Vulnerability: NAV with Exchange

Affected: Norton Antivirus Corporate Edition 7.01

Description

Emmett Keyser found the following. His Exchange server has performed relatively well in the past 6 months.

Coinciding with the ILY outbreak our Exchange's Information Store began to die sometime during the night - not exactly at the same time each night. Conversations with Exchange tech support result in this: Microsoft's unofficial stance regarding AV software is to not run it on Exchange servers - even if it's Exchange aware. They are apparently having quite a few problems with AV software renaming/deleting/setting attributes on transaction log files. The symptom is that the Information Store is being shut down non-gracefully. An IS restart results in all kinds of errors but boils down to the fact that there is a missing/corrupt log file to bring the database back to a consistent state. Circular logging is disabled. Backups are Exchange aware but also don't occur within the time frame of the IS dying.

Solution

Bad things can happen to MS Exchange when NAV-NT detects LoveLetter. We have discovered that the Exchange file EDB.LOG can contain recognizable LoveLetter code, and if it is deleted, "repaired" or quarantined it will take MSE down hard. All desktop NAVs (NAV-NT, NAV-CE/NT, NAV2000) must be configured so that AutoProtect excludes the Temp directory used by MSE and the Exchange database directories. This is discussed in KBdoc#2000050509410706 "Norton AntiVirus for NT detects VBS.Loveletter.worm on Exchange server". Be sure to use this KB to track all relevant cases.

This is a direct result of setting AutoProtect to "ScanAllFiles", and was an unfortunate trade-off of using ScanAllFiles as a recommended or default setting. A similar problem exists with Eudora, where IN.MBX (the file in which Eudora stores all inbox email) can be quarantined or deleted by NAV desktop, specifically when KAK.Worm is detected. This is a major reason why NAV needs to determine file type by header and not by extension.

So, to protect an Exchange Server itself from getting infected, don't install a mail client on it, and never try to open mail on it in any fashion. The same goes for a SQL server, although it's pretty hard for a virus to invade a SQL database. If you want to install software to ensure that an infected email doesn't invade your server, use an AV product specifically designed for Exchange Server and DO NOT allow any portion of it to scan files or memory. If you have to scan files, stop all Exchange services, exclude the /exchsrvr directories, run a scan, disable the AV software and start the server back up.

With the information provided by Emmett, Symantec has performed extensive testing of NAV Corporate Edition 7.01 for NT Server running with MS Exchange for NT, simulating hundreds of connections. Symantec recommends configuring NAV CE not to scan directories containing MSE temp files or the Exchange database.
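As an added example (not from the advisory, Symantec or Emmett Keyser), the following Python model of an on-access scanner's decision logic shows how the recommended directory exclusions keep a signature hit inside EDB.LOG from becoming a delete/repair/quarantine, and why an exclusion has to match whole path components rather than a string prefix. The directory names under /exchsrvr, the MSE temp directory and the "signature" are constructed placeholders, not real product configuration or detection content.

```python
from pathlib import PureWindowsPath

# Constructed exclusion list modelled on the advisory's recommendation: the
# Exchange database directories and the temp directory MSE uses.
EXCHANGE_EXCLUSIONS = [
    r"C:\exchsrvr\mdbdata",
    r"C:\exchsrvr\dsadata",
    r"C:\exchsrvr\mtadata",
    r"C:\temp\mse",  # hypothetical MSE temp directory
]

# Constructed stand-in for a worm signature; NOT real detection content.
FAKE_SIGNATURE = b"FAKE-SIGNATURE-FOR-DEMO"

def _parts(path):
    """Normalise a Windows path: case-insensitive, either separator."""
    return tuple(p.lower() for p in PureWindowsPath(path).parts)

def is_excluded(path, exclusions=EXCHANGE_EXCLUSIONS):
    r"""True if path is inside an excluded directory. Matches whole path
    components, so C:\exchsrvr\mdbdata2 is NOT covered by an exclusion for
    C:\exchsrvr\mdbdata and a typo in the list never widens silently."""
    target = _parts(path)
    return any(target[:len(e)] == e for e in map(_parts, exclusions))

def scan_decision(path, content, exclusions=EXCHANGE_EXCLUSIONS):
    """Action an on-access scanner with 'ScanAllFiles' semantics would take.
    The exclusion list is the only thing between a signature match inside a
    transaction log and a delete/repair/quarantine of that log."""
    if is_excluded(path, exclusions):
        return "skip"
    if FAKE_SIGNATURE in content:
        return "quarantine"  # the action that took the Information Store down
    return "clean"

if __name__ == "__main__":
    # Constructed transaction log containing recognisable worm text (a
    # message in flight), as the advisory describes for EDB.LOG.
    edb_log = b"\x00" * 16 + FAKE_SIGNATURE + b"\x00" * 16
    print(scan_decision(r"C:\exchsrvr\mdbdata\EDB.LOG", edb_log))  # skip
    print(scan_decision("c:/EXCHSRVR/MDBDATA/edb.log", edb_log))  # skip
    print(scan_decision(r"C:\exchsrvr\mdbdata2\EDB.LOG", edb_log))  # quarantine
    print(scan_decision(r"D:\users\mail\attach.vbs", b"hello"))  # clean
```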