Need Support - SBS 2003 server infected, SEP not finding anything
Created: 01 Sep 2010 | 9 comments
Customer server running SEP v11. Exchange infected with a virus that is sending thousands of emails per minute from the server. Scan has been running for 5 hours and has not found anything. Virus defs up to date. Customer cannot send emails because of the infection. Server response degrading. What can be done to fix this? Currently working remotely.
Comments
Rootkits installing an SMTP engine and spreading spam are common nowadays. It is not a good idea working remotely, as you should start the server in safe mode and run a full scan. Also try running a scan using Norton Power Eraser or Malwarebytes.
Your best bet is to run Malwarebytes on it.
Thanks guys... Malwarebytes was my next thought after the Symantec scan (taking forever to complete). Does not look like I can obtain support for SEP, so I am uninstalling and putting something else on there that can be supported. Some bad artifacts left over from the previous support provider. If necessary I can get access to the building later tonight for onsite support.
Another issue is that the C drive is filling up with data from the SEP console. I cannot yet remove the console until all computers are changed over to another product. How can I reduce the space that Symantec is eating up on the C drive? Currently this is about 30 GB.
To take care of the emails sent out by a worm on this computer, you could install SEP with the Antivirus Email tools on the computer. Also, since you have Exchange installed, mail security software such as Symantec Mail Security for Microsoft Exchange would be useful.
As far as the space is concerned, you could do the following:
1. Go to the /Program files/Symantec/Symantec endpoint protection manager/Inetpub/Content folder. There you will see about 8 to 10 folders. Open each of these folders and delete all of its contents.
2. Make sure you have RU6 MP1 version of SEPM installed.
I hope this helps...
-VKalani
How do you know that you are not just an open relay? Scanning with Power Eraser within the SEP client is faster than Malwarebytes, from what I've seen so far.
There is an online portal; save yourself the long hold times. Create a ticket online, then call in with the ticket # in hand :-) http://mysupport.symantec.com "We backup data to restore, we don't backup data just to back it up."
Odd that Exchange is Sending Mails....
Hi PB,
I'm with tevia-boy on this one. If the spam mails are being sent via Exchange, chances are some spammer is taking advantage of an improperly configured Exchange server (an "open relay"). The infectors which send spam almost always have their own built-in SMTP program to send mail messages; they do not use MS Exchange.
Is there a program like SMSMSE (Symantec Mail Security for MS Exchange) installed on that Exchange server?
Please keep the forum up-to-date with your progress!
Thanks and best regards,
Mick
Agreed. While it's inevitable someone's going to clue in and produce MAPI-aware malware, I haven't seen any in the wild yet. When that happens, I plan to commit suicide, but for now it's okay.
I'd temporarily block inbound SMTP, then nuke the message queues. If it stops trying to send anything, you were an open relay.
Also, don't discount the idea of an authenticated SMTP attack. If someone's guessed or brute-forced a username/password combination, you could be a properly secured MTA but someone's genuinely permitted to use you for relay. I'd review all credentials for anything obvious. Single word passwords, passwords identical to username... these are highly likely to end up exploited by auth-SMTP attacks. Again, blocking inbound SMTP will reveal this.
Note: if you're a relay, SEP won't detect anything coming through you, even if the e-mails are viral in nature. SEP is explicitly not supposed to scan Exchange's temporary working folders. You need to use SMSMSE for proper Exchange-aware event-sink scanning.
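The three explanations weighed in this thread (open relay, abused authenticated submission, a process on the server itself generating the mail) leave different traces in the SMTP virtual server's protocol log, and blocking inbound port 25 is the quickest live test. The script below is an added example for this page, not code from any poster: it triages a log slice into those categories, counts recipients per credential, and reports the peak RCPT rate per 30-second window. It assumes a simplified W3C-style field order (match FIELDS to the `#Fields:` header of your own log), that `contoso.com` is the org's accepted domain and `192.0.2.10` the server's own address; the log lines in SAMPLE_LOG are constructed, not a real capture.

```python
"""Triage Exchange SMTP protocol-log lines into the three hypotheses from the thread:
open relay, auth-SMTP abuse, and mail generated on the server itself.
Assumptions (not from the original post): simplified W3C-style field order in FIELDS,
contoso.com as the accepted domain, 192.0.2.10 as the server's own address.
SAMPLE_LOG is constructed for this example."""
import ipaddress
import re
from collections import Counter
from datetime import datetime

LOCAL_DOMAINS = {"contoso.com"}    # assumed accepted domain(s) of the Exchange org
OWN_ADDRESSES = {"192.0.2.10"}     # assumed address of the Exchange server itself
FIELDS = ["date", "time", "c_ip", "cs_username", "s_ip", "cs_method", "cs_uri_query", "sc_status"]
ADDR_RE = re.compile(r"<([^>]*)>")

SAMPLE_LOG = """\
#Software: constructed sample for this example
#Fields: date time c-ip cs-username s-ip cs-method cs-uri-query sc-status
2010-09-01 10:00:01 203.0.113.7 - 192.0.2.10 MAIL FROM:<promo@example.net> 250
2010-09-01 10:00:01 203.0.113.7 - 192.0.2.10 RCPT TO:<victim@example.org> 250
2010-09-01 10:00:02 198.51.100.4 spammer01 192.0.2.10 MAIL FROM:<deals@contoso.com> 250
2010-09-01 10:00:02 198.51.100.4 spammer01 192.0.2.10 RCPT TO:<a@example.com> 250
2010-09-01 10:00:02 198.51.100.4 spammer01 192.0.2.10 RCPT TO:<b@example.com> 250
2010-09-01 10:00:05 127.0.0.1 - 192.0.2.10 MAIL FROM:<office@contoso.com> 250
2010-09-01 10:00:05 127.0.0.1 - 192.0.2.10 RCPT TO:<c@example.org> 250
2010-09-01 10:00:40 203.0.113.9 - 192.0.2.10 MAIL FROM:<partner@example.net> 250
2010-09-01 10:00:40 203.0.113.9 - 192.0.2.10 RCPT TO:<alice@contoso.com> 250
"""


def parse_events(log_text):
    """Yield one record per accepted RCPT, carrying the MAIL FROM seen earlier from that client."""
    current_sender = {}                      # (c_ip, user) -> last accepted MAIL FROM address
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue                         # skip malformed lines rather than guess at them
        rec = dict(zip(FIELDS, parts))
        if rec["sc_status"] != "250":
            continue                         # only commands the server accepted matter here
        m = ADDR_RE.search(rec["cs_uri_query"])
        addr = m.group(1).lower() if m else ""
        key = (rec["c_ip"], rec["cs_username"])
        if rec["cs_method"] == "MAIL":
            current_sender[key] = addr
        elif rec["cs_method"] == "RCPT":
            when = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
            yield {"when": when, "c_ip": rec["c_ip"], "user": rec["cs_username"],
                   "sender": current_sender.get(key, ""), "rcpt": addr}


def domain_of(addr):
    return addr.rsplit("@", 1)[-1] if "@" in addr else ""


def classify(rec):
    """Bucket one delivery attempt by who submitted it and where it is going."""
    if ipaddress.ip_address(rec["c_ip"]).is_loopback or rec["c_ip"] in OWN_ADDRESSES:
        return "local_submission"            # generated on the server itself (own SMTP engine, malware)
    if rec["user"] != "-":
        return "authenticated"               # valid credential used; abuse if the volume is abnormal
    if domain_of(rec["rcpt"]) in LOCAL_DOMAINS:
        return "inbound"                     # external sender to a local mailbox: normal traffic
    return "open_relay"                      # unauthenticated external client, external recipient


def triage(log_text, window_seconds=30):
    """Per-category counts, per-credential counts, and peak RCPTs per time window."""
    by_category, by_user, per_window = Counter(), Counter(), Counter()
    for rec in parse_events(log_text):
        cat = classify(rec)
        by_category[cat] += 1
        if cat == "authenticated":
            by_user[rec["user"]] += 1
        w = rec["when"]                      # bucket on calendar seconds, independent of local timezone
        seconds = w.toordinal() * 86400 + w.hour * 3600 + w.minute * 60 + w.second
        per_window[seconds // window_seconds] += 1
    return {"by_category": by_category, "by_user": by_user,
            "peak_per_window": max(per_window.values(), default=0)}


def verdict(summary):
    """Plain-language reading, in the order the thread proposed checking."""
    cats = summary["by_category"]
    if cats["open_relay"]:
        return "open relay: unauthenticated external clients are relaying to external recipients"
    if cats["authenticated"] and summary["by_user"]:
        user, n = summary["by_user"].most_common(1)[0]
        return f"auth-SMTP abuse suspected: {n} outbound recipients under credential {user!r}"
    if cats["local_submission"]:
        return "mail originates on the server itself: look for a local SMTP engine / malware"
    return "no outbound relay activity seen in this log slice"


if __name__ == "__main__":
    s = triage(SAMPLE_LOG)
    print(dict(s["by_category"]), dict(s["by_user"]), "peak per 30s:", s["peak_per_window"])
    print(verdict(s))
```

Run it against a log slice taken while inbound 25/tcp is blocked: if `open_relay` and `authenticated` counts drop to zero but `local_submission` keeps climbing, the mail is being generated on the box, which is the case the OP eventually confirmed by pulling the network cable; a single credential dominating `by_user` is the auth-SMTP case and that account's password should be reset first.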
Not possible to be an open relay
The server only accepts mail from certain hosts that filter all incoming and outgoing mail. I also restricted the server to not accept any mail from other devices on the LAN in case there was an infected machine sending mail to the server internally. Next I completely disconnected the server from the network and it continued to spew mail at an alarming rate, about 4000 every 30 seconds. I spent hours on the phone with Symantec and they would not offer any technical support because of an issue with the customer #. Symantec could not offer any viable solution that would not take days to sort out, so the software was promptly removed. I made one phone call to my MSP platform vendor and they updated my endpoint protection licensing including the Exchange component, and I was able to install that and Malwarebytes in less than 20 minutes. Ran full scans with both products including a rootkit scan in less than 90 minutes (where the SEP scan ran for over 5 hours, did not find anything, and ran out of time before it could complete). I removed everything that was found by the scans, deleted 25000 files from the Exchange Queue folder, restarted the server, and everything is back to normal.