Endpoint Protection

  • 1.  Quarantine filling up Server

    Posted Oct 07, 2009 01:47 PM
    Alright, here is the thing, I DO NOT have an Exchange server.  The company I work for has no interest in setting one up either.  That being said, here is the situation.

    My mail server has SEP installed on it as a client as well as every Windows workstation that could potentially have access to mail or the internet. 

    Between my ISP and my mail server I have a dedicated Anti-Spam firewall with integrated AV- actually 2 AVs (different products).  Works great. 

    The other day, my SPAM firewall, not to be confused with the perimeter firewall, had an issue with the HDD (5 minute fix); while doing the FSCK on the drive, the power supply blew out.  An older machine, P4, 2 gigs ram, etc.  No replacement parts.  So I need to rebuild a new one.  No longer a 5 minute fix.  The bosses were upset at this point: "we have AV, open the pipe directly".  Well, in the 2 hours that the mail server was now blindly accepting every e-mail coming to it, Virus, SPAM, and redistributing it to all the mailboxes in the place.  Now, we keep all messages on our server, and all connections are IMAP.  In those 2 hours, I have over 2,400 Viruses that have infected the individual mailboxes.  Really harmless bugs to tell the truth.  Amongst them are:
    - W32.Toal.A@mm
    - Packed.Generic.233
    - Packed.Generic.243
    - Antivirus2008
    and a few more.

    ********
    Now the issue I have is every single mailbox is/was infected with these same bugs.  But every single mailbox "cleaned" or "quarantined" is different.  For example:
    Mailbox A has - W32.Toal.A@mm (4 times) and each instance of this file is quarantined and each quarantined file is 13,681 KB (That's right 13 Megs)
    Mailbox B has the same - W32.Toal.A@mm (4 times) and each instance of the file is quarantined.  However each quarantine file is 870,619 KB (Roughly 850 Megs) for a total of 3.4 Gigs... 

    Now, if I let this whole thing go, without monitoring and cleaning the quarantine folder, which potentially contains about 1,700 files of varying size, from 4 MEGS to 850 Megs...  My quarantine folder is filling up Terabytes of Space, completely choking the mail server... 

    Why is the size difference in the quarantine folder so huge??
    Furthermore, the attachment, be it in ZIP format is less than 1 MEG.  Unzipped 2 Megs and quarantined up to 850!!!  


  • 2.  RE: Quarantine filling up Server

    Posted Oct 07, 2009 05:50 PM
    What email client is the typical user using?  Sounds like the whole email folder (Thunderbird, Netscape, OE, etc.) or the whole PST (Outlook) is getting quarantined, not just the message.  It may be kept on the server, but just about every email client I know of will cache it somewhere locally.  You're probably using encrypted connections to the email server, since SEP can't stop it on its way in.  A little bit more information and we can probably help.  It could be that the email program is re-downloading the messages over and over and they get quarantined each and every time creating this little bug.

    Also, are users losing their email because it's getting quarantined?

    I had a similar issue on one system and posted a blog entry about it.  https://www-secure.symantec.com/connect/blogs/symantec-endpoint-protection-quarantine-expansion


  • 3.  RE: Quarantine filling up Server

    Posted Oct 08, 2009 11:50 AM
    Mail server is IMAIL going to be replaced shortly by something more up to date.
    The clients themselves are not "infected".  The .MBX files had infections within them. 
    The clients did not lose their mail and are still capable of retrieving all the messages from the server, minus the ones that were infected. 
    The infections have been removed from the server side and the clients are coming back clean.

    As far as client, they are using Thunderbird to retrieve their messages. 


  • 4.  RE: Quarantine filling up Server

    Posted Oct 08, 2009 12:34 PM
    We use Thunderbird here a lot too.  Thunderbird's default actions are quite unhelpful if you get a virus in your email. As Thunderbird downloads messages, it puts them in a temp file.  This temp file gets scanned by SEP.  If it is infected, SEP will quarantine the temp file.  Thunderbird, noticing its download is missing, decides to download it again.  It will repeat this process many times before it eventually gives up.  These temp files usually are every message in the inbox that the user has viewed, but can be the individual message, depending on Thunderbird versions or settings.  Every time the user goes back to their inbox (if it would be the first message) or goes to the infected message, it's going to happen again.  The only way for the user to avoid this is to turn off the preview pane so they can delete the infected message from the server without "viewing" it.

    There's not much here I can offer for assistance that's going to do you a lot of good.  Until your server-side email A/V gets going again, you might want to make exclusions in SEP on the Thunderbird profile folder.  Viral attachments that are opened or copied by unwitting users will be downloaded to the user's temp folder, desktop, My Docs, etc, where SEP will stop them.  The problem with this is once you disable the exclusion, you're going to find all this stuff again, but you'll only have to deal with it once...instead of over and over.

    Also, as far as I know, every A/V scanner that parses mbox files has this problem with Thunderbird.  Those that don't will not convert the attachments to binary code, so they will not find the infected temp files.


  • 5.  RE: Quarantine filling up Server

    Posted Oct 08, 2009 04:02 PM
    The mail server was cleaned and the messages were "forcefully" removed from their inboxes.  
    Being in IMAP only the headers are on the local machine. 
    I ran a script that was: 
    taskkill /S [machine name] /IM thunder*

    That kills the Thunderbird client on every machine in the network when deployed.  Once no one is connected to the server, clean the server.  Then allow everyone to launch again.  Only the "virus infected" inboxes lost some mail, but everything else is healthy. 

    I am just curious as to why the file would grow as big as 850 Megs for a single quarantine.  And for the same "infected message" in a different inbox 5 Megs.  Quite a difference.

    All in all, pretty much irrelevant now, as the systems are clean, or at least according to SEP they are.  And the mail server is happy again. 
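
    The containment step described in this post (kill every Thunderbird client, confirm nobody is connected, then clean the mail store) as an added PowerShell example; this is not the poster's script and not Symantec's or Mozilla's code. It assumes a constructed hosts.txt with one workstation name per line, admin rights on each host, and that the client's image name is thunderbird.exe (the original post used the wildcard thunder*).

    ```powershell
    # Added example, not from the thread: run the taskkill step across a host list,
    # then verify with tasklist that no Thunderbird client is still open before
    # the server-side mailbox cleanup starts.
    # Assumptions: .\hosts.txt (constructed, one hostname per line), admin rights
    # on every host, and image name thunderbird.exe.
    $hostList = Get-Content -Path .\hosts.txt | Where-Object { $_.Trim() -ne '' }

    foreach ($h in $hostList) {
        # /S = remote host, /IM = image name, /F = force; output suppressed
        taskkill /S $h /IM thunderbird.exe /F 2>$null | Out-Null
    }

    # Re-check each host; tasklist /FI filters on the image name
    $stillRunning = foreach ($h in $hostList) {
        $out = tasklist /S $h /FI "IMAGENAME eq thunderbird.exe" 2>$null
        if ($out -match 'thunderbird\.exe') { $h }
    }

    if ($stillRunning) {
        Write-Warning ("Thunderbird still running on: " + ($stillRunning -join ', '))
    } else {
        Write-Output "No Thunderbird clients connected; safe to clean the IMAP store."
    }
    ```

    The verification loop is the part the original one-liner lacks: a client that survives the kill (host offline, name typo, client relaunched) would reconnect and start the re-download cycle the earlier posts describe, so the cleanup should wait until the list is empty.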


  • 6.  RE: Quarantine filling up Server

    Posted Oct 08, 2009 04:29 PM
    I've seen quarantines grow that large quite regularly, and the best I can trace it to is applications getting into "fights" with SEP.  One does something SEP doesn't like, SEP stops it, so it does it again, and again.  Also, Thunderbird will cache the whole message on the hard drive, not just the headers. It is supposed to clear those files out on exit, but they certainly get written to disk where SEP can see them.