Question about attachments

Created: 13 May 2013 • Updated: 13 May 2013 | 7 comments
This issue has been solved. See solution.

Hi there,

Our virus scanner detected an infected file in one of the EV_CVT_Temp_ folders. This file was immediately moved to quarantine by the scanner software. If I am correct, these CVT_Temp folders are used for archiving as well as for manual archiving.

My question is whether I have any chance to find out which of our users has archived this infected file. I checked all available EV logs but could not find any username or file.

Is there probably a chance to find out something in the EV DBs? Unfortunately we are not using Journaling.

EV version is 10.01 and we are running Exchange 2010.

Regards


Rob.Wilcox's picture

First of all, which folder *exactly* is it you are referring to?

Secondly, chances are it's NOT an infected file, but shows 'signatures' that are similar to a virus, but really, they're not. Antivirus gets confused. This technote might help:

http://www.symantec.com/business/support/index?page=content&id=TECH48856

Contonso's picture

Hi,

Thanks for the reply. We are using Symantec Endpoint Protection and it detected the file as a Trojan.Gen.

It is folder EV_CVT_Temp_2.

Regards

Rob.Wilcox's picture

Okay that's a super-generic detection, as I said, it's not a virus.  I'd bet good money on it.

Where is that folder located? The full path I mean.

SOLUTION
Contonso's picture

The full path is: C:\Users\evltadmin\AppData\Local\Temp\EV_CVT_Temp_2

Rob.Wilcox's picture

Okay, well %temp% for the Vault Service Account should be excluded from AV scanning.

Contonso's picture

I have just done this already.

Many Thanks

Regards,

Contonso