Mailgateway Virus Scanner Not Effective

Discussion in 'Mail Gateway: Installation and configuration' started by symmcom, Feb 27, 2019.

  1. symmcom

    symmcom Active Member

    Unless I am doing something wrong or things need reconfiguring, I do not think the ClamAV in Mail Gateway is working properly. I sent some EICAR tests to our email server and only 1 out of 7 'virus' emails got blocked. Repeated tests showed the same result.
    The action is to remove all attachments, which it removes nicely from only 1 email. Any tips?
     
    #1 symmcom, Feb 27, 2019
    Last edited: Feb 28, 2019
  2. dietmar

    dietmar Proxmox Staff Member
    Can I get such mail from somewhere (for testing)?
     
  3. symmcom

    symmcom Active Member

  4. dietmar

    dietmar Proxmox Staff Member
    I assume they simply decompose the EICAR test file, and produce some variants with different encoding and different attachment structure.

    But the EICAR test is only really defined for unmodified versions (and that works). With modified EICAR files, each virus scanner behaves differently, and it does not really tell anything ...
     
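    The following is an added example (not code from the thread, from dietmar, or from Proxmox Mail Gateway) of what a well-defined gateway test looks like in the sense described above: the unmodified 68-byte EICAR file as a plain attachment, plus a check that the payload arriving in the test mailbox is still byte-for-byte EICAR. Anything that fails that check (extra encoding layers, archives, altered bytes) is outside what EICAR specifies, so a miss on it says nothing about the scanner. The gateway host and addresses are placeholders.

```python
"""
Added example, not code from the thread or from Proxmox Mail Gateway:
build the standard, unmodified EICAR test file, wrap it in a MIME mail,
and verify that a received copy still carries the exact test file.
Hostnames and addresses are placeholders.
"""
import email
import email.policy
import smtplib
from email.message import EmailMessage

# The EICAR string is assembled from two fragments so that this source file
# is not itself a byte-for-byte copy of the test signature.
_EICAR_PARTS = (
    "X5O!P%@AP[4\\PZX54(P^)7CC)7}$",
    "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*",
)
EICAR_LENGTH = 68          # the test file is exactly 68 bytes ...
EICAR_MAX_PADDED = 128     # ... optionally followed by whitespace up to 128 bytes


def eicar_bytes() -> bytes:
    """Return the 68-byte EICAR test file exactly as EICAR specifies it."""
    data = "".join(_EICAR_PARTS).encode("ascii")
    if len(data) != EICAR_LENGTH:
        raise ValueError("EICAR fragments are corrupted")
    return data


def is_standard_eicar(payload: bytes) -> bool:
    """True only for the exact EICAR file, optionally padded with whitespace."""
    return len(payload) <= EICAR_MAX_PADDED and payload.rstrip(b" \t\r\n") == eicar_bytes()


def build_test_mail(sender: str, recipient: str) -> EmailMessage:
    """Compose a plain MIME mail carrying the unmodified EICAR file as an attachment.

    No archive, no extra encoding layer, no renamed extension: EICAR only
    specifies detection of the file as-is, so only this form is a valid test.
    """
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = "EICAR gateway test (unmodified test file)"
    msg.set_content("This message carries the standard EICAR test file as an attachment.")
    msg.add_attachment(eicar_bytes(), maintype="application",
                       subtype="octet-stream", filename="eicar.com")
    return msg


def parse_mail(raw: bytes) -> EmailMessage:
    """Parse a raw RFC 5322 message, e.g. one pulled back out of the test mailbox."""
    return email.message_from_bytes(raw, policy=email.policy.default)


def attachment_is_standard_eicar(msg: EmailMessage) -> bool:
    """True if some attachment of the message is still the exact EICAR file.

    Run this on the message as it arrived: if it is false, something on the
    path altered the payload and the test result is not meaningful.
    """
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        if is_standard_eicar(payload):
            return True
    return False


def send_test_mail(host: str, sender: str, recipient: str, port: int = 25) -> None:
    """Submit the test mail to the gateway under test (placeholder host; not run here)."""
    with smtplib.SMTP(host, port) as smtp:
        smtp.send_message(build_test_mail(sender, recipient))


if __name__ == "__main__":
    # Placeholder gateway and addresses; replace with your own test setup.
    send_test_mail("pmg.example.invalid", "test@example.invalid", "user@example.invalid")
```

    Send the mail to the gateway, fetch it from the test mailbox, and feed the raw bytes to `parse_mail` and `attachment_is_standard_eicar`; only if that check passes does a missed detection count against the scanner.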
  5. symmcom

    symmcom Active Member

    I agree with you, dietmar. But when a client runs their own test to check how effective the filter is and sees emails that should have been blocked but are not, it does cause alarm.

    Also, besides the EICAR test, there have been incidents where emails with attachments got through. When the attachment was analyzed in a safe environment, it did turn out to be a virus. Fortunately, the user did not click on the attachment. But there is always the chance that someone will click on a harmful email.
    I am just trying to figure out Mail Gateway more and see if there is anything we can do to make it more effective. We have 5 email domains that go through the filter. I just don't want to see users panic.
     
  6. dietmar

    dietmar Proxmox Staff Member
    Please open a bug report at bugzilla.proxmox.com - maybe we can harden the default rules to catch more of those mails.
     
  7. symmcom

    symmcom Active Member

  8. dietmar

    dietmar Proxmox Staff Member
    Also, some users install Avast as a second virus scanner (but Avast is not open source) to get additional protection.
     
  9. kensan

    kensan New Member

    Maybe you can add some unofficial signatures for ClamAV. EXtremeSHOK has a script that helps (Google clamav-unofficial-sigs EXtremeSHOK; I can't add links):

    They tend to catch a lot more in my experience, but be careful of false positives.
     
  10. heutger

    heutger Active Member

    Agree, you could use them. I also have in my Advancing thread some additional signatures I played around with (same script), but they result in many false positives, so I wouldn't recommend them. I just decided to disable ClamAV altogether, purchase an Avast license and use Avast instead; works fine.
     
  11. rajeshm

    rajeshm New Member

    heutger: could you kindly post your experience with Avast antivirus? Thanks, rajesh.
     
  12. heutger

    heutger Active Member

    I had many false positives with ClamAV and additional signatures, without viruses getting through; with Avast I had none. I get very rare virus attachments, so I can't prove the quality of detection, but it looks fine to me.

    Avast itself is a bit like the history, so I still would prefer other solutions, but most of them don't exist any more or are EOL as they try to sell their own mail gateways, others are not daemonized and the last are too expensive (per mailbox or user). We tried to partner with them, but in the end it was not possible; they don't know their own structure. However, I found a very good and affordable partner and ordered through them.
     
  13. rajeshm

    rajeshm New Member

    Thanks for the detailed input. We are also facing the same problems as you. We block all forbidden attachments like exe etc., but the viruses embedded in Word/Excel docs pass through in a lot of cases.

    1) Could you please also share the link to the Avast antivirus version that you use and from whom you purchased it?

    2) Also, could you please share your experience with the antispam provided by Proxmox Mail Gateway?

    Thanks once again for your help.
     
  14. heutger

    heutger Active Member

    1. https://www.antivirusedition.com/details_produit.php?p=avast_core_security_linux&lang=DE

    2. There are options for improvement; I also reported feature requests for that. However, with some tweaks it's possible to get it working very well; check my Advancing PMG thread on what I recommend to do (for sure, lists and additions focus on German-speaking recipients, so other lists and additions like rules would work better for recipients in other countries).
     
  15. rajeshm

    rajeshm New Member

    The Advancing PMG thread is great, thanks a lot.

    On a side note, does Avast scanning take place at the SMTP level and carry out a rejection even before the malware email enters the server, or does it accept the email and then scan it?

    Thanks, rajesh
     
  16. heutger

    heutger Active Member

    You're welcome.

    Depends; the default setup of PMG is post-queue. I am currently trying around with pre-queue as described in https://forum.proxmox.com/threads/s...eue-statt-post-queue-gegen-backscatter.51100/, but it also has some side effects, and I am currently not sure if I would like to accept them. However, that way it would also be possible to reject at transmission level. That's one of the hardest and loudest feature requests to Proxmox; post-queue is a bit of an outdated setup, pre-queue would be much better. It could also bring some additional great ideas like greylisting based on spam level, so senders need to try again only if it looks like it can be spam or ham, but is neither sure spam (reject at all) nor sure ham (let it get through directly, also if the sender does not use SPF or the SPF check is disabled, which I recommend because SPF setups are often broken), so on the next try, luckily, a spammer would already be on an RBL blacklist and could be rejected directly.
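    As an added example (not code from the thread, from heutger, or from Proxmox Mail Gateway), here is a toy decision engine for the score-based greylisting idea above: sure spam is rejected at SMTP time, sure ham is accepted at once, and only the uncertain band is deferred until the sender retries after a minimum delay, after which the (client IP, sender, recipient) triplet is trusted for a while. The three outcomes are mapped to Postfix access-policy actions so the decision could be returned from a policy service; the thresholds, timings, and the triplet key are assumptions for illustration, and how to hook such a service into the gateway pre-queue is not something this example (or the thread) provides.

```python
"""
Added example, not code from the thread or from Proxmox Mail Gateway: a toy
decision engine for "greylisting based on spam level", with Postfix
access-policy actions for the three outcomes. Thresholds, timings and the
(client IP, sender, recipient) triplet key are assumptions for illustration.
"""
import time
from dataclasses import dataclass, field
from typing import Optional

REJECT, DEFER, ACCEPT = "REJECT", "DEFER", "ACCEPT"

# Action lines as a Postfix SMTP access policy service returns them
# (REJECT, DEFER_IF_PERMIT and DUNNO are real Postfix actions).
POSTFIX_ACTIONS = {
    REJECT: "REJECT Message looks like spam",
    DEFER: "DEFER_IF_PERMIT Greylisted, please try again later",
    ACCEPT: "DUNNO",
}


@dataclass
class ScoreGreylist:
    """Reject sure spam, accept sure ham, greylist only the uncertain band."""
    sure_spam: float = 10.0         # score at or above this: reject at SMTP time
    sure_ham: float = 3.0           # score below this: accept without delay
    min_delay: float = 300.0        # a retry must come at least this many seconds later
    max_wait: float = 4 * 3600.0    # a pending entry older than this is forgotten
    remember: float = 30 * 86400.0  # a triplet that passed once is trusted this long
    _pending: dict = field(default_factory=dict)  # triplet -> first-seen time
    _passed: dict = field(default_factory=dict)   # triplet -> last-accepted time

    def decide(self, client_ip: str, sender: str, recipient: str,
               score: float, now: Optional[float] = None) -> str:
        """Return REJECT, DEFER or ACCEPT for one delivery attempt."""
        now = time.time() if now is None else now
        if score >= self.sure_spam:
            return REJECT
        if score < self.sure_ham:
            return ACCEPT
        key = (client_ip, sender.lower(), recipient.lower())

        # A triplet that already retried like a real MTA is let through.
        last_ok = self._passed.get(key)
        if last_ok is not None and now - last_ok <= self.remember:
            self._passed[key] = now
            return ACCEPT

        first = self._pending.get(key)
        if first is None or now - first > self.max_wait:
            self._pending[key] = now   # first attempt (or a stale one): defer
            return DEFER
        if now - first < self.min_delay:
            return DEFER               # retried too early: keep deferring
        del self._pending[key]         # proper retry: promote to trusted
        self._passed[key] = now
        return ACCEPT


def postfix_action(decision: str) -> str:
    """Map a decision to the action line a Postfix policy service would return."""
    return POSTFIX_ACTIONS[decision]


if __name__ == "__main__":
    # Constructed sample: one uncertain sender retrying over time.
    g = ScoreGreylist()
    t0 = 1000.0
    for t, score in ((t0, 5.0), (t0 + 60, 5.0), (t0 + 600, 5.0), (t0 + 700, 5.0)):
        d = g.decide("192.0.2.10", "list@example.invalid", "user@example.invalid", score, now=t)
        print(f"t={t - t0:>4.0f}s score={score}: {d} -> {postfix_action(d)}")
```

    The interesting property is the one the post describes: a legitimate MTA retries and is accepted on the second attempt, while a sender that never retries is never delivered, and sure spam never even reaches the queue.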
     
  17. rajeshm

    rajeshm New Member

    Yes, what you say is true. Either rejecting at SMTP level or delivering the message to the recipient is the best option. Also, once you start accepting messages that are spam, I found that spam messages keep increasing.

    On a side note, does the SpamAssassin in Proxmox have image checking like FuzzyOcr?

    rajesh
     
  18. heutger

    heutger Active Member

    Agree, I currently run a separate test of rejecting spam not via milter but via smtpd proxy and am being very careful in testing. Meanwhile, having done that now for a few weeks, mail volume has increased up to 4 times compared to before.

    I believe I remember that, looking through the version pre files, I saw such an option being available but not enabled by default with the PMG setup of SpamAssassin; however, feel free to enable it yourself. However, I'm a bit careful with such fuzzy techniques; rspamd is using it very much and doesn't provide me with the results I expected to see.
     