Symantec AV not working?

Discussion forum for Enterprise Edition.
ikearns
Posts: 39
Joined: Thu Mar 03, 2005 10:45 am
Location: Birmingham, UK

Symantec AV not working?

Post by ikearns »

I am currently evaluating ME Enterprise for the ISP that I work for, and although we have hit a few bumps we have managed to sort them out. However, the one big problem is the lack of active AV.

I am running Symantec AV via command line and find that if I run the command line directly from DOS [vscand.exe] it will pick up virus-laden files; however, when processing through ME they are missed or not cleaned/deleted or quarantined!

Using the MTA debug mode and processing mail I get this:

C:\Documents and Settings\Administrator>memta -debug
Debugging MailEnable Mail Transfer Agent.
****************************************************************************
* *
* MailEnable Mail Transfer Agent (Version 1.0.02) *
* Copyright (C) Andrew Sproul, Peter Fregon 2001-2004. *
* *
****************************************************************************

Loaded 0 Filters
Bayesian Filter Loading Library..
Bayesian Filter - Loading Dictionary..
Bayesian Filter - Loading Complete.
Loading Dictionary...

Dictionary Load Status:
Time Taken: 219 milliseconds
Dictionary Size: 31666 tokens

Dictionary Loaded.
Antivirus Loading Library..
Reading settings for: LS
Reading settings for: POP
Reading settings for: SF
Reading settings for: SMTP
Allocating 0 Results
Processing Message...
Message Size detected as 1206
Processing Message Content...
From Found:From: "Ian Kearns" <user@**********.co.uk>

To Found:To: <user@*********.co.uk>

Mime Encapsulatation detected
Attachment Found: name="eicar.com"

Attachment Found: filename="eicar.com"

ProcessFilter:
Releasing 0 Results


So I know that ME has recognised the eicar.com attachment but has completely left it alone!

But if I use the command line to scan for the same file which contains the faux virus signature Symantec will find it and delete it:

+---------------------------------------------+
| Norton AntiVirus Corporate Edition |
| Copyright (C) Symantec Corporation 1999 |
| All rights reserved |
+---------------------------------------------+

Windows NT detected, disabling boot sector scan
Preparing to scan...
Using pattern file D:\NAV\VD1D7010.VDB
Scanning Memory......Memory Scan Complete.

3, "D:EICAR.COM"
Virus Found: EICAR Test String in D:EICAR.COM
(L)eave Alone, (D)elete -> Delete
File was deleted.


Total files scanned: 70
Folders scanned: 3
Total Viruses found: 1
Viruses cleaned: 0
Viruses deleted: 1
Total Time used: 00:00:07


I am using the following command string in ME:

"[AGENT]" "[FILENAME]" /C /D /AZ /Z /DZ=3 /NB /NM

So why does ME ignore the virus-laden email?

MailEnable-Ian
Site Admin
Posts: 9738
Joined: Mon Mar 22, 2004 4:44 am
Location: Melbourne, Victoria, Australia

Post by MailEnable-Ian »

Hi,

Looking at the debug output, it seems that the MTA has not loaded any filters. Ensure that you have created a virus filter.

Follow the instructions below on how to successfully create a virus filter:

1. Navigate to Servers>localhost>Filters and right click it. Tick the enable box to enable filtering.

2. Navigate to Servers>localhost>Filters>Mailenable Message Filter and highlight filters. In the right hand side list window you will see "Mailenable Antivirus Filter"; double click it to open the Antivirus configuration window. Select the command line scanner to be used and test it to see if the configuration is correct.

3. Next navigate back up to Messaging Manager>Postoffices>Filters and right click on it and create a new filter.

4. Once you have created the new filter you will see it in the right hand side list window. Double click it to open the filter configuration window and add the criteria "Where the message contains a virus" and add the appropriate actions to occur if the message has a virus.

regards,
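
The check made by eye in the reply above, automated as an added example (not part of the original thread and not MailEnable code): it reads a `memta -debug` trace and flags the case where attachments are detected while zero filters are loaded. The first trace is excerpted from the first post; the second is constructed for contrast and its "Loaded 1 Filters" line is an assumed format.

```python
import re

# Excerpt of the memta -debug trace quoted in the first post of this thread.
TRACE_FROM_POST = """\
Loaded 0 Filters
Antivirus Loading Library..
Allocating 0 Results
Processing Message...
Mime Encapsulatation detected
Attachment Found: name="eicar.com"
Attachment Found: filename="eicar.com"
ProcessFilter:
Releasing 0 Results
"""

# Constructed for contrast: same trace with one filter loaded (assumed format).
TRACE_WITH_FILTER = TRACE_FROM_POST.replace("Loaded 0 Filters", "Loaded 1 Filters")

FILTERS_RE = re.compile(r"^Loaded\s+(\d+)\s+Filters", re.M)
ATTACH_RE = re.compile(r'^Attachment Found:\s*(?:file)?name="([^"]*)"', re.M)


def parse_trace(text):
    """Pull the filter count and the distinct attachment names out of a trace."""
    m = FILTERS_RE.search(text)
    filters = int(m.group(1)) if m else None
    names = sorted({n.lower() for n in ATTACH_RE.findall(text)})
    return {"filters": filters, "attachments": names}


def diagnose(text):
    """Return findings explaining why a message would pass through unfiltered."""
    info = parse_trace(text)
    findings = []
    if info["filters"] is None:
        findings.append("no 'Loaded N Filters' line: trace incomplete")
    elif info["filters"] == 0:
        findings.append("MTA loaded 0 filters: no 'contains a virus' action can fire")
        if info["attachments"]:
            findings.append("attachments seen but not filtered: "
                            + ", ".join(info["attachments"]))
    return findings


if __name__ == "__main__":
    for finding in diagnose(TRACE_FROM_POST):
        print("WARN:", finding)
```
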

Guest

Post by Guest »

Ian

Certainly sorted out this problem

Many thanks

Ian

rfwilliams777
Posts: 1370
Joined: Thu Nov 11, 2004 5:26 pm
Location: Kingsville, Texas

Norton AntiVirus 9.0 Enterprise

Post by rfwilliams777 »

We have been using Norton AntiVirus 9.0 Enterprise on our servers. Despite the installation instructions mentioning for us to turn it off for run-time or real-time scanning, we have actually kept it on and just kept the antivirus scanning from Mail Enable off. So far the viruses have been stopped and killed and the Bad Mail folder is picking them up. So far, so good. :D

http://www.covenantdata.com ... Where data becomes information!
Robert Williams, Owner
www.WilliamsWebSolutions.com
#1 in MailEnable Business-Class Email Hosting - Switch to Williams Web Solutions and we will migrate your accounts to us for FREE!
We can be hired to help you with your Mail Enable server, too!

idfrmail
Posts: 21
Joined: Wed Apr 04, 2007 7:31 am

Post by idfrmail »

I thought ME only supports up to Symantec Corporate Edition v.8? Has anyone here successfully installed it using v.10? Mind sharing some settings here? Is it workable if installed as a managed client?

rfwilliams777
Posts: 1370
Joined: Thu Nov 11, 2004 5:26 pm
Location: Kingsville, Texas

Post by rfwilliams777 »

We initially installed NAV 9.0 on our mail server and installed ME Enterprise 1.2 or 1.3. Since then we've upgraded both and no problems. Although the instructions say to disable the real-time scan, I keep it enabled and do not activate the scanner from Mail Enable. If you configure the NAV correctly, it'll scan for viruses just as well.

idfrmail
Posts: 21
Joined: Wed Apr 04, 2007 7:31 am

Post by idfrmail »

Last time, I just left the real-time protection on. When I did the diagnostic test, it said fail and that it will affect server performance.

Then I tried to exclude the scratch and queues folders, but the diagnostic test result was still the same. So, I totally disabled real-time protection.

I'm thinking of upgrading the AV to Symantec Corporate Edition v10.2. Hope it works fine.

MailEnable-Ben
Posts: 5858
Joined: Fri Jan 16, 2004 6:49 am
Location: Melbourne

Post by MailEnable-Ben »

The suggestion and configuration of rfwilliams with Norton will work, except it can cause duplicates and other file contention issues, but this may only be noticeable on high throughput servers.
Regards,

Product Services
MailEnable Pty Ltd

To keep track of all ME company updates and version releases you should subscribe to the MailEnable list at http://www.mailenable.com or the RSS feed http://www.mailenable.com/rss.

idfrmail
Posts: 21
Joined: Wed Apr 04, 2007 7:31 am

Post by idfrmail »

Hi Ben,

Thanks for your reply. Can you verify whether it is OK for me to use the latest Symantec Antivirus Corporate Edition v10.2?

I can only find that it supports v8 only from the knowledge base. Maybe someone here can verify, and I would really appreciate it if they can post the steps on how to configure it also.

Thanks!

MailEnable-Ben
Posts: 5858
Joined: Fri Jan 16, 2004 6:49 am
Location: Melbourne

Post by MailEnable-Ben »

Hi, I believe they have been outlined in this thread already, but to explain further:

To install the Norton in the above unsupported manner you simply do not install Norton using the command line scanner as labelled in our documentation; this is because version 10 of Symantec does not contain a command line scanner.

The suggestion in this thread is that if you install Symantec as normal, selecting to enable the resident shield scanner, then this will scan all files as they are accessed by MailEnable services, and if a virus is found then it is either quarantined or removed. Not sure if this will extract the files from the message and still deliver the message or simply remove the whole message from the queues; maybe rfwilliams can confirm the action there?
Regards,

