Kerio Connect forum: Sophos: How to scan mailstore

kgpj

I've been afflicted with spam with a malware "system progressive protection". I believe it came with a zip file and someone opened it and got infected. Luckily, I've dealt with this before and removed it but I can't believe it wasn't caught.

We have Norton Endpoint at work, but I excluded the mailstore since this will significantly slow down Kerio. So, is there a way to scan the mailstore using the built-in Sophos? I want to do a full scan on the mailstore, not just the incoming mail, which I believe is what it's configured for, according to the admin config anyway.

We're using Kerio 7.4.1, Sophos AV is turned on and the virus db version is updated.
Vicky

Hi,

This is not possible. The Sophos plugin can only scan emails as they are processed; you cannot set it to scan a whole mailstore.

Vicky
kgpj

Thanks for the info. What would you suggest to let Endpoint run in the mailstore to scan and remove any malware/virus attachments?
Lucian Maly (Kerio)

That is highly unrecommended. If your antivirus is scanning/locking (or even removing) the same files that Kerio is accessing/expecting, you will face a whole lot of problems. As a matter of fact, we ask users to put the Kerio folder and the store folder on the antivirus exception list (so the resident shield will NOT scan those folders).

Kerio Technologies AU Pty Ltd.
jfitzell

This is an interesting issue though, particularly given Kerio's recent focus on Sophos only.

I've received numerous emails that I could tell were spam and whose attachments were probably viruses, but they had not been picked up by Kerio. I forwarded them to an online scanning service and my ISP picked them up as they bounced out along my SMTP path. ISPs use fairly lax scanners so that they don't inadvertently mess with customer emails; in other words, it's a bog-standard virus that should have been picked up by every scanner... yet Sophos didn't pick it up. Which is why the AV tests that I've seen have never ranked Sophos terribly highly relative to the other big-name players like F-Secure etc. (or McAfee, which Kerio switched from).
TorW

To get around this, you will probably have to do what MS Exchange admins have done since the dawn of time: put the mail server behind a spam- and virus-scanning SMTP gateway. We do it for the same reasons you have: to get a "second opinion" on the virus scan.

It does not do wonders for the TCO, but it works. And as an aside and my proverbial two cents: if you have more than a mom & pop operation, the hassle of running a Kerio Connect server is rapidly approaching the constant headaches of running an MS Exchange server. Fair enough, since internet mail IS heavy machinery.
tonyswu

I've run into situations where a virus would get through Sophos on the mail server but get picked up by the Sophos I have installed on my computer. Kerio support says that the virus probably was not yet in the definitions at the time it was received on the mail server. I haven't gotten around to proving them right or wrong.
kgpj

Indeed, some still went through; maybe TorW's solution is ideal to add another layer of security. But I'm not sure if I can justify this expense to my superior.

On a side note, I know I have old malware that has been backed up, and when it's stored to the fileserver, Norton detects it and puts it in quarantine. That's why, I remember, when I did a restore it failed, since some of the archives were missing.

Would you suggest taking our mailserver down and performing a one-time scan to get rid of all the old malware in the attachments?
jfitzell

kgpj wrote on Fri, 07 December 2012 10:23
> Would you suggest taking our mailserver down and performing a one-time scan to get rid of all the old malware in the attachments?

Unfortunately I don't know the answer to that but I'd be concerned that it might corrupt the datastore somehow (for that specific email at least if not the rest of the mail).

I agree with TorW regarding multiple inspection points/products, I just liked that the plugin architecture made it easy to do this in one spot without needing something else in front.
TorW

kgpj wrote on Fri, 07 December 2012 00:23
> Indeed, some still went through; maybe TorW's solution is ideal to add another layer of security. But I'm not sure if I can justify this expense to my superior.

You can always sugar the pill by mentioning that the gateway can also function as a backup MX. We set ours up with 100% open source (Exim 4, ClamAV, SpamAssassin) on a relatively cheap server. It's far from free though.
puretech

I have also had similar emails pass through where spammers have a zip file containing an exe file attached to the email.

Surely exe files are the most suspicious files, so they should have been scanned.

But anyway, I am also thinking of an additional security layer similar to what TorW has suggested, although I will be using an external service, just because it will provide backup MX too in case our network is down, etc. Plus, because our business park is not blessed with fibre yet, we are on low bandwidth, so this will filter out most crap before it reaches us. Oh, and the good part is the price!!! Dead cheap; it will come to like 40 quid a year for one domain.
derek_500

Was this question ever answered? What is recommended to scan the existing mail store? I'm looking for a way to hunt and quarantine emails that were received before a definition file update, for example. We've been contemplating the usefulness of the Endpoint Outlook plugins and the like versus client performance. Without a way to go back and scan the entire store periodically, I'm not going to consider excluding the client's mail store from Endpoint scans!

We are already using an external MX filter, which has greatly cut down on the spam and virus reception (and massively reduced the inbound traffic to our server), but I'm sure there are still lingering attachments that should be scanned. We have a few clients that use webmail instead of Outlook, and it would be nice to see a server-side utility to scan the full store.

I would hate to take the server offline for hours at a time to do this, but it would be really nice if the integrated Sophos would look at the full mail store on a periodic basis (weekly or monthly even; it could be scheduled for off-hours so the performance hit wouldn't be noticeable).

Thanks!
My IT Indy

The solution is to use a 3rd party email scanner and then have it forward the email to your Kerio server.

-
My IT Indy
Kerio Certified Reseller and Hosted Provider
http://www.myitindy.com
derek_500

Yes, that makes sense for incoming mail, which we do. But what about existing mail? What about virus definitions released at a later time that include an update covering a file already sitting on your server? Do you just rely on client side protection and never scan your store again?
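The read-only "hunt" pass the thread keeps asking for, as an added example that is not Kerio's, Sophos's or any poster's code: it walks stored messages, reports zip attachments that wrap executables (the lure puretech describes) with a hash for later lookup, and never deletes or rewrites anything, so it can be run against an offline copy or snapshot of the store rather than the live files Kerio has open. It assumes messages are stored as individual .eml files; the executable-extension list, the sample sender and subject are constructed assumptions.

```python
import hashlib
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from pathlib import Path

# Member extensions treated as executable; this list is an assumption, not Kerio's.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}

def suspicious_zip_members(data):
    """List zip members that look executable; non-zip or corrupt data yields nothing."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if Path(n).suffix.lower() in EXECUTABLE_EXTS]
    except zipfile.BadZipFile:
        return []

def triage_message(raw):
    """Parse one RFC 822 message and report zip attachments that wrap executables."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        if not payload.startswith(b"PK"):      # cheap zip signature check, any filename
            continue
        members = suspicious_zip_members(payload)
        if members:
            findings.append({"from": msg["From"], "subject": msg["Subject"],
                             "attachment": part.get_filename(),
                             "sha256": hashlib.sha256(payload).hexdigest(),
                             "members": members})
    return findings

def triage_store(root):
    """Walk .eml files under root read-only; nothing is deleted or rewritten."""
    report = {str(p): triage_message(p.read_bytes()) for p in Path(root).rglob("*.eml")}
    return {path: hits for path, hits in report.items() if hits}

def build_sample(attachment_name, members):
    """Construct a harmless test message carrying a zip with the given member names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for m in members:
            zf.writestr(m, b"placeholder text, not an executable")
    msg = EmailMessage()
    msg["From"], msg["Subject"] = "sender@example.invalid", "Your invoice"
    msg.set_content("See attached.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename=attachment_name)
    return msg.as_bytes()
```

The report is meant to be handed to an admin who then quarantines the flagged messages in a deliberate step, which avoids the locking and silent-removal problems Lucian warns about.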