Video Screencast Help

Virus detected on EV server

Created: 27 Dec 2012 • Updated: 13 Jan 2013 | 3 comments
patriot3w's picture
This issue has been solved. See solution.

Where below virus came from? From the emails we archived? We have SMG/SEP in place.


C:\Documents and Settings\evsvc\Local Settings\Temp\EV_CVT_Temp_1\FAX_281290192982.pdf.exe

C:\Documents and Settings\evsvc\Local Settings\Temp\EV_CVT_Temp_2\Employment 2013.pdf.exe

C:\Documents and Settings\evsvc\Local Settings\Temp\EV_CVT_Temp_1\Secure_Message.pdf.exe

C:\Documents and Settings\evsvc\Local Settings\Temp\EV_CVT_Temp_1\Encrypted_Message.pdf.exe

C:\Documents and Settings\evsvc\Local Settings\Temp\EV_CVT_Temp_1\IncomingFax.exe

C:\Documents and Settings\evsvc\Local Settings\Temp\EV_CVT_Temp_1\Recent Acivity.exe

Comments 3 CommentsJump to latest comment

pete_4u2002's picture

temp location is one of the location where threat resides. I hope you trying to say that SEP has detcted the threat.

Scan the system in safe mode.

GertjanA's picture

To answer the question, yes, this is from emails you archived.

the temp location indicated (EV_CVT_TEMP) is (as far as I recall) a temp location for the converter of EV (to convert attachments to HTML or TXT).

especially the 1st 4 (pdf.exe) seem to indicate a possible suspected item.

What action did you AV take on those? Did that cause issues on EV?

I am not sure on how to progress. I would personally make double sure the storage location of EV is NOT scanned, as for the indexlocation also NOT scanned. When the items are stored in EV, they can still have the virus. They will sit in the archives. When items are being retrieved, they should either be catched at the Exchange level, or on the workstation (when the item is opened in/from Outlook). When the items are in EV, they cannot execute themselves.

When the items are being cleaned/quarentined from that temp location, make sure there are no issues with EV continuing to archive normally.

You might also want to open a support case, just to be sure what to do.

Thank you, Gertjan, MCSE, MCITP,MCTS, SCS, STS

ia01's picture

You should set Antivirus exclusion for EV Temp folder

Have a look at the following technote

Recommended list of antivirus exclusions for Symantec Enterprise Vault