Quarantined files are not being forwarded to a Central Quarantine server for a corporate antivirus product when configured to do so

Article:TECH79971  |  Created: 2002-01-22  |  Updated: 2010-11-26  |  Article URL http://www.symantec.com/docs/TECH79971
Article Type
Technical Solution


Environment

Issue



You are using Norton AntiVirus for Microsoft Exchange (NAVMSE) or Symantec AntiVirus/Filtering for Microsoft Exchange 3.0 to protect your Exchange Server. You configured the corporate antivirus product to forward quarantined files to a Central Quarantine Server. However, infected files are quarantined locally and are not successfully forwarded to the Central Quarantine Server.


Solution



The Quarantine Server is not configured correctly. Examine the port number that the Quarantine Server is listening on. This port number should match the port number to which NAVMSE or Symantec AV/Filter for Microsoft Exchange is sending Quarantined files. The port number is set in the user interface for the corporate antivirus product. The following sections provide steps to change the setup of the Quarantine Server.


Note: Content violations will not be forwarded. See the Symantec Knowledge Base document "Items quarantined for content or spam violations are not forwarded to central quarantine by Symantec AntiVirus/Filtering 3.0 for Microsoft Exchange" for additional information.


 

    To determine which port is being used by the Central Quarantine Server:
    1. Open Symantec System Center, right-click the Symantec Central Quarantine icon, and then click Properties.
    2. Select the General tab.
    3. Make a note of the port number that the Central Quarantine Server is listening on (for example, 2357).
    4. Convert the port number to a 4-digit hex number. To do so:
      1. Open Run and type in calc.exe and then click OK.
      2. Click View > Scientific.
      3. Make sure that Dec is selected, and then type the port number (in this example, the port is 2357).
      4. Click Hex to convert the decimal number to hexadecimal format (in this example, the hex number is 0935).
    5. Replace the first two digits with the last two digits and vice versa. For example, 0935 becomes 3509, and AABB becomes BBAA.
    6. Convert the resulting four-digit hexadecimal number back to decimal:
      1. Using the instructions above, open Calc.exe in the Scientific view.
      2. Make sure that Hex is selected, then type the four-digit hexadecimal number from step 5 (in our example, the hex number is 3509).
      3. Click Dec to convert the hexadecimal number to decimal format (in this example, the decimal number is 13577).
    7. From the Command Prompt, run the following command:

      netstat -a
    8. The netstat -a command returns a list of active connections. Check which port is open for connections (in this example, port 13577 is probably listening for connections).
    9. Configure NAVMSE or Symantec AV/Filter for Microsoft Exchange to send Quarantined files to the open port.
  • The specified port is in use by another application
    It is possible that the port you have specified is already in use by another application. Use the command in Step 7 to determine if the port is being used.
  • Firewall or router between the Exchange server and the Quarantine Server
    In order for Quarantine forwarding to function correctly with a firewall or router in place, you must open the port for quarantine on your firewall or router. Verify that the Quarantine Server is listening on the correct port by using the instructions above.
  • Name resolution (WINS/DNS) is not functioning correctly
    The Exchange server must be able to resolve the name of the Quarantine Server. Use the following steps to confirm that the Exchange server can resolve the server name:
    1. Open a Command Prompt.
    2. Confirm that the following command receives a response from the Quarantine Server:

      ping <Quarantine Server name>
    3. Confirm that the following command returns a valid IP Address for the Quarantine Server:

      nslookup <Quarantine Server name>
    4. Confirm that the following command returns a valid response from the Quarantine Server:

      nbtstat -a <Quarantine Server name>
    5. If any of the above steps fail, then there is a problem with name resolution. To work around this problem, configure the NAVMSE or Symantec AV/Filter for Microsoft Exchange to forward quarantined files to the IP Address of the Quarantine Server, rather than to the NetBIOS server name.
  • The file system Antivirus client on the Quarantine server is cleaning/removing the file sent to the Quarantine server
    If a file system Antivirus client is installed on the Quarantine server, the client's realtime protection feature must not scan the Quarantine directory of the Quarantine Server application.
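
The port conversion in steps 4 to 6 and the netstat check in steps 7 and 8 can be scripted. The following is an added example, not Symantec code: the function names are hypothetical, the netstat text is constructed sample output, and it assumes numeric output from netstat -an (with plain netstat -a, well-known ports appear as service names and are skipped by the parser).

```python
import re

def swap_port_bytes(port):
    """Swap the high and low bytes of a 16-bit port number (steps 4-6)."""
    if not 0 <= port <= 0xFFFF:
        raise ValueError("port must fit in 16 bits")
    return ((port & 0xFF) << 8) | (port >> 8)

# Matches lines such as "  TCP    0.0.0.0:13577    0.0.0.0:0    LISTENING"
_LISTEN = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\b", re.IGNORECASE)

def listening_ports(netstat_text):
    """Return the set of numeric TCP ports in the LISTENING state."""
    ports = set()
    for line in netstat_text.splitlines():
        match = _LISTEN.match(line)
        if match:
            ports.add(int(match.group(1)))
    return ports

def diagnose(configured_port, netstat_text):
    """Return (port_to_send_to, verdict) for the Quarantine Server."""
    swapped = swap_port_bytes(configured_port)
    ports = listening_ports(netstat_text)
    if configured_port in ports:
        # Also covers ports whose two bytes are equal (for example 0x0101).
        return configured_port, "listening on the configured port"
    if swapped in ports:
        return swapped, "listening on the byte-swapped port"
    return None, "neither port is listening"

# Constructed sample of `netstat -an` output from a Quarantine Server
# configured for port 2357 in Symantec System Center.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:13577          0.0.0.0:0              LISTENING
  TCP    10.0.0.5:139           0.0.0.0:0              LISTENING
  TCP    10.0.0.5:1045          10.0.0.9:445           ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

if __name__ == "__main__":
    port, verdict = diagnose(2357, SAMPLE_NETSTAT)
    print("Configured 2357 (0x%04X), swapped %d (0x%04X): %s"
          % (2357, swap_port_bytes(2357), swap_port_bytes(2357), verdict))
```

The port returned by diagnose is the one to enter in NAVMSE or Symantec AV/Filter for Microsoft Exchange in step 9, and the one to open on any firewall or router between the two servers.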






Legacy ID



2002052210134854

