718 Views 7 Replies Latest reply: Oct 2, 2013 7:54 AM by tlange
mlamothe Newcomer 4 posts since
Sep 28, 2013

Sep 30, 2013 5:25 AM

Find internal ip sender with groupshield 7.02

Hello,

     I receive an alert from GroupShield that a virus was removed. I blocked the sender on the external antispam for incoming mail, but the message still gets in, so the sender is probably internal.

When I look in the incoming SMTP log on the Exchange server I did not find anything, and in the Exchange tool with search by sender or subject, also nothing. How can I use the ticket number to get more information (sender IP, computer, user, or anything else)?

 

Here is a example of the alert that i receive.

 

McAfee GroupShield™ Alert

McAfee GroupShield discovered a problem with the following email. See your system administrator for further information

 

Date/Time sent: 29 Sep 2013 20:05:47
Subject line: IMPORTANT Documents - WellsFargo
From: xxxxx@xxxx.xxx

To: GD_direction_stpierre
Action taken: Cleaned
Reason: Antivirus
Rule Group:
Server: NK8-EXCH
Task: On-access (VSAPI)
Ticket Number: 2a10-5248-c05b-0001

 

on 30/09/13 6:25:08 EDT AM
  • Aidan McAfee SME 465 posts since
    Nov 4, 2009
    1. Sep 30, 2013 5:45 AM (in response to mlamothe)
    Re: Find internal ip sender with groupshield 7.02

    Looks like whatever it was was cleaned in VSAPI scanning, so in the master policy for Anti-Virus you have it set to attempt to clean. Therefore, under "If cleaning succeeds" you can also set quarantine and/or log. If either/both of these are set then the detail will be in the Detected Items view.

     

    In the "Detected Items" "Anti-Virus" or "All Items" sections you can search based on ticket number.

    On the top right hand side of the Detected Items view you will also have a small box "Columns to view".

    This provides a drop-down list of extra columns you can add to the view to get more information. 

  • Aidan McAfee SME 465 posts since
    Nov 4, 2009
    3. Sep 30, 2013 10:15 AM (in response to mlamothe)
    Re: Find internal ip sender with groupshield 7.02

    Discovery of the sender IP address is available only in later versions: MSME 7.6 and MSME 8.

     

    If you have GroupShield 7.02 + Patch 1 or later then there is a DownloadInfections option like the one mentioned in https://community.mcafee.com/thread/60168?tstart=0

     

    For GSE, though, it is:

    open regedit to

    hklm\software\wow6432node\mcafee\groupshield for exchange\systemstate

    create a new DWORD called DownloadInfections

    set the value to 1

    restart the McAfee GroupShield for Exchange service.

     

    Message was edited by: Aidan on 30/09/13 16:15:05 IST
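The registry change in the reply above, scripted so that the existing value is shown before it is changed and the service restart is not forgotten. This is an added example, not code from the thread or from McAfee. It assumes a 64-bit host (hence the Wow6432Node path quoted in the reply; on 32-bit Windows the key is directly under HKLM\SOFTWARE\McAfee) and that the GroupShield service's display name starts with "McAfee GroupShield"; check `Get-Service` for the exact name on your server before relying on the wildcard.

```powershell
# Added example (not from the thread): enable DownloadInfections for GroupShield 7.0.2 Patch 1+
# as described in Aidan's reply, with a check of the current value and a service restart.
# Assumptions (not stated in the thread): 64-bit Windows (Wow6432Node path as quoted in the post);
# the service display name matches 'McAfee GroupShield*'. Run from an elevated PowerShell prompt.

$key  = 'HKLM:\SOFTWARE\Wow6432Node\McAfee\GroupShield For Exchange\SystemState'
$name = 'DownloadInfections'

# SystemState should already exist on a working install; if not, do not create it blindly.
if (-not (Test-Path $key)) {
    throw "Registry key not found: $key (is GroupShield installed, and is this the 64-bit path?)"
}

# Read the current value (if any) so the change is visible in the session transcript.
$current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
Write-Host "Current $name value: $(if ($null -eq $current) { '<not set>' } else { $current })"

# New-ItemProperty fails if the value already exists, so create or update accordingly.
if ($null -eq $current) {
    New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 1 | Out-Null
} else {
    Set-ItemProperty -Path $key -Name $name -Value 1
}

# Restart the GroupShield service so the setting is picked up.
$svc = Get-Service -DisplayName 'McAfee GroupShield*' -ErrorAction SilentlyContinue
if (-not $svc) {
    throw "No service with display name 'McAfee GroupShield*' found; check Get-Service for the exact name."
}
Restart-Service -Name $svc.Name -Force
Get-Service -Name $svc.Name | Format-Table Name, DisplayName, Status -AutoSize
```

If more than one service matches the wildcard, `$svc.Name` is an array and all of them are restarted; narrow the `-DisplayName` filter if that is not what you want.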
  • Aidan McAfee SME 465 posts since
    Nov 4, 2009
    5. Oct 2, 2013 4:01 AM (in response to mlamothe)
    Re: Find internal ip sender with groupshield 7.02

    It's not clear what roles are on the 2 Exchange servers or what version/SP of Exchange 2010 they are at?

    Min req is E2010 SP2 (as per the Guide).

     

    How was the install performed?

     

    Transport agents are required on servers hosting the Hub or Edge role. This will fail on E2010 SP3 (as expected); you need MSME 8 P1 to be installed immediately to insert transport agents compatible with SP3. 

    (Transport agents are not installed on a pure mailbox role server.)

     

    MSMEODUser is added only on servers hosting the Mailbox role. Depending on how this was deployed, the MSMEODUser creation may be bypassed, e.g.

    http://kc.mcafee.com/corporate/index?page=content&id=KB77744

    (MSMEODUser would not be created on a server not hosting the mailbox role.)

     

    Postgres error 0 in a lot of instances can be ignored, but if it is accompanied by McAfee MSME McEFILEIOERROR or "Cannot write to Database" errors it suggests there is an issue with the DB. Have a look at the following article.

    http://kc.mcafee.com/corporate/index?page=content&id=KB73168

     

    Is the server ePO managed? Did you upgrade the policies to the MSME 8 extension?  
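A script to collect the facts asked for in the reply above (server roles, Exchange version/SP, whether transport agents are registered on Hub servers, and whether MSMEODUser exists on Mailbox servers). This is an added example, not code from the thread or from McAfee. It assumes it is run in the Exchange Management Shell on a domain-joined Hub/Mailbox server (Edge servers are not covered), and the `McAfee*` transport agent name filter is an assumption; compare it against the actual `Get-TransportAgent` output on your server.

```powershell
# Added example (not from the thread): gather the facts Aidan asks for before troubleshooting
# MSME/GroupShield on Exchange 2010: roles, version/SP, McAfee transport agents on Hub servers,
# and the MSMEODUser local account on Mailbox servers.
# Assumptions: Exchange Management Shell on a domain-joined Hub/Mailbox server (not Edge);
# the transport agent name filter 'McAfee*' is a guess, verify against Get-TransportAgent.

# 1. Roles and build numbers for every Exchange server in the org.
#    Exchange 2010 SP2 reports version 14.2, SP3 reports 14.3 (the SP matters for agent compatibility).
Get-ExchangeServer | Sort-Object Name |
    Format-Table Name, ServerRole, AdminDisplayVersion -AutoSize

# 2. Transport agents on this server (only meaningful on the Hub Transport role here).
$thisServer = Get-ExchangeServer -Identity $env:COMPUTERNAME
if ($thisServer.ServerRole -match 'HubTransport') {
    $mcafee = Get-TransportAgent | Where-Object { $_.Identity -like 'McAfee*' }
    if ($mcafee) {
        $mcafee | Format-Table Identity, Enabled, Priority -AutoSize
    } else {
        Write-Warning "No 'McAfee*' transport agent registered on $env:COMPUTERNAME; transport scanning (and sender IP discovery) will not work here."
    }
} else {
    Write-Host "$env:COMPUTERNAME does not host Hub Transport, so no transport agents are expected."
}

# 3. MSMEODUser is only created on Mailbox role servers; check the local account store via WMI
#    (works on Windows Server 2008 R2, which has no Get-LocalUser).
if ($thisServer.ServerRole -match 'Mailbox') {
    $od = Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount=True AND Name='MSMEODUser'"
    if ($od) {
        Write-Host "MSMEODUser exists (disabled: $($od.Disabled))"
    } else {
        Write-Warning "MSMEODUser not found; see KB77744 for deployments that skip its creation."
    }
} else {
    Write-Host "$env:COMPUTERNAME does not host the Mailbox role, so MSMEODUser is not expected."
}
```

Run it on each of the two servers; a Hub server on 14.3 (SP3) with no McAfee transport agent registered is exactly the situation the reply says needs MSME 8 Patch 1.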

  • tlange McAfee SME 344 posts since
    Nov 4, 2009
    7. Oct 2, 2013 7:54 AM (in response to mlamothe)
    Re: Find internal ip sender with groupshield 7.02

    Patch 1 can be applied at any time, and if you aren't going to SP3 anytime soon I would get it on there now.

     

    Since the detection happened with the VSAPI you can also look at the Folder column in the Detected Items and see which mailbox it was picked up in. The only way to get the IP address would be to have the transport scanning pick up the infection.
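Whether the message ever passed through transport (where a connecting IP is recorded) can be confirmed from the Exchange message tracking logs, which goes a step beyond the thread itself. This is an added example, not code from the thread or from McAfee. It assumes the Exchange Management Shell on a Hub Transport server, and takes the subject and timestamp from the alert quoted in the opening post; the one-hour search window is an arbitrary choice.

```powershell
# Added example (not from the thread): search Exchange 2010 message tracking logs for the
# message named in the alert, to see whether it went through transport (RECEIVE events from
# SMTP carry ClientIp) or only ever existed in a mailbox store (on-access VSAPI detection).
# Assumptions: Exchange Management Shell on a Hub Transport server; subject and time taken
# from the alert in the opening post; the +/- 1 hour window is a guess, widen it if needed.

$subject = 'IMPORTANT Documents - WellsFargo'
$when    = Get-Date '2013-09-29 20:05:47'

# Query every Hub Transport server, since the sender may have used a different one.
$hubs   = Get-ExchangeServer | Where-Object { $_.ServerRole -match 'HubTransport' }
$events = foreach ($hub in $hubs) {
    Get-MessageTrackingLog -Server $hub.Name `
        -Start $when.AddHours(-1) -End $when.AddHours(1) `
        -MessageSubject $subject -ResultSize Unlimited
}

if (-not $events) {
    Write-Host "No transport events for that subject: the item was probably created directly in the mailbox (MAPI/OWA/IMAP) and caught by on-access (VSAPI) scanning, not by transport scanning."
    return
}

# Source SMTP + EventId RECEIVE: ClientIp is the connecting host.
# Source STOREDRIVER: the message was submitted from a local mailbox; use Sender/ClientHostname.
$events | Sort-Object Timestamp |
    Select-Object Timestamp, EventId, Source, ClientIp, ClientHostname, Sender, MessageSubject,
        @{ n = 'Recipients'; e = { $_.Recipients -join ';' } } |
    Format-Table -AutoSize
```

`-MessageSubject` matches substrings, so a shortened subject works if the alert's subject was truncated. If the only events are STOREDRIVER submissions, the message originated in a mailbox on your own servers, which is consistent with the reply above: only transport scanning would have recorded an IP.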
