I am, but have the exchsvr directories excluded. Actually, I have found that you need to exclude the *data directories and their subfolders, and that's all. The only time that the file level AV even rears its head is when the mail AV quarantines a virus or blocks an attached file. The file it quarantines to is scanned by the file level AV. Makes it easy to find blocked non-virus files... look for a file block without a corresponding file-level log entry. Then proceed carefully...

Glenn Sullivan, MCSE+I MCDBA
David Clark Company Inc.

-----Original Message-----
From: Chris McEvoy [mailto:chris@xxxxxxxxxxxxxxxxx]
Sent: Monday, May 19, 2003 9:39 AM
To: windows2000@xxxxxxxxxxxxx
Subject: [windows2000] Re: VIRUS WARNING

I hope you're not running file AV scanning on an Exchange server!

> -----Original Message-----
> From: Sullivan, Glenn [mailto:GSullivan@xxxxxxxxxxxxxx]
> Sent: Monday 19 May 2003 14:40
> To: 'windows2000@xxxxxxxxxxxxx'
> Subject: [windows2000] Re: VIRUS WARNING
>
> I suppose that some people don't control their mail servers, but for those of you that do, why would anyone allow .exe or .pif files through?
>
> I've been blocking a whole list of attachments for a couple years (the Martin list...) and, while I do run file-level AV on the mail server, they are all caught by the attachment blocking...
>
> Glenn Sullivan, MCSE+I MCDBA
> David Clark Company Inc.
>
> -----Original Message-----
> From: Chris McEvoy [mailto:chris@xxxxxxxxxxxxxxxxx]
> Sent: Monday, May 19, 2003 9:33 AM
> To: windows2000@xxxxxxxxxxxxx
> Subject: [windows2000] Re: VIRUS WARNING
>
> Thanks Jim. Do you know if the latest Norton definitions can catch this one?
>
> > -----Original Message-----
> > From: Jim Kenzig [mailto:jimkenz@xxxxxxxxxxxxxx]
> > Sent: Monday 19 May 2003 14:24
> > To: thin@xxxxxxxxxxxxx; windows2000@xxxxxxxxxxxxx; brainstem@xxxxxxxxxxxxx
> > Subject: [windows2000] VIRUS WARNING
> >
> > If you receive an email from Support@xxxxxxxxxxxxx that has an attachment DO NOT OPEN IT! This is a virus. Delete it immediately. My McAfee I updated yesterday is not catching this one. Watch out!
> > Regards, Jim Kenzig
> >
> > VIRUS WARNING
> >
> > The Central Command(r) Emergency Virus Response Team(tm) (EVRT(tm)) has received virus infection reports for the new Internet Worm/Palyh.A <http://support.centralcommand.com/cgi-bin/command.cfg/php/enduser/std_adp.php?p_refno=030518-000043>. Due to increased customer inquiries and infection reports the EVRT is issuing a VIRUS ALERT.
> >
> > You are receiving this news letter because you are a subscriber to the Central Command Virus News mailing list.
> >
> > [ EVRT(tm) Virus Warning issued for Worm/Palyh.A <http://support.centralcommand.com/cgi-bin/command.cfg/php/enduser/std_adp.php?p_refno=030518-000043> ]
> >
> > Name: Worm/Palyh.A <http://support.centralcommand.com/cgi-bin/command.cfg/php/enduser/std_adp.php?p_refno=030518-000043>
> > Alias: Win32.Palyh-A
> > Type: Internet Worm
> > Discovered: May 18, 2003
> > Size: 52.955KB
> > Platform: Microsoft Windows 9x/ME/NT/2000/XP
> >
> > Description:
> >
> > Worm/Palyh.A <http://support.centralcommand.com/cgi-bin/command.cfg/php/enduser/std_adp.php?p_refno=030518-000043> is an Internet worm that spreads through e-mail by using addresses it collects in the files with the following extensions, .dbx, .eml, .htm, .html, .txt, and .wab.
> >
> > The worm may arrive via email in the following format:
> >
> > From: support@xxxxxxxxxxxxx
> > Subject: (it will contain one of the following)
> >
> > - Your Password
> > - Screensaver
> > - Re: Movie
> > - Your details
> > - Approved (Ref: 38446-263)
> > - Re: Approved (Ref: 3394-65467)
> > - Cool screensaver
> > - Re: My details
> > - Re: My application
> > - Re: Movie
> >
> > Attachment: (it will contain one of the following)
> >
> > - movie28.pif
> > - application.pif
> > - ref-394755.pif
> > - approved.pif
> > - doc_details.pif
> > - your_details.pif
> > - screen_temp.pif
> > - screen_doc.pif
> > - password.pif
> >
> > If executed, the worm copies itself in the \windows\ directory under the filename "mscon32.exe".
> >
> > So that it gets run each time a user restarts their computer the following registry key gets added:
> >
> > - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
> >   "System Tray"="C:\\WINDOWS\\MSCON32.EXE"
> >
> > ==================================
> > To Unsubscribe, set digest or vacation mode or view archives use the below link.
> > http://thethin.net/win2000list.cfm
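
The attachment blocking discussed in this thread, sketched as an added example (not code from any poster or from a mail product): it parses a MIME message and reports attachments whose effective extension is .exe or .pif, the two extensions named above. The function names, the two-entry block list and the constructed sample message are assumptions for illustration.

```python
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Only the extensions named in the thread; a production block list is longer.
BLOCKED_EXTENSIONS = {".exe", ".pif"}


def effective_extension(filename):
    """Return the lower-cased extension Windows would act on."""
    # Drop any path component, then the trailing dots and spaces that
    # Windows ignores, so "a.txt.PIF. " is still treated as .pif.
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    name = name.rstrip(". ").lower()
    dot = name.rfind(".")
    return name[dot:] if dot > 0 else ""


def blocked_attachments(raw_message):
    """Return (filename, extension) for each part with a blocked extension."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    hits = []
    # walk() descends into multipart containers and attached messages.
    for part in msg.walk():
        filename = part.get_filename()  # also decodes RFC 2231 names
        if not filename:
            continue
        ext = effective_extension(filename)
        if ext in BLOCKED_EXTENSIONS:
            hits.append((filename, ext))
    return hits


def build_sample(filename):
    """Constructed message shaped like the alert's description."""
    msg = EmailMessage()
    msg["From"] = "support@example.invalid"  # constructed address
    msg["To"] = "user@example.invalid"       # constructed address
    msg["Subject"] = "Your details"
    msg.set_content("constructed body text")
    msg.add_attachment(b"constructed placeholder bytes",
                       maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    print(blocked_attachments(build_sample("your_details.pif")))
```

Matching is on the last extension after normalisation, so a double extension such as `notes.txt.pif` is still caught while `notes.txt` passes.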