Mailgateway Virus Scanner Not Effective

symmcom

Well-Known Member
Unless I am doing something wrong or things need reconfiguring, I do not think the ClamAV in mailgateway is working properly. I sent some EICAR tests to our email server and only 1 out of 7 'virus' emails got blocked. Repeated tests show the same result.
The Action is to remove all attachments, which it removes nicely from only 1 email. Any tips?
 

dietmar

Proxmox Staff Member
I assume they simply decompose the EICAR test file, and produce some variants with different encoding and different attachment structure.

But EICAR test is only really defined for unmodified versions (and that works). With modified EICAR files, each virus scanner behaves differently, and it does not really tell anything ...
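Added example, not part of the thread and not Proxmox code: a way to check which attachments in a test mail are the unmodified EICAR file (the 68-byte string, optionally followed by whitespace, at most 128 bytes in total) and which are modified variants where scanner behaviour is undefined. The sample message, file names and verdict labels are constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# 68-byte EICAR test string, split in two so this file is not itself the test file.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$" + rb"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
TRAILING_OK = b" \t\r\n\x1a"  # only these bytes may follow the string
MAX_LEN = 128                  # total size limit in the EICAR definition


def is_standard_eicar(data: bytes) -> bool:
    """True only for the unmodified test file: string first, optional whitespace, <= 128 bytes."""
    return (len(data) <= MAX_LEN and data.startswith(EICAR)
            and not data[len(EICAR):].strip(TRAILING_OK))


def classify_parts(raw: bytes):
    """Decode every leaf MIME part and label it standard / modified / clean."""
    results = []
    for part in message_from_bytes(raw, policy=policy.default).walk():
        if part.is_multipart():
            continue
        data = part.get_payload(decode=True) or b""  # undoes base64 / quoted-printable
        if is_standard_eicar(data):
            verdict = "standard"   # the case the test is defined for
        elif EICAR in data:
            verdict = "modified"   # outside the definition; detection varies
        else:
            verdict = "clean"
        results.append((part.get_filename() or part.get_content_type(), verdict))
    return results


def build_sample() -> bytes:
    """Constructed test mail: one conforming attachment, one non-conforming."""
    msg = EmailMessage()
    msg["Subject"] = "constructed scanner test"
    msg.set_content("plain body without the test string")
    msg.add_attachment(EICAR + b"\r\n", maintype="application",
                       subtype="octet-stream", filename="eicar.com")
    msg.add_attachment(b"leading text " + EICAR, maintype="application",
                       subtype="octet-stream", filename="wrapped.bin")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, verdict in classify_parts(build_sample()):
        print(f"{name}: {verdict}")
```

Running this over the raw source of each test mail shows whether a mail that passed the gateway contained a conforming sample at all, which is the only case where a miss points to a scanner problem.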
 

symmcom

> I assume they simply decompose the EICAR test file, and produce some variants with different encoding and the different attachment structure.
>
> But EICAR test is only really defined for unmodified versions (and that works). With modified EICAR files, each virus scanner behaves differently, and it does not really tell anything ...

I agree with you dietmar. But when a client runs their own test to check how effective the filter is and they see emails that should have been blocked and they are not, it does cause alarm.

Also, besides the EICAR test, there have been incidents where emails with attachments got through. When the attachment was analyzed in a safe environment, it did turn out to be a virus. Fortunately, the user did not click on the attachment. But there is always that chance that someone will click on a harmful email.
I am just trying to figure out mailgateway more and see if there is anything we can do to make it more effective. We have 5 email domains that go through the filter. Just don't want to see users panic.
 

dietmar

> I agree with you dietmar. But when a client runs their own test to check how effective the filter is and they see emails that should have been blocked and they are not, it does cause alarm.

Please open a bug report at bugzilla.proxmox.com - maybe we can harden the default rules to catch more of those mails.
 

dietmar

Also, some users install Avast as a second virus scanner (but Avast is not open source) to get additional protection.
 

kensan

New Member
Maybe you can add some unofficial signatures for ClamAV; eXtremeSHOK has a script that helps (google clamav-unofficial-sigs EXtremeSHOK, can't add links):

They tend to catch a lot more in my experience, but be careful of false positives.
 

heutger

Active Member
> Maybe you can add some unofficial signatures for ClamAV; eXtremeSHOK has a script that helps (google clamav-unofficial-sigs EXtremeSHOK, can't add links):
>
> They tend to catch a lot more in my experience, but be careful of false positives.

Agree, you could use them. I also have in my advancing thread some additional signatures I played around with (same script), but they result in many false positives, so I wouldn't recommend them. I just decided to disable ClamAV altogether, purchase an Avast license and use Avast instead; works fine.
 

rajeshm

New Member
heutger: could you kindly post your experience with Avast antivirus? Thanks, rajesh.
 

heutger

> heutger: could you kindly post your experience with Avast antivirus? Thanks, rajesh.

I had many false-positives with ClamAV and additional signatures, without viruses got through, with Avast I had not. I get very rare virus attachments, so I can’t prove the quality of detection, but looks fine for me.

Avast itself is a bit like the history, so I still would prefer other solutions, but most of them don’t exist any more or are EOL as they try to sell their own mail gateways, others are not daemonized and last are too expensive (per mailbox or user). We tried to partner with, but in the end it was not possible, they don’t know their own structure. However, I found a very good affordable partner and ordered through them.
 

rajeshm

thanks, for the detailed input. We are also facing the same problems as you. We block all forbidden attachments like exe etc, but the viruses embedded in word/excel docs pass through in a lot of cases.

1) Could you please also share the link of the avast antivirus version that you use and from whom you purchased ?

2) Also could you please share your experience with the antispam provided by proxmox mailgateway ?

thanks once again for your help.
 

heutger

> thanks, for the detailed input. We are also facing the same problems as you. We block all forbidden attachments like exe etc, but the viruses embedded in word/excel docs pass through in a lot of cases.
>
> 1) Could you please also share the link of the avast antivirus version that you use and from whom you purchased ?
>
> 2) Also could you please share your experience with the antispam provided by proxmox mailgateway ?
>
> thanks once again for your help.

1. https://www.antivirusedition.com/details_produit.php?p=avast_core_security_linux&lang=DE

2. There are options for improvement, I also reported feature requests therefor. However, with some tweaks it’s possible to get it working very well, check my Advancing PMG thread on what I recommend to do (for sure, lists and additions focus on German-speaking recipients, so other lists and additions like rules would work better for other countries' recipients).
 

rajeshm

the Advancing PMG thread is great, thanks a lot.

On a side note, does avast scanning take place at the smtp level and carry out a rejection even before the malware email enters the server or does it accept the email then scan it ?

thanks, rajesh
 

heutger

You're welcome.

Depends, the default setup of PMG is post-queue. I am currently trying out pre-queue as described in https://forum.proxmox.com/threads/spamassassin-before-queue-statt-post-queue-gegen-backscatter.51100/, but it also has some side effects, and I am currently not sure if I would like to accept them. However, that way it would also be possible to reject at transmission level. That's one of the hardest and loudest feature requests to Proxmox; post-queue is a bit of an outdated setup, pre-queue would be much better. It could also bring some additional great ideas like greylisting based on spam level, so the sender needs to try again only if it looks like it can be spam or ham, but neither sure spam (reject at all) nor ham (let through directly, also if the sender does not use SPF or the SPF check is disabled, which I recommend because SPF setups are often broken), so on the next try, with luck, a spammer would already be on an RBL blacklist and can be rejected directly.
 

rajeshm

yes, what you say is true. Either reject at smtp level or deliver the message to the recipient is the best option. Also once you start accepting messages that are spam then I found that spam messages keep increasing.

on a side note does the spamassassin in proxmox have image checking like fuzzy ocr ?

rajesh
 

heutger

> yes, what you say is true. Either reject at smtp level or deliver the message to the recipient is the best option. Also once you start accepting messages that are spam then I found that spam messages keep increasing.

Agree, I am currently running a separate test of rejecting spam not via milter but via smtpd proxy and am being very careful in testing. Meanwhile, after doing that for a few weeks, mail volume has increased to up to 4 times what it was before.

> on a side note does the spamassassin in proxmox have image checking like fuzzy ocr ?
>
> rajesh

I believe I remember that, looking through the version pre files, I saw such an option being available but not enabled by default in the PMG setup of SpamAssassin; however, feel free to enable it yourself. However, I'm a bit careful with such fuzzy techniques; rspamd uses them very much and doesn't provide me with the results I expected to see.
 
