Proxmox is not blocking any emails with viruses.

C

corianito

Well-Known Member
Jul 20, 2019
46
0
46
38
Forgive the translation, I use a translator.

I just installed the gateway a few days ago, but it's letting all the virus emails pass. They are .doc files. I think the virus is called:

Doc.Downloader.Emotet. I've seen it in a single email that did stop:

https://i.gyazo.com/6a4a12150ce400c10994c58f2842086e.png
6a4a12150ce400c10994c58f2842086e.png


Is there anything else I need to configure for the gateway to block viruses? I'm totally new to this tool.

Greetings!
 
I just saw Avast, it's too expensive an option.

I'm still a bit new to the system. Is it enough to block .doc with this rule that I've added or is it somewhere else?

89ba6410cea170aea8d379ee7ddffe40.png


Greetings!
 
The link shows that they support Debian 6.0. We are already on Debian 10.

So I doubt that is is good option.

If cannot afford AVAST, just go with ClamAV and do strict blocking via the rule system. And also use good virus scanner on your Desktop OS and optionally on your mail server.
 
corianito said:
Forgive the translation, I use a translator.

I just installed the gateway a few days ago, but it's letting all the virus emails pass. They are .doc files. I think the virus is called:

Doc.Downloader.Emotet. I've seen it in a single email that did stop:

https://i.gyazo.com/6a4a12150ce400c10994c58f2842086e.png
6a4a12150ce400c10994c58f2842086e.png


Is there anything else I need to configure for the gateway to block viruses? I'm totally new to this tool.

Greetings!
Click to expand...

ClamAV is an open source project so the detection rate may not work as fast or best compare to others paid AV services.
I am using clamav too but there are way to make it work or improve the detection rate. Below are my advise.

1. Quarantine all macros enabled doc or dangerous attachment. Use content type filter or match filename in what object.
2. Quarantine all email from unknown or unsafe senders. Use regex or domain filter in who object.
3. Inspect the attachment with online scanner https://virusscan.jotti.org/.
4. If the attachment is consider dangerous and ClamAV did not detect it, make a report to ClamAV https://www.clamav.net/reports/malware.

In time the ClamAV detection rate will improve due to your report afford. Enable DNSBL (must), Reject Unknown Clients, Reject unknown senders and SMTP Help checks (optional) help to reject/defer suspicious mails thus reduce your spam/virus mails.
Btw, educate users not to open suspicious emails with attachement will help too.
 
I have made different configurations, the .docs are blocked by the filter. But I still think that something is not right. Clamav doesn't detect any file as a virus, all .docs end up in the quarantine of anti-spam filter attachments.

I have already reported a .doc file to clamav several times.

Attach one here.

Do I have to configure anything else in PMG? You only detected one file once and were the first to install the system, you didn't detect any more.
 
Try scan the docs files via https://virusscan.jotti.org/, it use clamav as one of it AV engine. If it cannot detect mean ClamAV have not recognize it as virus/malware. That why I recommend you to submit a report to ClamAV.
Yes, it is not perfect but since ClamAV is open-source and free, it is one of the trade off of using it.

Btw, you can add custom ClamAV custom virus definition/signature from 3rd party vender. Add below to your /etc/pmg/templates/freshclam.conf.in. It may help. There are other ClamAV custom signature out there, double check their term of usage and it may help to improve virus detection rate.

DatabaseCustomURL http://cdn.malware.expert/malware.expert.ndb
DatabaseCustomURL http://cdn.malware.expert/malware.expert.hdb
DatabaseCustomURL http://cdn.malware.expert/malware.expert.ldb
DatabaseCustomURL http://cdn.malware.expert/malware.expert.fp
Click to expand...

https://forum.netgate.com/topic/102819/alternate-definitions-for-clamav/9
https://www.mailborder.com/ops/sigs/
 
I have just discovered on that website, that some files, clamav has detected it as a virus, but the vast majority have not, I have been reporting.

The case is as follows. How is it possible that neither the one who has detected clamav as a virus on that website, PMG is not detecting it as a virus?

Btw, you can add custom ClamAV custom virus definition/signature from 3rd party vender. Add below to your /etc/pmg/templates/freshclam.conf.in.
Click to expand...

I've been looking at the server and I don't have such a route, I get here:

95835fa118cccda2c30408d37eda8a52.png


Do I have to create it next to the file?
 
I already found the file inside the /etc/clamav folder.

Now updating Clamav shows this:

Is that correct?

ClamAV update process started at Thu Dec 5 12:01:48 2019
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Local version: 0.101.4 Recommended version: 0.102.1
DON'T PANIC! Read https://www.clamav.net/documents/upgrading-clamav
malware.expert.ndb is up to date (version: custom database)
malware.expert.hdb is up to date (version: custom database)
malware.expert.ldb is up to date (version: custom database)
malware.expert.fp is up to date (version: custom database)
main.cvd is up to date (version: 59, sigs: 4564902, f-level: 60, builder: sigmgr)
daily.cvd is up to date (version: 25654, sigs: 2029534, f-level: 63, builder: raynman)
safebrowsing.cvd is up to date (version: 49191, sigs: 2213119, f-level: 63, builder: google)
bytecode.cvd is up to date (version: 331, sigs: 94, f-level: 63, builder: anvilleg)
TASK OK
Click to expand...
 
corianito said:
I have just discovered on that website, that some files, clamav has detected it as a virus, but the vast majority have not, I have been reporting.

The case is as follows. How is it possible that neither the one who has detected clamav as a virus on that website, PMG is not detecting it as a virus?



I've been looking at the server and I don't have such a route, I get here:

95835fa118cccda2c30408d37eda8a52.png


Do I have to create it next to the file?
Click to expand...

PMG use ClamAV as default virus scanner. If ClamAV not detect the virus, you either report the case to ClamAV or use a commercial AV that have better detection rate.

Pls read PMG custom configuration https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#pmgconfig_template_engine
 
corianito said:
I already found the file inside the /etc/clamav folder.

Now updating Clamav shows this:

Is that correct?
Click to expand...

Yes, make sure you add the DatabaseCustomURL to /etc/pmg/templates/freshclam.conf.in or else the setting will not be permenant after reboot.
 
You must log in or register to reply here.

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Quick Navigation

Home Get Subscription Wiki Downloads Proxmox Customer Portal About

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!
Community platform by XenForo® © 2010-2024 XenForo Ltd.
Top Bottom
Back