202080A9221~82~B2084124~00~1.DVSSP>>Purchase Order pdf.exe
Event time: Dec 6, 2015 2:40:44 AM
Database insert time: Dec 6, 2015 2:42:44 AM
Source: Scheduled Scan
Description: ""
User: SYSTEM
-------------------------------------------------------------------
Thanks,
Shane
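As an added triage helper (not code from the thread, Veritas or Symantec), the snippet below parses a notification in the format quoted above, splits the DVSSP container from the member reported after `>>`, and extracts the partition name and the date folder so the archived item can be located in EV or the journal mailbox by date without restoring anything from Quarantine. The sample alert, the partition path layout regex and the deceptive-name check are assumptions modelled on the quoted message.

```python
import re
from typing import Dict, Optional

# Constructed sample in the shape of the SEP scheduled-scan notification quoted above.
SAMPLE_ALERT = r'''At least one security risk found:
Risk name: Trojan.Gen
File path: I:\Enterprise Vault Stores\JournalVS01 Ptn6\2015\11-30\6\0B6\60B6282E0AA3968FAE82C202080A9221~82~B2084124~00~1.DVSSP>>Purchase Order pdf.exe
Event time: Dec 6, 2015 2:40:44 AM
Database insert time: Dec 6, 2015 2:42:44 AM
Source: Scheduled Scan
Description: ""
User: SYSTEM
'''

# Assumed partition layout: <root>\<partition>\<yyyy>\<mm-dd>\...\<saveset>.DVSSP
EV_PATH_RE = re.compile(
    r"^(?P<root>.+?)\\(?P<partition>[^\\]+)\\(?P<year>\d{4})\\(?P<monthday>\d{2}-\d{2})\\"
    r"(?:[^\\]+\\)*(?P<saveset>[^\\]+\.DVSSP)$", re.IGNORECASE)

DOC_TOKENS = ("pdf", "doc", "docx", "xls", "xlsx")  # document types an .exe may imitate

def parse_alert(text: str) -> Dict[str, str]:
    """Split a 'Key: value' notification body into a dict with lower-cased keys."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        if ": " in line:
            key, _, value = line.partition(": ")
            fields[key.strip().lower()] = value.strip()
    return fields

def triage(alert_text: str) -> Optional[Dict[str, object]]:
    """Map one detection back to EV partition, archive date folder and saveset,
    separating the DVSSP container from the member SEP reports inside it."""
    fields = parse_alert(alert_text)
    file_path = fields.get("file path", "")
    container, sep, member = file_path.rpartition(">>")
    if not sep:                       # no archive-member marker: plain file hit
        container, member = file_path, ""
    m = EV_PATH_RE.match(container)
    if not m:                         # not an EV partition path; nothing to map
        return None
    stem = member.lower().rsplit(".", 1)[0]
    # 'Purchase Order pdf.exe' is an executable dressed up as a document.
    deceptive = member.lower().endswith(".exe") and any(
        re.search(rf"\b{t}\b", stem) for t in DOC_TOKENS)
    return {
        "risk": fields.get("risk name", ""),
        "partition": m.group("partition"),
        "archived_on": f"{m.group('year')}-{m.group('monthday')}",
        "saveset": m.group("saveset"),
        "member": member,
        "deceptive_name": bool(deceptive),
    }
```

The `archived_on` date comes from the partition folder, not the scan time, so it is the day to search in the journal mailbox or EV index for the original message.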
12-11-2015 10:43 AM
As best practice you are supposed to exclude vault stores in the AV scanning.
List of exclusions here: https://www.veritas.com/support/en_US/article.000032085
12-11-2015 10:47 AM
SMack you're going to cause ALL sorts of problems if you virus scan the partition data.
12-11-2015 02:25 PM
If it really is a virus message you might want to figure out why it isn't being captured before it gets to the journal mailbox....
12-15-2015 04:59 AM
The .exe file is in the dvssp file as a shareable part. Please exclude partitions first, as the others also say. You will run into major headaches if you scan (and let it quarantine..). It is found due to it being in the dvssp, not because it is stored as an .exe (like an exe in a cab file, to be very simplistic).
01-22-2016 08:57 AM
Just to clarify GertjanA, these files were not originally .exe files? My concern was that I have a filter on my edge devices that is supposed to block these .exe files. Does Enterprise Vault manipulate attachments and store them as .exe files?
Thanks,
Shane
01-26-2016 05:01 AM
No it doesn't.
01-26-2016 05:48 AM
Thanks for clarifying Rob. Here's my concern, somehow these viruses are making it into the EV data stores. I am trying to track down the origins of the message but I'm not able to do so if scanning is turned off on the vault stores. I've disabled scanning for now. Just wondering if there is a better approach to trying to track these files down.
Thanks,
Shane