

More attachments in quarantine

Benno Goedhart - 04:41am, Mar 3 2017

Hi,

Recently more attachments are going into the quarantine queue. Most of them are .docx, .zip or .7z files. Why are they
being held? Is it because they are password protected? What can I do to prevent these attachments from going to the
quarantine queue?

Is it wise to add these extensions to the exclusion list of password protected files?

Some examples;

----------------------------------------------------------------------
Attachment        Virus name     Action taken
----------------------------------------------------------------------
m87va06e.docx;    NOT_SCANNED    Message Quarantined


and;

X-CAV-Result: encrypted
X-CAV-VirusName: Heuristics.Encrypted.7Zip


--
With kind regards,

Benno Goedhart

Internet Unie Services B.V.
Lemelerbergweg 28 • 1101 AH Amsterdam • +31(0)20-4630506 • www.iu.nl



--MD-SUPPORT--------------------------------------------------------------
This list is for questions and discussion about MDAEMON. To unsubscribe
from this mailing list send an email to md-support-unsubscribe@altn.com .
--POWERED BY MDAEMON!-----------------------------------------------------

--------------------------------------------------------------------------
These forums are provided by Alt-N Technologies for user-to-user
support and discussion. Alt-N staff members may participate in the
forums periodically but please recognize that this is not the official
method of receiving technical support. To receive personal technical
support please use the form here:
http://www.altn.com/Support/RequestSupport/
--------------------------------------------------------------------------





Arron Caruth (apparently) - Mar 3, 2017 8:51 am (#1 Total: 9)  

via email  

The first example doesn't provide sufficient information to know why; however, I would be suspicious of a Word document with a file name of m87va06e.docx. This is not normally how people name Word documents. If you still have this message, the X-MDAV and X-CAV headers will provide more information about why.

The second example is because of ClamAV. By default we have ClamAV configured to block encrypted files. These files cannot be scanned, so to be safe we quarantine them. If you'd like to change the behavior, you can edit the clamd.conf file in the MDaemon\SecurityPlus\ClamAVPlugin\Conf directory and change "ArchiveBlockEncrypted yes" to "ArchiveBlockEncrypted no". Save the file and restart ClamAV.

-- 
Arron Caruth
Director of Product Development
Alt-N Technologies
http://www.altn.com
 






Benno Goedhart (apparently) - Mar 3, 2017 9:03 am (#2 Total: 9)  

via email  

Hi Arron,

I'll try the settings for ClamAV in a minute. The extra headers for the .docx attachment are;

X-MDAV-Result: infected
X-MDAV-Infected: m87va06e.docx

X-CAV-Result: clean

So that is not really helpful I guess.


On 3-3-2017 14:51, Arron Caruth wrote:
> The first example doesn't provide sufficient information to know why; however, I would be suspicious of a Word document with a file name of m87va06e.docx. This is not normally how people name Word documents. If you still have this message, the X-MDAV and X-CAV headers will provide more information about why.
>
> The second example is because of ClamAV. By default we have ClamAV configured to block encrypted files. These files cannot be scanned, so to be safe we quarantine them. If you'd like to change the behavior, you can edit the clamd.conf file in the MDaemon\SecurityPlus\ClamAVPlugin\Conf directory and change "ArchiveBlockEncrypted yes" to "ArchiveBlockEncrypted no". Save the file and restart ClamAV.



--
With kind regards,

Benno Goedhart

Internet Unie Services B.V.
Lemelerbergweg 28 • 1101 AH Amsterdam • +31(0)20-4630506 • www.iu.nl
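
Added example, not part of the original thread and not Alt-N code: a triage sketch that reads the X-MDAV and X-CAV headers discussed above and separates "ClamAV could not scan an encrypted file" from an actual engine detection, since only the former is affected by ArchiveBlockEncrypted. The sample messages are constructed from the header lines quoted in this thread; the function names, category labels and the handling of any header value not shown on the page are assumptions.

```python
from collections import Counter
from email import message_from_string

# Constructed samples; header names and values are the ones quoted in this thread.
SAMPLES = {
    "msg-7z": ("Subject: archive\nX-CAV-Result: encrypted\n"
               "X-CAV-VirusName: Heuristics.Encrypted.7Zip\n\nbody\n"),
    "msg-docx": ("Subject: invoice\nX-MDAV-Result: infected\n"
                 "X-MDAV-Infected: m87va06e.docx\nX-CAV-Result: clean\n\nbody\n"),
    "msg-none": "Subject: hello\n\nbody\n",
}


def classify(raw):
    """Return (reason, detail) explaining why a quarantined message was held."""
    msg = message_from_string(raw)
    cav = (msg.get("X-CAV-Result") or "").strip().lower()
    cav_name = (msg.get("X-CAV-VirusName") or "").strip()
    mdav = (msg.get("X-MDAV-Result") or "").strip().lower()
    mdav_file = (msg.get("X-MDAV-Infected") or "").strip()

    # An engine detection outranks a "could not scan" result: changing
    # ArchiveBlockEncrypted would not release such a message.
    if mdav == "infected":
        return ("mdav-detection", mdav_file or "unknown attachment")
    if cav == "encrypted" or cav_name.startswith("Heuristics.Encrypted."):
        # ClamAV could not look inside the file; nothing was matched.
        return ("clamav-encrypted", cav_name or "encrypted")
    if cav and cav != "clean":
        # Assumption: any other X-CAV-Result value is treated as a ClamAV hit.
        return ("clamav-other", cav_name or cav)
    if not cav and not mdav:
        return ("no-av-headers", "")
    return ("clean-by-headers", "")


def triage(messages):
    """Classify every message and count how many fall into each reason."""
    results = {mid: classify(raw) for mid, raw in messages.items()}
    return results, Counter(reason for reason, _ in results.values())


if __name__ == "__main__":
    results, counts = triage(SAMPLES)
    for mid, (reason, detail) in results.items():
        print(f"{mid}: {reason} {detail}".rstrip())
    print(dict(counts))
```

Messages in the "clamav-encrypted" bucket are the ones the clamd.conf change would let through unscanned; the .docx case from this thread lands in "mdav-detection" instead.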








