Kerio Connect forum: Sophos AV - why am I paying for this?

zebby

Messages: 233
Karma: 1
Using KC 8.4.2
In the security log:
[09/Jun/2015 14:18:04] Sophos database has been successfully updated. Sophos Scanning Engine (5.15.9242179/3.60.0.0) is now active.

27 minutes later, this message with a Word document attached sails through and gets delivered:
[09/Jun/2015 14:45:43] Recv: Queue-ID: 5576edf8-0000dd4a, Service: SMTP, From: <gulletuz58@rmc101.com>, To: <user@ourdomain.co.uk>, Size: 123843, Sender-Host: 118.200.234.95, Subject: fraudulent cc charge, Msg-Id: <WM7LHZNV.2044202<_at_>rmc101.com>

The attachment has a virus that is immediately picked up by Sophos on the client:
File "C:\Users\deuser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\GP9SZIER\statement.doc" belongs to virus/spyware 'Troj/DocDl-QI'.

According to the Sophos website this virus was first seen on June 8th so why didn't Sophos in KC pick it up?
Brian Carmichael (Kerio)

Messages: 645
Karma: 65
Make sure you are using also the Sophos Live Protection.

Brian Carmichael
Senior Technical Marketing Engineer | Kerio
Stay Connected Anytime, Anywhere. Discover Kerio Cloud!
zebby

Messages: 233
Karma: 1
I am but KC Sophos still missed it!
Brian Carmichael (Kerio)

Messages: 645
Karma: 65
If you forward the message is it now caught? Perhaps the database version on the server was not quite as up to date as on your client.

Brian Carmichael
Senior Technical Marketing Engineer | Kerio
zebby

Messages: 233
Karma: 1
It gets caught now, yes, but we're now 2 days after Sophos say they detect it!

On their website Sophos say 'protection available since June 8th at 15:15' for this virus yet nearly 24 hours after that the Sophos on KC missed it.
ComputerBudda

Messages: 104
Karma: 5
I wonder if Sophos updates the definition files of all of their products at the same time.
zebby

Messages: 233
Karma: 1
I wondered that but they are exactly the same.
The only difference seems to be KC was updated 15 minutes behind our clients (currently it is anyway)
But nearly 24 hours passed between Sophos first detecting it and KC Sophos not spotting it and passing it through, which is quite poor.
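The question running through this thread is whether a miss like this one is update lag (the server's signature database simply predated the vendor's detection) or a genuine detection failure (the database was fetched after the signature was published and still let the file through). The script below is an added example, not code from the thread or from Kerio or Sophos. It parses the two Kerio Connect log line formats quoted above, finds which database version was active when each message was received, and classifies the miss against the vendor's published detection time. The 09/Jun lines mirror the two quoted in the thread (message-id de-obfuscated); the 08/Jun lines are constructed to exercise the other branch. It assumes the vendor's "protection available since" time and the server clock are in the same time zone, which the log does not state.

```python
"""Decide whether an attachment the server-side AV let through could have
been caught: was the server's signature database, at the moment of receipt,
newer than the vendor's published detection time?"""
import re
from datetime import datetime

TS_FMT = "%d/%b/%Y %H:%M:%S"
# Timestamp prefix used by Kerio Connect log lines, e.g. "[09/Jun/2015 14:18:04]".
TS_RE = re.compile(r"^\[(\d{2}/[A-Za-z]{3}/\d{4} \d{2}:\d{2}:\d{2})\]")
UPDATE_RE = re.compile(
    r"Sophos database has been successfully updated\. "
    r"Sophos Scanning Engine \(([\d./]+)\) is now active")
RECV_RE = re.compile(
    r"Recv: Queue-ID: (\S+), Service: SMTP, From: <([^>]*)>, To: <([^>]*)>, "
    r".*?Subject: (.*?), Msg-Id:")

# Constructed sample log: the 09/Jun lines mirror the thread's quoted lines
# (message-id de-obfuscated); the 08/Jun lines are invented for illustration.
LOG_LINES = [
    "[08/Jun/2015 14:05:11] Sophos database has been successfully updated. "
    "Sophos Scanning Engine (5.15.9242100/3.60.0.0) is now active.",
    "[08/Jun/2015 16:02:10] Recv: Queue-ID: 55759a1e-0000dc01, Service: SMTP, "
    "From: <billing@example.invalid>, To: <user@ourdomain.co.uk>, Size: 120011, "
    "Sender-Host: 192.0.2.10, Subject: invoice overdue, Msg-Id: <x1@example.invalid>",
    "[09/Jun/2015 14:18:04] Sophos database has been successfully updated. "
    "Sophos Scanning Engine (5.15.9242179/3.60.0.0) is now active.",
    "[09/Jun/2015 14:45:43] Recv: Queue-ID: 5576edf8-0000dd4a, Service: SMTP, "
    "From: <gulletuz58@rmc101.com>, To: <user@ourdomain.co.uk>, Size: 123843, "
    "Sender-Host: 118.200.234.95, Subject: fraudulent cc charge, "
    "Msg-Id: <WM7LHZNV.2044202@rmc101.com>",
]

# Vendor-published detection time for Troj/DocDl-QI, as quoted in the thread.
# Assumed to be in the same time zone as the server clock (the log carries none).
SIGNATURE_AVAILABLE = datetime(2015, 6, 8, 15, 15)


def parse_ts(line):
    m = TS_RE.match(line)
    return datetime.strptime(m.group(1), TS_FMT) if m else None


def parse_updates(lines):
    """Return [(time, engine/database version)] for successful AV updates, sorted."""
    found = []
    for line in lines:
        m = UPDATE_RE.search(line)
        if m:
            found.append((parse_ts(line), m.group(1)))
    return sorted(found)


def parse_receipts(lines):
    """Return one dict per SMTP 'Recv' line."""
    found = []
    for line in lines:
        m = RECV_RE.search(line)
        if m:
            found.append({"time": parse_ts(line), "queue_id": m.group(1),
                          "from": m.group(2), "to": m.group(3), "subject": m.group(4)})
    return found


def database_at(when, updates):
    """Last successful update at or before `when`, or None if there was none."""
    prior = [u for u in updates if u[0] <= when]
    return prior[-1] if prior else None


def assess(receipt, updates, signature_available):
    """Classify a delivered message that a client AV later flagged.

    'signature-not-yet-pulled': the server's database predates the signature,
        so the miss is update lag rather than a detection failure.
    'true-miss': the database was fetched after the signature was published
        and the engine still let the attachment through.
    """
    db = database_at(receipt["time"], updates)
    if db is None:
        return {"verdict": "no-update-seen", "db_version": None, "db_age": None}
    db_time, version = db
    verdict = "signature-not-yet-pulled" if db_time < signature_available else "true-miss"
    return {"verdict": verdict, "db_version": version, "db_age": receipt["time"] - db_time}


def first_update_after(when, updates):
    """How long after `when` the server first pulled a database update."""
    later = [u for u in updates if u[0] >= when]
    return (later[0][0] - when) if later else None


if __name__ == "__main__":
    updates = parse_updates(LOG_LINES)
    for r in parse_receipts(LOG_LINES):
        a = assess(r, updates, SIGNATURE_AVAILABLE)
        print(f"{r['queue_id']} {r['subject']!r}: {a['verdict']} "
              f"(db {a['db_version']}, {a['db_age']} old at receipt)")
    print("first update after signature publication:",
          first_update_after(SIGNATURE_AVAILABLE, updates))
```

For the thread's own message the verdict is "true-miss": the server had pulled a database 23 hours after the vendor's stated detection time and 27 minutes before the message arrived, so a short update interval would not have changed the outcome. The constructed 08/Jun message shows the other case, where the only honest answer is that the server could not have known about the signature yet. Run it against a real security log and mail log concatenated together; both formats carry the same bracketed timestamp prefix.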
vomsupport

Messages: 127
Karma: 2
What interval have you set to check for updates?
zebby

Messages: 233
Karma: 1
valshare

Messages: 79
Karma: 0
I am in the same boat. Often KC with Sophos and Live Protection still misses a virus. ESET Security is installed on the clients and saves us. Both are updated every hour.
j.a.duke

Messages: 347
Karma: 10
Honestly, I felt far more secure when ClamAV was still an option for Kerio to use.

The hit rate seemed to be better and it often caught things that weren't viruses per se, but still should be stopped.

I'd absolutely love to run ClamAV again on our Mac-based Kerio install, but that doesn't seem to be a priority. Apparently Kerio has made available Linux & Windows plug-ins, but not Mac.

Cheers,
Jon
Radek Sip (Kerio)

Messages: 1319
Karma: 48
Antivirus SDK for Kerio Products

The SDK includes a public API that can be used to write plugins for third-party antivirus solutions, together with sample plugin source code, ClamAV® plugin source code, and testing binaries. Linux is the supported platform, both for development and as the deployment target.

If you want to start using the plugin now and skip compilation, we have prepared the Linux plugin in binary form directly for download. Do not worry if you use Windows. Our community took care of it and created the necessary DLL file.
zebby

Messages: 233
Karma: 1
Radek Sip (Kerio) wrote on Tue, 16 June 2015 14:44
Antivirus SDK for Kerio Products

The SDK includes a public API that can be used to write plugins for third-party antivirus solutions, together with sample plugin source code, ClamAV® plugin source code, and testing binaries. Linux is the supported platform, both for development and as the deployment target.

If you want to start using the plugin now and skip compilation, we have prepared the Linux plugin in binary form directly for download. Do not worry if you use Windows. Our community took care of it and created the necessary DLL file.

So this is the solution to the integrated Sophos failing?
Radek Sip (Kerio)

Messages: 1319
Karma: 48
j.a.duke: see this page, in the discussion is how to use ClamAV plugin with OS X. (functionality not tested)
https://www.kerstner.at/en/2013/01/clamav-plugin-for-kerio-connect-8-and-higher/
j.a.duke

Messages: 347
Karma: 10
Radek Sip (Kerio) wrote on Tue, 16 June 2015 10:46
j.a.duke: see this page, in the discussion is how to use ClamAV plugin with OS X. (functionality not tested)
https://www.kerstner.at/en/2013/01/clamav-plugin-for-kerio-connect-8-and-higher/


Radek,

Thank you for nudging me to check that.

The comment you reference was in response to my comment, but I haven't checked the page since I made that comment.

I will try the process and report back, both there and here with my results.

Again, thanks for seeing that and posting it here.

Cheers,
Jon