AV reporting in SMTP(in).log

I have the option checked to refuse to accept messages infected with
viruses. (Content Filter/AntiVirus)
In the SMTP-(in).log file, I get notifications when a message is rejected by
the AV as being infected, but the majority of the time (about 97% in the log
files I looked at), the message says "Message is infected with ???". Once
in a while, I do get a virus name like "Message is infected with
Trojan.Win32.Bayrob.kxz" but that's only once in a while. Is this
something that is happening because the antivirus is being run at SMTP time
and not later in the message processing?




Shay Walters - Feb 10, 2016 2:34 pm (#10 Total: 10)  

 

Probably so.  It's a fairly safe assumption if you have a DOC file that requires the user to "enable macros" and "enable editing" that it's probably malware, without knowing anything about the specific malware variant.  I've told all my users to never enable macros or editing in an attached file.  But the ones who listen to me aren't the ones I'm worried about, so I'm glad to see these getting filtered out.
 

Question marks are used when it doesn't know the name of the virus.  I'm not sure why it doesn't know the name, it could be because the messages are getting flagged for looking dangerous rather than an actual virus being found.

-- 

Arron Caruth
Director of Product Development
Alt-N Technologies
http://www.altn.com
 

Sent using Alt-N's own MDaemon Messaging Server   
Now available with  BYOD Mobile Device Management, 
Document Sharing, Hijacked Account Detection and more.

Get to know the Alt-N family by liking us on Facebook!

From: md-av-plugin@altn.com [mailto:md-av-plugin@altn.com] On Behalf Of Shay Walters
Sent: Wednesday, February 10, 2016 12:27 PM
To: md-av-plugin@altn.com
Subject: [md-av-plugin] AV reporting in SMTP(in).log

No, it was many months ago when the Symantec E.P. got installed and removed.  I've only recently (last few weeks) begun noticing the "???" virus messages.  It's probably been there before, but only recently gotten frequent enough that I noticed it in the logs.

Since my last message here, I've changed MDaemon's settings to not refuse a virus but accept it into the Quarantine folder.  So far, every one has been an email with a MS-Word .DOC attachment that comes up in Word saying it can't be viewed unless you enable editing and scripts.  (I don't, of course.)  I haven't yet found anything marked as a "???" virus that was legit, so even though it's not a specific virus name, the important thing is that it's catching the malware and keeping it out of the users' mailboxes.  I have saved the emails.  If it would be of any benefit for you, I can put them in a passworded ZIP file and send them to you.

Thanks for the suggestions,

-Shay

Hi Shay,

Did the problems start when Symantec was installed on the machine? 

I'm grasping at straws here, but have you tried reinstalling SecurityPlus to see if it corrects the issue?

-- 

Arron Caruth
Director of Product Development
Alt-N Technologies
http://www.altn.com
 


From: md-av-plugin@altn.com [mailto:md-av-plugin@altn.com] On Behalf Of Shay Walters
Sent: Sunday, February 07, 2016 12:47 PM
To: md-av-plugin@altn.com
Subject: [md-av-plugin] AV reporting in SMTP(in).log

OK, thanks anyway.  Since it doesn't accept these messages, I don't have any way to make further offline diagnoses.  I'll look into trying to keep a copy in the bad messages folder or something that won't involve having it delivered to the user, so that I can scan them on another PC and see what shows up.  Based on where these messages are coming from (often eastern europe, asia, etc. or else US-based data-centers), I don't have any reason to think that they're legitimate emails.  If I turn up something worth mention, I'll reply back here.

Hi Shay,

Unless there's an executable from Symantec still running, it doesn't sound likely that it's interfering.

I'm sorry that I don't have an answer as to why you're getting more unidentified but detected viruses flagged than identified ones.

--
Leigh Cain

Quality Assurance Analyst


 

-----Original Message-----
From: Shay Walters <lists-md-anti-virus@altn.com>
To: <md-av-plugin@altn.com>
Date: Fri, 5 Feb 2016 11:56:58 -0500
Subject: [md-av-plugin] AV reporting in SMTP(in).log
 

    Our IT Folks installed Symantec Endpoint Protection on the mail server about 6 months ago, and I went through a many-hours-long ordeal of removing it.  It's entirely possible I missed something, but I got everything done that Symantec said should be done to remove their software.  Since this is happening at SMTP time, it doesn't seem like the file would be sitting around long enough for a third-party scanner to catch and delete it before Kaspersky gets it, but maybe there's still some hook in the system that wakes up a remnant of Symantec whenever a file gets created. 

    Thanks for the thoughts on the subject, though.

-Shay

Hi Shay,

That is fine, that does show you're using the latest version of SecurityPlus. For future reference, you can also check this in MDaemon by clicking on the menu Security | Antivirus, and click on AV Updater. It shows you the version and the Last update day there.

The only other thing I can think might be happening is if you have any third party Antivirus software installed that's not excluding the MDaemon directories, then it's possible it's detecting and cleaning the attachment at the same time and causing some sort of conflict between the two engines.

If that's not the case, then it may be that you are being targeted with newer variants of viruses rather than older, identified ones.

--
Leigh Cain

Quality Assurance Analyst


 

-----Original Message-----
From: Shay Walters <lists-md-anti-virus@altn.com>
To: <md-av-plugin@altn.com>
Date: Sat, 30 Jan 2016 08:54:41 -0500
Subject: [md-av-plugin] AV reporting in SMTP(in).log
 

 > Are you using the latest version of SecurityPlus?
 > Can you confirm that your AV signatures are up to date?

I get an "AV update" email every morning - here's the latest one I got:  (Or
are you looking for something other than that?)


=======================
From: postmaster@controlmanagement.com
To: postmaster@controlmanagement.com
Date: 01/30/2016 07:01
Subject: AV Update: Success - mail.controlmanagement.com - Sat 2016-01-30 07:01:04:

-------------------------------------------------------------------------
SecurityPlus for MDaemon has performed a virus signature update to better
protect your MDaemon mail system.
-------------------------------------------------------------------------
-----------------------------
Date/Time of AntiVirus update
-----------------------------
Sat 2016-01-30 07:01:03
-------------
Update result
-------------
Success
-----------------------
Virus engine statistics
-----------------------
Definition count:  6896333
Definition date:  1/30/2016
SecurityPlus version: 4.5.1


"Leigh Cain" <Leigh.Cain@altn.com> wrote in message
news:MDAEMON-F201601251555.AA5558155md50000008698@mail1.altn.com...
Hi Shay,

The "???" entry is returned when the Kaspersky engine thinks the message
contains a virus, but it doesn't match an exact known variant, so it has no
name to attach to it at that point.

I'm not sure about why you get a majority of infected messages returned as
"???" instead of just some. Are you using the latest version of
SecurityPlus? Can you confirm that your AV signatures are up to date?

--
Leigh Cain
Quality Assurance Analyst



-----Original Message-----
From: Shay Walters <lists-md-anti-virus@altn.com>
To: <md-av-plugin@altn.com>
Date: Mon, 25 Jan 2016 11:29:18 -0500
Subject: [md-av-plugin] AV reporting in SMTP(in).log

I have the option checked to refuse to accept messages infected with
viruses.  (Content Filter/AntiVirus)
In the SMTP-(in).log file, I get notifications when a message is rejected by
the AV as being infected, but the majority of the time (about 97% in the log
files I looked at), the message says "Message is infected with ???".   Once
in a while, I do get a virus name like "Message is infected with
Trojan.Win32.Bayrob.kxz" but that's only once in a while.   Is this
something that is happening because the antivirus is being run at SMTP time
and not later in the message processing?




------------------------------------------------------
View/reply at <http://lists.altn.com/WebX?13@@.59861a99>

--MD-AV-PLUGIN-------------------------------------------------------
This list is for questions and discussion about AntiVirus plugins for
MDAEMON. To unsubscribe from this mailing list send an email to
md-av-plugin-unsubscribe@altn.com .
--POWERED BY MDAEMON!------------------------------------------------

---------------------------------------------------------------------
These forums are provided by Alt-N Technologies for user-to-user
support and discussion.  Alt-N staff members may participate in the
forums periodically but please recognize that this is not the official
method of receiving technical support. To receive personal technical
support please use the form here:
http://www.altn.com/Support/RequestSupport/
---------------------------------------------------------------------
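Two of the checks this thread ends up doing by hand can be scripted, so here is an added example (mine, not MDaemon, SecurityPlus or Alt-N code). It tallies how often the AV verdict written to SMTP(in).log is the unnamed "???" versus a named detection such as Trojan.Win32.Bayrob.kxz, and it gives a first-pass triage of the quarantined .DOC attachments by looking for a VBA macro storage inside the OLE2 container. The sample log lines are constructed: only the phrase "Message is infected with <name>" comes from the thread, the timestamp layout and the other lines are assumed. The macro check is a heuristic over raw bytes, not a full Compound File parser, and a hit means "carries macros", not "is malicious"; confirm with a proper OLE/VBA tool on an isolated machine.

```python
"""Triage helpers for the "Message is infected with ???" question.

Added example for this thread, not MDaemon, SecurityPlus or Alt-N code.
It counts unnamed "???" AV verdicts versus named ones in an SMTP(in).log
excerpt, and flags legacy .DOC attachments that carry a VBA macro storage.
"""
import re
from collections import Counter

# Constructed sample log.  Only the phrase "Message is infected with <name>"
# is taken from the thread; the timestamp layout and other lines are assumed.
SAMPLE_LOG = """\
Mon 2016-01-25 09:12:01: Message is infected with ???
Mon 2016-01-25 09:40:17: Message is infected with Trojan.Win32.Bayrob.kxz
Mon 2016-01-25 10:02:55: Message is infected with ???
Mon 2016-01-25 10:31:09: Message is infected with ???
Mon 2016-01-25 10:45:33: Accepting message for delivery
Mon 2016-01-25 11:03:48: Message is infected with ???
"""

VERDICT_RE = re.compile(r"Message is infected with (\S+)")


def tally_av_verdicts(log_text):
    """Return (Counter of detection names, fraction of verdicts that are '???')."""
    counts = Counter(m.group(1) for m in VERDICT_RE.finditer(log_text))
    total = sum(counts.values())
    unnamed = counts.get("???", 0)
    return counts, (unnamed / total if total else 0.0)


# Legacy .doc files are OLE2 / Compound File Binary (CFB) containers.
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
# Storages Word creates for VBA code.  Their presence is a strong macro
# indicator, but it does not by itself prove the macros are malicious.
MACRO_STORAGE_NAMES = ("Macros", "VBA", "_VBA_PROJECT")


def _has_directory_entry(data, name):
    """Heuristic CFB directory scan without following the sector chains.

    Each directory entry is 128 bytes and sector-aligned, so its UTF-16LE,
    NUL-terminated name sits at a 128-byte boundary and the name length in
    bytes (terminator included) follows at entry offset 64.  Requiring both
    avoids matching the same word inside ordinary document text.
    """
    encoded = name.encode("utf-16-le") + b"\x00\x00"
    length_field = len(encoded).to_bytes(2, "little")
    start = 0
    while True:
        pos = data.find(encoded, start)
        if pos < 0:
            return False
        if pos % 128 == 0 and data[pos + 64:pos + 66] == length_field:
            return True
        start = pos + 2


def looks_macro_enabled(data):
    """True if data is an OLE2 file that carries a VBA macro storage."""
    if not data.startswith(OLE_MAGIC):
        return False
    return any(_has_directory_entry(data, n) for n in MACRO_STORAGE_NAMES)


def build_fake_ole(entry_names):
    """Constructed fixture: a 512-byte header plus one directory sector.

    Only the magic, the entry names and the name-length fields are filled in,
    which is enough to exercise the heuristic; it is not a valid document.
    """
    header = OLE_MAGIC.ljust(512, b"\x00")
    entries = b""
    for name in entry_names:
        encoded = name.encode("utf-16-le") + b"\x00\x00"
        entry = encoded.ljust(64, b"\x00") + len(encoded).to_bytes(2, "little")
        entries += entry.ljust(128, b"\x00")
    return header + entries


if __name__ == "__main__":
    counts, ratio = tally_av_verdicts(SAMPLE_LOG)
    print(f"verdicts: {dict(counts)}  unnamed share: {ratio:.0%}")
    macro_doc = build_fake_ole(["Root Entry", "WordDocument", "Macros", "VBA"])
    plain_doc = build_fake_ole(["Root Entry", "WordDocument"])
    print("macro doc:", looks_macro_enabled(macro_doc))
    print("plain doc:", looks_macro_enabled(plain_doc))
```

To use it on a real server, read the day's SMTP(in).log into `tally_av_verdicts` and feed each file pulled from the Quarantine folder to `looks_macro_enabled`. A high unnamed share together with a run of macro-bearing .DOC files points the same way Arron suggests: the engine is flagging the attachment for looking dangerous rather than matching a catalogued variant. The quarantine copies are live malware, so do the triage on a machine that is not the mail server and keep the samples inside the password-protected archive otherwise.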
