More .zip files going right thru ClamAV
Problem reported by Joe Wolf - 2/22/2015 at 4:15 PM
Resolved
ClamAV is no longer very effective at stopping trojans, viruses, etc.  I'll try and keep this list updated as we see more infected files that ClamAV is not catching.  If you find any, please report them to ClamAV at: http://cgi.clamav.net/sendvirus.cgi
 
2/23/15
Message Subject: Delivery_Notification_00000927366
Attachment: Delivery_Notification_00000927366.zip
VirusTotal Report: https://www.virustotal.com/en/file/cf5650940cb892776e5c85f63f248f7919c77115566fc6c0144c4c5b4ee4255f/analysis/1424646368/
Thanks,
-Joe

13 Replies

Joe Wolf Replied
Had about a dozen more today. This is getting rather serious. I'm wondering if the ClamAV consortium has fallen apart. No replies from virus submissions despite their promise to do so. Viruses and Trojans I submitted over 2 weeks ago are still not picked up by ClamAV. SmarterTools, this is a VERY SERIOUS ISSUE.
Thanks, -Joe
Steve Reid Replied
We do need a more reliable replacement if this is true...
Employee Replied
Employee Post
Below is a copy for this thread but also applies.  Bottom line is that we are aware of the issue, and we are taking steps to remedy it.
 
I want to thank everyone who has brought to our attention the shortcomings of ClamAV at this time.  We are aware of the issue, and we are diligently researching options.  For SM 14, at a minimum we are planning on updating the packaged ClamAV to the latest version.  As stated, we are also looking at possible replacements, if necessary.
 
Webio, I have added your suggestion of adding command line scanner results to the SM virus statistics to our features request list.  Obviously, this option would have to be configurable because the various products do return different results.
 
I am changing this thread from a Question to a Problem and marking it as Being Fixed.
Joe Wolf Replied
2/26/2015
Message Subject: Your Sales Invoice
Attachment: 131234.zip
Payload: Win32.Trojan.Downloader-pdf.Auto
Report: https://www.virustotal.com/en/file/01a2267b79a65b4896f9a916dd63729fe24d596045717ffead1d8502eda7de1c/analysis/1424968929/
Thanks, -Joe
Joe Wolf Replied
I'm working on a solution using Avira which seems to be the most effective virus scanner right now. Your help with a proper command line would be greatly appreciated. The issue is far from resolved. We had over 200 messages today that went right thru ClamAV and Microsoft Security Essentials. Avira caught 100% of them. Avira seems to have a good command line scanner. PLEASE WORK WITH US. So what if it costs $100 per year (maybe ways to get around that fee). WE NEED TO STOP THIS NOW. Today we had nearly 2000 viruses/trojans go right thru ClamAV. WE NEED HELP. All the old info from the forums is GONE, and your Knowledge Base fails to document any command line scanner. The last time you did so was v10 and those KB articles are dead links. PLEASE HELP NOW!!! Call me, work with me, whatever it takes. We need this problem solved. We are NOT meeting our fiduciary duty to do acceptable virus scanning at this time. 62% is unacceptable.
Thanks, -Joe
Employee Replied
Employee Post
Joe, I want to reassure you that we are looking at a replacement for ClamAV.  As for setting up the command line scanner, please follow the instructions given below (copied from SM 13.x Help).  Please note that SmarterMail does not know (nor assume) that the executable name entered in the command-line file is an anti-virus program and does not quarantine messages discovered by the 3rd party program. You should be able to instruct your anti-virus program to quarantine the message by moving it out of the spool.  Additionally, you may need to increase the Delivery Delay setting to give your anti-virus program ample time to scan the EML file (and potentially quarantine it) before SmarterMail has a chance to act on it.
 
  • Command-Line File - Enable this and enter the full path to an executable you wish to use to process incoming messages. Use %filepath as an argument to pass the path of the email file to the executable. It is allowable for the executable to delete the message to prevent delivery. Example: If you set this field to "c:\program files\myexe.exe %filepath", the program myexe.exe will be launched with the full path to the spool file as its first argument. Note: The command will not be executed if the Enabled box is not checked.
  • Delivery Delay - This number of seconds mail will be held in the spool before it is delivered. A delivery delay is beneficial when you are running a secondary service (such as a virus checker) that needs access to messages prior to delivery, as it provides ample time for the secondary service to interact with the message. By default, the delivery delay is 1 second.
I hope this helps.
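As an added example (not SmarterTools' code and not posted by anyone in this thread), here is a wrapper that SmarterMail could launch through the Command-Line File setting described above, e.g. "C:\Python\python.exe C:\scripts\spool_check.py %filepath". It parses the spool .eml, flags .zip attachments whose members have executable extensions (the invoice.zip / .exe pattern Joe reports), optionally runs a third-party command-line scanner, and moves flagged messages out of the spool into a quarantine folder so SmarterMail never delivers them. The quarantine path, the extension list, the idea that a non-zero scanner exit code means "detected", and the sample messages are all assumptions made for the example:

```python
"""Added example wrapper for SmarterMail's Command-Line File hook (not SmarterTools' code).
Invoked as:  python spool_check.py <spool .eml path>   (SmarterMail fills in %filepath)."""
import email
import io
import os
import shutil
import subprocess
import sys
import tempfile
import zipfile
from email import policy
from email.message import EmailMessage
from typing import Dict, List, Optional

# Assumed: archive members or direct attachments with these extensions are hostile.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs", ".jar"}
QUARANTINE_DIR = r"C:\SmarterMail\Quarantine"   # assumed location, outside the spool


def suspicious_zip_members(data: bytes) -> List[str]:
    """Names of zip members that look executable; 'invoice.pdf.exe' is caught by its final suffix."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return []
    return [n for n in names if os.path.splitext(n)[1].lower() in EXECUTABLE_EXTS]


def inspect_eml(raw: bytes) -> List[str]:
    """Parse the RFC 822 message and return the reasons it should be quarantined (empty = clean)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    for part in msg.walk():
        filename = part.get_filename()
        if not filename:
            continue
        ext = os.path.splitext(filename)[1].lower()
        payload = part.get_payload(decode=True) or b""
        if ext == ".zip" or payload.startswith(b"PK\x03\x04"):   # trust the magic, not the name
            for member in suspicious_zip_members(payload):
                reasons.append(f"{filename} contains executable {member}")
        elif ext in EXECUTABLE_EXTS:
            reasons.append(f"direct executable attachment {filename}")
    return reasons


def external_scanner_flags(path: str, scanner_cmd: Optional[List[str]]) -> bool:
    """Run a command-line scanner; '{file}' in the template is replaced by the spool path.
    Assumption: non-zero exit means a detection (true for ClamAV's clamscan; check your scanner's docs)."""
    if not scanner_cmd:
        return False
    cmd = [path if arg == "{file}" else arg for arg in scanner_cmd]
    return subprocess.run(cmd, capture_output=True).returncode != 0


def process_spool_file(path: str, quarantine_dir: str = QUARANTINE_DIR,
                       scanner_cmd: Optional[List[str]] = None) -> List[str]:
    """Return the quarantine reasons; if any, the file has already been moved out of the spool."""
    with open(path, "rb") as fh:
        raw = fh.read()
    reasons = inspect_eml(raw)
    if external_scanner_flags(path, scanner_cmd):
        reasons.append("external scanner reported a detection")
    if reasons:
        os.makedirs(quarantine_dir, exist_ok=True)
        shutil.move(path, os.path.join(quarantine_dir, os.path.basename(path)))
    return reasons


def build_sample_eml(attachment_name: str, member_name: str) -> bytes:
    """Constructed sample message (not a captured one) carrying a one-member zip attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, b"MZ this is placeholder content, not a program")
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "billing@example.invalid", "user@example.invalid", "Your Sales Invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename=attachment_name)
    return msg.as_bytes()


def demo() -> Dict[str, object]:
    """Round-trip a lure and a benign message through a temporary spool/quarantine pair."""
    with tempfile.TemporaryDirectory() as tmp:
        spool, quarantine = os.path.join(tmp, "Spool"), os.path.join(tmp, "Quarantine")
        os.makedirs(spool)
        bad, good = os.path.join(spool, "bad.eml"), os.path.join(spool, "good.eml")
        with open(bad, "wb") as fh:
            fh.write(build_sample_eml("invoice.zip", "invoice.pdf.exe"))
        with open(good, "wb") as fh:
            fh.write(build_sample_eml("scan.zip", "scan.pdf"))
        return {
            "bad_reasons": process_spool_file(bad, quarantine),
            "bad_still_in_spool": os.path.exists(bad),
            "bad_in_quarantine": os.path.exists(os.path.join(quarantine, "bad.eml")),
            "good_reasons": process_spool_file(good, quarantine),
            "good_still_in_spool": os.path.exists(good),
        }


if __name__ == "__main__":
    found = process_spool_file(sys.argv[1]) if len(sys.argv) > 1 else demo()["bad_reasons"]
    print("quarantined: " + "; ".join(found) if found else "clean")
```

Because SmarterMail only launches the executable and then delivers whatever is still in the spool, the Delivery Delay has to be longer than the wrapper's worst-case run time (including any external scanner it calls), and the quarantine folder must be outside the spool so the moved file is not picked up again.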
ellisfr Replied
We got several trojans in "scan.zip" files in the last few days, undetected by ClamAV. I scanned the file with an online tool (virustotal.com), and ClamAV didn't detect it, but Cyren does. I understand Cyren is the new name for the CommTouch add-on, so what about this solution? I'm surprised it is not mentioned here. I started the trial period to see if we get fewer viruses.
Joe Wolf Replied
I tried to work with F-Prot (Cyren) but their command line scanner doesn't seem to have the ability to scan a single file. I tested Avira but their command line scanner is very slow and uses a LOT of memory. I nearly lost control of my server within a few minutes when I tried Avira. I also tested AVG and it was the most promising. Their command line scanner is very fast and memory efficient, but I did have a problem that AVG created many log files and ended up causing problems. ClamAV is worse than ever. Today alone the number of .zip attachments with .exe payloads that went right thru ClamAV was in the hundreds. Even if you submit them to the ClamAV team they do nothing about it (if anyone is still on the project). It's a severe problem.
Thanks, -Joe
Joe Wolf Replied
Here's an example... we had 833 of these invoice.zip files go right thru ClamAV today. VirusTotal reports that all the major scanners catch it, but not ClamAV. This is very serious! https://www.virustotal.com/en/file/70d31b763623d811038636d2e2bedc3ba243dc996893f4d9d3c71790f2d33fe8/analysis/1427922861/
Thanks, -Joe
ellisfr Replied
Joe, I'm not talking about command line scanner but about the Cyren (formerly Commtouch) Zero-hour Antivirus add-on. http://smartertools.com/smartermail/mail-server-antivirus.aspx#cyren-antivirus
Joe Wolf Replied
I have found a SOLUTION to the ClamAV problem and am doing some final testing. I think this is a major breakthrough! It's simple to implement, and the cost is FREE. I will write up detailed information in a new thread after a day or two of testing. I have the solution running right now and I've thrown every virus that went right thru ClamAV today at it and ALL were caught. So far results are amazing.
Thanks, -Joe
Seph Parshall Replied
I would like to add that it would be great if there was an Events option for "File Attachment" so that the email will be scanned. The Command Line option is already an Event Action it's just missing the Condition for File Attachment. That way I can set an Event that if a .zip file is attached, then run Command Line argument/file so that the attachment can be scanned.
Matt Petty Replied
Employee Post
I know it's your own post but Joe found a good solution and wrote a fantastic resource here: https://portal.smartertools.com/community/a2583/how-to-greatly-improve-clamav-even-zero-hour-style-protection-for-free.aspx
 
Just posting this as a resource for anyone new seeing this article.
Matt Petty Senior Software Developer SmarterTools Inc. www.smartertools.com
