OK to run Ad-Aware on Domino Server?

I know it’s not advisable to run an anti-virus product on a Domino server and I understand why. What about Ad-Aware?

We have spam being generated somewhere in our network and sent by our mail server. From the firewall traffic, it is looking like some of it is coming from a few servers in our network as well as individual pcs. We run Ad-Aware as needed on end-user pcs when we find one generating excess traffic but have not installed it on our servers.

We are currently looking at options for better network security (anti-virus, anti-spam, anti-malware, etc.) but until that decision can be made, we need something immediately to clean up the servers.

And yes, this is an inherited situation…please don’t publicly flog me because I know what’s happening is bad. All I want to do is stop it.

Thanks so much…Cindy.

Subject: OK to run Ad-Aware on Domino Server?

While it’s very unlikely that mail would be sent through some “rogue” process on your notes server it is certainly not impossible.

Loading something like Adaware isn’t likely to find the problem unless it’s something very obvious.

I’d suggest that you consider some downtime on that server and remove it from the network. (Disconnect the network cable but leave the server running).

Watch Mail.box to see if any NEW spam messages hit it.

There’s a few other things you could do to test the systems, like reconnect and leave the router running but stop the SMTP task. You should still be able to send internal mail but should not receive any spam.

Finally, consider shutting down the Notes server and running a full anti-virus scan across the server.

Malware usually won’t make it onto a device without a process to load it - either an unpatched exploit.

SO.

  1. You have a hardware firewall, right? Is it configured to block all but Notes, SMTP, HTTP and HTTPS to that server - unless you need other services?

  2. Do you have a software firewall on the server - even the Windows one will do - which is monitoring which applications can send and receive from the internet and local network?

  3. It’s a given that nobody EVER surfs the net on the server - right??

  4. No files are transferred to the server except from scanned media - right?

The other thing to try - just to isolate whether the spam is coming from inside or outside - is to disconnect the internet at your workplace temporarily and watch mail.box - I know this is a little drastic but it will give you your answer.

If the spam is coming from outside, consider directing your SMTP through an external managed filtering service first.

Subject: RE: OK to run Ad-Aware on Domino Server?

If you have some unauthorized process running ON your Domino servers, I suggest you take the affected servers offline immediately and run Ad-aware, antivirus, whatever it takes to root them suckers out. I’m not an administration expert, but I’m assuming these servers contain lots of information you don’t intend to make public?

Subject: OK to run Ad-Aware on Domino Server?

Hi, I suggest you check out the following:

Check the server tasks line to see if SMTP is listed

On the Notes server console do a ‘Show Tasks’ to see if SMTP is running.

If you do not need SMTP running on your servers shut the SMTP task and Disable the SMTP listener. Typically you will set up one SMTP mail relay which then sends the messages out to the internet.

For servers running the SMTP task, open the Configuration document, click the Router/SMTP tab, then check the Restrictions and Controls tab to see if any restrictions/controls are in place. Best practices mandate that you should have these settings locked down. Check out Technote 1092370 or this IBM Developer article for a detailed explanation of the above.

You may also want to check Auto-Reply Agents including Out-of-Office Agent that run on your server as these may be exploited by spammers.

If you have Web sites in your environment you may want to check with the Developers for any Mail To/Contact Us features that are being exploited.

You can also try and trap the outbound SMTP messages.

Open the server’s notes.ini and add the following parameter within the file: SmtpSaveOutboundToFile=1

Note: Recycle the Domino server for the change in the NOTES.INI to take effect.

Then examine the properties of the messages to see their origin.

Note: As a Best Practice before making any changes in your environment document the change so that it is easy to roll back.

Thanks.

Robert Mendonca
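A worked example added here, not code from the thread or from IBM/Domino: a Python script that takes outbound messages trapped with SmtpSaveOutboundToFile=1, tallies them by the internal host named in the earliest Received header, and lists From: addresses outside the local domain, which is the "examine the properties to see their origin" step above. It assumes each trapped file is plain RFC 822 message source and works on constructed sample messages; the naming and layout of the files Domino actually writes are not documented here.

```python
import re
from collections import Counter
from email import message_from_string
from email.utils import parseaddr
# Constructed sample traffic (not real messages). The Received header
# names the internal host that handed each message to the Domino router.
def _msg(host, ip, sender, subject):
    return ("Received: from %s ([%s]) by domino1.example.local\n"
            "From: %s\nTo: someone@example.org\nSubject: %s\n\nbody\n"
            % (host, ip, sender, subject))

SAMPLE_MESSAGES = [
    _msg("ws-1", "192.168.1.51", "alice@example.com", "Q3 report"),
    _msg("ws-7", "192.168.1.77", "promo@cheap-meds.test", "BUY NOW"),
    _msg("ws-7", "192.168.1.77", "x@random.test", "BUY NOW"),
    _msg("ws-7", "192.168.1.77", "y@other.test", "BUY NOW"),
    _msg("fileserver", "192.168.1.10", "dave@example.com", "backup log"),
]

RECEIVED_FROM = re.compile(r"from\s+(\S+)\s*\(\[?([\d.]+)\]?\)", re.I)

def originating_host(raw):
    """Return (hostname, ip) of the earliest hop, or None if unparseable."""
    received = message_from_string(raw).get_all("Received") or []
    if not received:
        return None
    # Received headers are prepended at each hop, so the last one listed
    # is the hop closest to the machine that actually sent the message.
    m = RECEIVED_FROM.search(received[-1])
    return (m.group(1), m.group(2)) if m else None

def tally_origins(messages):
    counts = Counter()  # trapped messages per originating IP
    for raw in messages:
        origin = originating_host(raw)
        counts[origin[1] if origin else "unknown"] += 1
    return counts

def suspicious_sources(messages, threshold=2):
    """IPs that handed the router more than `threshold` messages."""
    return {ip for ip, n in tally_origins(messages).items() if n > threshold}

def foreign_senders(messages, local_domain):
    """From: addresses outside the organisation's domain; spam relayed
    through an internal box is often forged this way."""
    hits = []
    for raw in messages:
        _, addr = parseaddr(message_from_string(raw).get("From", ""))
        if not addr.lower().endswith("@" + local_domain.lower()):
            hits.append(addr)
    return hits
```

Point the script at the real trapped files instead of SAMPLE_MESSAGES once you have confirmed their format; the IP that dominates the tally is the machine to pull off the network first.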

Subject: OK to run Ad-Aware on Domino Server?

I can’t say I’ve tried it, but as noted in the previous post, do everything necessary to clean-up. I could see where the real-time scanner in AD-Aware could be an issue, but I would think the on-demand scan should be fine. It might not hurt to drop your Domino server before scanning.

We’ve always run anti-virus on our Windows-based Domino servers. You just typically need to make some exceptions to prevent the scanning of Domino program and data files. IMHO, every Windows box needs to run some kind of AV…even with firewalls and other controls in place. This is especially true if you inherited Windows servers that are doing more than just Domino. Other services (e.g. file shares) are a potential vector for infection.

As for the long term, a layered defense is the way to go. There are items that occasionally slide by our Anti-Spam/AV appliance at the edge of the network which are nabbed by the Domino-specific AV. Use the built-in Windows 2003 firewall to limit incoming ports - this can help protect against attacks originating from inside your network (e.g. from a compromised PC).