4
More .zip files going right thru ClamAV
Problem reported by Joe Wolf - February 22, 2015 at 4:15 PM
Being Fixed
ClamAV is no longer very effective at stopping trojans, viruses, etc.  I'll try and keep this list updated as we see more infected files that ClamAV is not catching.  If you find any please report them to ClamAV at: http://cgi.clamav.net/sendvirus.cgi
 
2/23/15 Message Subject: Delivery_Notification_00000927366  Attachment: Delivery_Notification_00000927366.zip  VirusTotal Report: https://www.virustotal.com/en/file/cf5650940cb892776e5c85f63f248f7919c77115566fc6c0144c4c5b4ee4255f/analysis/1424646368/
Thanks,
-Joe

5 Replies

0
Steve Reid Replied
February 24, 2015 at 7:04 AM
We do need a more reliable replacement if this is true...
1
Robert Emmett Replied
February 24, 2015 at 8:56 AM
Employee Post
Below is a copy for this thread but also applies.  Bottom line is that we are aware of the issue, and we are taking steps to remedy it.
 
I want to thank everyone who has brought to our attention the shortcomings of ClamAV at this time.  We are aware of the issue, and we are diligently researching options.  For SM 14, at a minimum we are planning on updating the packaged ClamAV to the latest version.  As stated, we are also looking at possible replacements, if necessary.
 
Webio, I have added your suggestion of adding command line scanner results to the SM virus statistics to our features request list.  Obviously, this option would have to be configurable because the various products do return different results.
 
I am changing this thread from a Question to a Problem and marking it as Being Fixed.
Robert Emmett
Software Developer
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
1
Robert Emmett Replied
March 19, 2015 at 1:32 PM
Employee Post
Joe, I want to reassure you that we are looking at a replacement for ClamAV.  As for setting up the command line scanner, please follow the instructions given below (copied from SM 13.x Help).  Please note that SmarterMail does not know (nor assume) that the executable name entered in the command-line file is an anti-virus program and does not quarantine messages discovered by the 3rd party program. You should be able to instruct your anti-virus program to quarantine the message by moving it out of the spool.  Additionally, you may need to increase the Delivery Delay setting to give your anti-virus program ample time to scan the EML file (and potentially quarantine it) before SmarterMail has a chance to act on it.
 
  • Command-Line File - Enable this and enter the full path to an executable you wish to use to process incoming messages. Use %filepath as an argument to pass the path of the email file to the executable. It is allowable for the executable to delete the message to prevent delivery. Example: If you set this field to "c:\program files\myexe.exe %filepath", the program myexe.exe will be launched with the full path to the spool file as its first argument. Note: The command will not be executed if the Enabled box is not checked.
  • Delivery Delay - The number of seconds mail will be held in the spool before it is delivered. A delivery delay is beneficial when you are running a secondary service (such as a virus checker) that needs access to messages prior to delivery, as it provides ample time for the secondary service to interact with the message. By default, the delivery delay is 1 second.
I hope this helps.
Robert Emmett
Software Developer
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
0
Seph Parshall Replied
April 5, 2015 at 9:11 PM
I would like to add that it would be great if there was an Events option for "File Attachment" so that the email will be scanned. The Command Line option is already an Event Action it's just missing the Condition for File Attachment. That way I can set an Event that if a .zip file is attached, then run Command Line argument/file so that the attachment can be scanned.
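An added example (not code from SmarterTools or from any poster in this thread) of a Command-Line File hook of the kind described in the setup instructions above, which also covers the ".zip attachment" condition requested in the reply just before this: it opens the spool file passed as %filepath, lists the members of any .zip attachment, and moves the message out of the spool if a member has an executable extension. The quarantine folder, the extension list, the use of Python on the mail server, and the assumption that the spool file is a plain RFC 822 message are all assumptions of this example.

```python
import email, io, shutil, sys, zipfile
from email import policy
from pathlib import Path

# Assumptions of this example (not from the thread): quarantine folder and
# the list of extensions treated as risky inside a .zip attachment.
QUARANTINE_DIR = Path(r"C:\SmarterMail\Quarantine")  # hypothetical path
RISKY_EXT = {".exe", ".scr", ".pif", ".com", ".js", ".vbs", ".bat", ".cmd"}

def risky_members(eml_bytes):
    """Return 'attachment: member' strings for risky files inside .zip attachments."""
    msg = email.message_from_bytes(eml_bytes, policy=policy.default)
    hits = []
    for part in msg.walk():              # walk() also descends into nested messages
        if part.is_multipart():
            continue
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        # Match on the file name or on the zip local-file-header magic bytes
        if not (name.endswith(".zip") or data[:4] == b"PK\x03\x04"):
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                members = zf.namelist()  # names are readable even if contents are encrypted
        except zipfile.BadZipFile:
            hits.append(f"{name}: unreadable archive")
            continue
        hits += [f"{name}: {m}" for m in members
                 if Path(m).suffix.lower() in RISKY_EXT]
    return hits

def process(eml_path, quarantine_dir=QUARANTINE_DIR):
    """Move the spool file to quarantine when risky; return True if it was moved."""
    eml_path = Path(eml_path)
    hits = risky_members(eml_path.read_bytes())
    if not hits:
        return False
    quarantine_dir.mkdir(parents=True, exist_ok=True)
    shutil.move(str(eml_path), str(quarantine_dir / eml_path.name))
    return True

if __name__ == "__main__":
    # SmarterMail substitutes %filepath with the spool file path (first argument)
    process(sys.argv[1])
```

Because the hook has to finish before SmarterMail delivers the message, the Delivery Delay would need to be longer than the time this script takes on the largest expected attachment.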
0
Matt Petty Replied
April 6, 2015 at 3:27 PM
Employee Post
I know it's your own post but Joe found a good solution and wrote a fantastic resource here: https://portal.smartertools.com/community/a2583/how-to-greatly-improve-clamav-even-zero-hour-style-protection-for-free.aspx
 
Just posting this as a resource for anyone new seeing this article.
Matt Petty
Software Developer
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
