I have found with Scanmail it passes the HTML, but not the attachment. A couple of questions. What do you mean wrong information store version? What version SM? What version and SP is Exchange?

-----Original Message-----
From: Niki Blowfield [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, May 21, 2002 8:15 AM
To: Exchange Discussions
Subject: RE: Klez in attached html

I was unaware of HFNetcheck, I'm going to look at that now

I've taken that PC off the network, and will remove it from that office when I get there tomorrow

Scanmail is already set up to scan the message body (in MAPI mode? AVAPI is not available - wrong version of info store) and has successfully stopped Klez in the past by recognising attachments

Should that attachment be reaching the Outlook client? Or is it a failure with IE on the client

-----Original Message-----
From: Martin Blackstone [mailto:[EMAIL PROTECTED]]
Sent: 21 May 2002 16:04
To: Exchange Discussions
Subject: RE: Klez in attached html

Run HFNetcheck on the WS. Make sure it has the appropriate patches.
Set up your Scanmail to do message body scanning as well as attachment.

-----Original Message-----
From: Niki Blowfield [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, May 21, 2002 8:04 AM
To: Exchange Discussions
Subject: RE: Klez in attached html

Reason I said that Jim is that this all happens at the point an identically named file is received as an attachment thru our Exch server to his Outlook client

As far as I'm aware the machine is fully up to date, both the virus definitions on the exchange server and the desktop AV software, and the updates to both Windows and IE6 as reported by windowsupdate.microsoft.com

Is the fault likely to be with scanmail failing to notice the virus attachment, or a problem with the client

-----Original Message-----
From: Blunt, James H (Jim) [mailto:[EMAIL PROTECTED]]
Sent: 21 May 2002 15:43
To: Exchange Discussions
Subject: RE: Klez in attached html

"...Officescan flags up that there is a file in the user's temp internet folder with Klez... Why wouldn't scanmail be stopping this file? I haven't in the past considered that we should be blocking htm and html, but should we?"

Stop and read what you just wrote, Niki. Why isn't adding *.htm and *.html going to change a thing, if you add it to your e-mail scanning program? I'll tell you why...because the "attempted" infection is not coming through the e-mail system. Someone is connecting to the Internet and either getting this from an infected web site, or they are reading their private e-mail through a web browser.

When this happens, the virus scanner on the desktop catches the .exe file that is masquerading as an .html file and holds it in the Temporary Internet Files folder, before it can execute. Depending on how you have your desktop AV configured, it will either quarantine the file after the person is through visiting that page, or it will delete it entirely.

If you want to stop this kind of behaviour, you need to institute an AV Gateway for all your web traffic, as well as your e-mail traffic.

We use NAV CE on all the servers and workstations, with the exception of the Exchange servers, where we use NAV MSE. We have Qmail on our Mail Relay server connected to the Internet. This does the initial subject type and attachment type scanning. We also use NAV AV Gateway software to scan web traffic.

Jim Blunt

-----Original Message-----
From: Niki Blowfield [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, May 21, 2002 1:35 AM
To: Exchange Discussions
Subject: Klez in attached html

I appreciate this is probably down to my misunderstanding of this virus, but we have one user who is being sent an html file

As soon as the email is clicked on, the attachment is attempted to be opened by Outlook. Then Officescan flags up that there is a file in the user's temp internet folder with Klez, and it is the same filename as the html attachment, but the html has changed to exe

For instance, today he has an email with revisions1.html attached. When he selects the email, it attempts to open the attachment, and Officescan quarantines the file revisions1.exe from the temp internet folder.

I thought that Klez attachments had double extensions, like revisions1.html.exe

Why wouldn't scanmail be stopping this file? I haven't in the past considered that we should be blocking htm and html, but should we?

I've checked this PC with Officescan and Symantec's tool, and it shows no traces of Klez

Thanks
Nik

_________________________________________________________________
List posting FAQ: http://www.swinc.com/resource/exch_faq.htm
Archives: http://www.swynk.com/sitesearch/search.asp
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin: [EMAIL PROTECTED]

