Kerio User Forums » Kerio Connect » Why does Kerio never seem to stop Zipped viruses?
phil_w (Messages: 82, Karma: 1)
We constantly get spam through containing .zip attachment viruses but Kerio is configured to stop these?

It takes the desktop version of Sophos to spot it on the client machines. For example, from just now, here's the report from Sophos on my MacBook...

Event description: Malware not cleaned up: 'Troj/HkMain-AY' at '/Users/xx/Library/Mail/V2/ExchangeIMAP-xx/Public Folders.mbox/Info and Enquiries.mbox/4072A343-E9D4-47C3-9694-8E4B7C1CD48C/Data/3/7 /1/1/Attachments/1173794/2/INV211457.zip'
Severity: High


Surely this should be dealt with by the mail server?

Anyone out there thinking the same?

Cheers
ralf.huwald (Messages: 6, Karma: 1)
Same problem here.

I discussed this problem with our dealer. He said it is a problem of the scanner, which does not have the same functionality as other desktop scanners. There is something missing, like a heuristic search or so...

I set up Kerio Connect to filter attachments like *.zip and to forward these emails to another internal postbox. Most spam we receive contains some *.zip files with viruses in them.

When I open my Apple Mail app, my personal virus scanner (also Sophos) recognizes these spam mails as a virus.

I don't know how other mail servers handle zip attachments; a good way would be for Kerio Connect to unzip the attachment(s) and after that filter attachments like *.exe, etc...

Ralf
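Ralf's suggestion above, opening zip attachments on the server and rejecting executable content, as an added example that is not part of this thread and not Kerio's or Sophos's code: a standard-library Python script that walks a message's attachments, lists zip members from the central directory without inflating them, and flags executable members, encrypted members (which no scanner can inspect) and nested zips. The extension deny-list and the sample mail are constructed.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Constructed deny-list of extensions that should never travel inside a zip
# attachment; a double extension such as "INV.pdf.exe" still ends in ".exe".
EXEC_EXT = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".jar")
MAX_DEPTH = 3  # stop descending into zip-in-zip after this many levels

def suspicious_members(data, depth=0):
    """List findings for a zip given as bytes. Only the central directory is
    read; nothing is decompressed except nested zips, up to MAX_DEPTH."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a valid zip (possibly a disguised payload)"]
    for info in zf.infolist():
        name, low = info.filename, info.filename.lower()
        encrypted = bool(info.flag_bits & 0x1)  # bit 0 = member is encrypted
        if encrypted:
            findings.append(f"{name}: encrypted, cannot be scanned")
        if low.endswith(EXEC_EXT):
            findings.append(f"{name}: executable content")
        elif low.endswith(".zip") and not encrypted and depth < MAX_DEPTH:
            inner = suspicious_members(zf.read(info), depth + 1)
            findings += [f"{name}/{f}" for f in inner]
    return findings

def check_message(raw):
    """Walk an RFC 822 message; return {attachment filename: findings} for zips."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    report = {}
    for part in msg.iter_attachments():
        fname = part.get_filename() or "<unnamed>"
        if fname.lower().endswith(".zip") or part.get_content_type() == "application/zip":
            report[fname] = suspicious_members(part.get_payload(decode=True))
    return report

def build_sample():
    """Constructed test mail: a zip holding a fake .exe (not a real binary)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("INV211457.pdf.exe", b"MZ constructed placeholder")
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "sender@example.com", "me@example.com", "Invoice"
    m.set_content("Please see the attached invoice.")
    m.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="INV211457.zip")
    return m.as_bytes()
```

Run `check_message(build_sample())` to see the report for the constructed mail; feed it the raw bytes of a real message (or hook it into a content filter) to apply the same check on delivery.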
maxfontana (Messages: 49, Karma: 0)
Personally I consider the integrated AV in Kerio absolutely useless. It's been working for 12 months now and it never stopped a single virus!!!
I don't rely on it anymore. Luckily the combination of a WatchGuard XTM525 in front of it and Webroot installed on my LAN's PCs is working a bit better....
Lukas Petrlik (Kerio) (Messages: 117, Karma: 7)
phil_w wrote on Tue, 16 September 2014 11:01
Event description: Malware not cleaned up: 'Troj/HkMain-AY' at '/Users/xx/Library/Mail/V2/ExchangeIMAP-xx/Public Folders.mbox/Info and Enquiries.mbox/4072A343-E9D4-47C3-9694-8E4B7C1CD48C/Data/3/7 /1/1/Attachments/1173794/2/INV211457.zip'

Protection against this threat became available on our server on 13 Sep 2014 11:03 UTC.

When did the infected email arrive? At what time was the nearest AV update performed after the above-mentioned time? (AV update times can be found in the security log.)
scottwilkins (Messages: 652, Karma: 7)
Just a word of thought on this topic. Remember an anti-virus is a blacklist. If a virus is so new (hours old...) then it's most likely not to have become part of this blacklist yet. Zipping viruses is a standard now for most malicious types. So if one passes through, it's probably brand new and not yet found for placement on the blacklist. The only true security is a whitelist, and e-mail seems to be the hardest place to implement a whitelist. I only whitelist DNS web sites for my folks, through categorization groups via the router. Not all routers can do this, which is sad. The internet is extremely unfriendly, and accessing only known sites and messages is extremely important.

I would like to see Kerio step up its game by providing more info in the Kerio Client on where a message actually came from. The only way now is to "view source" from the context menu, which is EXTREMELY unfriendly. Today many viruses use social means to send forged e-mails from known recipients. And knowing where the message REALLY came from can stop these types of attacks dead in their tracks. This info should be easier to get and easier to understand.

Bottom line, don't trust anything these days. Even things you think you trust. And the more tools we have to guard ourselves the better off we'll be. I hope Kerio moves in the right direction on this.

[Updated on: Wed, 17 September 2014 14:35]

jelockwood (Messages: 41, Karma: 1)
I have to agree with the general consensus here: the version of Sophos built into Kerio Connect is useless.

Last time I checked this, I made sure that Kerio Connect was up-to-date (it was), that the Sophos definitions as reported by the Kerio Connect dashboard were up-to-date (they were) and even clicked to force another update just in case. The same zipped virus still got through with no flagging or blocking by Kerio Connect/Sophos. However Sophos on a Mac spotted it instantly.

One would expect that Sophos in Kerio Connect and Sophos on a computer get their updates from the same source and should spot the same viruses.

Considering I am effectively paying twice for Sophos, this is a rip-off. I spoke to Sophos and they said as far as they are concerned there is no problem. However, as far as I and other posters in this thread are concerned, clearly there is a problem.

I must admit I can't remember if I compared them then, but I have just now and the version of the Sophos Engine and virus database version reported in Kerio Connect and the desktop (Mac) version of Sophos are currently identical. So there is absolutely no reason why they should be so different in ability to detect viruses.

There is an option in the desktop version of Sophos to choose to scan or not scan zip files; there is no similar option in the settings in Kerio Connect. Only Kerio or maybe Sophos can tell us if the embedded Sophos does scan zip files.
Maerad (Messages: 158, Karma: 31)
Well, I just tried it with http://www.heise.de/security/dienste/Mails-mit-Viren-Dummies-777839.html .

Let them send you the zip/rar/zip with Cyrillic mails (you get a mail with a link you have to open, otherwise they won't send you the mail with the test virus).

In all cases (with debug enabled), Sophos found the viruses and deleted them. It might be that the integrated Sophos really has no heuristic scanning; that would explain why the desktop version could find new ones and the integrated one could not.

It would be nice to get an answer from Kerio as to whether that's the case. Anyway, we pay 50 € (25 users) a year for the Sophos antivirus (does anyone know if we can run ClamAV as a second virus check?). ESET Mail Security for Kerio would be 230 €/3 years or 330 €/1 year on the Kerio price (with 50 € less) ... and depending on the number of users, the price gap gets even wider.

Also I can't block zip files (employees would kill me), and in the past with SBS 2012/Exchange and heuristics, I had some bad experiences when mails were deleted because of a false positive.

I tend to see the mail server as the first antivirus test; second comes the local antivirus I need anyway, and last I actually TEACH our people here, so they can decide by themselves if it's a virus or not. Most of them are glad to learn it, because they get tons of it at home.

And the last thing I don't understand here ... if you own a Mac, why do you even CARE about it? There is a handful of Mac viruses out there, but if it's a .exe, you don't have to fear anything; it can't be run anyway.
jelockwood (Messages: 41, Karma: 1)
Ah yes, the perennial question: viruses don't affect Macs, so why worry?

(We will ignore the fact that while there are no Mac viruses there is some Mac malware.)

The answer is that while we generally don't need to worry about our own Macs, we do need to ensure we do not pass them on to poor old Windows users. If we did do so it would potentially affect our reputation with our customers.
Maerad (Messages: 158, Karma: 31)
jelockwood wrote on Mon, 29 September 2014 17:46
Ah yes, the perennial question: viruses don't affect Macs, so why worry?

(We will ignore the fact that while there are no Mac viruses there is some Mac malware.)

The answer is that while we generally don't need to worry about our own Macs, we do need to ensure we do not pass them on to poor old Windows users. If we did do so it would potentially affect our reputation with our customers.


Oh, sorry, I didn't mean it as an insult. I actually tried to be a bit funny and forgot the smiley.

I would be surprised if Sophos could really find Mac viruses/worms/whatever anyway.
jelockwood (Messages: 41, Karma: 1)
Quote:
Oh, sorry, I didn't mean it as an insult. I actually tried to be a bit funny and forgot the smiley.

I would be surprised if Sophos could really find Mac viruses/worms/whatever anyway.


I was not taking offence; it was a serious answer.
Lukas Petrlik (Kerio) (Messages: 117, Karma: 7)
jelockwood wrote on Mon, 29 September 2014 12:35
I must admit I can't remember if I compared them then, but I have just now and the version of the Sophos Engine and virus database version reported in Kerio Connect and the desktop (Mac) version of Sophos are currently identical. So there is absolutely no reason why they should be so different in ability to detect viruses.
Scan results should be the same with the same engine and virus definitions. However, there can be a difference in the time when the scan is performed with respect to when the virus definitions become available:
  1. The integrated antivirus scans emails on delivery. It may therefore happen that the infected email is delivered at a time when the definition of the virus is not yet known. The same virus can be detected later by another antivirus (or by the same antivirus, try e.g. sending the email to yourself) because its definition has become known in the meantime. (Unfortunately, the scan on the server cannot be postponed until the user actually wants to view the email.)
  2. Sophos recently added on-line queries for suspicious files to the standalone versions of their antivirus. We plan to add similar functionality in an upcoming version of Connect.

Quote:
Only Kerio or maybe Sophos can tell us if the embedded Sophos does scan zip files.
Yes, it does.
jelockwood (Messages: 41, Karma: 1)
Lukas Petrlik (Kerio) wrote on Tue, 30 September 2014 16:00

Scan results should be the same with the same engine and virus definitions. However, there can be a difference in the time when the scan is performed with respect to when the virus definitions become available:
  1. The integrated antivirus scans emails on delivery. It may therefore happen that the infected email is delivered at a time when the definition of the virus is not yet known. The same virus can be detected later by another antivirus (or by the same antivirus, try e.g. sending the email to yourself) because its definition has become known in the meantime. (Unfortunately, the scan on the server cannot be postponed until the user actually wants to view the email.)



Absolutely, if an email comes in earlier, when the embedded version has not updated, it might miss it. The point is that the desktop version of Sophos had been updated and spotted it. I then manually told Kerio to update its Sophos, and then deliberately forwarded the same infected email via our server, and Kerio/Sophos still missed it. Kerio Connect had said it successfully checked for and installed any Sophos updates.

It would seem that even though the embedded version of Sophos and the desktop version both use the same engine and database (according to the version numbers), Sophos are not providing the updates to the embedded version at the same time, and this in turn suggests that a different Sophos server provides the updates for the embedded version compared to the desktop version. (My desktop version gets updates direct from Sophos, not from an internal Sophos Enterprise Console.)

We are not talking about a time difference of minutes either; it took well over an hour, possibly several hours, before the embedded version eventually spotted this virus.

One could argue that, if anything, since the embedded version of Sophos checks emails for entire servers and email is the number one method of transmission of malware, Sophos should prioritise distributing updates to the embedded versions over the desktop versions; this would protect a greater number of users, including those with no desktop anti-virus software.
MarkK (Messages: 454, Karma: 46)
Looking over our emails that had detected malware attached, some of them were contained in zip files. I am running both the Sophos and ClamAV engines, and each of them had detected and tagged malware contained in attached zip files.