Kerio Connect forum: Malware and trojan
benodilo (Messages: 76, Karma: 0)
Hello,

The antivirus integrated with KMS works fine with viruses.

But for some time now the infected mails have contained trojans and malware.

So the McAfee embedded with KMS is out of. No?

Best regards.
freakinvibe (Messages: 1553, Karma: 62)
McAfee should clear everything as long as it is an infected attachment (virus/trojan/malware/worm). But nowadays most threats arrive in the form of internet links, and KMS McAfee does not protect against that.

But SURBL should help against bad links (part of the built-in SpamAssassin).

[Updated on: Tue, 29 September 2009 14:53]


Dexion AG - The Blackberry Specialists in Switzerland
https://dexionag.ch
benodilo (Messages: 76, Karma: 0)
Yes, I know. But my users don't speak English and don't open English mail. So I think the malware is attached to the mail.

Are you sure the McAfee engine used by KMS knows malware/trojans?

We have changed the anti-virus on the desktops from McAfee 7 to Norton Enterprise 11 and wow!!! Almost all PCs were infected...
freakinvibe (Messages: 1553, Karma: 62)
The problem is that McAfee are not the quickest in updating their signatures. Also see this link here:

http://home.mcafee.com/VirusInfo/Default.aspx

You can see that it catches viruses and trojans.

kkesler (Messages: 33, Karma: 0)
We are seeing tons of zip attachments with TR/Crypt.ZPACK.Gen Trojan infections coming through the Kerio server intact. The desktop antivirus is catching them.
freakinvibe (Messages: 1553, Karma: 62)
What AV solution are you using? The built-in McAfee AV?

If so, is it up to date? If so, does it work for other viruses? (Check statistics)

kkesler (Messages: 33, Karma: 0)
freakinvibe wrote on Wed, 04 November 2009 02:38:
"What AV solution are you using? The built-in McAfee AV?
If so, is it up to date? If so, does it work for other viruses? (Check statistics)"

Yes, built-in McAfee. It is up to date, and yes, it is finding other viruses.
freakinvibe (Messages: 1553, Karma: 62)
Is your Desktop Virus Scanner Avira? The TR/Crypt.ZPACK.Gen seems to be a heuristic detection, see:

http://www.avira.com/en/threats/section/fulldetails/id_vir/4487/tr_crypt.zpack.gen.html

"A generic detection routine designed to detect common family characteristics shared in several variants.

This special detection routine was developed in order to detect unknown variants and will be enhanced continuously."

So this is not a signature based detection. McAfee will probably never find it. Have you checked the contents of the zip file? Is it probably a false positive?

kkesler (Messages: 33, Karma: 0)
Yes, Avira. That description is an umbrella for a family of trojans.

We are getting dozens of zip files coming in from fictional addresses with "See my pics", "here is your password", etc. for a message and a zip file attachment, so I don't think they are false positives.

No, I haven't opened one. I'd be glad to forward one to you if you like.


freakinvibe (Messages: 1553, Karma: 62)
Don't send it to me but send it to

http://www.virustotal.com

which will test your virus with 41 AV solutions. Example for the EICAR test virus:

Antivirus 	Version 	Last Update 	Result
a-squared 	4.5.0.41 	2009.11.05 	EICAR-ANTIVIRUS-TESTFILE!IK
AhnLab-V3 	5.0.0.2 	2009.11.05 	EICAR_Test_File
AntiVir 	7.9.1.53 	2009.11.04 	Eicar-Test-Signature
Antiy-AVL 	2.0.3.7 	2009.11.05 	AVTEST/EICAR.ETF
Authentium 	5.2.0.5 	2009.11.05 	EICAR_Test_File
Avast 	4.8.1351.0 	2009.11.04 	EICAR Test-NOT virus!!!
AVG 	8.5.0.423 	2009.11.05 	EICAR_Test
BitDefender 	7.2 	2009.11.05 	EICAR-Test-File (not a virus)
CAT-QuickHeal 	10.00 	2009.11.05 	EICAR Test File
ClamAV 	0.94.1 	2009.11.05 	Eicar-Test-Signature
Comodo 	2846 	2009.11.05 	Teststring.Eicar
DrWeb 	5.0.0.12182 	2009.11.05 	EICAR Test File (NOT a Virus!)
eSafe 	7.0.17.0 	2009.11.04 	EICAR Test File
eTrust-Vet 	35.1.7103 	2009.11.04 	the EICAR test string
F-Prot 	4.5.1.85 	2009.11.04 	EICAR_Test_File
F-Secure 	9.0.15370.0 	2009.11.04 	EICAR_Test_File
Fortinet 	3.120.0.0 	2009.11.05 	EICAR_TEST_FILE
GData 	19 	2009.11.05 	EICAR-Test-File
Ikarus 	T3.1.1.74.0 	2009.11.05 	EICAR-ANTIVIRUS-TESTFILE
Jiangmin 	11.0.800 	2009.11.05 	EICAR-Test-File
K7AntiVirus 	7.10.888 	2009.11.04 	Eicar-Test-File
Kaspersky 	7.0.0.125 	2009.11.05 	EICAR-Test-File
McAfee 	5792 	2009.11.04 	EICAR test file
McAfee+Artemis 	5792 	2009.11.04 	EICAR test file
McAfee-GW-Edition 	6.8.5 	2009.11.05 	Virus.Eicar-Test-Signature
Microsoft 	1.5202 	2009.11.05 	Virus:DOS/EICAR_Test_File
NOD32 	4574 	2009.11.04 	Eicar test file
Norman 	6.03.02 	2009.11.04 	EICAR_Test_file_not_a_virus!
nProtect 	2009.1.8.0 	2009.11.05 	EICAR-Test-File
Panda 	10.0.2.2 	2009.11.04 	EICAR-AV-TEST-FILE
PCTools 	7.0.3.5 	2009.11.05 	EICAR_Test_File
Prevx 	3.0 	2009.11.05 	Low Risk Test Virus
Rising 	21.54.30.00 	2009.11.05 	EICAR-Test-File
Sophos 	4.47.0 	2009.11.05 	EICAR-AV-Test
Sunbelt 	3.2.1858.2 	2009.11.05 	EICAR (v)
Symantec 	1.4.4.12 	2009.11.05 	EICAR Test String
TheHacker 	6.5.0.2.061 	2009.11.05 	EICAR_Test_File
TrendMicro 	9.0.0.1003 	2009.11.05 	Eicar_test_file
VBA32 	3.12.10.11 	2009.11.04 	EICAR-Test-File
ViRobot 	2009.11.5.2022 	2009.11.05 	EICAR-test
VirusBuster 	4.6.5.0 	2009.11.04 	EICAR_test_file

kkesler (Messages: 33, Karma: 0)
I was joking about sending it to you.

That is a neat site. Results from a .zip that came through this morning, McAfee didn't pick it up.

http://www.virustotal.com/analisis/7c90dcaac20ffddc99f7e219a11ed785e4c9c16ca9d043d9e972f6a90d8b5157-1257424440

Result: 29/41 (70.73%)

Antivirus Version Last Update Result
a-squared 4.5.0.41 2009.11.05 -
AhnLab-V3 5.0.0.2 2009.11.05 -
AntiVir 7.9.1.53 2009.11.05 TR/Spy.ZBot.gah
Antiy-AVL 2.0.3.7 2009.11.05 Trojan/Win32.Zbot.gen
Authentium 5.2.0.5 2009.11.05 W32/Bifrost.C.gen!Eldorado
Avast 4.8.1351.0 2009.11.05 Win32:Malware-gen
AVG 8.5.0.423 2009.11.05 PSW.Generic7.APIE
BitDefender 7.2 2009.11.05 Trojan.Spy.Zbot.CGG
CAT-QuickHeal 10.00 2009.11.05 TrojanSpy.Zbot.gen
ClamAV 0.94.1 2009.11.05 Trojan.Zbot-6303
Comodo 2848 2009.11.05 TrojWare.Win32.TrojanSpy.Zbot.Gen
DrWeb 5.0.0.12182 2009.11.05 Trojan.Proxy.7778
eSafe 7.0.17.0 2009.11.04 Win32.TRCrypt.XPACK
eTrust-Vet 35.1.7103 2009.11.04 -
F-Prot 4.5.1.85 2009.11.04 W32/Bifrost.C.gen!Eldorado
F-Secure 9.0.15370.0 2009.11.04 -
Fortinet 3.120.0.0 2009.11.05 W32/Zbot!tr
GData 19 2009.11.05 Trojan.Spy.Zbot.CGG
Ikarus T3.1.1.74.0 2009.11.05 Trojan-Spy.Win32.Zbot
Jiangmin 11.0.800 2009.11.05 -
K7AntiVirus 7.10.888 2009.11.04 -
Kaspersky 7.0.0.125 2009.11.05 Trojan-Spy.Win32.Zbot.gen
McAfee 5792 2009.11.04 -
McAfee+Artemis 5792 2009.11.04 Artemis!A243C4AD0351
McAfee-GW-Edition 6.8.5 2009.11.05 Trojan.Spy.ZBot.gah
Microsoft 1.5202 2009.11.05 PWS:Win32/Zbot.gen!R
NOD32 4575 2009.11.05 Win32/Spy.Zbot.UN
Norman 6.03.02 2009.11.05 W32/Zbot.DBB
nProtect 2009.1.8.0 2009.11.05 -
Panda 10.0.2.2 2009.11.04 Trj/Sinowal.DW
PCTools 7.0.3.5 2009.11.05 Trojan.Zbot
Prevx 3.0 2009.11.05 -
Rising 21.54.33.00 2009.11.05 -
Sophos 4.47.0 2009.11.05 Mal/EncPk-LE
Sunbelt 3.2.1858.2 2009.11.05 Trojan-Spy.Win32.Zbot.gen
Symantec 1.4.4.12 2009.11.05 Trojan.Zbot!gen2
TheHacker 6.5.0.2.061 2009.11.05 Trojan/Spy.Zbot.gen
TrendMicro 9.0.0.1003 2009.11.05 TSPY_ZBOT.WKLA
VBA32 3.12.10.11 2009.11.04 Trojan-Spy.Win32.Zbot.3
ViRobot 2009.11.5.2023 2009.11.05 -
VirusBuster 4.6.5.0 2009.11.04 -
Additional information
File size: 77451 bytes
MD5 : f52b8712cb4740e10b94fa4891be1b0f
SHA1 : fab78503267e0ea0cd7c3e906a781c70390edd14
SHA256: 7c90dcaac20ffddc99f7e219a11ed785e4c9c16ca9d043d9e972f6a90d8b5157
TrID : File type identification
ZIP compressed archive (100.0%)
ssdeep: 1536:9XJ4EoBx3aPVAlOBjRYrXYx+BzdwDS6d1YbOiLNZKhdzJQGOUFV9T:cdKPVoCYr5ZqnmNGnBT
PEiD : -
RDS : NSRL Reference Data Set
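An added example, not code from the thread, Kerio or VirusTotal: a small parser for a result table like the one above that computes the detection ratio, lists the engines that returned nothing, and normalises the vendor labels to show which family name the detecting engines agree on. The rows are an excerpt copied from the post, and GENERIC_TOKENS is a hand-picked vocabulary of type/platform/heuristic words (an assumption, not a vendor standard).

```python
import re
from collections import Counter

# Excerpt of the VirusTotal result table posted above (vendor, version,
# last update, result); copied from the post, not the full 41-engine list.
SCAN_ROWS = """\
a-squared 4.5.0.41 2009.11.05 -
AntiVir 7.9.1.53 2009.11.05 TR/Spy.ZBot.gah
Authentium 5.2.0.5 2009.11.05 W32/Bifrost.C.gen!Eldorado
Avast 4.8.1351.0 2009.11.05 Win32:Malware-gen
McAfee 5792 2009.11.04 -
McAfee+Artemis 5792 2009.11.04 Artemis!A243C4AD0351
Microsoft 1.5202 2009.11.05 PWS:Win32/Zbot.gen!R
Symantec 1.4.4.12 2009.11.05 Trojan.Zbot!gen2
TrendMicro 9.0.0.1003 2009.11.05 TSPY_ZBOT.WKLA
"""

# Assumed vocabulary: words that describe type, platform or a heuristic/cloud
# verdict rather than a malware family.
GENERIC_TOKENS = {"trojan", "trojware", "spy", "trojanspy", "tspy", "trj", "pws",
                  "psw", "mal", "malware", "generic", "gen", "heur", "crypt", "encpk",
                  "packed", "win", "artemis", "eldorado", "virus"}

def parse_rows(text):
    """Split the whitespace-separated table into (vendor, result) pairs."""
    rows = []
    for line in text.splitlines():
        parts = line.split(None, 3)          # result column may contain spaces
        if len(parts) == 4:
            rows.append((parts[0], parts[3]))
    return rows

def detection_summary(rows):
    """Return (hits, total, formatted) in the same shape VirusTotal prints."""
    hits = sum(1 for _, result in rows if result != "-")
    return hits, len(rows), f"{hits}/{len(rows)} ({100 * hits / len(rows):.2f}%)"

def missed_by(rows):
    """Vendors whose engine returned no detection for this sample."""
    return [vendor for vendor, result in rows if result == "-"]

def family_of(result):
    """Best-effort family name: first alphabetic token that is not generic noise."""
    for tok in re.findall(r"[A-Za-z]{3,}", result):
        if tok.lower() not in GENERIC_TOKENS:
            return tok.lower()
    return None                               # e.g. Artemis!<hash>: heuristic only

def family_consensus(rows):
    """How many detecting engines agree on each normalised family name."""
    return Counter(fam for _, res in rows if res != "-"
                   for fam in (family_of(res),) if fam)
```

On the excerpt this yields 7/9 with a-squared and McAfee missing, four engines naming Zbot and one Bifrost; labels such as Win32:Malware-gen and Artemis!<hash> carry no family and are counted as hits but not as a vote.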
freakinvibe (Messages: 1553, Karma: 62)
McAfee doesn't pick it up. That is not Kerio's fault. That's why some products (like Micro$oft's Forefront) use multiple AV engines. In KMS, you can only choose one.

If you are not happy with the McAfee engine, you can choose another one in KMS.
