Messaging Gateway

  • 1.  Outbound Message With Malware. How do I find from which computer ?

    Posted Sep 04, 2013 11:48 AM

    I regularly have messages with "Outbound Message With Malware". See attached documents. How do I find from which computer inside my organisation?

     

    There seems to be no report summarizing this ...



  • 2.  RE: Outbound Message With Malware. How do I find from which computer ?

    Posted Sep 05, 2013 10:31 AM

    Typically this would be better found on the server sending the messages to Symantec Messaging Gateway, unless you have the full range of internal IPs set to be able to send outbound messages through the SMG. The normal configuration for outbound messages is that you would add the IP for allowed outbound senders, and that is typically just the mail server, so all the outbound mail would be coming from the one source as far as the SMG is concerned. You would therefore need to go to that source, which is typically your mail server.

    The Message Audit log may be able to provide some helpful information by using optional filter values such as the verdicts.

     



  • 3.  RE: Outbound Message With Malware. How do I find from which computer ?

    Posted Sep 05, 2013 03:15 PM

    Set-up here is Exchange 2007 sending to the internet through SMG.  Exchange has no clue if the mail has malware or violates a rule.  I want to know which PCs violate my SMG rules.  How is Exchange supposed to know that ???  Filtering is done by SMG, no ??? Or my understanding is below what it should be ...

    So looking at capture.png (see attached documents), you see I have two malware sent recently.  Looking at capture2.png, you see these are unscannable attachments.  Question is: who sent these, and from which computer ???

    Paul Jr



  • 4.  RE: Outbound Message With Malware. How do I find from which computer ?

    Posted Sep 05, 2013 07:05 PM

    Paul Jr,

    You would want to follow the second part of BenDC's post. Go to the Status, SMTP section, and click Message Audit Logs. Set the filter to the following.

    Host: All Scanners

    Mandatory filter: Sender

    Mandatory filter value: .           (that's a period, which means anyone)

    Optional filter: Verdict

    Optional filter value: The message is unscannable

    Time Range: Week

     

    Click the Display Filtered button. Check the From column for any internal email addresses.



  • 5.  RE: Outbound Message With Malware. How do I find from which computer ?

    Posted Sep 05, 2013 11:21 PM

    OK !!!

    Thanks.  I got screwed all that time by a period ... Some messages bounced as unscannable.  I know what those messages are.  They have no attachments.  Some have an Outlook Business Card.  Some are plain text.

    I'll try to figure out what makes a message unscannable tomorrow ...

    Paul Jr