Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations derfloh on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

AlertManger generates every sec 20-30 alerts ...

Status
Not open for further replies.
RusherIT

RusherIT

Technical User
Joined
Aug 12, 2003
Messages
2
Location
BE
Hi,

I hope someone can help me or point me to a place where to look to solve my problem.

I'm running Groupshield 5.2 and Virusscan 7.0 on a SBS2000 server.
There where some virusses on some mailboxes and notifications where send and mails that could not be cleaned where quarantined. All working fine but ...

When I look in the eventviewer I see under the Application Log every second about 20 - 30 alerts coming in from different virusses.

e.g.:
Alert Manager Event Log Alert:

The file false.bat is infected with W32/Klez.h@MM. Detected with Scan Engine 4.1.60 DAT version 4.1.4284.(from <name server> IP <ip-server> user SYSTEM running GroupShield 5.20.664.0 AVExch32)

And when I look in the Group Shield Event Log I see the same message:


Event Log

Component Title Description

c:\progra ...\AVExch32.exe On Access - Virus Found <W32/Yaha.g@MM> found. Cleaned No. Deleted No. Quarantined Yes. Blocked No.


No comes my question: where is this coming from ? I cleaned my quarantine and there's nothing in it.
It says On Access so it are no external mails who are coming in because then it should be Blocked.
How can I find where this is coming from are what this is causing.
Turning of the Virusscan On-Access don't help either (I even excluded the quarantine folder and the exchange folder was excluded by the installation self)

Hope someone has a hint or solution for my problem.

Thnkx
 
Sort by date Sort by votes
FYI,

found on a newsgroup post a similar post.
What you should do is in case you have any problems with this :

Stop Netshield Service
Clean up the quarantine folder (and working folder)
I cleaned up the event log database as well but don't think
that's needed.
(cleanup = delete files not folders)
Start Netshield Service again and my problem was gone.

Hope I can help someone with this .nfo

 
Upvote 0 Downvote
I have this problem too, it generates thousands of alerts, almost 1 a second, have stopped the messenger service, In groupshield it says its quarantined the virus but the quarantine folder is empty so there is nothing to clean. Thanks for any help on this matter.

Application popup: Messenger Service : Message from BHSPEN-SVR01 to BHSPEN-SVR01 on 23/09/2003 11:15:15

The file patch611.exe is infected with New Worm. Detected with Scan Engine 4.1.60 DAT version 4.1.4192.(from BHSPEN-SVR01 IP 195.207.229.250 user SYSTEM running GroupShield 5.20.664.0 AVExch32) virus
 
Upvote 0 Downvote
re: multiple Klez massages per second

Also, you need to update your scan engine to 4.2.60

I had a similar problem with Klez. Found that many of the messages were caused by on access scanner catching the virus coming in via network shares. Also found that I was getting a &quot;multiple log&quot; in that I would get a message informing me that the file was infected. Then would get another message informing me that the file was cleaned or deleted. In the event that the file could not be cleaned or deleted, I would get yet another message informing me that the file had been quarantined. To make matters worse, I had taken out the quarantine folder exclusion, so the files were being scanned again once they were moved to the quarantine folder. This problem persisted until I (a - manually deleted the files in quarantine via command line (b - was able to deploy and control VScan on most of the machines in the domain to stop the network jumping characteristic of Klez.

999DOM999 - If yours wasn't a typo, you need to upgrade your scan engine to 4.2.60. The patch611.exe New Worm that McAfee is detecting is w32/swen@mm. I submitted a sample of the &quot;New Worm&quot; detected on our Exchange server this morning and received the following response:

&quot;Attached is a file for extra detection, which will be included in a future DAT set. We have detected a virus or trojan that can only be detected and removed with the
attached EXTRA.DAT and current scan engine.&quot;

They included an &quot;extra.dat&quot; file that I checked in to my ePO repository and that was that.

Hope some of this makes sense and helps. :)
 
Upvote 0 Downvote
not only should you delete the file, you should also load hotfix2 or sp1 for groupshield.

FatesWebb

if you do what I suggested it is not my fault...
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

gbayi_omo
  • Locked
  • Question Question
Cisco ASA 5505 not allowing access to highest security zone
Replies
0
Views
331
gbayi_omo
gbayi_omo
abhi21
  • Locked
  • Question Question
Interesting article on Cyber Security
Replies
0
Views
268
abhi21
abhi21
TheFireman2
  • Locked
  • Question Question
Help with Watchguard Firebox M200 setup as a TMG 2010 replacement with ASA 5515 as main firewall
Replies
1
Views
538
hairlessupportmonkey
hairlessupportmonkey
texwiz
  • Locked
  • Question Question
need some help to properly set up, segregate and secure a network with an ASA 5505
Replies
2
Views
419
texwiz
texwiz
TierOneTech
  • Locked
  • Question Question
TZ105 - can I define a second WAN interface for failover?
Replies
1
Views
313
jcarmichael1203
jcarmichael1203

Part and Inventory Search

Sponsor

Back
Top