We use eTrust InoculateIT with the Exchange option to scan all incoming mail as well as the client version on the workstations to scan all files passing in or out of the box. Our definitions caught the SoBig variant and deleted the content. Additionally, we setup the Exchange AV module to block attachment types (i.e., .scr, .pif, .bat, .vbs, etc). Bakari Allen ballen@xxxxxxxxx -----Original Message----- From: Jim Harrison [mailto:jim@xxxxxxxxxxxx] Sent: Wednesday, August 27, 2003 1:02 PM To: [ISAserver.org Discussion List] Subject: [isalist] RE: Critical Problem - Connection down - Please advice http://www.ISAserver.org Another option is to filter on content (if you mail server allows). Create a rule that rejects email containing "*Xame-*.pif", "*Xame=*.scr" and you won't waste valuable CPU cycles scanning something that should be found in decent email. (replace "X" with "n"; my mail server drops email with those definitions) Jim Harrison MCP(NT4, W2K), A+, Network+, PCG http://www.microsoft.com/isaserver http://isaserver.org/Jim_Harrison http://isatools.org Read the help, books and articles! ----- Original Message ----- From: "Koie Smith" <ksmith@xxxxxxxxxxxxxx> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx> Sent: Wednesday, August 27, 2003 09:28 Subject: [isalist] RE: Critical Problem - Connection down - Please advice http://www.ISAserver.org We use "Symantec Antivirus Filtering for Exchange 3.0", has been running good so far if setup correctly to stop sobig.f along with Symantec 8.1 Corp Edition. Koie Smith Nex-Tek, Inc. Technical Support Team -----Original Message----- From: John Tolmachoff (Lists) [mailto:johnlist@xxxxxxxxxxxxxxxxxxx] Sent: Wednesday, August 27, 2003 11:27 AM To: [ISAserver.org Discussion List] Subject: [isalist] RE: Critical Problem - Connection down - Please advice http://www.ISAserver.org No, normal AV software DOES NOT CHECK incoming and outgoing message through Exchange. You need specific software for that. John Tolmachoff MCSE CSSA Engineer/Consultant eServices For You www.eservicesforyou.com > -----Original Message----- > From: Nabil, Ahmed [mailto:anmahmou@xxxxxxxxxx] > Sent: Tuesday, August 26, 2003 11:44 PM > To: [ISAserver.org Discussion List] > Subject: [isalist] RE: Critical Problem - Connection down - Please advice > > http://www.ISAserver.org > > > Hi Tom, > > I downloaded the Welchia fix from the Symantec Site and I am trying to apply it in > the logon script for all users. Yesterday I found some Sobig also in the Exchange > EDB which wasn't detected by normal antivirus !!!!! > > What do you think ?? > > I am getting an error in the application log of the ISA server (userenv - Windows > can't determine the user or computer name) > > Please advice, > > Thanks alot for all of you for your help and support. > > Ahmed > > -----Original Message----- > From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx] > Sent: Wednesday, August 27, 2003 3:51 AM > To: [ISAserver.org Discussion List] > Subject: [isalist] RE: Critical Problem - Connection down - Please > advice > > > http://www.ISAserver.org > > > Hi Ahmed, > > Sounds like the Welchia worm to me. > > HTH, > Tom > > Thomas W Shinder > www.isaserver.org/shinder > ISA Server and Beyond: http://tinyurl.com/1jq1 > Configuring ISA Server: http://tinyurl.com/1llp > > > > -----Original Message----- > From: Nabil, Ahmed [mailto:anmahmou@xxxxxxxxxx] > Sent: Monday, August 25, 2003 5:36 AM > To: [ISAserver.org Discussion List] > Subject: [isalist] RE: Critical Problem - Connection down - Please > advice > > > http://www.ISAserver.org > > > I disconnected the local NIC (Internal) cable from the ISA server and > everything went fine. The task manager performance dropped to 2% and the > Internet is connected !!!!!!!!!!!!! > > Is that a kind of virus on the Internal LAN ?? > > Please advice, > > Ahmed > > -----Original Message----- > From: Nabil, Ahmed > Sent: Monday, August 25, 2003 9:16 AM > To: [ISAserver.org Discussion List] > Subject: [isalist] Critical Problem - Connection down - Please advice > Importance: High > > > http://www.ISAserver.org > > > Hello Everyone, > > Just to give you an overview of my ISA architecture. The ISA External > Interface NIC is connected to the Firewall which in turn is connected to > our ISP. > > The Problem is that we are not able to connect to the Internet, The > problem is for sure with the ISA, I inserted a Laptop between the ISA > and the Firewall (Bypassing the ISA) and I connected fine to the > Internet. > > Actually the connection isn't totally down, When I start to ping the ISA > external Interface from my client machine or to ping for example > www.yahoo.com I get a reply for my ping and then the Time (TTL) starts > to increase till it reach 1000ms then REQUEST TIME OUT message appear. > This happens for another 5-10 minutes then a reply once again come back > for another 2-5 minutes then TTL increase again and the same loop goes > on. > > When I check the ISA server Task manager, thats the strange part, the > Performance is 100% CPU Usage and when I check the Process, I find few > process (CSRSS, Winlogon, rdpclip, shstat, wzqkpick, hkcmd, > controldGUI.......etc) and each of them is showing 0% CPU > !!!!!!!!!!!!!!!!!! > > I tried to clear the cache several times and I restarted the computer > many times and when its up, it works fine for few minutes then the loop > starts. > > Now the CPU Usage is 100% and I don't have another choice but to restart > the ISA. > > Please advice, > > Thanks in advance for your help, > > Ahmed > > ------------------------------------------------------ > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ > ------------------------------------------------------ > Other Internet Software Marketing Sites: > Leading Network Software Directory: http://www.serverfiles.com > No.1 Exchange Server Resource Site: http://www.msexchange.org > Windows Security Resource Site: http://www.windowsecurity.com/ > Network Security Library: http://www.secinf.net/ > Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com > ------------------------------------------------------ > You are currently subscribed to this ISAserver.org Discussion List as: > anmahmou@xxxxxxxxxx > To unsubscribe send a blank email to $subst('Email.Unsub') > > ------------------------------------------------------ > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ > ------------------------------------------------------ > Other Internet Software Marketing Sites: > Leading Network Software Directory: http://www.serverfiles.com > No.1 Exchange Server Resource Site: http://www.msexchange.org > Windows Security Resource Site: http://www.windowsecurity.com/ > Network Security Library: http://www.secinf.net/ > Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com > ------------------------------------------------------ > You are currently subscribed to this ISAserver.org Discussion List as: > tshinder@xxxxxxxxxxxxxxxxxx > To unsubscribe send a blank email to $subst('Email.Unsub') > > ------------------------------------------------------ > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ > ------------------------------------------------------ > Other Internet Software Marketing Sites: > Leading Network Software Directory: http://www.serverfiles.com > No.1 Exchange Server Resource Site: http://www.msexchange.org > Windows Security Resource Site: http://www.windowsecurity.com/ > Network Security Library: http://www.secinf.net/ > Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com > ------------------------------------------------------ > You are currently subscribed to this ISAserver.org Discussion List as: > anmahmou@xxxxxxxxxx > To unsubscribe send a blank email to $subst('Email.Unsub') > > ------------------------------------------------------ > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ > ------------------------------------------------------ > Other Internet Software Marketing Sites: > Leading Network Software Directory: http://www.serverfiles.com > No.1 Exchange Server Resource Site: http://www.msexchange.org > Windows Security Resource Site: http://www.windowsecurity.com/ > Network Security Library: http://www.secinf.net/ > Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com > ------------------------------------------------------ > You are currently subscribed to this ISAserver.org Discussion List as: > johnlist@xxxxxxxxxxxxxxxxxxx > To unsubscribe send a blank email to $subst('Email.Unsub') ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: ksmith@xxxxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: bakari.allen@xxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub')