GroupShield problem flares up on Exchange

A flaw in Network Associates' GroupShield antivirus product is causing problems for some users of Microsoft's Exchange 2000 e-mail server, including server crashes, according to Vincent Gullotto, a vice president at AVERT, Network Associates' antivirus research group.

Free IT resource Open Source Business Conference (OSBC) May 22-23, 2007 Sponsored by OSBC Free IT resource Virtualization Insights from Top Experts - Learn how virtualization gets real! Sponsored by Dell

The problem affects organizations running the Exchange 2000 product with GroupShield version 5.2.

A flaw in the GroupShield product causes the Exchange information store to fail when e-mail messages are received with certain formatting characteristics in the e-mail "From" line, Gullotto said.

The problem causes the Exchange server to stop responding, resulting in a loss of e-mail service to Exchange users, according to those who encountered the problem.

"To the users it looks like a network problem. You can't get your mail," said Scott Martin, a system administrator at software company Modular Mining Systems, in Tucson, Ariz.

Modular Mining Systems first encountered the problem on March 25, after using the GroupShield with Exchange 2000 for six months without incident, Martin said.

Network Associates said it discovered the problem after a report from a North American customer in January.

The company issued a patch in January named "Hotfix 2," to repair the problem and updated its knowledge base with information about the problem at the time.

Customers who subscribe to a premium service that delivers product update information via e-mail received word of the problem at that time. Customers that do not subscribe to that list did not receive information about the Hotfix 2, but did have access to information on the problem from Network Associates' knowledge base, Gullotto said.

Network Associates could not say how many of its GroupShield customers have downloaded and installed the patch since January or how many are still vulnerable.

A handful of GroupShield customers reported problems, including Exchange Server crashes, resulting from the flaw since January, with a couple more incidents in recent weeks, he said.

Unable to resolve their Exchange Server problems, Modular Mining Systems temporarily disabled GroupShield in order to be able to run Exchange, Martin said.

"We were running without antivirus for probably a day," he said.

After online research pointed to a problem with the GroupShield product, the company contacted Network Associates on March 27. Support technicians there appeared to be familiar with the problem and sent the company the patch, Martin said.

Modular Mining Systems did not receive any information from Network Associates about the problem or the existence of Hotfix 2 prior to that, he said.

Network Associates is not sure why the problem is suddenly flaring up on unpatched systems in recent weeks, according to Gullotto.

One possibility is that spam e-mail is circulating that contains the formatting characteristics that trigger the GroupShield flaw, he said.

Despite the small number of occurrences, the Santa Clara, California is strongly urging GroupShield customers to apply Hotfix 2 to affected systems.