5 Replies Latest reply on Nov 6, 2012 12:03 PM by peelerd

    Started getting spammed with lots of Critical Alerts with Virus Found

      Hello,

      We are running Email Gateway (IronMail) Version 6.7.2 and normally we would only see alerts of viruses found once or twice every few days. But lately we have been getting spammed with virus found messages 20-30 times a day. It's a little concerning to see the sudden jump in notifications. Is this something I should be worried about, or something I should be doing to bring these alerts back down to what was normal before?

      Thanks,

      Dave

        • 1. Re: Started getting spammed with lots of Critical Alerts with Virus Found
          bwemailsupport1

          If you don't want the Alerts from the IronMail you can disable them -- but I wouldn't.

          I think the fact that you are getting these alerts is showing that the Antivirus on the IronMail is doing its job!

          • 2. Re: Started getting spammed with lots of Critical Alerts with Virus Found

            Thank you for the reply and I do hear where you are coming from. However, the issue is that for the past 8+ years the normal for us has been a few at most every few days. There has been a rampant increase in what seems like overnight. I don't want to disable the alerts at all. I am just curious to find out why the sudden increase, which is very odd.

            Thanks.

            • 3. Re: Started getting spammed with lots of Critical Alerts with Virus Found

              We also got flooded with these alerts recently. Talked with the support rep and they weren't able to shed any light on this. Anyone from McAfee listening to this thread?

              • 4. Re: Started getting spammed with lots of Critical Alerts with Virus Found
                ijahnke

                I would love to give you an answer, but unfortunately I have no information. A possible culprit could be an uptick in e-card spam; do you have any examples of the alerts or logs that show which virus it's triggering on?

                • 5. Re: Started getting spammed with lots of Critical Alerts with Virus Found

                  Yesterday I had the following alerts, each one appearing approximately 10 times.

                  Host: localhost
                  Service: avq
                  Cause: 'VIRUS-FOUND'
                  Info: Virus Engine: Authentium Engine, Virus Name:W32/Trojan3.EFB

                  Host: localhost
                  Service: avq
                  Cause: 'VIRUS-FOUND'
                  Info: Virus Engine: Authentium Engine, VirusName: W32/Trojan3.EFC

                  Host: localhost
                  Service: avq
                  Cause: 'VIRUS-FOUND'
                  Info: Virus Engine: Authentium Engine, Virus Name:JS/Redir.JP

                  I'm not sure which log specifically I should be looking at on the IronMail appliance, but the last alert matches up with this timestamp in the following excerpt from the Alert Manager logs....

                  AlertSpinner:104632:11052012 13:07:26:No. of alerts in alertList: 1
                  AlertSpinner:104632:11052012 13:07:26:Creating Channel Object for alert <5408159>
                  104632:1:1:11052012 13:07:26:Alert ID: <5408159> From: <localhost>
                  104632:1:1:11052012 13:07:26:Class Type - <3:3>
                  104632:1:1:11052012 13:07:26:Alert Mode: <1> Format: <[['xxxx', ['xxxx@xxxx']]]>
                  104632:1:1:11052012 13:07:26:Connecting to <BindHost:ConnectHost:ConnectPort> - <None:xxxx:25>
                  AlertSpinner:104632:11052012 13:07:26:Waiting Round of 1 threads
                  AlertSpinner:104632:11052012 13:07:26:Ending Spinner thread.
                  ALERT:11052012 13:07:26:Ending   Spin Run #104632
                  ALERT:11052012 13:07:26:Sleeping       Run #104633
                  104632:1:1:11052012 13:07:26:Alert successfully sent to <['xxxx@xxxx']>.
                  104632:1:1:11052012 13:07:26:Channel thread Ended for Alert <5408159>
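One way to turn the raw VIRUS-FOUND notifications quoted above into the "is this above our normal?" answer the thread is after: parse the alert bodies, count detections per day and per virus name, and flag days that exceed the historical baseline. This is an added example, not McAfee or IronMail code; it assumes the alert text format shown in the post, the sample dates and the 5x-baseline threshold are constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# "Info:" line of an IronMail VIRUS-FOUND alert as quoted in the thread.
# Both spellings seen there ("Virus Name:" and "VirusName: ") are accepted.
INFO_RE = re.compile(r"Virus Engine:\s*(?P<engine>[^,]+),\s*Virus\s?Name:\s*(?P<name>\S+)")

def parse_alert(body):
    """Parse one alert body; return engine/name fields, or None if not a VIRUS-FOUND alert."""
    fields = {}
    for line in body.strip().splitlines():
        key, _, value = line.partition(":")  # split only on the first colon
        fields[key.strip().lower()] = value.strip()
    if fields.get("cause") != "'VIRUS-FOUND'":
        return None
    match = INFO_RE.search(fields.get("info", ""))
    if not match:
        return None
    return {"host": fields.get("host"), "service": fields.get("service"),
            "engine": match.group("engine").strip(), "name": match.group("name")}

def daily_counts(alerts):
    """alerts: iterable of (YYYY-MM-DD, body). Returns {day: Counter(virus name)}."""
    per_day = defaultdict(Counter)
    for day, body in alerts:
        parsed = parse_alert(body)
        if parsed:
            per_day[day][parsed["name"]] += 1
    return per_day

def flag_spikes(per_day, baseline_per_day=1.0, factor=5):
    """Days whose total VIRUS-FOUND count exceeds factor x the normal daily rate."""
    return {day: sum(c.values()) for day, c in per_day.items()
            if sum(c.values()) > factor * baseline_per_day}

ALERT_TEMPLATE = ("Host: localhost\nService: avq\nCause: 'VIRUS-FOUND'\n"
                  "Info: Virus Engine: Authentium Engine, Virus Name:{}\n")

# Constructed sample: one alert on the 4th, then the three names from the thread
# repeated ten times each on the 5th (dates are assumptions; the post gives none).
SAMPLE_ALERTS = [("2012-11-04", ALERT_TEMPLATE.format("W32/Trojan3.EFB"))]
for virus in ("W32/Trojan3.EFB", "W32/Trojan3.EFC", "JS/Redir.JP"):
    SAMPLE_ALERTS += [("2012-11-05", ALERT_TEMPLATE.format(virus))] * 10

if __name__ == "__main__":
    counts = daily_counts(SAMPLE_ALERTS)
    for day in sorted(counts):
        print(day, dict(counts[day]))
    print("spike days:", flag_spikes(counts))
```

Feeding it a real day's alert mails gives a per-name breakdown, which is the detail ijahnke asked for to tell an e-card spam run from something new.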