SUMMARY
If virus infected mail is not being detected by the anti-virus filter, please review the setup of the program using the corresponding knowledge base article for your particular vendor and review the troubleshooting guide below.
DETAIL
MailEnable allows the calling of a command line scanner. For each antivirus scanner the Mail Transfer Agent (MTA) works in the same way, briefly as follows: as a message is picked up from an inbound/outbound queue it is moved and processed by the MTA. At this level, each MIME boundary within the message is extracted out to its own file in the scratch directory with an ATT extension. Each one of these files is then scanned by the command line scanner. If a virus is detected, a return code is passed to the MTA, which in turn acts by executing the action set within the MTA antivirus options. If no return code is passed, or a code is returned that does not match the code in the MTA antivirus settings, then the message file passes through and is delivered.
With an understanding of how the MTA and antivirus integration works, there are some checks to diagnose issues where virus files pass through the MTA and ultimately are found in mailboxes.
Resident antivirus
Running resident antivirus on a mail server can cause many problems due to the high number of files being moved around by the mail server and, depending on the resident scanner's actions, the access it requires to or blocks on these files. The MTA and its plugins require access to these files at all times while a message is passing through the engine. This is where resident scanners inhibit the MTA: while a message is being accessed by the MTA, the resident scanner notices the file access and does its job by locking the file and running its own scan, excluding all other programs from accessing the file while it does so.
Depending on when the file is locked and how long the scan takes, the effect on the MTA varies, which makes the occurrences seem very ad hoc. Some results of this are below:
- some messages with viruses will pass through
- some will be detected as normal
- blank messages can be delivered to mailboxes
- messages can appear to get lost in the system (really the resident scanner is quarantining or deleting the message)
- in rare circumstances the MTA can crash or messages can become corrupted.
Resolution
With all mail servers, the resident antivirus program should be turned off or disabled; it is best not even to install this feature during initial installation. If it is still necessary to run the resident antivirus, then it is imperative to exclude the MailEnable folder structure, remembering to also exclude the scratch directory if this is outside the MailEnable directory.
Diagnose
The next step is to find out whether the MTA or the antivirus is causing the problems. To do this, track down a message that contains a virus, has passed through the system and has ended up in a mailbox. Finding such a message may require turning off any client side resident scanners, as an untouched MAI file is needed for the check (i.e. running the virus scanner over the message file outside of the MTA). Locate the message file in a mailbox (the path is usually as shown below and the message file will have an extension of MAI). It is possible to open the message in Notepad to view the message contents; this will help to ensure you have the correct message for scanning:
C:\Program Files\Mail Enable\[Post Office Name]\Mail Root\[Mailbox Name]\Inbox
Once the correct MAI file that contains the virus has been located, copy the file into the directory on the server that contains the antivirus executable file. Some examples of the supported scanners and their executables are below:
F-Prot - Fpcmd.exe
Symantec - Vscand.exe
McAfee - Scan.exe
AVG - Avgscan.exe
Norman - Nvcc.exe
Panda - Pavcl.com
Sophos - Sav32cli.exe
Vet - Vet32.exe
Once the virus infected message is in the directory, run the executable over either the current directory or the MAI file itself, using the command line arguments shown in the MTA antivirus properties section for that scanner. If the virus is detected and a return code is given, ensure the return code matches the code in the MTA antivirus settings. Try this routine on several viruses that get through, where applicable.
If the virus is not detected by this command line scan outside of the MTA, then the virus program itself is not detecting the message.
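The per-boundary extraction and return-code rule described under DETAIL, and the manual command-line check above, as an added Python example that is not part of the MailEnable article: it splits a constructed message into per-part .ATT files the way the MTA does, runs a scanner over each part and applies the configured return code. The sample message, the {file} placeholder convention, and the stub scanner with its exit code 3 are assumptions; with a real scanner, pass the executable and the arguments from the MTA antivirus properties to run_cli_scanner.

```python
import email
import subprocess
import tempfile
from email import policy
from pathlib import Path

# Constructed sample (not from the page): a two-part message as it would sit in
# a mailbox MAI file; the marker stands in for a signature the scanner knows.
MARKER = b"CONSTRUCTED-DETECTION-MARKER"
SAMPLE_MAI = (
    b"From: a@example.test\r\nTo: b@example.test\r\nSubject: test\r\n"
    b"MIME-Version: 1.0\r\nContent-Type: multipart/mixed; boundary=\"XX\"\r\n\r\n"
    b"--XX\r\nContent-Type: text/plain\r\n\r\nhello\r\n"
    b"--XX\r\nContent-Type: application/octet-stream\r\n"
    b"Content-Disposition: attachment; filename=\"x.bin\"\r\n\r\n"
    + MARKER + b"\r\n--XX--\r\n"
)

def split_to_att(mai_bytes, scratch_dir):
    """Write each MIME part to its own .ATT file, as the MTA does; return paths."""
    msg = email.message_from_bytes(mai_bytes, policy=policy.default)
    paths = []
    for i, part in enumerate(msg.walk()):
        if part.is_multipart():
            continue
        path = Path(scratch_dir) / f"part{i}.ATT"
        path.write_bytes(part.get_payload(decode=True) or b"")
        paths.append(path)
    return paths

def run_cli_scanner(scanner_exe, args, path):
    """Run a real scanner on one file; {file} in args is replaced (assumed convention)."""
    cmd = [scanner_exe] + [a.replace("{file}", str(path)) for a in args]
    return subprocess.run(cmd, capture_output=True).returncode

def check_message(mai_bytes, scratch_dir, expected_code, scan):
    """MTA rule: blocked only if some part's exit code equals the configured code."""
    results = [(p.name, scan(p)) for p in split_to_att(mai_bytes, scratch_dir)]
    blocked = any(code == expected_code for _, code in results)
    return ("blocked" if blocked else "delivered"), results

def stub_scanner(path):
    """Stand-in for a vendor scanner (assumption): exit 3 when the marker is present."""
    return 3 if MARKER in path.read_bytes() else 0

def demo(configured_code):
    """Scan SAMPLE_MAI with the stub; configured_code is the MTA's return-code setting."""
    with tempfile.TemporaryDirectory() as scratch:
        verdict, _ = check_message(SAMPLE_MAI, scratch, configured_code, stub_scanner)
    return verdict
```

demo(3) returns "blocked", while demo(4) returns "delivered" even though the scanner flagged the attachment, which is the mismatch between the scanner's return code and the MTA setting that lets infected mail through.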
Resolution
If the virus file is not detected, check that the signature files of the scanner are up to date. Most scanners will display the date or age of each file within the results of the above scan. If the signature file is current, contact the antivirus vendor for more information.
If the above test shows that the file is being detected on the command line, then possibly a setting in the MTA is incorrect or the MTA is not working correctly.
The next step is to reduce the process threads of the MTA to one for testing. This may be able to be increased later, but some antivirus scanners do not allow multiple instances of themselves to run simultaneously. Also, go into the options of the MTA antivirus properties and click the default button to ensure that all the default, correct and tested settings are being used. Sometimes, between versions, the command line settings change or the arguments are modified, and new ones can even be added. When this occurs the default settings need updating; please notify MailEnable Support of this.
If the MTA logs do not give any indication of problems or issues and the rest of this article does not help, then alert MailEnable support as to the issues that have been encountered.
Send through a detailed description of the problem and what has been tested. Also, send through a copy of the MAI file that is not being detected by the scanner. Check with MailEnable support as to what the best way is to send the file so that no antivirus cleaning occurs. To instigate support on this matter please proceed to the MailEnable Support Submission Form.
Tracking Messages
Tracking a message through the server can sometimes give indications as to what has occurred, so check the SMTP and MTA logs and track the message through the MailEnable system to ensure that the message has travelled through correctly and has actually not been detected.
See this article for help tracking messages through the MailEnable program: http://www.mailenable.com/kb/content/article.asp?ID=ME020252
MORE INFORMATION
How does antivirus filtering work and how to configure it?: http://www.mailenable.com/kb/content/article.asp?ID=ME020056
How to configure the antivirus plug-in?: http://www.mailenable.com/kb/content/article.asp?ID=ME020199
Which antivirus solution to use with MailEnable?: http://www.mailenable.com/kb/content/article.asp?ID=ME020144
Product: MailEnable (Pro-Any Pro-1.X Ent-Any Ent-1.X)
Article: ME020326
Module: MTA
Keywords: anti,virus,anti-virus,antivirus,resident,av,detection,scanning
Class: TRB: Troubleshooting (Configuration or Environment)
Revised: Wednesday, May 4, 2016
Author: MailEnable
Publisher: MailEnable