antivirus program for mailenable

Discussions on webmail and the Professional version.
george612
Posts: 9
Joined: Mon Feb 24, 2003 12:27 pm
Location: Houston, Tx

antivirus program for mailenable

Post by george612 » Wed Feb 26, 2003 5:18 am

OK, I read the literature you sent me and it is a start for antivirus protection with the professional version of MailEnable, but we need to intercept those viruses by listening on ports 25 and 110 before they enter memory and do a lot of damage... The scandisk approach is a start to the problem, but by the time the viruses have entered memory and made it to the hard disk it really is too late if they are capable of doing damage from memory... Please try to find an antivirus program that will listen on the proper ports and advise me where to purchase it.
Thanks a lot

MailEnable
Site Admin
Posts: 4441
Joined: Tue Jun 25, 2002 3:03 am
Location: Melbourne, Victoria Australia

Post by MailEnable » Wed Feb 26, 2003 6:48 am

George, just a tip - you may want to try hitting the post reply button rather than a new post for each message.

If you want to run it before it hits the server, you will need a separate piece of hardware. Viruses are mime encoded in messages (as most attachments) and therefore need to be extracted and scanned.
MailEnable does this in the same manner as other solutions.
It would mean having to install two copies of ME and routing messages from your internal server to your external server.

Also, I think that your concerns regarding loading viruses into memory may be a matter of misconception about how they work. Viruses need to be activated (i.e. placed in a code segment) before they can be executed. Loading them into the RAM is not really an issue.

I know of no case where scanning viruses within messages has placed the server at risk (unless of course the virus is not detected and is then executed by a user action).
Regards, Andrew
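
The point about MIME encoding, as an added example that is not part of the original post or MailEnable's code: a byte match on the stream crossing port 25 or 110 misses a base64-encoded attachment, while parsing the message and decoding each part finds it. The signature, addresses and file name are constructed for the illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Constructed stand-in for a malware signature; a real scanner uses its vendor's database.
SIGNATURE = b"CONSTRUCTED-TEST-SIGNATURE-0001"


def build_sample() -> bytes:
    """Constructed sample: a mail carrying one base64-encoded binary attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "invoice"
    msg.set_content("See attached.")
    msg.add_attachment(b"MZ\x90\x00" + SIGNATURE + b"\x00" * 16,
                       maintype="application", subtype="octet-stream",
                       filename="invoice.exe")
    return msg.as_bytes()


def scan_raw(wire: bytes) -> bool:
    """Naive check on the bytes exactly as they travel over SMTP or POP3."""
    return SIGNATURE in wire


def scan_decoded(wire: bytes) -> list:
    """Parse the MIME tree, undo each part's transfer encoding, then scan it."""
    hits = []
    msg = message_from_bytes(wire, policy=policy.default)
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no payload of their own
        payload = part.get_payload(decode=True) or b""
        if SIGNATURE in payload:
            hits.append(part.get_filename() or part.get_content_type())
    return hits


if __name__ == "__main__":
    wire = build_sample()
    print("raw stream match:", scan_raw(wire))
    print("decoded parts flagged:", scan_decoded(wire))
```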

george613

antivirus intercept

Post by george613 » Wed Feb 26, 2003 8:18 pm

Well, I have never actually written a virus... but to get to the code segment it seems like it would have to load into memory... In any case I am not making the distinction between viruses and worms... So do your comments still hold for worms that could come in on ports 25 and 110, like they do on port 80?

george612
Posts: 9
Joined: Mon Feb 24, 2003 12:27 pm
Location: Houston, Tx

trying to post reply but some difficulty

Post by george612 » Wed Feb 26, 2003 8:56 pm

I don't know why it would not let me post a reply as george612... I had to use george613, which doesn't show up so I can review... I am trying again...
I wasn't making a technical distinction between viruses and worms... I merely included worm protection in my labelling of antivirus software...
To get to the code segment it would seem that a virus has to relocate in memory, but this seems possible... In any case worms could be created by malicious programmers to come in on ports 25 and 110 like they do on 80, so a port scanning antivirus program should be beneficial for the future.
I read Chris's comment about a McAfee port scanner email server antivirus program... Perhaps you could help him set up the software to get a working solution.
Thanks a lot

Kiliman
Posts: 279
Joined: Mon Feb 03, 2003 2:44 pm
Location: Chesapeake, VA

Post by Kiliman » Wed Feb 26, 2003 10:03 pm

Yes, a worm could cause problems if there was a vulnerability in the mail server.

That is how worms like CodeRed worked. It exploited a buffer overflow bug in IIS which allowed the malicious code to execute.

As long as the server has no known vulnerabilities, you should be safe.

Kiliman

MailEnable
Site Admin
Posts: 4441
Joined: Tue Jun 25, 2002 3:03 am
Location: Melbourne, Victoria Australia

Post by MailEnable » Wed Feb 26, 2003 11:29 pm

George, I agree with Kiliman. With respect to worms, you should be fine as long as you make sure you have the latest Service Packs installed, hotfixes, etc. MailEnable actually had an incident in the past where ME could be attacked by buffer overflow (a worm) - this was obviously fixed some time ago.

My suggestion to you would be that A/V on the Mail Server is fine. If you want to make it more robust, minimise the number of additional/unnecessary services that are running on the box. This will make you less susceptible to worms.
Regards, Andrew

vnvjeep
Posts: 88
Joined: Tue Jun 25, 2002 3:01 pm
Location: Orlando, FL

virus/worms... oy veyy...

Post by vnvjeep » Fri Feb 28, 2003 2:57 am

George... you must be a newbie... Welcome to the world of computing.

It is very rare that you see a worm/trojan/virus attack port 25/110... The mail server on that port is expecting certain commands using the SMTP/POP protocols for mail to come and go. If anything, the mailserver would just blow this worm/trojan off in a heartbeat. A worm/trojan/virus would not be able to infect the mailserver in this fashion. Like support said, the worst thing it could do is some sort of DOS... That is, '(D)enial (O)f (S)ervice'...

Many trojans out there just spam out tons of mail... with their infectious trojan attached to the message. Your mailserver will gladly take this message in, and store it in its database... very happily. But guess what? The server *still* is not infected. The user on the other end that ends up downloading this email to their local mailbox would have a 4,000,000,000 times higher chance of getting infected if they don't have any patches/service packs/virus scanners installed on their end, because *they* are the ones that will be opening up the email/attachment and potentially running this trojan/virus/worm.

Hope this makes things clearer...

L8r,
Mike

Kiliman
Posts: 279
Joined: Mon Feb 03, 2003 2:44 pm
Location: Chesapeake, VA

Re: virus/worms... oy veyy...

Post by Kiliman » Fri Feb 28, 2003 1:01 pm

vnvjeep wrote:It is very rare that you see a worm/trojan/virus attack port 25/110... The mail server on that port is expecting certain commands using the SMTP/POP protocols for mail to come and go. If anything, the mailserver would just blow this worm/trojan off in a heartbeat. A worm/trojan/virus would not be able to infect the mailserver in this fashion. Like support said, the worst thing it could do is some sort of DOS... That is, '(D)enial (O)f (S)ervice'...
While I agree that it is pretty rare for worms to attack a mailserver, it doesn't mean that just because it's a mailserver you are immune.

In fact ME admits that they had a buffer overflow problem that could have been used to attack.
support wrote:MailEnable actually had an incident in the past where ME could be attacked by buffer overflow (a worm) - this was obviously fixed some time ago.
See also http://forum.mailenable.com/viewtopic.php?t=1179

The point is that any piece of code that allows somebody to send data to it is vulnerable, whether it's a web server, mailserver, etc.

As long as the software minimizes the problems of overflows, etc. then your risk will be reduced but not eliminated.

Just as abstinence is the safe way, so is disconnecting your machine from the internet... but neither choice is much fun, is it? :P

Kiliman
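
The two points debated above (a mail server only accepts SMTP commands, and its parser must still bound what it reads), as an added example that is not part of any post or of MailEnable's code. Python cannot show the memory-corruption overflow itself, so this shows the length and verb checks a command reader applies; `handle_command`, the verb list and the reply texts are assumptions for the illustration.

```python
MAX_LINE = 512  # RFC 5321 limit for a command line, CRLF included
VERBS = {b"HELO", b"EHLO", b"MAIL", b"RCPT", b"DATA",
         b"RSET", b"NOOP", b"VRFY", b"QUIT"}


def handle_command(buffer: bytes):
    """Return (reply, remaining_buffer, keep_open) for the bytes received so far.

    reply is None while a complete line has not arrived yet.
    """
    end = buffer.find(b"\r\n")
    if end == -1:
        if len(buffer) >= MAX_LINE:
            # No line ending within the limit: stop buffering and drop the peer.
            return b"500 Line too long\r\n", b"", False
        return None, buffer, True
    line, rest = buffer[:end], buffer[end + 2:]
    if end + 2 > MAX_LINE:
        return b"500 Line too long\r\n", rest, True
    verb = line.split(b" ", 1)[0].upper()
    if verb not in VERBS:
        # Non-SMTP traffic (for example an HTTP request) ends up here.
        return b"500 Command unrecognized\r\n", rest, True
    if verb == b"QUIT":
        return b"221 Bye\r\n", rest, False
    # Placeholder reply standing in for the real per-verb handlers.
    return b"250 OK\r\n", rest, True


if __name__ == "__main__":
    # Constructed inputs: HTTP sent to port 25, an oversized blob, a normal greeting.
    for data in (b"GET / HTTP/1.0\r\n", b"A" * 4000, b"EHLO client.example\r\n"):
        reply, _, keep_open = handle_command(data)
        print(data[:20], "->", reply, "keep_open =", keep_open)
```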

vnvjeep
Posts: 88
Joined: Tue Jun 25, 2002 3:01 pm
Location: Orlando, FL

Re: virus/worms... oy veyy...

Post by vnvjeep » Sat Mar 01, 2003 2:29 am

Kiliman...

Not sure if you read this, but like I just said in my previous post... "the worst thing it could do is some sort of DOS"... what do you think a buffer overflow does? In most cases it causes a DOS... in other cases, it grants access to the OS behind the scenes. Needless to say, over the years I have found that it is much less likely for a mailserver to be a source of intrusion than say a web/telnet/ftp/sql server... People are trying to do such fancy things with these servers as of late (well, except for telnet), that they just keep creating more & more security holes. Mail servers on the other hand are still using the same protocols and rules established many, many years ago. Most problems have already been worked out... many, many years ago. Trojans, or hackers for that matter, typically do not target a mail server as a source of entry.

You're welcome to disconnect from the web, but I feel quite comfortable out there.

Thanks,
Mike

denisbill
Posts: 1
Joined: Tue Oct 30, 2018 3:56 am

Re: antivirus program for mailenable

Post by denisbill » Tue Oct 30, 2018 4:00 am

It is very rare that you see a worm/trojan/virus attack port 25/110... The mail server on that port is expecting certain commands using the SMTP/POP protocols for mail to come and go. If anything, the mailserver would just blow this worm/trojan off in a heartbeat.

mik3ron
Posts: 5
Joined: Fri Mar 01, 2019 7:12 pm

Re: antivirus program for mailenable

Post by mik3ron » Wed Mar 06, 2019 5:38 pm

One other suggestion would be to "harden" the server. I know this can be done with Norton Endpoint security. There is a 'lock down' option that prevents new software from being installed unless allowed in the Norton enterprise manager. Obviously, this can get tricky, so it just depends on how "secure" you want to be with respect to malicious code running on your system.

Also keep in mind that with most AV, the mailbox folders\drives need to be excluded, as this could cause performance issues.

The best option is to implement a UTM physical security device such as a FortiGate firewall, that can do inspection before the packets even reach the server. These solutions are usually expensive to maintain, given the support\maintenance contracts.
