Virus Detection - Virus not being picked up by antivirus program


SUMMARY

If virus-infected mail is not being detected by the antivirus filter, review the setup of the program using the corresponding knowledge base article for your particular vendor, and work through the troubleshooting guide below.

DETAIL

MailEnable can call a command-line scanner. The Mail Transfer Agent (MTA) works the same way for every antivirus scanner; briefly, the process is as follows:

As a message is picked up from an inbound/outbound queue it is moved and processed by the MTA.  At this stage, each MIME part in the message (as delimited by the MIME boundaries) is extracted to its own file in the scratch directory, with an ATT extension.  Each of these files is then scanned by the command-line scanner.  If a virus is detected, the scanner passes a return code to the MTA, which in turn executes the action set in the MTA antivirus options.  If no return code is passed, or the code does not match the code configured in the MTA antivirus settings, the message file passes through and is delivered.

With an understanding of how the MTA and antivirus integration works, there are some checks that can be used to diagnose issues where virus files pass through the MTA and ultimately end up in mailboxes.

Resident antivirus

Running a resident (on-access) antivirus scanner on a mail server can cause many problems, because the mail server moves a large number of files around and the resident scanner, depending on its configured actions, needs to access or block access to those files.  The MTA and its plugins require access to these files at all times while a message passes through the engine.  This is where a resident scanner inhibits the MTA: while the MTA is accessing a message, the resident scanner notices the file access, locks the file and performs its own scan, excluding all other programs from accessing the file while it does so.

Depending on when the file is locked and how long the scan takes, the effect on the MTA varies, which makes the occurrences seem very ad hoc. Some results of this are:
- some messages with viruses will pass through
- some will be detected as normal
- blank messages can be delivered to mailboxes
- Messages can appear to get lost in system (really the resident is quarantining or deleting the message)
- In rare circumstances the MTA can crash or messages can become corrupted.

Resolution

On all mail servers, the resident antivirus program should be turned off or disabled; it is best not to install this feature at all during initial installation.  If it is still necessary to run a resident antivirus, then it is imperative to exclude the MailEnable folder structure, remembering to also exclude the scratch directory if it is located outside the MailEnable directory.

Diagnose

The next step is to find out whether the MTA or the antivirus is causing the problems.

To do this, track down a message that contains a virus, has passed through the system and has ended up in a mailbox.  Finding such a message may require turning off any client-side resident scanners, as an untouched MAI file is needed for the check (i.e. running the virus scanner over the Message File outside of the MTA).  Locate the message file in a mailbox (the path is usually as shown below, and the Message File will have an extension of MAI).  The message can be opened in Notepad to view its contents, which helps ensure the correct message has been selected for scanning:

C:\Program Files\Mail Enable\[Post Office Name]\Mail Root\[Mailbox Name]\Inbox

Once the correct MAI file containing the virus has been located, copy it into the directory on the server that contains the antivirus executable file. Some examples of our supported scanner executables are:

F-Prot - Fpcmd.exe
Symantec - Vscand.exe
McAfee - Scan.exe
AVG - Avgscan.exe
Norman - Nvcc.exe
Panda - Pavcl.com
Sophos - Sav32cli.exe
Vet - Vet32.exe

Once the virus-infected message is in that directory, run the executable over either the current directory or the MAI file itself, using the command-line arguments from the MTA antivirus properties section for that antivirus scanner.

If the virus is detected and a return code is given, ensure the return code matches the code in the MTA antivirus settings.  Try this routine on several viruses that get through, where applicable.

If the virus is not detected by this command-line scan outside of the MTA, then the virus program itself is not detecting the message.
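The following script is an added example, not MailEnable's own code, that emulates both the MTA hand-off described in the DETAIL section (each MIME part written to its own ATT file in the scratch directory, each file scanned by a command-line scanner, the return code compared with the configured code) and the manual check above (a copied MAI file scanned outside the MTA, with its exit code compared with the MTA setting).  The scanner is a constructed stub standing in for the vendor executables listed above; the sample message, its marker string and the "virus found" exit code 3 are all assumptions, since real vendor return codes come from the MTA antivirus properties.  It shows the silent failure the article warns about: with the wrong code configured, an infected message is delivered.

```python
# Added example (not MailEnable's code): emulates the MTA antivirus hand-off
# described in the article, using a constructed stub scanner so it runs offline.
import email
import subprocess
import sys
import tempfile
from email import policy
from pathlib import Path

# Constructed sample message: a multipart message whose attachment carries a
# harmless marker string that the stub scanner treats as "infected".
SAMPLE_INFECTED = b"""From: sender@example.com
To: user@example.com
Subject: constructed test message
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY1"

--BOUNDARY1
Content-Type: text/plain; charset="us-ascii"

Please see the attached file.
--BOUNDARY1
Content-Type: application/octet-stream; name="payload.txt"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="payload.txt"

CONSTRUCTED-VIRUS-MARKER
--BOUNDARY1--
"""
SAMPLE_CLEAN = SAMPLE_INFECTED.replace(b"CONSTRUCTED-VIRUS-MARKER", b"harmless attachment text")

# Stub command-line scanner (an assumption standing in for Fpcmd.exe, Scan.exe, ...):
# exits 3 when the marker is present, 0 otherwise, the way a real scanner returns a
# vendor-specific "virus found" code.  The exit code 3 is an assumed value.
STUB_SCANNER_CODE = (
    "import sys; data = open(sys.argv[1], 'rb').read(); "
    "sys.exit(3 if b'CONSTRUCTED-VIRUS-MARKER' in data else 0)"
)
STUB_SCANNER = [sys.executable, "-c", STUB_SCANNER_CODE]


def extract_parts_to_scratch(raw_message: bytes, scratch_dir: Path) -> list:
    """Write each MIME body part to its own .ATT file in the scratch directory."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    paths = []
    for index, part in enumerate(msg.walk()):
        if part.is_multipart():  # container parts have no payload of their own
            continue
        path = scratch_dir / f"part{index}.ATT"
        path.write_bytes(part.get_payload(decode=True) or b"")
        paths.append(path)
    return paths


def run_scanner(scanner_cmd: list, target: Path) -> int:
    """Run the command-line scanner over one file and return its exit code."""
    result = subprocess.run(scanner_cmd + [str(target)], capture_output=True)
    return result.returncode


def mta_decision(raw_message: bytes, scanner_cmd: list, configured_virus_code: int,
                 scratch_dir: Path) -> str:
    """Apply the article's rule: a part whose scanner exit code equals the code
    configured in the MTA antivirus settings triggers the antivirus action
    ('blocked' here); any other code, including 0, lets the message through."""
    for part_path in extract_parts_to_scratch(raw_message, scratch_dir):
        if run_scanner(scanner_cmd, part_path) == configured_virus_code:
            return "blocked"
    return "delivered"


def diagnose_mai(scanner_cmd: list, mai_path: Path, configured_virus_code: int) -> dict:
    """The manual check from the article: scan a copied MAI file outside the MTA
    and report whether the scanner's exit code matches the configured one."""
    code = run_scanner(scanner_cmd, mai_path)
    return {"return_code": code, "matches_mta_setting": code == configured_virus_code}


def demo() -> dict:
    """Run the cases an administrator would compare when messages slip through."""
    with tempfile.TemporaryDirectory() as tmp:
        scratch = Path(tmp)
        mai_file = scratch / "sample.MAI"
        mai_file.write_bytes(SAMPLE_INFECTED)
        return {
            "infected_correct_code": mta_decision(SAMPLE_INFECTED, STUB_SCANNER, 3, scratch),
            "infected_wrong_code": mta_decision(SAMPLE_INFECTED, STUB_SCANNER, 1, scratch),
            "clean_correct_code": mta_decision(SAMPLE_CLEAN, STUB_SCANNER, 3, scratch),
            "manual_check": diagnose_mai(STUB_SCANNER, mai_file, 3),
        }


if __name__ == "__main__":
    print(demo())
```

To use the same check against a real scanner, replace STUB_SCANNER with the vendor executable and the arguments from the MTA antivirus properties, and pass the configured return code; the "infected_wrong_code" case is exactly the mismatch that lets infected mail reach a mailbox.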

Resolution

If the virus file is not detected, check that the scanner's signature files are up to date. Most scanners display the date of each signature file in the results of the above scan.  If the signature file is current, contact the antivirus vendor for more information.

If the above test shows that the file is detected on the command line, then possibly a setting in the MTA is incorrect or the MTA is not working correctly.

The next step is to reduce the MTA's process threads to one for testing. This may be increased again later, but some antivirus scanners do not allow multiple instances of themselves to run simultaneously.  Also, go into the MTA antivirus properties and click the Default button to ensure that the default, tested settings are in use. Sometimes the command-line settings change between versions, the arguments are modified, or new ones are added; when this occurs the default settings need updating, so please notify MailEnable Support.

If the MTA logs give no indication of problems and the rest of this article does not help, alert MailEnable Support to the issues that have been encountered.

Send through a detailed description of the problem and what has been tested.  Also send through a copy of the MAI file that is not being detected by the scanner.  Check with MailEnable Support as to the best way to send the file so that no antivirus cleaning occurs.  To initiate support on this matter, please proceed to the MailEnable Support Submission Form.

Tracking Messages

Tracking a message through the server can sometimes indicate what has occurred, so check the SMTP and MTA logs and track the message through the MailEnable system to ensure that it travelled through correctly and was genuinely not detected.

See this article for help tracking messages through the MailEnable program: http://www.mailenable.com/kb/content/article.asp?ID=ME020252

MORE INFORMATION

How does antivirus filtering work and how to configure it?: http://www.mailenable.com/kb/content/article.asp?ID=ME020056

How to configure the antivirus plug-in?: http://www.mailenable.com/kb/content/article.asp?ID=ME020199

Which antivirus solution to use with MailEnable?: http://www.mailenable.com/kb/content/article.asp?ID=ME020144



Product: MailEnable (Pro-Any Pro-1.X Ent-Any Ent-1.X)
Article: ME020326
Module: MTA
Keywords: anti, virus, anti-virus, antivirus, resident, av, detection, scanning
Class: TRB: Troubleshooting (Configuration or Environment)
Revised: Wednesday, May 4, 2016
Author:
Publisher: MailEnable