Kerio Connect forum: ClamAV actually finding any viruses?

MarkK
Who is using ClamAV and is it actually catching very much? I am running version 97.1 from oss.netfarm.it, enabled logging yesterday in both ClamAV and Kerio Debug AV messages, and even though our workstation AV is finding virus attachments to the emails, ClamAV seems to think everything is clean. Today I have enabled ClamAV's verbose logging, so we will see what happens overnight.

Anyone having better success with ClamAV?

TorW
No point in wondering. Send yourself the dummy EICAR "virus" and see if ClamAV catches it. It is supposed to. Also, is freshclam running so new AV signatures are downloaded?

We have ClamAV on our gateway, and it catches a couple of dozen malware-mails per day.

MarkK
It finds the eicar virus, but that is it, so you can see my concern. Where is your copy of it from?

gmaoret
Can you explain your procedure to install 97.1? I'm using v95...


TorW
The EICAR virus is just a harmless row of characters which most (all?) AV products recognise as a virus. It looks like this and is usually inside a file called EICAR.COM.
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*


I've had this copy lying around for years.

And your freshclam is OK?
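TorW's check (send EICAR, confirm freshclam) can also be run against clamd directly, bypassing the mail path entirely. That separates "clamd is not detecting" from "Kerio is not handing the attachment to clamd". The script below is an added example and is not code from the thread, from Kerio, or from the ClamAV project. It speaks the clamd INSTREAM protocol (the same command Kerio uses, which is why the log lines above read `instream(...)`) and assumes clamd is listening on 127.0.0.1:3310; the EICAR string is the one TorW posted. The host, port and chunk size are assumptions you may need to change.

```python
import socket
import struct

# EICAR test string, exactly as posted in the thread above (backslash escaped for Python).
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Assumed: clamd bound to the loopback TCP socket, as in the Kerio defaults
# discussed in this thread (Address 127.0.0.1, Port 3310).
CLAMD_HOST = "127.0.0.1"
CLAMD_PORT = 3310
CHUNK = 4096


def build_instream(data: bytes, chunk: int = CHUNK) -> bytes:
    """Frame `data` as a clamd INSTREAM request.

    Wire format: the command "zINSTREAM\\0", then the payload in chunks, each
    prefixed by a 4-byte big-endian length, terminated by a zero-length chunk.
    """
    out = bytearray(b"zINSTREAM\0")
    for i in range(0, len(data), chunk):
        piece = data[i:i + chunk]
        out += struct.pack("!I", len(piece)) + piece
    out += struct.pack("!I", 0)          # zero-length chunk ends the stream
    return bytes(out)


def parse_reply(reply: bytes):
    """Parse clamd's NUL-terminated reply into (status, detail).

    status is "OK", "FOUND" or "ERROR"; detail is the signature name for FOUND,
    the error message for ERROR, and None for OK.
    Replies look like "stream: OK", "stream: Eicar-Test-Signature FOUND" or
    "INSTREAM size limit exceeded. ERROR".
    """
    text = reply.rstrip(b"\0\n").decode("utf-8", "replace")
    head, sep, body = text.partition(": ")
    if not sep:                          # error replies may carry no "id: " prefix
        body = head
    if body == "OK":
        return "OK", None
    if body.endswith(" FOUND"):
        return "FOUND", body[: -len(" FOUND")]
    if body.endswith(" ERROR"):
        return "ERROR", body[: -len(" ERROR")]
    return "ERROR", body                 # anything unrecognised is treated as a failure


def scan_bytes(data: bytes, host: str = CLAMD_HOST, port: int = CLAMD_PORT, timeout: float = 30.0):
    """Submit `data` to clamd over INSTREAM and return the parsed verdict."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_instream(data))
        reply = b""
        while not reply.endswith(b"\0"):
            part = s.recv(4096)
            if not part:
                break
            reply += part
    return parse_reply(reply)


def self_test(host: str = CLAMD_HOST, port: int = CLAMD_PORT) -> bool:
    """EICAR must come back FOUND and an innocuous buffer must come back OK.

    Anything else means the scanner itself is broken (daemon, database or
    limits), regardless of what the Kerio debug log says about AV checking.
    """
    found_status, sig = scan_bytes(EICAR, host, port)
    clean_status, _ = scan_bytes(b"Hello from a harmless test message.\n", host, port)
    return found_status == "FOUND" and sig == "Eicar-Test-Signature" and clean_status == "OK"


if __name__ == "__main__":
    print("clamd self-test:", "PASS" if self_test() else "FAIL")
```

If this passes but EICAR mailed through Kerio is not caught, the problem is between Kerio and clamd (the connection options, or the attachment never being submitted), not in ClamAV's detection. If both pass, as MarkK reports, what remains is signature coverage for the specific samples, which is what the VirusTotal comparison later in the thread measures.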

MarkK
Yes, freshclam is updating fine. I'll see in a couple of hours what the log shows.

MarkK
Search the forums for the message I posted before. You need the program from oss.netfarm.it.

brandonh75
Our WatchGuard firewall catches most of the viruses that we get, but occasionally one gets through that ClamAV catches. We also use ClamSup (from http://hideout.ath.cx/clamav/) so ClamAV also works as anti-spam and catches several spam emails per day.

We have had a problem lately where KC has trouble connecting to ClamAV every couple of days. Restarting KC and ClamAV gets it working again. Not sure what's up with that yet. But when it's working it works.

MarkK
Just checked my Kerio AV Statistics, Kerio Debug log showing the AV Checking, and the ClamAV verbose logging, and no one is sending me any viruses. Though I would really like to think that, my workstation AV says otherwise.

The only virus ClamAV finds is the eicar one every time I restart ClamAV. Beyond that, ClamAV says everything is OK. I do not have any service in front of the mail server that would be filtering out the bad emails.

Which happens first? ClamAV or SpamAssassin? Is SP killing the emails first before Clam? I have my doubts.

ccjwells
I have ClamAV running on our server here and it is definitely catching viruses. It occasionally misses something, but I haven't heard any reports from my users about viruses getting through.

MarkK
What in Kerio's AntiVirus section do you have entered for the values under the options button? I don't think they would affect this, especially since Kerio is able to verify Clam is running. I have Address 127.0.0.1, IgnoreStartupErrors 0, Port 3310, and StartupTimeout 90. Those are the default settings that were there when I set this up.

Or maybe something I have in the ClamAV clam.conf file. Anyone with a setup catching things willing to share their clam.conf?

MarkK
Here is a sample from my clamd.log. The time gaps are just because I stripped out repetitive entries. According to the log, after the initial eicar virus, everything else is OK.


Wed Nov 30 13:30:57 2011 -> +++ Started at Wed Nov 30 13:30:57 2011
Wed Nov 30 13:30:57 2011 -> clamd daemon 0.97.1 (OS: win32, ARCH: x86_64, CPU: x86_64)
Wed Nov 30 13:30:57 2011 -> Log file size limited to 1048576 bytes.
Wed Nov 30 13:30:57 2011 -> Reading databases from c:\clamav\data
Wed Nov 30 13:30:57 2011 -> Not loading PUA signatures.
Wed Nov 30 13:30:57 2011 -> Bytecode: Security mode set to "TrustSigned".
Wed Nov 30 13:31:01 2011 -> Loaded 1086270 signatures.
Wed Nov 30 13:31:02 2011 -> TCP: Bound to address 127.0.0.1 on port 3310
Wed Nov 30 13:31:02 2011 -> TCP: Setting connection queue length to 200
Wed Nov 30 13:31:02 2011 -> Limits: Global size limit set to 104857600 bytes.
Wed Nov 30 13:31:02 2011 -> Limits: File size limit set to 31457280 bytes.
Wed Nov 30 13:31:02 2011 -> Limits: Recursion level limit set to 10.
Wed Nov 30 13:31:02 2011 -> Limits: Files limit set to 15000.
Wed Nov 30 13:31:02 2011 -> Archive support enabled.
Wed Nov 30 13:31:02 2011 -> Algorithmic detection enabled.
Wed Nov 30 13:31:02 2011 -> Portable Executable support enabled.
Wed Nov 30 13:31:02 2011 -> ELF support enabled.
Wed Nov 30 13:31:02 2011 -> Mail files support enabled.
Wed Nov 30 13:31:02 2011 -> OLE2 support enabled.
Wed Nov 30 13:31:02 2011 -> PDF support enabled.
Wed Nov 30 13:31:02 2011 -> HTML support enabled.
Wed Nov 30 13:31:02 2011 -> Phishing: Always checking for ssl mismatches
Wed Nov 30 13:31:02 2011 -> Self checking every 600 seconds.
Wed Nov 30 13:31:02 2011 -> Listening daemon: PID: 10808
Wed Nov 30 13:31:02 2011 -> MaxQueue set to: 100
Wed Nov 30 13:31:55 2011 -> instream(127.0.0.1@61977): Eicar-Test-Signature(44d88612fea8a8f36de82e1278abb02f:68) FOUND
Wed Nov 30 13:31:55 2011 -> instream(127.0.0.1@61977): OK
Wed Nov 30 13:41:40 2011 -> No stats for Database check - forcing reload
Wed Nov 30 13:41:40 2011 -> Reading databases from c:\clamav\data
Wed Nov 30 13:41:44 2011 -> Database correctly reloaded (1086270 signatures)
Wed Nov 30 13:49:29 2011 -> instream(127.0.0.1@62188): OK
Wed Nov 30 13:50:27 2011 -> Reading databases from c:\clamav\data
Wed Nov 30 13:50:31 2011 -> Database correctly reloaded (1086278 signatures)
Wed Nov 30 13:50:58 2011 -> instream(127.0.0.1@62187): OK
Wed Nov 30 13:51:44 2011 -> Client disconnected (FD 1388)
Wed Nov 30 13:51:44 2011 -> instream(127.0.0.1@62188): OK
Wed Nov 30 14:01:10 2011 -> SelfCheck: Database status OK.
Wed Nov 30 14:48:33 2011 -> instream(127.0.0.1@62941): OK
Wed Nov 30 14:48:33 2011 -> instream(127.0.0.1@62941): OK
Wed Nov 30 14:50:29 2011 -> Reading databases from c:\clamav\data
Wed Nov 30 14:50:33 2011 -> Database correctly reloaded (1086279 signatures)
Wed Nov 30 14:52:18 2011 -> instream(127.0.0.1@62941): OK
Wed Nov 30 14:56:06 2011 -> instream(127.0.0.1@62941): OK
Wed Nov 30 15:42:26 2011 -> SelfCheck: Database status OK.
Wed Nov 30 15:45:44 2011 -> instream(127.0.0.1@63470): OK
Wed Nov 30 19:42:28 2011 -> SelfCheck: Database status OK.
Wed Nov 30 19:48:10 2011 -> instream(127.0.0.1@49944): OK
Wed Nov 30 19:50:38 2011 -> Reading databases from c:\clamav\data
Wed Nov 30 19:50:42 2011 -> Database correctly reloaded (1086285 signatures)
Wed Nov 30 19:57:20 2011 -> instream(127.0.0.1@49944): OK
Wed Nov 30 20:01:13 2011 -> SelfCheck: Database status OK.
Thu Dec 01 01:50:14 2011 -> instream(127.0.0.1@55027): OK
Thu Dec 01 01:50:49 2011 -> Reading databases from c:\clamav\data
Thu Dec 01 01:50:53 2011 -> Database correctly reloaded (1086286 signatures)
Thu Dec 01 01:53:34 2011 -> instream(127.0.0.1@54982): OK
Thu Dec 01 01:53:34 2011 -> Client disconnected (FD 1456)
Thu Dec 01 05:00:51 2011 -> instream(127.0.0.1@57498): OK
Thu Dec 01 13:50:12 2011 -> instream(127.0.0.1@63931): OK
Thu Dec 01 13:51:18 2011 -> Reading databases from c:\clamav\data
Thu Dec 01 13:51:22 2011 -> Database correctly reloaded (1086346 signatures)
Thu Dec 01 13:52:20 2011 -> instream(127.0.0.1@63931): OK
Thu Dec 01 15:38:34 2011 -> instream(127.0.0.1@65217): OK
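The clamd.log above already answers the two questions that matter: is Kerio actually submitting streams (the `instream(...)` lines), and is freshclam delivering updates (the signature count climbing from 1086270 to 1086346 across reloads). The following is an added example, not code from the thread or from the ClamAV project: a small Python summariser for clamd.log lines in this format, run here over a constructed sample made of lines copied from MarkK's post. It counts verdicts per day, the named signatures hit, database reloads and net signature growth, so a scanner that is "OK, OK, OK" can be told apart from one that receives no streams or no updates. The line format and the optional `(md5:size)` suffix are taken from the log as posted; anything else about your log layout is an assumption.

```python
import re
from collections import Counter

# One clamd.log line: "<day> <mon> <dd> <hh:mm:ss> <yyyy> -> <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4}) -> (?P<msg>.*)$"
)
# Verdict on a stream Kerio submitted. The "(md5:size)" suffix appears only
# when clamd logs extended detection info, so it is optional.
INSTREAM_RE = re.compile(
    r"^instream\((?P<client>[^)]+)\): "
    r"(?:(?P<sig>[^\s(]+)(?:\((?P<md5>[0-9a-f]{32}):(?P<size>\d+)\))? FOUND|OK)$"
)
RELOAD_RE = re.compile(r"^Database correctly reloaded \((?P<n>\d+) signatures\)$")
LOADED_RE = re.compile(r"^Loaded (?P<n>\d+) signatures\.$")

# Constructed sample: a handful of lines copied from the clamd.log posted above.
SAMPLE_LOG = """\
Wed Nov 30 13:31:01 2011 -> Loaded 1086270 signatures.
Wed Nov 30 13:31:02 2011 -> TCP: Bound to address 127.0.0.1 on port 3310
Wed Nov 30 13:31:55 2011 -> instream(127.0.0.1@61977): Eicar-Test-Signature(44d88612fea8a8f36de82e1278abb02f:68) FOUND
Wed Nov 30 13:31:55 2011 -> instream(127.0.0.1@61977): OK
Wed Nov 30 13:49:29 2011 -> instream(127.0.0.1@62188): OK
Wed Nov 30 13:50:31 2011 -> Database correctly reloaded (1086278 signatures)
Wed Nov 30 13:50:58 2011 -> instream(127.0.0.1@62187): OK
Wed Nov 30 14:01:10 2011 -> SelfCheck: Database status OK.
Thu Dec 01 13:51:22 2011 -> Database correctly reloaded (1086346 signatures)
Thu Dec 01 15:38:34 2011 -> instream(127.0.0.1@65217): OK
"""


def summarize(lines):
    """Tally scan verdicts, signature-database loads and unclassified lines."""
    stats = {
        "scans": 0, "clean": 0, "found": Counter(), "scans_by_day": Counter(),
        "reloads": 0, "sig_counts": [], "other": 0, "unparsed": 0,
    }
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        m = LINE_RE.match(raw)
        if not m:
            stats["unparsed"] += 1          # not a clamd.log line at all
            continue
        ts, msg = m.group("ts"), m.group("msg")
        im = INSTREAM_RE.match(msg)
        if im:
            stats["scans"] += 1
            stats["scans_by_day"][ts[:10]] += 1   # "Wed Nov 30"
            if im.group("sig"):
                stats["found"][im.group("sig")] += 1
            else:
                stats["clean"] += 1
            continue
        rm = RELOAD_RE.match(msg)
        if rm:
            stats["reloads"] += 1
            stats["sig_counts"].append(int(rm.group("n")))
            continue
        lm = LOADED_RE.match(msg)
        if lm:
            stats["sig_counts"].append(int(lm.group("n")))
            continue
        stats["other"] += 1                 # SelfCheck, TCP, Limits, ... lines
    return stats


def detection_rate(stats):
    """Fraction of submitted streams that hit a signature (0.0 if no scans)."""
    if not stats["scans"]:
        return 0.0
    return sum(stats["found"].values()) / stats["scans"]


def signature_growth(stats):
    """Net signatures added between the first and last database load seen.

    Many reloads with zero growth means freshclam is not delivering updates.
    """
    counts = stats["sig_counts"]
    return counts[-1] - counts[0] if len(counts) >= 2 else 0


def sample_stats():
    """Summary of the constructed sample above."""
    return summarize(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    s = sample_stats()
    print(f"scans={s['scans']} clean={s['clean']} found={dict(s['found'])}")
    print(f"per day={dict(s['scans_by_day'])} reloads={s['reloads']} "
          f"signature growth={signature_growth(s)} rate={detection_rate(s):.3f}")
```

Run it against the full log with `summarize(open(r"c:\clamav\clamd.log"))` (the path is an assumption; use whatever LogFile points at in your clamd.conf). A large `scans` count with growing `sig_counts` and nothing but `clean` verdicts is the situation MarkK describes: the pipeline works and the samples simply are not in the database yet.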

MarkK
Update:

My ClamAV has found 4 items out of 22,500 emails.
1 copy of a Zbot, and 3 phishing emails.

So I believe my installation is functioning correctly. Apparently I must be on the bleeding edge of the viruses that we receive, since they are not in the Clam signature database. Yes, my freshclam is running and pulling updates on a very regular basis.

MarkK
For anyone following this thread:

I have kept a few copies of the virus attachments we have received, and I submit them to virustotal.com to see which AV detects it and which ones don't. Clam used to be fairly quick about recognizing new malware, but it appears to me that they have moved to the end of the pack on signature updates for new malware.

Just my personal experience...