ClamAV fine tuning & another AV recommendation

Oct 26, 2019
Dear Friends,

I recently found that the ClamAV shipped with Proxmox is not properly catching viruses inside documents (especially Word documents).

Is there any fine-tuning we can do in ClamAV?

And also, is there any alternative to that? If yes, what is it and how could we install it?


Regards,
Liju
 
I also have problems with the doc files.

Doc files infected with EMOTET (Feodo) are not detected by ClamAV; I had to create a filter to move all doc files to quarantine. It is a clumsy but effective solution...
 
I highly recommend totally removing doc files (and similar) from emails to end users (via the rule system).

Proxmox Mail Gateway 6.1 will introduce a new attachment quarantine, allowing admins to analyse such attachments without delivering them to the end user.

And take a look at AVAST as an additional scanner. But this will not solve all problems; there are always new viruses which are unknown in the signatures.
 
I also have problems with the doc files.

Doc files infected with EMOTET (Feodo) are not detected by ClamAV; I had to create a filter to move all doc files to quarantine. It is a clumsy but effective solution...

I saw ClamAV able to detect the Emotet virus. But I also quarantine all email from @xxx.mx to be safe...

Proxmox Notification:

Sender: hchavez@vic.com.mx
Receiver: abc@xxx.com
Targets: abc@xxx.com

Subject: Invoice status update 932 from 2019-11-20


Matching Rule: Block Viruses

Rule: Block Viruses
Receiver: abc@xxx.com
Action: Move to quarantine.
Action: notify __ADMIN__


Virus Info: Doc.Dropper.Emotet-7401142-0 (clamav)
 
I highly recommend totally removing doc files (and similar) from emails to end users (via the rule system).

Proxmox Mail Gateway 6.1 will introduce a new attachment quarantine, allowing admins to analyse such attachments without delivering them to the end user.

And take a look at AVAST as an additional scanner. But this will not solve all problems; there are always new viruses which are unknown in the signatures.

@tom No offense, but this is just unacceptable and not scalable in any way, and a waste of manpower and a GDPR nightmare at best.

We cannot just "check" emails that might contain highly sensitive information for the clients we are filtering mail for, and .doc files and similar Microsoft files are the most common attachments you will see on most mail filters. Should we also remove all .zip and .pdf files as well? Why not remove them all then? It just does not make sense in any way to remove some of the most common attachment types that are constantly shared by email users.

There has to be a way to improve the virus detection on the attachments. And please do not suggest avast as it's just terrible.
 
Should we also remove all .zip and .pdf files as well?
If your end users work with Windows desktops, this could be good practice, yes. It fully depends on your business needs.

You can configure your Mail Gateway as you need it, flexibly.
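Added example, not part of the thread and not Proxmox or ClamAV code: the posts above weigh quarantining every .doc attachment against delivering them all, and this sketch shows a narrower triage that quarantines only Office attachments that appear to carry VBA macros. The function names and the sample message are constructed for illustration, and the OLE2 check is a byte-search heuristic rather than a full compound-file parse.

```python
import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")   # legacy .doc/.xls/.ppt container
VBA_STREAM = "_VBA_PROJECT".encode("utf-16-le")  # OLE2 directory names are UTF-16LE


def has_macros(data: bytes) -> bool:
    """Heuristic: True if the bytes look like an Office file carrying VBA."""
    if data.startswith(OLE2_MAGIC):
        # Not a full compound-file parse: just look for the VBA stream name.
        return VBA_STREAM in data
    if data.startswith(b"PK"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                # OOXML files (.docm, renamed .docx) keep macros in vbaProject.bin
                return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
        except zipfile.BadZipFile:
            return True  # malformed archive: fail closed and quarantine
    return False


def triage(raw_message: bytes) -> list:
    """Return (filename, verdict) for every attachment in an RFC 822 message."""
    results = []
    for part in message_from_bytes(raw_message).walk():
        name = part.get_filename()
        if name is None:
            continue  # multipart containers and inline body text
        payload = part.get_payload(decode=True) or b""
        results.append((name, "quarantine" if has_macros(payload) else "deliver"))
    return results


def build_sample() -> bytes:
    """Constructed test message: a clean .docx and a .doc naming a VBA stream."""
    clean = io.BytesIO()
    with zipfile.ZipFile(clean, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
    fake_doc = OLE2_MAGIC + b"\x00" * 504 + VBA_STREAM  # not a valid document
    msg = EmailMessage()
    msg.set_content("see attachments")
    for name, blob in (("report.docx", clean.getvalue()), ("invoice.doc", fake_doc)):
        msg.add_attachment(blob, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()
```

Calling `triage(build_sample())` delivers `report.docx` and quarantines `invoice.doc`; the verdict depends on file content, not on the extension the sender chose.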
 