Antivirus Scanning
  •  
iigs

Just recently, I have noticed that the Symantec Antivirus scheduled scan on the Windows server that holds our backup files from KMS has been picking up viruses in the mailstore backup. We do have the integrated Antivirus (the KMS runs on OSX), but this doesn't seem to have picked them up.

Is this normal behaviour, and is there a way to run a scan on the mailstore?

thanks,
  •  
winkelman

I've had Symantec incorrectly finding trojan horses before. It would report a virus, where there REALLY was none. See what happens if you scan the store with another AV product. You can for example put Portable ClamAV (http://portableapps.com/apps/utilities/clamwin_portable) on a USB stick and scan with that.

Be aware that letting anything other than KMS change the store corrupts it, so you should then reindex etc.
  •  
sedell

By integrated, I assume you mean McAfee. This is why we got away from the built-in McAfee. It can happen with any AV scanner that a virus gets through before the definition files get updated to catch a specific virus, but it happened too often with McAfee. They are too slow to get updates out. That, combined with no heuristic scanning ability, let a number of nasty ones through the mail server on more than one occasion. Fortunately our desktop scanners caught them before they could do any damage to any systems.

Scott
  •  
winkelman

Notwithstanding the issues with McAfee, I have had it happen several times that Symantec found viruses where there were none... So I would still be very cautious with concluding that there indeed are viruses in the TS store, because Symantec says so. I would like to see it confirmed by other AV scanners.
  •  
iigs

It seems the messages that Symantec claims are infected were copied to the server by one of our Mac users from their old POP box. Out of interest, does the integrated McAfee only scan incoming messages?

I have tried scanning a copy of the store with ClamWin, but it finds nothing.

I've seen Symantec go haywire on other platform mail stores before, but it usually claims more or less the whole store is infected. In my case Symantec is only claiming certain messages in one specific folder are infected.

With the user being a Mac user, with no local AV, it's just making me a little paranoid, plus I've had this exact setup for a few months now and our weekend scan has never picked anything up before.

many thanks for replying,

[Updated on: Fri, 18 August 2006 13:24]

  •  
iigs

Just tried scanning with BitDefender and AVG. They both report the same infections on the mail store, so it would seem the integrated McAfee isn't scanning messages copied in to the mailstore over IMAP.

Could someone from Kerio confirm this please?

[Updated on: Mon, 21 August 2006 12:36]

  •  
sedell

No. It only scans incoming SMTP. It would create a huge load on the server to scan every message as it's moved, copied, read, etc. That's usually the job of the client AV scanner to scan mail as it's accessed.

Scott
  •  
guig

Hi !

I assume that the option "Archive message before antivirus ..." in the "Backup" section is not checked ?
Probably a stupid question but ... ;-)

[Updated on: Mon, 21 August 2006 15:19]

  •  
Kerio_ktrumbull

We scan both incoming and outgoing SMTP traffic. We also scan messages downloaded via the POP3 Download feature within the Admin Console.

Messages that are downloaded via a client and 'copied' to the server via IMAP are not scanned. This is the most common way that viruses get in the mail store.

Kevin Trumbull
Kerio Technical Support Team Leader
http://support.kerio.com
  •  
iigs

Thanks for clarifying things, appreciated.

I have been doing some tests with the eicar test file, and none of the client AV solutions I have tried (Symantec Corporate, Kaspersky, AVG) seem to pick it up when using the KOC.

Maybe a better term for the McAfee AV would have been 'bundled' rather than 'integrated'. Slightly less misleading.
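
Added example (not from any poster in this thread, and not Kerio code): a read-only sweep of a copy of the mail store that decodes every MIME part and looks for the EICAR test string, which is one way to check whether messages that arrived by IMAP copy, and so were never seen by the SMTP-time scanner, are covered by anything. It assumes the copy holds one `.eml` file per message; the `jdoe`, `INBOX` and `Imported` names and the two sample messages are constructed.

```python
import email
import os
import tempfile
from email import policy
from email.message import EmailMessage

# EICAR test string, split in two so this script itself is not flagged on disk.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-" + b"STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

def parts_with_eicar(raw_bytes):
    """Return the names of MIME parts whose decoded payload contains EICAR."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""  # undo base64 / quoted-printable
        if EICAR in payload:
            hits.append(part.get_filename() or part.get_content_type())
    return hits

def sweep_store_copy(root):
    """Walk a COPY of the store; map relative .eml path -> flagged parts."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".eml"):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:  # read-only: nothing is quarantined or deleted
                    hits = parts_with_eicar(fh.read())
                if hits:
                    findings[os.path.relpath(path, root)] = hits
    return findings

def build_sample_store(root):
    """Constructed sample: a clean INBOX message and an 'Imported' one carrying EICAR."""
    for folder, name, attach in (("INBOX", "1.eml", False), ("Imported", "2.eml", True)):
        msg = EmailMessage()
        msg["Subject"] = "constructed sample"
        msg.set_content("hello")
        if attach:
            msg.add_attachment(EICAR, maintype="application",
                               subtype="octet-stream", filename="eicar.com")
        os.makedirs(os.path.join(root, "jdoe", folder), exist_ok=True)
        with open(os.path.join(root, "jdoe", folder, name), "wb") as fh:
            fh.write(msg.as_bytes())

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_store(tmp)
        print(sweep_store_copy(tmp))
```

The attachment sits in the `.eml` file as base64, so a plain byte search of the raw file misses it; only the decoded part matches.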

  •  
iigs

sedell wrote on Mon, 21 August 2006 13:24

No. It only scans incoming SMTP. It would create a huge load on the server to scan every message as it's moved, copied, read, etc. That's usually the job of the client AV scanner to scan mail as it's accessed.



That's bad practice, leaving anything to the client AV. The client AV is the last resort. It's not uncommon to see 3 or 4 AV solutions within the same mail system.
  •  
sedell

I'm not arguing that, but KMS isn't going to catch file move operations at all. Especially when a PST is being used.

Scott
  •  
sedell

iigs wrote on Tue, 22 August 2006 09:00

I have been doing some tests with the eicar test file, and none of the client AV solutions I have tried (Symantec Corporate, Kaspersky, AVG) seem to pick it up when using the KOC.


This generally requires an Outlook add-in to scan mail in this fashion. Most client AV scanners will only scan POP3, some will also do SMTP, by intercepting communication to/from the mail server by default. Scanning IMAP or MAPI mail usually requires the separate add-in for Outlook.

Scott
  •  
iigs

Yes of course, you are right there sorry, I've been hiding under a Mac for far too long.

Do you have any recommendations for a client AV? I have been thinking about getting rid of Symantec for a while. For a start it just hogs the system resources.

  •  
DSARick

I recommend using AVG for clients. Lean and thorough.

Not to mention it comes with a 2 year subscription vs 1 year for most other AV products.

[Updated on: Thu, 24 August 2006 21:40]
