What happened to ClamWin?

Discussion, support and announcements for third party applications that work with MailEnable.
zeusdk
Posts: 99
Joined: Thu Dec 09, 2004 7:09 pm

What happened to ClamWin?

Post by zeusdk »

Hi all

About 3 months ago, I installed ClamWin, which deleted 100% of all the virus e-mails. About 2 days ago, I upgraded to the latest version and saw how it fell from 100% to about 50-75%.

Hey, I just upgraded - nothing else. In addition, the auto-updater is working fine.

Has anyone else had the same experience?

MartynK
Posts: 1376
Joined: Sat Dec 28, 2002 1:12 am
Location: Hong Kong

Post by MartynK »

I have been using it now for ages and I (touch wood) have not had any major issues.

The only thing I will say is that I have set my max MTA threads to two (2)

zeusdk
Posts: 99
Joined: Thu Dec 09, 2004 7:09 pm

Post by zeusdk »

It is down to only one thread.

globalmcs also seems to have the same problem:
http://forum.mailenable.com/viewtopic.p ... c&start=45

zeusdk
Posts: 99
Joined: Thu Dec 09, 2004 7:09 pm

Post by zeusdk »

I have done a lot of testing and it seems to be the filter "where a virus is found" that is actually not deleting the messages, as it is set to do, because my 3 anti-virus scanners - eTrust, ClamWin and F-Prot - are reporting the viruses correctly.

Still 30% of all test viruses from http://www.webmail.us/testvirus get through to my own pc.
Last edited by zeusdk on Wed Mar 02, 2005 4:50 pm, edited 1 time in total.

MartynK
Posts: 1376
Joined: Sat Dec 28, 2002 1:12 am
Location: Hong Kong

Post by MartynK »

What do you mean by "it seems to be the filter 'where a virus is found'"?
I have just run the tests with the following:

1. ClamWin
2. F-Prot
3. McAfee 8.0

The only tests that failed are #5, #17, #19, #23, #24, #25

From memory, these are the same ones that have been getting through for ages. I think it may be something to do with the way that ME strips the various parts of the email before scanning by the AV engine. I am going on this on the basis that if I turn on normal "On Access" scanning on my server (using McAfee) it finds every one as they are written to the disk.

zeusdk
Posts: 99
Joined: Thu Dec 09, 2004 7:09 pm

Post by zeusdk »

About 3 months ago, I did the test and ClamWin took 100%. Other people also did the test and said that it took 100%. Anyway... that is history now... back to the filter.

How is multi-layer virus scanning working?

If a virus scanner finds a virus, does it?

a) Send it directly to the filter (which for example deletes the virus) or
b) does it pass it on to the next virus scanner?

Furthermore is it the best way to let the filter do the deleting or to do the deleting “on the scene” (and no reporting to the filter)?

Here are my settings - are they correct (only reporting to the filter)?

eTrust:
"[AGENT]" "[FILENAME]" /q

ClamWin:
"[AGENT]" "[FILENAME]" --database="C:\Program Files\ClamWin\db" --tempdir="C:\Program Files\Mail Enable\Scratch"

F-prot:
"[AGENT]" "[FILENAME]" /ARCHIVE=n /NOBOOT /NOMEM /AI /OLD /PACKED

All 3 scanners are set on: "Return code will be checked against this list" and: "Match a return code".
Last edited by zeusdk on Fri Feb 18, 2005 12:27 pm, edited 1 time in total.

MartynK
Posts: 1376
Joined: Sat Dec 28, 2002 1:12 am
Location: Hong Kong

Post by MartynK »

As far as I know, the first scanner that finds a virus will either delete the file or report it via a return code. The ME MTA will then not process that part of the email using the following AV scanner (if one exists).

On that basis, if the first scanner does not get it, hopefully a following one will, but as I said in my previous post, that is down to the actual splitting of the email parts which are then passed to the scanner.

As for which way to config this, I have my system use the return codes and then let ME do the remove and delete. That way one thing (the ME MTA) is controlling the process and "should" not have to worry about files going missing because of the AV scanner.

Must admit, I have never had an issue when using this method and I am more than impressed with the whole AV scanning process in ME compared to the high costs of implementing it in other filters.

zeusdk
Posts: 99
Joined: Thu Dec 09, 2004 7:09 pm

Post by zeusdk »

Thanks :-)

Ran the test again and got the same result as you: 5, 17, 19, 20, 23, 24, 25 went through.

Would another scanner get a better result?

MartynK
Posts: 1376
Joined: Sat Dec 28, 2002 1:12 am
Location: Hong Kong

Post by MartynK »

As I said in the previous email, I don't think it is the scanner.

If I scan the emails manually, all of the viruses are found, so it must be something with the MTA.

I have logged a support call with ME this evening, so we can see what happens.

zeusdk
Posts: 99
Joined: Thu Dec 09, 2004 7:09 pm

Post by zeusdk »

Looking very much forward to hearing the result of the support call :-)

OwenD
Posts: 39
Joined: Wed Sep 22, 2004 7:33 am
Location: Gladstone - Australia

Post by OwenD »

zeusdk wrote:
Thanks :-)

Ran the test again and got the same result as you: 5, 17, 19, 20, 23, 24, 25 went through.

Would another scanner get a better result?

You should remember that tests 24 & 25 do not include viral code.
These are vulnerability tests, which are not what an AV tool designed specifically to run on a mail server is meant to detect.
There has been a fair bit of discussion about this on the ClamAV mailing list and the consensus is that trying to detect such things as these, phishing attempts etc. is not within the primary goal of ClamAV (on which ClamWin is built).

I use Clamav for windows rather than ClamWin and on the same tests it;
detects test 5
missed test 17
detects test 19
warned of the missing MIME boundary in 23
missed 24 & 25 (see above)

I personally run ASSP for spam filtering and have it set to reject executable attachments. With this in place you can easily add a regular expression to detect the CLSID attachment (#25)
One could similarly eliminate test 17 (Carriage Return Vulnerability) I suppose. A quick look at http://www.securitytracker.com/alerts/2 ... 03546.html
will show you how the vulnerability works.

A better answer is of course to run multiple AV engines. The same test (#17) sent to my work email is detected by McAfee and, as I have shown, even two products based on the same code can give different results.

The other factor is that I run a custom-written pickup event to call ClamAV, so my results are not 100% relevant to yours due to the fact that my pickup event decides what to do with the message, not ME.

cheers :D

Owen
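
The attachment-name filtering Owen describes (rejecting executable attachments, and a regular expression for the CLSID-extension trick of test #25) as an added Python example. This is not ASSP's, ClamAV's or MailEnable's code: the sample message, the executable-extension list and the CLSID value in the sample filename are constructed here; the pattern itself is the standard braced-GUID form that Windows Explorer hides when it trails a filename. The filename is taken from Content-Disposition, falling back to the Content-Type name= parameter, which is how a mail client would pick it up.

```python
"""Flag MIME attachments by filename: trailing CLSID extension or executable extension.

Added example, not part of the original thread. The sample message and the
extension list below are constructed for the example.
"""
import email
import re
from email import policy

# A Windows CLSID in braces as the *last* extension, e.g. notes.txt.{GUID}:
# Explorer shows only "notes.txt" but opens the file with the CLSID's handler.
CLSID_EXT = re.compile(
    r"\.\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}\s*$", re.IGNORECASE
)

# Constructed list of extensions to reject outright (assumption, not ASSP's own list).
EXEC_EXTS = {"exe", "com", "scr", "pif", "bat", "cmd", "vbs", "js", "hta", "cpl"}


def classify_filename(name):
    """Return a reason string if the filename looks dangerous, else None."""
    if not name:
        return None
    if CLSID_EXT.search(name):
        return "clsid-extension"
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext in EXEC_EXTS:
        return "executable-extension"
    return None


def suspicious_attachments(raw_message):
    """Walk every leaf part; return [(filename, reason)] for the ones to reject.

    get_filename() reads Content-Disposition filename= and falls back to the
    Content-Type name= parameter, decoding RFC 2231 / encoded-word forms.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        reason = classify_filename(name)
        if reason:
            hits.append((name, reason))
    return hits


# Constructed sample: one text body, one double-extension executable,
# one file with a trailing CLSID (the value is a sample), one harmless PDF.
SAMPLE = b"""From: sender@example.test
To: user@example.test
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="bnd"

--bnd
Content-Type: text/plain

see attachments
--bnd
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"
Content-Transfer-Encoding: base64

TVo=
--bnd
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="notes.txt.{3050F4D8-98B5-11CF-BB82-00AA00BDCE0B}"

just text
--bnd
Content-Type: application/pdf; name="report.pdf"
Content-Disposition: attachment; filename="report.pdf"

%PDF-1.4
--bnd--
"""

if __name__ == "__main__":
    for filename, reason in suspicious_attachments(SAMPLE):
        print(f"reject {filename!r}: {reason}")
```

Run against the sample it rejects invoice.pdf.exe and the CLSID-named part and lets report.pdf through. Filename checks of this kind catch the vulnerability-style tests an AV engine is not meant to catch, but only by name: they do nothing for a part whose headers are broken (test #23) or whose content is malicious under an innocent name, so they belong beside the scanners, not in place of them.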

MartynK
Posts: 1376
Joined: Sat Dec 28, 2002 1:12 am
Location: Hong Kong

Post by MartynK »

Well I am running multiple AV scanners and they all fail on the same test.

What is it that you're running in your pickup event that is so different?

Guest

Post by Guest »

MartynK wrote:
Well I am running multiple AV scanners and they all fail on the same test.

What is it that you're running in your pickup event that is so different?

I doubt it's anything in my pickup event, but rather, as you have said, something to do with how ME handles the files in the AV process.
I can't shed any light on exactly what it is because I'm running ME Standard, not Pro or Ent as you (both) are.

All my pickup event does is pass the message to clamscan.exe and delete the attachment(s) if required. It also does some other custom stuff that's not related to AV, but I find useful.

In effect every message is being scanned manually, and as you have said, if you do this (a manual scan) the viral code is found; this would add credence to your earlier post.
Did Clamwin identify all of the tests when done manually, or was it one of your other AV agents?

What parameters do you pass to clamwin?
I had a bad time a while back with dozens of variations of Netsky getting through. It turned out I had to use the --mbox parameter to stop them.
Are you calling clamscan.exe or using the clamdscan daemon?

It's been a while since I tried Clamwin so I can't remember what subtle differences there are to ClamAv.

cheers,

Owen

paarlberg
Posts: 1071
Joined: Tue Mar 02, 2004 7:33 pm
Location: Atlanta, GA, USA

Post by paarlberg »

As far as Clam not catching the viruses it did before, has the order in which the AV Agents run changed? This can be found in the registry at

Code:

[HKEY_LOCAL_MACHINE\SOFTWARE\Mail Enable\Mail Enable\Agents\MTA\Filters]
"Processing Order"="MEAVCLM,MEAVFPI,MEAVGRI,MEAVMAC,MEAVNAV,MEAVNOR,MEAVPAN,MEAVSOP,MTAFILTER"

zeusdk
Posts: 99
Joined: Thu Dec 09, 2004 7:09 pm

Post by zeusdk »

Should the order matter? And why? Anyway, I thought that something was wrong with ClamWin (it is freeware you know), so I added 2 more AVs but it did not improve anything.

Something must be wrong some place! :)

My settings are:

Code:

C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVCmd.exe
"[AGENT]" "[FILENAME]" /q
Return code will be checked against this list
32
Match a return code

C:\Program Files\ClamWin\bin\clamscan.exe
"[AGENT]" "[FILENAME]" --database="C:\Program Files\ClamWin\db" --tempdir="C:\Program Files\Mail Enable\Scratch" --mbox
Return code will be checked against this list
1
Match a return code

C:\Program Files\FSI\F-Prot\fpcmd.exe
"[AGENT]" "[FILENAME]" /ARCHIVE=n /NOBOOT /NOMEM /AI /OLD /PACKED
Return code will be checked against this list
3 8
Match a return code
Order:

Code:

MEAVCA,MEAVCLM,MEAVFPI,MEAVGRI,MEAVMAC,MEAVNAV,MEAVNOR,MEAVPAN,MEAVSOP,MTAFILTER
Last edited by zeusdk on Wed Mar 02, 2005 4:53 pm, edited 1 time in total.
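
MartynK's description of the chain (the first scanner whose return code matches stops the chain, and the ME MTA, not the scanner, deletes the part) and the return-code settings zeusdk posted above, modelled as an added Python example. This is not MailEnable code and does not run real scanners: each agent is a stand-in stub script (constructed) that exits 0 for a clean file, a configurable code when a constructed marker string is present, and 2 when it cannot read the file, which is clamscan's error convention. The agent names, the marker string and the `strict` option are assumptions. The run also shows the caveat a match-only return-code list carries: an error exit that is not in the list is "no match", so the part is treated as clean and delivered unless the caller refuses unexpected codes.

```python
"""Return-code driven multi-scanner chain, modelled after the thread's settings.

Added example, not MailEnable's code. Real scanners are replaced by a stub
script so the example runs offline; exit codes mirror the posted config
(eTrust 32, ClamWin 1, F-Prot 3/8) and clamscan's 0/1/2 convention.
"""
import os
import subprocess
import sys
import tempfile

# Constructed stand-in for a command-line scanner: argv = <infected_exit_code> <file>
STUB_SCANNER_SRC = r'''
import sys
infected_code = int(sys.argv[1])
try:
    data = open(sys.argv[2], "rb").read()
except OSError:
    sys.exit(2)          # clamscan convention: 2 = could not scan
sys.exit(infected_code if b"CONSTRUCTED-MALWARE-MARKER" in data else 0)
'''


def make_agents(stub_path):
    """Agent table in the shape of the posted settings: command template + matched codes.

    Processing order is the list order (the page's MEAVCA, MEAVCLM, MEAVFPI).
    [AGENT] and [FILENAME] are substituted at scan time, as in the ME command lines.
    """
    return [
        {"name": "eTrust-stub", "path": sys.executable,
         "args": ["[AGENT]", stub_path, "32", "[FILENAME]"], "infected_codes": {32}},
        {"name": "ClamWin-stub", "path": sys.executable,
         "args": ["[AGENT]", stub_path, "1", "[FILENAME]"], "infected_codes": {1}},
        {"name": "F-Prot-stub", "path": sys.executable,
         "args": ["[AGENT]", stub_path, "3", "[FILENAME]"], "infected_codes": {3, 8}},
    ]


def build_argv(agent, filename):
    subst = {"[AGENT]": agent["path"], "[FILENAME]": filename}
    return [subst.get(a, a) for a in agent["args"]]


def scan_part(agents, filename, strict=False):
    """Run agents in order; return (verdict, agent_name, return_code).

    "infected": first return code found in that agent's matched list; the chain
               stops there, the caller (the MTA in ME's model) deletes the part.
    "error":   only with strict=True, when an agent exits with a code that is
               neither 0 nor in its list (e.g. clamscan's 2).
    "clean":   no match. With strict=False an error exit is silently "no match",
               which is what a match-only return-code list gives you.
    """
    for agent in agents:
        rc = subprocess.run(build_argv(agent, filename),
                            stdout=subprocess.DEVNULL,
                            stderr=subprocess.DEVNULL).returncode
        if rc in agent["infected_codes"]:
            return ("infected", agent["name"], rc)
        if strict and rc != 0:
            return ("error", agent["name"], rc)
    return ("clean", None, 0)


def demo():
    """Constructed run: a clean part, a marked part, and a part no scanner can read."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        stub = os.path.join(tmp, "stubscan.py")
        with open(stub, "w") as f:
            f.write(STUB_SCANNER_SRC)
        agents = make_agents(stub)

        clean = os.path.join(tmp, "part1.txt")
        bad = os.path.join(tmp, "part2.txt")
        missing = os.path.join(tmp, "does-not-exist.txt")
        with open(clean, "w") as f:
            f.write("hello\n")
        with open(bad, "w") as f:
            f.write("CONSTRUCTED-MALWARE-MARKER\n")

        results["clean"] = scan_part(agents, clean)
        results["infected"] = scan_part(agents, bad)
        results["missing_lenient"] = scan_part(agents, missing)
        results["missing_strict"] = scan_part(agents, missing, strict=True)

        if results["infected"][0] == "infected":
            os.remove(bad)  # the MTA, not the scanner, removes the part
        results["deleted"] = not os.path.exists(bad)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In the marked-file case the first agent in processing order matches (code 32) and the later two never run, which is why the order in the registry key matters only when the engines disagree. The unreadable-file case is the one to watch: all three stubs exit 2, none of the posted lists contains 2, so the lenient chain returns "clean" and the part would be delivered; the strict variant surfaces it as an error instead.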
