7 Replies Latest reply: Oct 2, 2013 7:54 AM by tlange

    Find internal ip sender with groupshield 7.02

    mlamothe

      Hello,

I receive alerts from GroupShield that a virus was removed. I blocked the sender on the external antispam for incoming mail, but the message still gets in, so the sender is probably internal.

      When I look in the incoming SMTP log on the Exchange server I did not find anything. And in the Exchange tool, searching by sender or subject, also nothing. How can I use the ticket number to get more information (sender IP, computer, user or anything else)?

      Here is an example of the alert that I receive.


      McAfee GroupShield™ Alert

McAfee GroupShield discovered a problem with the following email. See your system administrator for further information.

      Date/Time sent: 29 sept. 2013 20:05:47
      Subject line: IMPORTANT Documents - WellsFargo
      From: xxxxx@xxxx.xxx

      To: GD_direction_stpierre
      Action taken: Nettoyé
      Reason: Antivirus
      Rule Group:
      Server: NK8-EXCH
      Task: A l'accès (VSAPI)
      Ticket Number: 2a10-5248-c05b-0001


      on 30/09/13 6:25:08 EDT AM
        • 1. Re: Find internal ip sender with groupshield 7.02
          Aidan

Looks like whatever it was was cleaned in VSAPI scanning, so in the master policy for Anti-Virus you have it set to attempt to clean. Therefore, if you have set "If cleaning succeeds", you can also set quarantine and/or log. If either/both of these are set then the detail will be in the Detected Items view.

          In the "Detected Items" "Anti-Virus" or "All Items" sections you can search based on ticket number.

          On the top right-hand side of the Detected Items view you will also have a small box "Columns to view".

          This provides a drop-down list of extra columns you can add to the view to get more information.

          • 2. Re: Find internal ip sender with groupshield 7.02
            mlamothe

Those fields give more information, but not the sender IP or computer name or any way to find it.

            It seems that the message was trapped before Exchange processed it.

            I tried to download the result with GroupShield but I receive the message "it is not possible to download email/attachement with infected virus".

            • 3. Re: Find internal ip sender with groupshield 7.02
              Aidan

Discovery of the sender IP address is available only in later versions: MSME 7.6 and MSME 8.

              If you have GroupShield 7.02 + Patch 1 or later then there is a DownloadInfections option, like mentioned in https://community.mcafee.com/thread/60168?tstart=0

              For GSE though it is:

              open regedit to

              hklm\software\wow6432node\mcafee\groupshield for exchange\systemstate

              create a new DWORD called DownloadInfections

              set the value to 1

              restart the McAfee GroupShield for Exchange service.


              Message was edited by: Aidan on 30/09/13 16:15:05 IST
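The same registry change from an elevated PowerShell prompt, as an added example that is not from the thread or from McAfee. It uses the key path quoted above; the service is matched by an assumed display-name pattern (`*GroupShield*`), so adjust `$ServicePattern` if your service is named differently.

```powershell
# Added example: enable the GroupShield DownloadInfections switch without regedit.
# Assumption: the GSE service's display name contains "GroupShield"; change if needed.
$KeyPath        = 'HKLM:\SOFTWARE\Wow6432Node\McAfee\GroupShield for Exchange\SystemState'
$ValueName      = 'DownloadInfections'
$ServicePattern = '*GroupShield*'   # assumed display-name pattern, not a documented name

# Refuse to continue if the product key is absent: creating it on a box
# without GroupShield installed would do nothing useful.
if (-not (Test-Path -Path $KeyPath)) {
    throw "Registry key not found: $KeyPath (is GroupShield for Exchange installed here?)"
}

# Record the current value so the change can be reverted after the investigation.
$before = (Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
if ($null -eq $before) { Write-Host "$ValueName is not set yet" }
else                   { Write-Host "Current $ValueName value: $before" }

# Create (or overwrite) the DWORD with value 1.
New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null

# Read it back before touching the service.
$after = (Get-ItemProperty -Path $KeyPath -Name $ValueName).$ValueName
if ($after -ne 1) { throw "Failed to set $ValueName (read back '$after')" }

# Restart the GroupShield service so it picks up the new setting.
$svc = Get-Service | Where-Object { $_.DisplayName -like $ServicePattern }
if (-not $svc) { throw "No service matching '$ServicePattern' found on this server" }
$svc | Restart-Service -Force
Write-Host "$ValueName set to 1; restarted: $($svc.DisplayName -join ', ')"
```

Set the value back to 0 and restart the service again once the download is done, since the switch lets infected items leave quarantine.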
              • 4. Re: Find internal ip sender with groupshield 7.02
                mlamothe

With the key in regedit I was able to download the email, but there was nothing interesting in the header.

                So I started the upgrade from 7.02 to HF722781 and to MSME 8.0.

                I have 2 Exchange servers; I upgraded one, opened the console on Exchange, everything seemed to be OK.

                So I upgraded the second one. After a while I was no longer able to open the console on either server.

                The translated message was "The product McAfee Security for Microsoft Exchange is not available. Try later".

                Here are some errors in the event log.


                Event id 6 source MSExchange CmdletLogs

                Échec de la cmdlet. Cmdlet Install-TransportAgent, paramètres {Name=McAfeeTxRoutingAgent, AssemblyPath=C:\Program Files (x86)\McAfee\MSME\bin\E2007 Agents\McTxAgentX64.dll, TransportAgentFactory=McAfee.E12Agents.McTxAgent.McAfeeTxRoutingAgentFactory}.


                Event id 6 source MSExchange CmdletLogs

So if you have any suggestion. It seems to be PostgreSQL.

                Échec de la cmdlet. Cmdlet New-ManagementRoleAssignment, paramètres {Name=MSMEODRights, Role=ApplicationImpersonation, User=MSMEODuser}.


                Event id 6 source MSExchange CmdletLogs

                Échec de la cmdlet. Cmdlet Get-ManagementRoleAssignment, paramètres {Identity=MSMEODRights, ErrorAction=SilentlyContinue}.


                Event id 6 source MSExchange CmdletLogs

                Échec de la cmdlet. Cmdlet Get-Mailbox, paramètres {Identity=MSMEODuser, ResultSize=unlimited, ErrorAction=SilentlyContinue}.


                Eventid 0 Source PostgreSQL

                La description de l’ID d’événement 0 dans la source PostgreSQL est introuvable. Le composant qui a déclenché cet événement n’est pas installé sur l’ordinateur local ou l’installation est endommagée. Vous pouvez installer ou réparer le composant sur l’ordinateur local.

                Si l’événement provient d’un autre ordinateur, les informations d’affichage doivent être enregistrées avec l’événement.

                Les informations suivantes étaient incluses avec l’événement :

                ERROR: column "ipscr" of relation "store_envelopes" already exists

                CONTEXT: SQL statement "ALTER TABLE store_envelopes add column ipscr integer NOT NULL DEFAULT (-1)"

                PL/pgSQL function "upgrade_sqlscripts" line 47 at SQL statement

                STATEMENT: SELECT upgrade_sqlscripts();


                Event id 0 Source PostgreSQL

                La description de l’ID d’événement 0 dans la source PostgreSQL est introuvable. Le composant qui a déclenché cet événement n’est pas installé sur l’ordinateur local ou l’installation est endommagée. Vous pouvez installer ou réparer le composant sur l’ordinateur local.

                Si l’événement provient d’un autre ordinateur, les informations d’affichage doivent être enregistrées avec l’événement.

                Les informations suivantes étaient incluses avec l’événement :

                ERROR: column "ip" of relation "gse_store_stats" already exists

                CONTEXT: SQL statement "ALTER TABLE gse_store_stats ADD COLUMN ip bigint NOT NULL default '0'"

                PL/pgSQL function "upgrade_sqlscripts" line 18 at SQL statement

                STATEMENT: SELECT upgrade_sqlscripts();


                • 5. Re: Find internal ip sender with groupshield 7.02
                  Aidan

It's not clear what roles are on the 2 Exchange servers, or what version/SP of Exchange 2010 they are at.

                  Min req is E2010 SP2 (as per the Guide).

                  How was the install performed?

                  Transport agents are required on servers hosting the HUB or Edge role. This will fail on E2010 SP3 (as expected); you need MSME8 P1 to be installed immediately to insert compatible transport agents for SP3.

                  (Transport agents are not installed on a pure Mailbox role server.)

                  MSMEODUser is added only on servers hosting the Mailbox role. Depending on how this was deployed, the msmeoduser creation may be bypassed, e.g.

                  http://kc.mcafee.com/corporate/index?page=content&id=KB77744

                  (msmeoduser would not be created on a server not hosting the Mailbox role.)

                  Postgres error 0 in a lot of instances can be ignored, but if they are accompanied by McAfee MSME McEFILEIOERROR or "Cannot write to Database" errors, it suggests there is an issue with the DB. Have a look at the following article.

                  http://kc.mcafee.com/corporate/index?page=content&id=KB73168

                  Is the server ePO managed? Did you upgrade policies to the MSME 8 extension?
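A single diagnostic pass that collects what the reply above asks for (roles, version, transport agents, the MSMEOD objects) and pulls the CmdletLogs/PostgreSQL errors quoted in the previous post out of the Application log. This is an added example written for this thread, not McAfee's code; it assumes it is run in the Exchange Management Shell on each Exchange server, and the object names (McAfee transport agent, MSMEODuser, MSMEODRights) are taken from the events quoted above.

```powershell
# Added example: gather the facts needed to triage a failed GSE 7.0.2 -> MSME 8 upgrade.
# Assumption: run from the Exchange Management Shell (Exchange 2010) with admin rights.
$ServerName = $env:COMPUTERNAME

# 1. Roles and build: MSME 8 needs E2010 SP2 at minimum; SP3 additionally needs MSME 8 Patch 1.
Get-ExchangeServer -Identity $ServerName | Format-List Name, ServerRole, AdminDisplayVersion

# 2. Transport agents are expected only on servers with the HUB or Edge role.
$agents = Get-TransportAgent -ErrorAction SilentlyContinue | Where-Object { $_.Identity -like 'McAfee*' }
if ($agents) { $agents | Format-Table Identity, Enabled, Priority -AutoSize }
else         { Write-Warning 'No McAfee transport agent is registered on this server.' }

# 3. MSMEODuser / MSMEODRights are created only on Mailbox role servers.
$odUser = Get-Mailbox -Identity 'MSMEODuser' -ErrorAction SilentlyContinue
$odRole = Get-ManagementRoleAssignment -Identity 'MSMEODRights' -ErrorAction SilentlyContinue
$userState = if ($odUser) { 'present' } else { 'missing' }
$roleState = if ($odRole) { 'present' } else { 'missing' }
Write-Host "MSMEODuser mailbox: $userState; MSMEODRights assignment: $roleState"

# 4. Last 24 hours of the two event sources from the thread, reduced to the lines that matter:
#    the PostgreSQL "already exists" upgrade errors and the failed MSME cmdlets.
$since  = (Get-Date).AddDays(-1)
$filter = @{ LogName = 'Application'; ProviderName = @('PostgreSQL', 'MSExchange CmdletLogs'); StartTime = $since }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'already exists|Install-TransportAgent|MSMEOD' } |
    Select-Object TimeCreated, ProviderName, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize
```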

                  • 6. Re: Find internal ip sender with groupshield 7.02
                    mlamothe

OK, it is a configuration with 2 Edge servers and 2 Exchange 2010 SP2 servers with the CAS, MB and HUB roles.

                    The problem is fixed now.

                    It seems that the upgrade via ePO 4.6 failed (GSE 7.0.2 to MSME 8.0). So I did a manual removal of MSME 8 on the 2 Exchange servers and reinstalled it via ePO.

                    Everything seems to be OK; the console works fine, and the policy from ePO is OK also.

                    Version is 8.0.7905.119.

                    If I understand correctly, Patch 1 is only for Exchange 2010 SP3?

                    So now, how to find the sender IP of a virus even if it was cleaned?

                    • 7. Re: Find internal ip sender with groupshield 7.02
                      tlange

Patch 1 can be applied at any time, and if you aren't going to SP3 anytime soon I would get it on there now.

                      Since the detection happened with VSAPI you can also look at the folder column in the Detected Items and see which mailbox it was picked up in. The only way to get the IP address would be to have the transport scanning pick up the infection.