"Clean" viruses?
Edmund Cramp
Novice Posts: 239
MDaemon Outlook Connector WebAdmin
The message headers are:
X-SPScan-Result: infected
X-SPScan-VirusName: HTML/Agent.CN
X-MDBadQueue-Reason: WARNING! infected with virus (HTML/Agent.CN)
X-MDAV-Result: clean
My policy is to quarantine everything suspicious so it's not a problem, but I'm seeing a few of these. In addition, the daily virus statistics are not recording them - I guess probably because it's an infection attempt, not an actual virus in the message? I'm sending all of the messages to virusfn@mdaemon.com.
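Added example, not part of the original post and not MDaemon's own code: a small triage helper that reads the four headers quoted above and flags messages where one scanner reports "infected" and another reports "clean". Only the header names and the values "infected" and "clean" come from the post; every other value is treated as unknown, and the function names and sample message are constructed for illustration.

```python
from email import message_from_string

# Header names are the ones quoted in the post. What each scanner writes for
# other outcomes is not shown on the page, so any value other than
# "infected" or "clean" is reported as "unknown" (assumption).
SCANNER_HEADERS = {"SPScan": "X-SPScan-Result", "MDAV": "X-MDAV-Result"}


def verdicts(msg):
    """Return {scanner: 'infected' | 'clean' | 'unknown' | 'absent'}."""
    out = {}
    for scanner, header in SCANNER_HEADERS.items():
        value = msg.get(header)
        if value is None:
            out[scanner] = "absent"
            continue
        value = value.strip().lower()
        out[scanner] = value if value in ("infected", "clean") else "unknown"
    return out


def triage(raw_message):
    """Classify one raw RFC 5322 message by how its scanner verdicts agree."""
    msg = message_from_string(raw_message)
    v = verdicts(msg)
    seen = set(v.values())
    if "infected" in seen and "clean" in seen:
        status = "disagreement"   # one engine flagged it, another passed it
    elif "infected" in seen:
        status = "infected"
    elif seen == {"clean"}:
        status = "clean"
    else:
        status = "incomplete"     # a verdict is missing or unrecognised
    return {
        "status": status,
        "verdicts": v,
        "virus_name": msg.get("X-SPScan-VirusName"),
        "bad_queue_reason": msg.get("X-MDBadQueue-Reason"),
    }


# Constructed sample: the four headers from the post, plus placeholder
# From/Subject lines and body.
SAMPLE = (
    "From: sender@example.invalid\n"
    "Subject: constructed sample\n"
    "X-SPScan-Result: infected\n"
    "X-SPScan-VirusName: HTML/Agent.CN\n"
    "X-MDBadQueue-Reason: WARNING! infected with virus (HTML/Agent.CN)\n"
    "X-MDAV-Result: clean\n"
    "\nbody\n"
)

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Messages that come back as "disagreement" are the ones worth holding in quarantine and rechecking after the next definitions update.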
Edmund Cramp
- Feb 24, 2022 8:03 am
(#12 Total: 18)
Edmund Cramp
Novice Posts: 239
MDaemon Outlook Connector WebAdmin
We just had two malware deliveries which arrived at 5:14am this morning. At 6:40am I checked the queue and verified them at VirusTotal, which showed a lot of detections, so I reported them both to MDaemon and Virus False Negative and they were both rejected. This made me check my Security Antivirus update logs for the most recent AV updates: ClamAV had been updated at 4:01am and is still saying that it's up-to-date. Cyren Anti-Virus was updated at 4:11am and all checks since then say "The last updater run was less than an hour ago. Scheduled update is skipped".
So if we are sent any more copies of these viruses then they will clearly sail through - this makes me wonder what anti-virus service mail service MDaemon is using...
Arron Caruth
- Feb 24, 2022 9:35 am
(#13 Total: 18)
Posts: 1
We are using Cyren AntiVirus and ClamAV, just like you. As I have mentioned previously we are working with Cyren on implementing systems to allow viruses to be detected more quickly. We are testing these systems on our servers.
Based on what I'm seeing in the logs, this system is not what is enabling us to detect the files as malicious, I think it just comes down to timing. Although the system would likely solve this issue for you as you wouldn't have to wait on the next update.
Based on what I see, the server that received the inbound SMTP sessions from you installed an update at 5:41 AM and again at 6:41 AM. Either of these updates could have included the definitions to detect the messages as malicious.
Our logs show the two inbound sessions that I believe are from you at 6:43:13 and 6:43:05.
On Thu, 24 Feb 2022 08:03:44 -0500, "lists-md-anti-virus@mdaemon.com (Edmund Cramp)" <lists-md-anti-virus@mdaemon.com> wrote:
We just had two malware deliveries which arrived at 5:14am this morning. At 6:40am I checked the queue and verified them at VirusTotal, which showed a lot of detections, so I reported them both to MDaemon and Virus False Negative and they were both rejected. This made me check my Security Antivirus update logs for the most recent AV updates: ClamAV had been updated at 4:01am and is still saying that it's up-to-date. Cyren Anti-Virus was updated at 4:11am and all checks since then say "The last updater run was less than an hour ago. Scheduled update is skipped".
So if we are sent any more copies of these viruses then they will clearly sail through - this makes me wonder what anti-virus service mail service MDaemon is using...
--MD-AV-PLUGIN-------------------------------------------------------
This list is for questions and discussion about AntiVirus plugins for
MDAEMON. To unsubscribe from this mailing list send an email to
md-av-plugin-unsubscribe@mdaemon.com .
--POWERED BY MDAEMON!------------------------------------------------
---------------------------------------------------------------------
These forums are provided by MDaemon Technologies for user-to-user
support and discussion. MDaemon staff members may participate in the
forums periodically but please recognize that this is not the official
method of receiving technical support. To receive personal technical
support please use the form here:
http://www.mdaemon.com/Support/RequestSupport/
---------------------------------------------------------------------
Edmund Cramp
- Feb 24, 2022 2:54 pm
(#14 Total: 18)
Edmund Cramp
Novice Posts: 239
MDaemon Outlook Connector WebAdmin
Replying to:
Arron Caruth (Feb 24, 2022 9:35 am)
We are using Cyren AntiVirus and ClamAV, just like you. As I have mentioned previously we are working with Cyren...
Yes, those sessions would have been mine - I'm not complaining about this, just letting you know what's happening. This is just a thought ... would it be better to accept and delete all detected viruses? Effectively, thinking like a hacker, I see "Viruses refused" as providing feedback to the malware authors that they need to update their malware whereas if we were just accepting the viruses and deleting them, then the malware might not get updated so often?
I'll try reconfiguring MD to do this.
Edmund Cramp
- Apr 6, 2022 7:50 am
(#15 Total: 18)
Edmund Cramp
Novice Posts: 239
MDaemon Outlook Connector WebAdmin
This is just an idea: MD can scan all the mailboxes every day and occasionally finds infections in users' spam folders, but I'm quarantining virtually all messages with attachments that I see as potential infections ... e.g. *.gz, *.zip, *.bat, *.exe etc., and then I check suspicious messages by uploading them to VirusTotal after reviewing the headers.
It might be a useful option for the future to add the option to do an AV scan of quarantine folder contents every hour.