NinjaTek

Tuesday, November 15, 2011

Restore Folders that have been Hidden by a Virus

A common move for a virus is to set the Hidden and System attributes on every folder on a drive. This gets very confusing when the drive shows as 80% used, but you can only see a few files on it…

As soon as you realise something funny like this has happened, run an anti-virus scan on the drive (whoever borrowed your drive evidently doesn’t have adequate AV protection). Once you have a clean result, you need to get your folders back.

To View the hidden folders:
dir /ah

To remove the Hidden and System attributes from folders:
attrib *. -h -s /s /d

Step by Step:

  1. Open a command prompt (Start -> CMD)
  2. Type in: cd\ (This will take you to the root of the drive)
  3. Type in the affected drive letter, eg: E:
  4. To view the hidden folders, type in: dir /ah
  5. To make them all visible again, type in: attrib *. -h -s /s /d
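The same clean-up written as a PowerShell script (an added example, not part of the original post): it lists every folder on the drive that carries both the Hidden and System attributes, skips the folders Windows itself legitimately keeps hidden (which the blanket attrib command would also unhide), and only clears the attributes when run with -Fix. The drive letter E: and the list of legitimate folder names are assumptions.

```powershell
# Added example, not from the original post. Default drive 'E:\' is an assumption.
param(
    [string]$Drive = 'E:\',
    [switch]$Fix            # without -Fix the script only reports, it changes nothing
)

# Folders Windows creates as Hidden+System on its own; leave these alone.
$legit = @('System Volume Information', '$RECYCLE.BIN')

# -Force makes Get-ChildItem return hidden/system items; access-denied folders are skipped.
$hiddenSystem = Get-ChildItem -Path $Drive -Directory -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object {
        $_.Attributes.HasFlag([IO.FileAttributes]::Hidden) -and
        $_.Attributes.HasFlag([IO.FileAttributes]::System)
    }

# Bitmask of the two attributes we want to remove (as an int for the -bnot below).
$mask = [int]([IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System)

foreach ($dir in $hiddenSystem) {
    if ($legit -contains $dir.Name) {
        Write-Host "skip (Windows system folder): $($dir.FullName)"
        continue
    }
    if ($Fix) {
        # Clear only Hidden and System; any other attributes (e.g. ReadOnly) stay as they were.
        $dir.Attributes = [IO.FileAttributes]([int]$dir.Attributes -band (-bnot $mask))
        Write-Host "restored: $($dir.FullName)"
    } else {
        Write-Host "hidden+system: $($dir.FullName)"
    }
}

Write-Host "$(@($hiddenSystem).Count) hidden+system folder(s) found on $Drive"
```

Run it once without -Fix to review the list, then with -Fix to restore the folders; it needs PowerShell 3.0 or later for the -Directory switch.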

-Ninjatek

MailMarshal – Still receiving mail from a Blacklisted Domain/Email Address

If you have blacklisted a domain or a single address but still receive mail from someone at that domain, I have two possible solutions for you.

Take a look at this hypothetical example:

  1. A user receives an email from a company with an ‘aggressive’ marketing campaign (spam)

  2. The user replies using as many expletives as possible

  3. The spammers now know they are getting through your anti-spam protection, so they email the user more than ever.

  4. The user now asks IT to block the spammer.

  5. IT blocks the spammer’s email address.

  6. Spam still gets through.

  7. IT blocks the spammer’s whole domain.

  8. Spam still gets through.

Option 1:

When the user replies to the spammer (Step 2), MailMarshal adds the spammer’s address to its Auto-Harvested Whitelist. Even when IT adds the email address to the Blacklist, the whitelist takes precedence.

To resolve, simply delete the entry from the Auto-Harvested Whitelist.


Option 2:

If the recipient has never responded to the spammer (i.e. the example starts at Step 4), then the spammer could be using an email marketing company to send their spam out for them, in which case the sending address might be different from the address/domain that you have blacklisted.

By default MailMarshal has a Connection Rule that checks incoming mail against the Global Blacklist and blocks matches. The only problem with that is that a Connection Rule can only see the address presented when the connection is made, not the message’s header fields, so in the case of our example the mail will still get through.

To deal with this you will need to create a new Standard Rule that checks the originator address header field (Sender address). This rule will then catch any mail that makes it past the default Connection Rule.



References:

http://www.m86security.com/KB/Print12238.aspx



Happy Blocking!

-Ninjatek