ESET NOD as an additional virus scanner
Question asked by Martin Schaible - March 3, 2015 at 4:20 PM
Answered
Hello
 
We have ESET File Security on our servers running. Of course, the data directory of SmarterMail is excluded from any scanning.
 
The virus scanner offers a command-line scanner, which could be integrated into SmarterMail via the "Command-Line" option in the UI.

My question: Does anyone have experience with how a virus scanner behaves in this way? The scanner returns error codes depending on the result. How does SmarterMail deal with those codes to check whether a mail is clean or not?

Many thanks
 
Martin

34 Replies

0
Shane Hollis Replied
I tried with nod32 on the command line and it locked up my entire mail / spool. Not a good look. Do test thoroughly if you are doing it.
 
Also Nod32 has a couple of different versions - one handles exchange and may be more appropriate for a mail server.
 
 
 
0
Webio Replied
Try this:
 
YOURESETPATH\ecls.exe /base-dir="C:\Server\ESET\FileSecurity" /no-boots /sfx /rtp /adware /unsafe /unwanted /pattern /heur /clean-mode=NONE /no-log-console %FILEPATH
0
Webio Replied
Additional note: the SmarterMail command line does not allow configuring return codes, so basically SM does not know whether a mail contained a virus or not and there will be no stats about it. This has been pointed out in various recent ClamAV threads and SmarterTools is aware of it.
 
Check:
 
2
Joe Wolf Replied
Marked As Answer
ALL of the old command line anti-virus scanners are obsolete when it comes to SmarterMail. SmarterTools has removed all the command line scanner options from the knowledge base, and removed all previous forum information that would be helpful. They are working with Cyren... so you can either use ClamAV at 62% efficiency or Cyren Zero Hour or Cyren, which costs a fortune and is no better than ClamAV.
 
I've tried to communicate this MAJOR ISSUE to SmarterTools, but all I get are vague and misleading answers.  
 
Sad.  I think we could use Avira and it's the best there is right now, but no way to pass the message to Avira unless SmarterTools helps us.  So far they have refused.
 
ClamAV is nearly WORTHLESS and I suggest you notify ALL users that you no longer have an effective anti-virus solution and nobody is cooperating. Hope they use a good one. We see hundreds per day go straight through ClamAV. It's essentially worthless since Cisco took them over. The pattern files haven't been changed in any significant way in about a year. I expect ClamAV to go away soon.
 
Your only options at this point are (as I see it):
1.  Notify your customers that your anti-virus product is not effective for any newer virus, spyware, or trojans and they need to protect themselves.
 
2.  Move them to Office 365 or the Google service that have modern virus scanning.
 
This is a MAJOR screw up by SmarterTools and all we get in reply is that "we're looking into it".  
 
I've been in discussions with Avira and they want to help, but SmarterMail won't pass the message to their great command line scanner in any way we've found.  Avira is the most effective of all virus scanners in the last 60 days and very, very low false positive rate.  ClamAV is at only 62% at catching older infected files and even worse at newer ones (maybe 1 - 2 % at best).
 
Again SmarterTools won't listen, won't respond, and doesn't seem to give a damn.  Sorry but that's the truth.  They even eliminated all the old forum and knowledge base articles to use third party command line scanners.  The function in SmarterMail to use a third party scanner is useless.
 
The 3rd option would be to use Declude, but they don't seem to have the program well documented or updated as far as I can tell. I'd love to use it, but it broke DMARC and DKIM the last time I used it.
 
Thanks,
-Joe
1
Webio Replied
Joe, IMHO the SmarterTools command line works as it worked before. I've tested it with ESET File Security using the command line I gave in my previous message (so basically this thread is not about ESET NOD but about ESET File Security) and it worked correctly, but the licensing model in my environment is a no-go for me (1 File Security license when buying 5 licenses for the NOD Endpoint Suite), so I've decided to use something else and for now I'm testing Avast connected with Declude, which I was already using, also because I have some virus logging in Declude which is not possible with command-line scanning directly from SmarterMail.
 
When it comes to Declude, it is no longer breaking DKIM tests (I was the person who reported this to Declude and kept pinging them for a few months, and this issue was fixed about two weeks ago). Also I think Declude is not so hard to use, and when it comes to virus configuration I can provide my configuration (it is almost identical to the one provided on the mailbestfriend website, but I've disabled some internal Declude virus tests because they were causing false positives).
For example, in Declude's virus.cfg for Avast scanning you only need to use the following (you don't need to add a %FILEPATH-like variable as you do with SmarterMail):
 
SCANFILE X:\PATH\AvastBusiness\ashCmd.exe /a /c /t=A /_

VIRUSCODE 1
If you can provide the Avira command-line scanning utility path with params, I can test it on my end with SmarterMail and Declude and see what it gives.
0
Webio Replied
One more thing. Avira, just like Avast, is not free (neither of them can be installed on Windows Server versions). I've compared their license cost and actually the cost is almost the same, with the difference that Avast must be bought with at least 5 licenses where Avira requires only 3. In my environment I need 4 licenses for gateways and there will probably soon be another gateway, so 5 licenses is ok for me. http://www.avira.com/en/for-business https://www.avast.com/en-us/endpoint-protection-suite
0
Webio Replied
There is also one more thing with Avira and their Endpoint Security license. It looks like when buying an Endpoint Security license you can protect one file server and X workstations, whereas Avast allows installing their licensed products on workstation and server systems without any limits.
0
Joe Wolf Replied
Webio, no I'm not saying that the functionality of the command line feature has changed, but all previous documentation of it is gone. Many people did a lot of hard work to get the best possible setup for the various anti-virus products out there and all have been deleted by SmarterTools. That's what frustrates me. They even refer to Knowledgebase articles that no longer exist.
Thanks,
-Joe
0
Webio Replied
Joe - take a look here: https://www.avast.com/business. Free version which can be used on Windows Server systems and has command line scanner.
0
Joe Wolf Replied
According to this page: http://avast.helpmax.net/en/product-comparison/ you need at least the Pro paid version, but it won't run on servers, their server software is rather expensive.
Thanks,
-Joe
0
Webio Replied
IMHO this is something totally different. I just registered and downloaded installer and I've activated it from central cloud management console without any problems. There is paid version but free version is more than enough for our purposes.
0
Joe Wolf Replied
I didn't look at their cloud based services. We have two problems with that. First, we can't compromise our customers' security by sending their data to a third party, and secondly it would double our bandwidth usage. We have to use an endpoint solution.
Thanks,
-Joe
0
Webio Replied
But this is not a cloud solution. AV is installed locally with local software and virus DB. The cloud is only for management. No files are sent outside. You are just managing your Avast software from their page and that's it.
0
Joe Wolf Replied
OK, I understand what you're doing now. You're using the $175/yr product and yes it will install on a server. I thought you were implying that their free version would work, but those products won't install on a server. I have some additional information from Avira that I will try tomorrow which would lower the cost to $105/yr and has many more command line options and rates as the best antivirus available. Avira has suggested the use of a .cmd script and it looks promising.
Thanks,
-Joe
0
Webio Replied
Ok. Clarification: I was testing their paid product (I haven't ordered it yet), but in response to one of my questions they suggested "I would honestly recommend to use our new business security product". So it looks like avast.com/business is something new and free. "Avast for Business Business-grade protection starting at a price every business can afford. Free." So I signed up, downloaded the installer and ran it, and it replaced my previous Endpoint trial software with the new one from the business line, which I had no problem activating. It looks like the installer is customised, and when software is installed using the downloaded installer the system appears on their website for managing their products remotely, but the software itself is installed locally and I still use the same command-line ashCmd.exe file which I was using previously. So basically I have a good AV solution for free.
0
Joe Wolf Replied
The one you link to is cloud managed and although it may install locally it sends all the info to Avast and we just can't allow that. When I try and install the endpoint (not free) version on Windows Server 2008r2 it fails with "OS Not Supported".
Thanks,
-Joe
0
Webio Replied
I've sent them question about it. I'll let you know when I get the answer.
0
Joe Wolf Replied
The answers are here: http://files.avast.com/files/legal/eula-avast-business-security.pdf Read section 9. They're data mining the hell out of the data and you're giving them the right to share the data. No thanks, not for me.
Thanks,
-Joe
0
Martin Schaible Replied
Thanks very much for all this information. I had really forgotten that Declude is able to deal with virus scanners ;-( Regarding your answers, it makes more sense to start there with NOD.
 
I have used the products from ESET for more than a decade and I was never disappointed. Even the license model is quite good and not really expensive. As far as I remember I paid around 700 dollars/Swiss francs for 25 licenses (clients or servers) for four years. That's okay, I think.
 
Cheers
0
Webio Replied
Let us know about Avira testing then.
0
Joe Wolf Replied
I got Avira to work, but it's very slow and each message spawns another process that uses a lot of memory. Unusable. I now have AVG installed and working. AVG is very fast and uses very little memory. ClamAV runs first then AVG and today alone AVG caught 12 infected messages that ClamAV didn't catch. I'll do a complete how-to on AVG as soon as I'm sure it's stable and working properly. AVG is not quite as good as Avira or Avast, but much better than ClamAV.
Thanks,
-Joe
0
Webio Replied
On my end I didn't manage to install AVG. When I was installing the free version it was always asking for a license key (even on systems which never had AVG installed). How about AVG licensing? Since it is free, does it say anything about sharing information with AVG servers? Or maybe you are not using the free version but their AVG File Server edition?
0
Steve Reid Replied
A while back I had attempted to use AVG; there were posts on the old forum referencing it. I found it behaved the same as the others, where it was spawning a new process for every email. At one point I thought I got it working well, however a while later the server was locked up with a ton of AVG processes consuming all the memory.
0
Webio Replied
IMHO all AV solutions will work the same way, since this is command-line scanning. To make AV scanning behave in a different way some kind of integration must be made between SM and the AV solution. For now, on my end all emails are being scanned using the Avast solution (ashCmd.exe spawned by Declude for all emails) and I have no issues with too many resources being used by scanners. Actually the ESET File Server command-line tool was using more resources than the Avast command line. I haven't tested AVG yet.
0
Joe Wolf Replied
No, I had to use the AVG Server version, which is not very expensive (if you buy the 2-year license it's about $32 per year). Yes, it spawns a new process, but in the case of AVG it only lasts a fraction of a second and uses very little memory. The load on the server is much less than ClamAV. I have run into one problem with AVG that has caused me to pull it for now. It creates HUGE log files and I have to find a way to turn that off. AVG does have a bit of a different way of handling infected files... in most cases it just removes the attachment and allows the remaining non-dangerous parts of the message to be delivered.
Thanks,
-Joe
0
Opt-Out Replied
/clean-mode=None? Doesn't that defeat the purpose of running the scan? /clean-mode=Standard will attempt to automatically clean or delete infected files.
0
Webio Replied
It all depends how you use it. I'm using AV command line scanner with Declude which moves virus messages to separate directory and that's why I'm not doing anything else than having true/false for message containing a virus.
0
Opt-Out Replied
Ah, sorry. I read the original post and he referred to using it as a command line scanner in SM which doesn't seem to be able to return codes. If someone grabs your example and puts it in to SM command-line it's not going to do anything :)
0
Webio Replied
Joe, one more thing, since the licensing issue has stopped you from using Avast. Have you checked the paid AVG license when it comes to submission of various information from infected files? I've also found out why AV scanning on my end is using very low resources. This is caused by Declude, which makes a prescan on processed emails, and only part of them are scanned by the AV software. When I switched to scanning all messages CPU usage went to 100%, so maybe this is some kind of solution for those with high-volume mail server usage.
0
Martin Schaible Replied
Hello
 
I forgot to give some feedback. I have integrated ESET File Security into our mail server. Declude makes our life easy for this.
 
First I switched the silly AVG scanner off. Remember that AVG no longer delivers signature updates once the license is no longer valid.
 
# Turn off the internal AVG scanner
BUILTINSCANNER    OFF
 
# The following options allow you to limit scanning to only incoming or outgoing E-mail.
INCOMING    ON
OUTGOING    OFF
 
I switched off outbound scanning to save resources. Before your alarm lights go on: I use Declude's hijacker to avoid any mass outbound deliveries.
 
These are the two lines to add NOD into virus.cfg:
 
# ESET
# See: http://help.eset.com/ees/6/de-DE/index.html?advanced_cmd.htm
SCANFILE C:\Progra~1\esetfi~1\ecls.exe /base-dir="C:\Progra~1\esetfi~1" /quar-dir="D:\SmarterMail\_Quarantine" /log-file="D:\SmarterMail\Logs\ESET\ecls.log" /log-all /quarantine /no-ads /no-boots /no-unsafe /no-unwanted /arch /sfx /rtp /adware /pattern /heur /adv-heur /clean-mode=NONE /no-log-console
VIRUSCODE 50
 
Important:
- Declude needs the old 8.3 syntax to access the directories.
- VIRUSCODE 50 triggers Declude if a virus was caught.
 
Maybe the parameters can be optimized, we'll see.
 
After getting more experience with this, I will stop the logging for every scanned mail and change it to only infected mails.
At this time, I didn't experience much more CPU load, measured with PRTG (WMI sensor).
 
 
 
0
Webio Replied
CPU load is low because Declude performs a prescan and does not scan all messages using the provided AV command-line scanner (when running the command-line scanner directly from SmarterMail all messages will be scanned and you will for sure notice higher CPU usage):
# Declude can pre-scan HTML files.  If no dangerous code is detected, the 
# virus scanner will not get called.  This can significantly cut down on CPU usage.
PRESCAN        ON
param in the virus scanning configuration file. When it comes to virus scanning I was running the free Avast business solution with params:
 
SCANFILE c:\.....\AVAST\AvastBusiness\ashCmd.exe /a /c /t=A /_

VIRUSCODE 1
 
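The recurring problem in the posts above is that SmarterMail's "Command-Line" option runs the scanner but ignores its exit code, so the verdict is lost unless something else (Declude's VIRUSCODE, or a wrapper you put in front of the scanner) acts on it. The following is an added example, not code from this thread, from ESET or from Declude: a small Python wrapper that runs a command-line scanner with a hard timeout, maps its exit code to an explicit verdict, and moves the spool file to a quarantine directory itself. The ecls exit-code table (0 no threat, 1 threat cleaned, 10 some files not scanned, 50 threat found, 100 error) is taken from the ecls documentation the thread links and should be checked against your installed version; the Avast table only reflects the VIRUSCODE 1 line posted above; the ecls path, the %FILEPATH placeholder substitution and the fake scanner in demo() are constructed for the example.

```python
"""Exit-code wrapper around a command-line AV scanner (added example).

SmarterMail's Command-Line option ignores what the scanner returns, so the
wrapper must act on the verdict itself before the message is released.
Assumptions: ecls exit codes per ESET's ecls docs (verify for your version);
Avast table per the thread's VIRUSCODE 1; paths and demo scanner constructed."""
import shutil
import subprocess
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import Callable, Dict, List, Optional

ESET_ECLS_CODES: Dict[int, str] = {
    0: "clean", 1: "cleaned", 10: "unscannable", 50: "infected", 100: "error",
}
AVAST_ASHCMD_CODES: Dict[int, str] = {0: "clean", 1: "infected"}

Runner = Callable[[List[str]], int]  # argv -> exit code (may raise TimeoutExpired)


@dataclass
class ScanResult:
    verdict: str                       # clean|cleaned|infected|unscannable|error|timeout
    exit_code: Optional[int]
    quarantined_to: Optional[Path] = None


def run_scanner(argv: List[str], timeout_s: float = 60.0) -> int:
    """Real runner: execute the scanner with a hard timeout so a wedged
    scanner cannot hold the spool thread forever (the lock-ups in the thread)."""
    proc = subprocess.run(argv, timeout=timeout_s,
                          stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return proc.returncode


def scan_message(msg_path: Path, scanner_argv: List[str], codes: Dict[int, str],
                 quarantine_dir: Path, fail_closed: bool = True,
                 runner: Runner = run_scanner) -> ScanResult:
    """Scan one spool file and move it to quarantine when it must not be delivered.

    With fail_closed=True anything that is not a known clean/cleaned code
    (unscannable archives, unknown codes, errors, timeouts) is also held,
    so an unexpected exit code never passes a message through as clean."""
    argv = [a.replace("%FILEPATH", str(msg_path)) for a in scanner_argv]
    try:
        rc: Optional[int] = runner(argv)
    except subprocess.TimeoutExpired:
        rc = None
    verdict = "timeout" if rc is None else codes.get(rc, "error")
    result = ScanResult(verdict, rc)
    if verdict in ("clean", "cleaned"):
        return result
    if verdict == "infected" or fail_closed:
        quarantine_dir.mkdir(parents=True, exist_ok=True)
        dest = quarantine_dir / msg_path.name
        shutil.move(str(msg_path), str(dest))
        result.quarantined_to = dest
    return result


def demo(fail_closed: bool = True) -> Dict[str, ScanResult]:
    """Constructed demo: a fake ecls that answers by file name, no real scanner."""
    def fake_ecls(argv: List[str]) -> int:
        target = argv[-1]
        if target.endswith(".bad"):
            return 50                       # threat found
        if target.endswith(".hang"):
            raise subprocess.TimeoutExpired(argv, 60)
        if target.endswith(".weird"):
            return 7                        # code not in the table
        return 0

    root = Path(tempfile.mkdtemp())
    spool, quarantine = root / "spool", root / "_Quarantine"
    spool.mkdir()
    # Hypothetical ecls invocation in the 8.3 form used in the thread.
    argv = [r"C:\Progra~1\esetfi~1\ecls.exe", "/clean-mode=NONE",
            "/no-log-console", "%FILEPATH"]
    out: Dict[str, ScanResult] = {}
    for name in ("ok.eml", "evil.bad", "slow.hang", "odd.weird"):
        p = spool / name
        p.write_text("Subject: constructed test message\r\n\r\nbody\r\n")
        out[name] = scan_message(p, argv, ESET_ECLS_CODES, quarantine,
                                 fail_closed=fail_closed, runner=fake_ecls)
    return out


if __name__ == "__main__":
    for name, r in demo().items():
        print(f"{name}: {r.verdict} (rc={r.exit_code}) -> {r.quarantined_to}")
```

Point the SmarterMail command line (or Declude's SCANFILE) at this wrapper instead of at ecls.exe directly, and the quarantine directory becomes the record of what was caught; with fail_closed left on, a hung or crashing scanner holds mail rather than letting it through.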
1
echoDreamz Replied
We've been running a product we created that interfaces with the Emsisoft Commandline Scanner product. It has been working with perfect success in catching incoming / outgoing infected attachments. Much better than ClamAV, and it even caught some items that Cyren did not.
 
The Emsisoft product is extremely inexpensive as well, $50 annually. It has performed extremely well in all of our tests, no issues with performance (even though the scanner can only process one request at a time).
 
Our product is used by SmarterMail to queue up the requests to the scanner, as well as determine if the message has any attachments that need to be scanned etc. We have about 2 dozen mail servers that we manage running it as well with very positive results and extremely happy users :)

Christopher

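Several posts above describe the same failure mode: one scanner process is spawned per message, and a burst of mail exhausts memory and locks the spool. The reply above solves it by queuing requests in front of a scanner that handles one request at a time. The following is an added example, not the thread's code and not the product described above: a gate that bounds how many scanner invocations run concurrently and makes waiting callers block instead of spawning. scan_fn stands in for whatever scans one file and returns a verdict (for instance a subprocess wrapper); the fake scanner, the file names and the 12-message burst in demo() are constructed.

```python
"""Bounded gate in front of a command-line scanner (added example).

SmarterMail hands the command line one message at a time as messages
arrive, so concurrent deliveries mean concurrent scanner processes.  The
semaphore below caps that; max_parallel=1 serialises scans, which is what a
scanner that only handles one request at a time needs.  scan_fn and the
demo burst are stand-ins, not any vendor's code."""
import threading
import time
from concurrent.futures import ThreadPoolExecutor
from typing import Callable, Dict, List


class BoundedScanner:
    def __init__(self, scan_fn: Callable[[str], str], max_parallel: int = 1):
        self._scan = scan_fn
        self._gate = threading.Semaphore(max_parallel)
        self._lock = threading.Lock()
        self._in_flight = 0
        self.peak_in_flight = 0          # observed maximum, for verification
        self.last_results: Dict[str, str] = {}

    def scan_one(self, path: str) -> str:
        """Block until a scanner slot is free, then scan exactly one file."""
        with self._gate:
            with self._lock:
                self._in_flight += 1
                self.peak_in_flight = max(self.peak_in_flight, self._in_flight)
            try:
                return self._scan(path)
            finally:
                with self._lock:
                    self._in_flight -= 1

    def scan_many(self, paths: List[str], callers: int = 8) -> Dict[str, str]:
        """Simulate `callers` concurrent delivery threads each handing in a
        message; only max_parallel scans ever run at the same moment."""
        with ThreadPoolExecutor(max_workers=callers) as pool:
            futures = {path: pool.submit(self.scan_one, path) for path in paths}
            self.last_results = {p: f.result() for p, f in futures.items()}
        return self.last_results


def demo(max_parallel: int = 1, burst: int = 12) -> BoundedScanner:
    """Constructed burst against a fake scanner that takes 10 ms per file
    and flags every fourth one (spool/0.bad, spool/4.bad, spool/8.bad)."""
    def fake_scan(path: str) -> str:
        time.sleep(0.01)
        return "infected" if path.endswith(".bad") else "clean"

    scanner = BoundedScanner(fake_scan, max_parallel=max_parallel)
    paths = [f"spool/{i}.{'bad' if i % 4 == 0 else 'eml'}" for i in range(burst)]
    scanner.scan_many(paths)
    return scanner


if __name__ == "__main__":
    s = demo(max_parallel=1)
    print("peak concurrent scanners:", s.peak_in_flight)
    print(sum(v == "infected" for v in s.last_results.values()), "messages flagged")
```

With max_parallel set to the number of scanner processes the box can afford, the rest of the burst waits in memory-cheap threads rather than as extra scanner processes; in a real deployment the gate would live in a long-running service so that the limit holds across all of SmarterMail's delivery threads.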
0
Neat! Would you be willing to share the command line syntax config you're using as you've defined in SmarterMail for this?
0
echoDreamz Replied
It is not just command-line syntax. We've created a custom Windows Service / command-line interface to the service in order to properly queue up requests / logging etc. A few of our test customers have requested adding email notifications to it as well. We will be linking to the product here soon.

Christopher
