Recently, I noticed that there has been a surge in ICMP packets between some of my Active Directory controllers and Exchange servers. Virus scanning proved that the servers were clean. Is there any explanation for this phenomenon?
- Alex Ang

A high level of ICMP packets between your Active Directory controllers and Exchange server is not a normal situation from the networks that I have looked at. You have checked for viruses and that is a good first step. But there are several others that I would suggest.

The first is to make sure you have all your Windows updates applied. Unfortunately, you will have to take an additional step for services such as Exchange to make sure you have the appropriate product service packs applied. Check with your network card vendors to ensure you have the latest drivers installed. Depending on the card(s) you have, there may even be BIOS updates that may need to be applied for the network cards. This also applies for the motherboard in your servers.

Check your server change logs (you are keeping a set of change logs, right?) for any changes that occurred around the time you noticed the change in ICMP traffic on your network. Verify that the network card settings in terms of subnet mask, default gateway, DNS servers, etc., are set the way they should be. Look through the list of services running on each server to see if there are any additional services running that weren't there before.

Look at running several different spyware-detection packages such as AdAware, Spybot, and A-Squared (just to mention a few) to see if any spyware has managed to get onto your servers. I would encourage the use of multiple different spyware/adware-detection programs as one package will not catch everything. I would not be satisfied that everything is clear unless all packages report that nothing is found. As with your anti-virus package, make sure that the signatures for the spyware/adware detection packages are up to date, or something could easily be missed.
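
Added example, not part of the original answer: one way to carry out the service check described above is to snapshot each server's services and compare a later snapshot against it, flagging new services and changed binary paths, start modes or logon accounts. The function names, the baseline file path and the sample service entries are assumptions made for illustration.

```powershell
# Added example: compare a saved service baseline with the current state.
function Get-ServiceSnapshot {
    # One record per installed service, including the binary it launches.
    Get-CimInstance -ClassName Win32_Service |
        Select-Object Name, PathName, StartMode, StartName
}

function Compare-ServiceSnapshot {
    param(
        [Parameter(Mandatory)] [object[]] $Baseline,
        [Parameter(Mandatory)] [object[]] $Current
    )
    $known = @{}                       # service name -> baseline record
    foreach ($svc in $Baseline) { $known[$svc.Name] = $svc }

    foreach ($svc in $Current) {
        $old = $known[$svc.Name]
        if (-not $old) {
            # Service did not exist when the baseline was taken.
            [pscustomobject]@{ Name = $svc.Name; Finding = 'New service'; Detail = $svc.PathName }
            continue
        }
        # Same name, but a different binary, start mode or logon account.
        foreach ($prop in 'PathName', 'StartMode', 'StartName') {
            if ($old.$prop -ne $svc.$prop) {
                [pscustomobject]@{
                    Name = $svc.Name; Finding = "$prop changed"
                    Detail = "$($old.$prop) -> $($svc.$prop)"
                }
            }
        }
    }
}

# Constructed sample data (hypothetical services) so the comparison runs anywhere.
$baseline = @(
    [pscustomobject]@{ Name = 'ExampleMail'; PathName = 'C:\Example\mail.exe'; StartMode = 'Auto'; StartName = 'LocalSystem' }
    [pscustomobject]@{ Name = 'ExampleAgent'; PathName = 'C:\Example\agent.exe'; StartMode = 'Manual'; StartName = 'LocalSystem' }
)
$current = @(
    [pscustomobject]@{ Name = 'ExampleMail'; PathName = 'C:\Example\mail.exe'; StartMode = 'Auto'; StartName = 'LocalSystem' }
    [pscustomobject]@{ Name = 'ExampleAgent'; PathName = 'C:\Temp\agent.exe'; StartMode = 'Auto'; StartName = 'LocalSystem' }
    [pscustomobject]@{ Name = 'ExampleHelper'; PathName = 'C:\Temp\helper.exe'; StartMode = 'Auto'; StartName = 'LocalSystem' }
)
Compare-ServiceSnapshot -Baseline $baseline -Current $current | Format-Table -AutoSize

# On a real server (baseline path is a placeholder):
#   Get-ServiceSnapshot | Export-Clixml C:\Baselines\services.xml
#   Compare-ServiceSnapshot -Baseline (Import-Clixml C:\Baselines\services.xml) -Current (Get-ServiceSnapshot)
```

Keep the baseline file somewhere other than the server it describes, and record each new baseline in the change log so an expected change is not mistaken for an unexplained one.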