Trojan/Viruses coming from the IronPort Device?

Unanswered Question
Aug 24th, 2009

Hello, I am seeing entries on my Web Filter device showing Trojan/Virus activity coming from my IronPort device. At first I thought that perhaps I have some infected clients trying to send out malicious email so it was appearing as if it was originating from the IronPort device. However, the IronPort does not report any Outbound malicious emails.

Types of Trojan/Viruses - Adware.CoolSavings port: 4421; Trojan.Exploit.Uncat port 64000; Spyware.Exploit.Misc.MU port 3120; Trojan.Exploit.Uncat.ne.jp^M port 58025.

We run multiple layers of AV and Anti-Spyware/Malware in our environment and when we do see infectious activity on a client it gets manually scanned with 3 different tools, but typically comes up clean. My concern here is that the activity shows it is from the IronPort device so I have no way to track where it originally came from. Any ideas on:

1. How to find the origin of the infection that appears to be from the IronPort device.

2. Is there a way to verify that the IronPort device is reporting correctly on Outbound messages?

Andrew Wurster Tue, 08/25/2009 - 18:31

this could be a somewhat involved case but here are some key areas of concern for you:

1 - get a sample of one or more emails that is triggering your other anti-x engines. double check received by headers and x-ironport-antivirus/antispam headers to make sure the ironport is both sending these emails and scanning as well!

2 - if you determine that #1 criteria were met, use that sample and forward it to our threat operations center or appropriate vendor (i.e. McAfee, Sophos) for analysis if it is a confirmed false positive. depending on your setup, i can provide links for each.

3 - you can also take this time to run through your outbound policies for anti-spam and anti-virus and VOF and so on. double check your list of relay hosts (relay sender group in HAT) and make sure there aren't any unauthorized or infected hosts relaying traffic through the ironport.

the best way to rule out a problem with outbound reporting is to A) make sure the IronPort is at fault and B) isolate log messages or gui reports at specific time ranges which you believe to be incorrect. there are many scenarios that could cause a spam or viral message to exit your network and it may or may not involve the ESA.

i know it's a lot of info to swallow, so you may want to have a support case for this issue to assist with analysis, especially since false positives are generally time-sensitive and we want to update our rules if necessary ASAP.

happy hunting!
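
One way to script the check in step 1 of the reply above (example code added here, not from the thread, Cisco or IronPort): parse a message's Received chain to confirm the ESA relayed it, recover the host that handed it to the ESA, and confirm the ESA's scan headers are present. The ESA host name, IPs and header values in the sample are constructed placeholders, and the X-IronPort-AV / X-IronPort-Anti-Spam-Filtered header names are assumed.

```python
import email
import re

# Constructed sample (not from the thread): host names, IPs and header
# values are placeholders standing in for a real ESA's output.
SAMPLE_EML = b"""Received: from esa.example.com ([192.0.2.10]) by mx.partner.example
  with ESMTP id ABC123; Tue, 25 Aug 2009 10:00:00 -0700
Received: from client42.corp.example ([10.1.2.42]) by esa.example.com
  with ESMTP; 25 Aug 2009 09:59:58 -0700
X-IronPort-AV: E=Sophos;i="4.44,275,1249282800"; d="scan'208";a="1234"
X-IronPort-Anti-Spam-Filtered: true
From: user@corp.example
To: someone@partner.example
Subject: test

body
"""

# "from <host> ([<ip>]) by <host>" as most MTAs write a Received hop.
HOP_RE = re.compile(r"from\s+(\S+)\s+\(\[?([\d.]+)\]?\)\s+by\s+(\S+)", re.I)


def received_hops(msg):
    """Received headers oldest-first; MTAs prepend, so reverse the list."""
    return [" ".join(h.split()) for h in reversed(msg.get_all("Received", []))]


def hop_into_esa(msg, esa_host):
    """The hop the ESA itself stamped: (sending host, sending IP), or None."""
    for hop in received_hops(msg):
        m = HOP_RE.search(hop)
        if m and m.group(3).lower() == esa_host.lower():
            return m.group(1), m.group(2)
    return None


def check_sample(raw, esa_host):
    """Did the ESA relay the message, from whom, and did it scan it?"""
    msg = email.message_from_bytes(raw)
    lower = {k.lower(): v for k, v in msg.items()}
    origin = hop_into_esa(msg, esa_host)
    return {
        "relayed_by_esa": origin is not None,
        "origin": origin,
        "av_scanned": "x-ironport-av" in lower,
        "antispam_scanned": "x-ironport-anti-spam-filtered" in lower,
    }


if __name__ == "__main__":
    print(check_sample(SAMPLE_EML, "esa.example.com"))
```

The "origin" entry is the internal host that handed the message to the ESA, which is the lead to chase when the appliance is the only source the reporting tool shows.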

gjones_ironport Tue, 08/25/2009 - 20:31

I may need to open a ticket because I am not clear that these are email-borne viruses. The device that is blocking/reporting them is a 'Web Filter' so it is only looking at in/outbound HTTP(S) traffic. Not SMTP traffic. But, it is saying it is coming from the host IP assigned to the IronPort. Our Firewall didn't appear to see them either. We run AV on our Firewall, IronPort and Web Filter (as well as host machines).
