Use Mailenable 10.32 with Microsoft Defender on Windows Server 2019 as CMD AV Scanner

Discussion forum for Enterprise Edition.
rbrilla
Posts: 2
Joined: Mon Nov 11, 2019 2:03 pm

Post by rbrilla »

ToDo for using onboard Microsoft Defender on Windows Server 2019 with Mailenable 10.32
I think it also works on Windows 2016.

The main reason for me was to replace the f-prot scan in Mailenable, because it shuts down in April 2021.

First, disable any antivirus other than Microsoft Defender and remove/uninstall old stuff (f-prot).

The main problem with using Defender directly is that the MS errorlevel return codes are 0 (nothing found) or 2 (virus found OR program error). So you have to use a batch file (CMD) with the "find" command instead.

So, here is the batch file.

---cut Scanvir.cmd
@echo off
rem Ralph Brilla 20.02.2021
rem Information gathered from various articles on the Internet
rem Return code is
rem 0 if no malware is found or malware is successfully remediated and no additional user action is required
rem 2 if malware is found and not remediated or additional user action is required to complete remediation or there is error in scanning. Please check History for more information.
rem Depending on the version, mpcmdrun.exe could be found in a couple of different locations.
rem %ProgramFiles%\Microsoft Security Client\Antimalware\
rem %ProgramFiles%\Microsoft Security Essentials\
rem %ProgramFiles%\Windows Defender\ Windows 10 (Build 2004)
"%ProgramFiles%\Windows Defender\mpcmdrun.exe" -scan -scantype 3 -file %1 -disableremediation >c:\Scripte\Virusscan\scanlog.txt
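rem find sets ERRORLEVEL 0 if the marker text is in the log, 1 if it is not, 2 on error.
rem The number in each ECHO below is find's ERRORLEVEL; the code returned to MailEnable is the EXIT /b value.
find /c "LIST OF DETECTED THREATS" c:\Scripte\Virusscan\scanlog.txt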
IF ERRORLEVEL 2 GOTO Label2
IF ERRORLEVEL 1 GOTO Label1
ECHO 0 THREAT/Virus found
EXIT /b 1
GOTO ENDE
:Label2
ECHO 2
EXIT /b 2
GOTO ENDE
:Label1
ECHO 1 Nothing found
EXIT /b 0
:ENDE
---cut

Save it as Scanvir.cmd in the folder "C:\Scripte\Virusscan".

Now you need to disable the real-time scan on a few folders (e.g. MailEnable, temp folders, scan folder...).

Start PowerShell with admin rights. Disable the real-time scan for Mail Enable, the virus scan script folder and the temp folder (used for expanding zip/rar):
Use these commands:
Add-MpPreference -ExclusionPath "C:\Program Files (x86)\Mail Enable"
Add-MpPreference -ExclusionPath "C:\Program Files (x86)\Mail Enable\Scratch"
Add-MpPreference -ExclusionPath "C:\Scripte\Virusscan"
Add-MpPreference -ExclusionPath "C:\Windows\Temp"

You can check the settings with this command: Get-MpPreference

We can go on to configure MailEnable.

Now you need to enable the MailEnable Antivirus Filter
You can find it under MailEnable Management/Server/Extensions/Message Filter

For scanning with Defender I used the filter from Sophos. (Creating my own scan filter with a .reg file doesn't work :shock:)
Activate "Enable selected anti-virus"
Now click Options

Program path: C:\Windows\System32\cmd.exe
Command line arguments: "[AGENT]" /C C:\Scripte\Virusscan\Scanvir.cmd "[FILENAME]"
click Detection method: Return code will be checked against this list
Use "1" as Return code
Return code check: Match a return code

click "ok"

Enable Activity Log if you wish
Enable Bypass antivirus scan on authenticated sender if you wish

click Ok

Now restart the MTA
Go back and click Test settings. Now you should see a window with the AV test results. The message should be "0 THREAT/Virus found" Command line scanner returned 1

You can now start to create a filter for moving to quarantine or to the junk folder.
I preferred to move it to junk, because the attachment is removed via virusscan.

The filter is configured under Mailenable Management/Messaging Manager/Filter
I have included a screenshot of my filter.


Last of all:
Test it. You can find many test sites where you can send EICAR test files via your mail server.
I used heise security to send EICAR test files with zip/rar.

Hope this helps a little, because there are not many cmd virus scanners you can use today.

Greetings from Germany

Ralph
Attachments
Virusscan_Options_Screenshot.PNG (50.23 KiB)
Messagefilter_Virusscan_move_to_Junk.PNG (59.16 KiB)
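
A variant of the Scanvir.cmd wrapper above, as an added example that is not part of the original post: it keeps the same return codes (1 = threat, 0 = clean, 2 = error) but writes each scan to its own log file, so two scans running at the same time cannot overwrite each other's log, and it returns 2 instead of 0 when MpCmdRun exits non-zero without listing a threat. The MpCmdRun switches, the paths and the "LIST OF DETECTED THREATS" marker are taken from the post; the variable names, the per-scan log name and the echoed messages are assumptions.

```batch
@echo off
setlocal
rem Added example, not the original poster's script.
rem Returns: 1 = threat found, 0 = nothing found, 2 = scan could not be completed.
set "MPCMD=%ProgramFiles%\Windows Defender\MpCmdRun.exe"
rem Assumption: a per-invocation log name avoids sharing one scanlog.txt between scans.
set "LOG=C:\Scripte\Virusscan\scan_%RANDOM%_%RANDOM%.txt"

rem Fail with 2 (not 0) if there is nothing to scan or the scanner is missing.
if "%~1"=="" exit /b 2
if not exist "%~1" exit /b 2
if not exist "%MPCMD%" exit /b 2

rem %~1 strips the quotes MailEnable puts around [FILENAME]; they are re-added here.
"%MPCMD%" -Scan -ScanType 3 -File "%~1" -DisableRemediation >"%LOG%" 2>&1
set "MPRC=%ERRORLEVEL%"

rem find: 0 = marker present, 1 = marker absent, 2 = find itself failed.
find /c "LIST OF DETECTED THREATS" "%LOG%" >nul
set "FINDRC=%ERRORLEVEL%"
del "%LOG%" >nul 2>&1

rem Marker present: a threat was listed.
if "%FINDRC%"=="0" (echo THREAT/Virus found & exit /b 1)
rem The log could not be read: report an error instead of "clean".
if not "%FINDRC%"=="1" (echo ERROR reading scan log & exit /b 2)
rem No threat listed but MpCmdRun exited non-zero: scan error, not "clean".
if not "%MPRC%"=="0" (echo ERROR MpCmdRun returned %MPRC% & exit /b 2)

echo Nothing found
exit /b 0
```

With the filter options described in the post, only return code 1 is matched as a detection, so how a message is handled when the wrapper returns 2 has to be decided separately in MailEnable.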

cfdynamics
Posts: 154
Joined: Mon May 24, 2010 2:27 pm

Re: Use Mailenable 10.32 with Microsoft Defender on Windows Server 2019 as CMD AV Scanner

Post by cfdynamics »

RBrilla,

Thank you for this post. It works great.
Kent Runyan
CFDynamics.com
Providing World Class Hosting Solutions for over two decades.
