Thursday, January 15, 2009

Poison Queue in Exchange 2007

There were thousands of messages appearing in the Exchange 2007 Poison Queue. Most appeared to be Public Folder replication messages.

Looking at the event logs reveals the following event in the application log:

Event Type: Warning
Event Source: Symantec Mail Security for Microsoft Exchange
Event Category: Threat/Security Risk
Event ID: 215
Date: 9/11/2008
Time: 5:04:08 PM
User: N/A
Computer:
Description:
The message "Folder Content Backfill Response" located in SMTP has violated the following policy settings:
Scan: Auto-Protect
Rule: Unrepairable Virus Rule
The following actions were taken on it:
The message "Folder Content Backfill Response" was marked for Deletion for the following reason(s):
Unrepairable virus W32.Niuniu!inf was found in MCID 12314 (RISK 1) NEW SMTPA W32..

Symantec's site has the following article regarding the virus:
http://www.symantec.com/security_response/writeup.jsp?docid=2007-101019-1930-99&tabid=2

It was confirmed with Symantec that they are altering the messages, and this is what causes them to be placed in the Poison Queue in Exchange 2007. An adjustment was made within the Symantec configuration to ignore these types of messages.
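To check whether the messages in the Poison Queue are the same ones the scanner acted on, the queue contents can be compared with the event 215 entries. The following is an added example for the Exchange Management Shell, not part of the original post. It assumes a placeholder server name (`HUB01`), an arbitrary window of the 5000 newest Application log entries, and that the subject shown in the queue matches the message name quoted in the event description.

```powershell
# Run in the Exchange Management Shell on the Hub Transport server.
# Assumption: HUB01 is a placeholder; replace it with your own server name.
$server = "HUB01"

# 1. Read everything currently held in the poison queue.
$poison = Get-Message -Queue "$server\Poison" -ResultSize Unlimited

# 2. Pull the scanner's event 215 entries from the Application log.
#    Filtering with Where-Object keeps this compatible with PowerShell 1.0.
#    Assumption: the newest 5000 entries cover the period of interest.
$events = Get-EventLog -LogName Application -Newest 5000 |
    Where-Object { $_.EventID -eq 215 -and
                   $_.Source -eq "Symantec Mail Security for Microsoft Exchange" }

# 3. Extract the quoted message name from each event description, e.g.
#    The message "Folder Content Backfill Response" located in SMTP ...
$flagged = @{}
foreach ($e in $events) {
    if ($e.Message -match 'The message "([^"]+)" located in') {
        $name = $matches[1]
        $flagged[$name] = 1 + [int]$flagged[$name]
    }
}

# 4. For each subject in the poison queue, show how many messages are queued
#    and how many scanner events name the same message.
$poison | Group-Object Subject |
    Select-Object @{Name="Subject";       Expression={$_.Name}},
                  @{Name="InPoisonQueue"; Expression={$_.Count}},
                  @{Name="ScannerEvents"; Expression={[int]$flagged[$_.Name]}} |
    Sort-Object InPoisonQueue -Descending |
    Format-Table -AutoSize
```

Subjects with a high `InPoisonQueue` count and matching `ScannerEvents` point to the scanner as the cause; subjects with zero scanner events need a separate investigation.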
