Author Topic: Avast! Server w/Exchange filtering nightmare  (Read 6222 times)


ctechsol

  • Guest
Avast! Server w/Exchange filtering nightmare
« on: August 26, 2004, 04:52:04 PM »
This has been a week from hell. I highly recommended this product to a customer of mine and installed it on the servers and workstations a couple of weeks ago. A few days ago, they got hit with spam and apparently MyDoom and Bagle came through some emails and infected the PCs. That caused the network to stop functioning and caused the mail server to shut down its Exchange and SMTP services.

I did not know what the problem could be at first. I shut down the workstations causing an enormous amount of traffic. On the server, when I started the Exchange services, they came up fine. Then I started the SMTP service and it started. But for some reason I couldn't connect to port 25 from outside. So I looked at the services again and the SMTP service was stopped. I started it again, waited 5 seconds and clicked refresh. Sure enough, the service stopped. It didn't report any errors to the event viewer or on the screen.

I renamed the mailroot folder to mailrootOLD and the service started. I scanned the mailrootOLD folder w/Avast and it said it was clean. I downloaded stinger.exe from McAfee and it found 5 worms in that folder. Once the worms were cleaned with stinger.exe, the service started with the old folder, once renamed back to mailroot.

The workstations were running Avast Professional. According to some users, Avast would notify them that it found a virus, and they would try to delete it, then it notified them again. After a few attempts to delete it, it stopped notifying them. Whether it was notifying them of the MyDoom or Bagle worm is still unknown. But running stinger.exe on the workstations found the worms residing on the hard drive.

I really looked like crap in front of my customer. I ended up uninstalling Avast from the servers and the workstations and purchasing eTrust. I do not know if it's a GREAT anti-virus, but after installing it, it found viruses and kept the system stable for a day now without interruptions. I am extremely disappointed.

I ran the trial in our lab, and it seems OK, but I'm not sure if the lab received any infections to begin with. Avast definitely found some trojans.

But that is the story of Avast!. And Avast! no more!
« Last Edit: August 26, 2004, 04:55:13 PM by ctechsol »

Offline Vlk

  • Avast CEO
  • Serious Graphoman
  • *
  • Posts: 11664
  • Please don't send me IM's. Email only. Thx.
    • ALWIL Software
Re:Avast! Server w/Exchange filtering nightmare
« Reply #1 on: August 26, 2004, 11:42:44 PM »
Hi, it's very hard to react to a post like this but I'll do my best. It's almost impossible now to analyse more deeply what really happened (because you've already uninstalled the program and that includes deleting all the logs etc.) and I don't even know if you're interested in doing so... I've heard from the sales people that you're wanting your money back... :-\

The principal question here is, of course, if the virus database was up-to-date on both the workstations and the server. That is, it sounds almost unbelievable to me that avast would (even during an on-demand scan which you've done as you said) miss a Beagle or MyDoom variant. These are all being picked up without any problems, that's for sure. The only exception on the server may be some password-protected ZIP exemplars but these would've been picked up on the workstation (by avast! Pro). Of course, this assumes that avast! was really installed on all the workstations. Please also note that avast! for Exchange can be set up to block all password-protected archives, making sure nothing gets past the server scan.

Quote
I really looked like crap in front of my customer. I ended up uninstalling Avast from the servers and the workstations


I understand that you're now angry. And for a reason. But isn't it maybe a bit of a hot-headed decision to immediately drop all licenses for avast and start with something else?

Also, it's a bit of a pity that you didn't share this with us as soon as you faced it. Maybe we'd have found a solution...

Thanks
Vlk
If at first you don't succeed, then skydiving's not for you.
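The reply above notes that password-protected ZIPs are the one case a server-side scan may not see into, and that the Exchange filter can be set to block them. As an added example (not part of the original thread and not avast!'s own code), this is one way a mail gateway can recognise such attachments from the ZIP encryption flag without needing the password; the function names and the sample message are constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

ENCRYPTED = 0x1  # bit 0 of the ZIP general-purpose flags: member is encrypted


def encrypted_members(data: bytes) -> list[str]:
    """Names of encrypted members; reads only the central directory."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [i.filename for i in zf.infolist() if i.flag_bits & ENCRYPTED]


def attachments_to_block(raw: bytes) -> list[str]:
    """Attachment filenames a gateway cannot inspect and should hold."""
    msg = message_from_bytes(raw, policy=policy.default)
    blocked = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        try:
            if zipfile.is_zipfile(io.BytesIO(data)) and encrypted_members(data):
                blocked.append(part.get_filename())
        except zipfile.BadZipFile:
            blocked.append(part.get_filename())  # unparseable: fail closed
    return blocked


def sample_zip(encrypted: bool) -> bytes:
    """Constructed sample: a stored ZIP, optionally with the flag bit set."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("readme.txt", "constructed sample, harmless text")
    data = bytearray(buf.getvalue())
    if encrypted:
        # Flags sit 6 bytes into the local header, 8 into the central one.
        for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            data[data.find(sig) + off] |= ENCRYPTED
    return bytes(data)


def build_sample_message() -> bytes:
    msg = EmailMessage()
    msg.set_content("body")
    for name, enc in (("plain.zip", False), ("locked.zip", True)):
        msg.add_attachment(sample_zip(enc), maintype="application",
                           subtype="zip", filename=name)
    return msg.as_bytes()
```

The sample only flips the flag bit on a harmless stored archive, which is enough for the check because the decision is made from the headers, never from the member contents.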

ctechsol

  • Guest
Re:Avast! Server w/Exchange filtering nightmare
« Reply #2 on: August 27, 2004, 05:01:42 PM »
The servers and the workstations were all set to high residency protection. They performed AVS upgrades regularly.

I loved the software and the interface, as well as its features for which reason I gave my customers my word that this software was the best choice to move from Symantec. And perhaps it was better, it definitely was not best. The customer was down for 2 days in a row.

At this point, my customer was very disappointed in our services, and my customers have never been disappointed in our services. We have always done a great job for all of our customers and have never had a customer leave for another consultant. During this period when they were down, they have mentioned that maybe they will try getting their network "evaluated" by another consultant. I cannot take that risk. If the software we switch to is more expensive, I will have to eat the cost, so it is not something I'd like to do, but I totally understand where my customer is coming from and their frustration.

ctechsol

  • Guest
Re:Avast! Server w/Exchange filtering nightmare
« Reply #3 on: August 27, 2004, 05:07:50 PM »
Quote
Also, it's a bit of a pity that you didn't share this with us as soon as you faced it. Maybe we'd have found a solution...

There was no time. They were down... I have sent you emails of errors they received after the initial installation which you were researching. There just wasn't any time. I had to make a decision to bring the servers and the network up. Keep in mind, after the 1st day, we brought the servers up and the network seemed OK. The same night, everything went down and I got a very frustrating call in the morning. At that point I had to act.

Offline Vlk

Re:Avast! Server w/Exchange filtering nightmare
« Reply #4 on: August 27, 2004, 05:23:22 PM »
I thought avast was running for a couple of weeks there. Or are you saying it happened the very same day as you installed it???


I absolutely understand your frustration/disappointment. Especially considering this incident happened not on your own network but rather on a customer's one...


BTW what about the other customers for whom you implemented avast? Did they experience similar problems? Because I just kind of cannot believe that avast could fail so badly... Miss a Beagle or MyDoom -- that sounds really very odd...

BTW2 The emails you forwarded to me couldn't have anything to do with this particular issue... these were just warnings that the configuration changes couldn't be updated.


Thanks
Vlk