"Clean" viruses?

Edmund Cramp - 12:58pm, Nov 24 2020

The message headers are:

X-SPScan-Result: infected
X-SPScan-VirusName: HTML/Agent.CN
X-MDBadQueue-Reason: WARNING! infected with virus (HTML/Agent.CN)
X-MDAV-Result: clean

My policy is to quarantine everything suspicious so it's not a problem but I'm seeing a few of these, in addition the daily virus statistics are not recording them - I guess probably because it's an infection attempt, not an actual virus in the message? I'm sending all of the messages to virusfn@mdaemon.com


Edmund Cramp - Apr 6, 2022 8:38 am (#17 Total: 18)  

 

The only "end goal" for us is to avoid infections.
I expect that scanning the quarantined message that MD has not detected via VirusTotal is updating the AV vendors. I also send them to MD via the quarantine reporting option but a lot of the time the messages are rejected - I see that as a good thing but since the quarantine queue hasn't been scanned it's a little work for me.
When VirusTotal says it's a malicious message then I delete it. Clean quarantined messages are reviewed but that's very rare to find a clean quarantine.
I just see a repeated scan of the quarantine queue as relatively low processing cost but making the AV a little more efficient - this is just an idea, I'm only a mail-server user ... any happily confident using MD, it's stopping malware all the time every day.

Arron Caruth - Apr 6, 2022 8:56 am (#18 Total: 18)  

>I expect that scanning the quarantined message that MD has not detected via VirusTotal is updating the AV vendors.

I've heard rumors that VirusTotal does send information to AV vendors, but I've not been able to get Cyren to confirm that.  And the most important thing, in my opinion, is how timely the information is.  If VirusTotal only sends information to AV vendors once a week, it is far less valuable than real-time information.

>I just see a repeated scan of the quarantine queue as relatively low processing cost but making the AV a little more efficient

It could also be very resource-intensive. Not all email Administrators maintain the quarantine queue, so the quarantine could have thousands and thousands of messages sitting in it.  

You could automate a portion of the process.  For example, you could have a PowerShell script attempt to report the messages to us as misclassifications.  If we reject the message as infected, then you know it's already been addressed and the message could be deleted.  You could use PowerShell to check VirusTotal and take action based on the results.  

I'm not completely opposed to scanning the quarantine on an interval, we just can't have it be a burden on the system.  And in order for it to be helpful and not a burden, the quarantine needs to be managed. 

Actually, if you are willing to burn an email user account, you could probably have the quarantine scanned on the same interval as the mailbox scanning occurs, but that might not be frequent enough.

--
Arron Caruth
Vice President of Product Development
o: 817-601-3222    e: Arron.Caruth@mdaemon.com

MDaemon Technologies
Simple Secure Email

Visit us on www.mdaemon.com | Facebook | LinkedIn | YouTube
Sent using the MDaemon Email Server

--MD-AV-PLUGIN-------------------------------------------------------
This list is for questions and discussion about AntiVirus plugins for
MDAEMON. To unsubscribe from this mailing list send an email to 
md-av-plugin-unsubscribe@mdaemon.com .
--POWERED BY MDAEMON!------------------------------------------------

---------------------------------------------------------------------
These forums are provided by MDaemon Technologies for user-to-user 
support and discussion.  MDaemon staff members may participate in the 
forums periodically but please recognize that this is not the official
method of receiving technical support. To receive personal technical 
support please use the form here:
http://www.mdaemon.com/Support/RequestSupport/
---------------------------------------------------------------------
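
A first triage pass for the kind of automation suggested in the reply above, written as an added example that is not part of the thread and not MDaemon's own code: it reads the scan headers quoted in the first post from each quarantined message and lists the ones where the two results disagree. It assumes quarantined messages are plain RFC 5322 text files with a `.msg` extension in a folder you pass in; the folder path, the output column names and the constructed sample message are all assumptions.

```powershell
# Added example. Header names come from the first post; everything else is assumed.
# Usage: .\Find-EngineDisagreement.ps1 -QuarantinePath <your quarantine folder>
param([string]$QuarantinePath)

if (-not $QuarantinePath) {
    # No folder given: build one constructed sample message so the script runs offline.
    $QuarantinePath = Join-Path ([System.IO.Path]::GetTempPath()) 'quarantine-sample'
    New-Item -ItemType Directory -Path $QuarantinePath -Force | Out-Null
    @('X-SPScan-Result: infected', 'X-SPScan-VirusName: HTML/Agent.CN',
      'X-MDAV-Result: clean', 'Subject: constructed sample', '', 'body') |
        Set-Content -LiteralPath (Join-Path $QuarantinePath 'sample.msg')
}

function Get-MessageHeaders {
    param([string]$Path)
    $headers = @{}
    $name = $null
    foreach ($line in [System.IO.File]::ReadLines($Path)) {
        if ($line -eq '') { break }                     # blank line ends the header block
        if ($line -match '^[ \t]' -and $name) {         # folded continuation of previous header
            $headers[$name] += ' ' + $line.Trim()
        }
        elseif ($line -match '^([^:\s]+):\s*(.*)$') {
            $name = $Matches[1].ToLowerInvariant()
            # A repeated header is appended, so a second, conflicting value stays visible.
            if ($headers.ContainsKey($name)) { $headers[$name] += '; ' + $Matches[2] }
            else { $headers[$name] = $Matches[2] }
        }
    }
    $headers
}

$report = foreach ($file in Get-ChildItem -LiteralPath $QuarantinePath -Filter '*.msg' -File) {
    $h = Get-MessageHeaders -Path $file.FullName
    [pscustomobject]@{
        File      = $file.Name
        SPScan    = $h['x-spscan-result']
        MDAV      = $h['x-mdav-result']
        VirusName = $h['x-spscan-virusname']
        Disagree  = ($h['x-spscan-result'] -match 'infected') -and ($h['x-mdav-result'] -match 'clean')
        SHA256    = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
    }
}

# Messages one scanner flagged and the other passed: the candidates for reporting or review.
$report | Where-Object Disagree | Format-Table File, VirusName, SPScan, MDAV, SHA256
```

The script only reads the files, so it can run against a live quarantine folder; limiting it to a managed, regularly emptied folder keeps the cost low, which is the concern raised in the reply.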



