Spam vs Virus checks order

Pavel Hruška
May 1, 2018
Hi there, I've noticed some emails with infected attachments stuck in the spam quarantine but with no virus alert being triggered, although it seems that the virus is detected by Avast (when I test it as outgoing mail it gets triggered properly).

Just wondering if there is any order between the spam checks and the AV checks, and which has precedence. On my setup I have a Virus check rule with priority 93 and a Quarantine rule with priority 63, so I would expect the virus rule to be triggered first.
 
Mails get scanned by the antivirus first (since a heuristic match is used as a 'spam score' later on): by Avast if Avast is installed, otherwise by ClamAV.
Afterwards they get passed to the rule system; if any rule has a spam object, they get scanned by SpamAssassin.

Do the logs provide some information on what triggered? Avast should log infections, and the pmg-smtp-filter also logs if a virus is found.

I hope this helps!
 
Just want to add followup to the topic.

Problem is not with PMG, but with Avast where I've noticed slight delay when new variants of viruses are detected.

In this case the mail was not detected by AV but was quarantined by the spam filters when it was received for the first time. But it was successfully detected by AV one or two days later when I tested it again by sending the same attachment out.

Our users have received more than a few Word attachments with dropper viruses that were detected by neither Avast nor ClamAV, and according to my testing using virustotal.com there was a two- or three-day delay until these files started to be detected by AVs such as Avast, AVG or Eset. So it is quite hard to fight such attacks.
 
Problem is not with PMG, but with Avast where I've noticed slight delay when new variants of viruses are detected.
That's unfortunately quite common: the AV providers also need time to find new viruses and update their definition files ...

One quite effective measure is to simply put all word/office files into quarantine - that way they can be scanned by the admin before sending them to the users.
 
One quite effective measure is to simply put all word/office files into quarantine - that way they can be scanned by the admin before sending them to the users.

Sure, but not acceptable in my environment, at least not now. I've just disabled Office macro/VBA execution where it is not required, and where it is required, users have been trained.
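The macro lockdown described in the last post, as an added example that is not part of the thread and not Proxmox's or Microsoft's code: it writes the documented Office Group Policy registry values (VBAWarnings and blockcontentexecutionfrominternet) for Word, Excel and PowerPoint and reads them back for verification. The Office version path "16.0" (Office 2016 and later), the per-user HKCU policy hive and the list of applications are assumptions; adjust them for your estate.

```powershell
# Added example, not from the thread: set and verify the Office macro policy
# (the "disable VBA execution where not required" measure from the post above).
# Assumptions: Office 2016 or later (policy path version "16.0"), per-user policy
# hive HKCU (use HKLM:\Software\Policies\... for a machine-wide setting), and the
# documented Group Policy registry values:
#   VBAWarnings                       1 = enable all macros (never use)
#                                     2 = disable all, notify user (user can re-enable)
#                                     3 = disable all except digitally signed macros
#                                     4 = disable all without notification
#   blockcontentexecutionfrominternet 1 = block macros in files marked as from the Internet
$Apps = @('Word', 'Excel', 'PowerPoint')
$OfficeVersion = '16.0'

function Get-OfficePolicyKey {
    param([Parameter(Mandatory)][string]$Application)
    "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$Application\Security"
}

function Set-OfficeMacroPolicy {
    # 4 for users who never need macros, 3 for trained users who receive signed macros.
    param(
        [Parameter(Mandatory)][ValidateSet(2, 3, 4)][int]$VbaWarnings,
        [string[]]$Applications = $Apps
    )
    foreach ($app in $Applications) {
        $key = Get-OfficePolicyKey -Application $app
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name 'VBAWarnings' -PropertyType DWord `
            -Value $VbaWarnings -Force | Out-Null
        New-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' -PropertyType DWord `
            -Value 1 -Force | Out-Null
    }
}

function Get-OfficeMacroPolicy {
    # Reads the policy values back so the result can be checked (e.g. from a logon script).
    param([string[]]$Applications = $Apps)
    $labels = @{ 1 = 'enable all (unsafe)'; 2 = 'disable, notify'; 3 = 'signed only'; 4 = 'disable, no notification' }
    foreach ($app in $Applications) {
        $key = Get-OfficePolicyKey -Application $app
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        $vba = 'not set (user Trust Center setting applies)'
        if ($null -ne $props.VBAWarnings) {
            $vba = "$($props.VBAWarnings) ($($labels[[int]$props.VBAWarnings]))"
        }
        $blocked = 'no'
        if ($props.blockcontentexecutionfrominternet -eq 1) { $blocked = 'yes' }
        [pscustomobject]@{
            Application       = $app
            VBAWarnings       = $vba
            BlockFromInternet = $blocked
        }
    }
}

# Usage: lock macros down for this user, then verify.
Set-OfficeMacroPolicy -VbaWarnings 4
Get-OfficeMacroPolicy | Format-Table -AutoSize
```

Because the values live under the Policies hive, users cannot override them in the Trust Center; at scale the same settings are normally pushed via Group Policy with the Office ADMX templates, and this script is mainly useful for testing or for machines outside a domain.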
 