Questions related to ClamAV and Cyren Zero-hour Antivirus
Question asked by Nathan Harrington - 7/13/2016 at 7:42 PM
I'm hoping some of you can shed some insight on these questions related to the workings of ClamAV and Cyren AV.
1a. Under Security > Antivirus Administration > Options there is a setting for Virus Quarantine with options of None, 15 days, and 30 days. For the 15/30-day settings, I'm assuming that offending messages are sent to the Virus Quarantine for that number of days, after which they are simply deleted. Is that correct?
1b. What happens to the messages if the Virus Quarantine setting is set to None? Are the messages deleted? Sent to the recipient's mailbox? Tagged in some way?
1c. To which mechanisms does the Virus Quarantine setting apply? ClamAV? Cyren? Both? It appears to be generically listed under Options in the Antivirus section; however, Cyren has its own set of options for Virus, High, and Medium results, while ClamAV, on the other hand, has no options for how to handle offending messages. How does the Virus Quarantine fit into the picture?
2. Are messages that are sent to the Virus Quarantine automatically rescanned periodically and potentially sent on to the recipient (e.g., a bad signature update results in false-positives; new signature update corrects the issue; are the messages that reside in the Virus Quarantine automatically rescanned using the updated signatures in order to potentially release previously detected false-positives)?
3. Are senders and/or recipients notified in any way when a message is detected by ClamAV, detected by Cyren, and/or sent to the Virus Quarantine?
4a. Is there some way for recipients to review/release messages that have been sent to the Virus Quarantine, or is review of the Virus Quarantine exclusive to the System Administrator?
4b. If review of the Virus Quarantine is exclusive to the System Administrator, how are you handling this? With SM v12, I was seeing enough false positives in the Virus Quarantine that I needed to review it on a daily basis. Thus far with SM v15 (upgraded early this morning), I'm seeing significantly more activity in the Virus Quarantine than with SM v12. I'm assuming this is related to the implementation of ClamSup. Much of it appears to be legitimate blockage, but not necessarily virus-related even though that's what it's being flagged as in the Delivery log. This is problematic in the sense that spam detected via the AntiSpam mechanisms lands in Junk Email for users to deal with. Spam detected by ClamAV appears to land in the Virus Quarantine where it seems that I have to deal with it. There remain enough false-positives that I will need to review the Virus Quarantine on a daily basis, if not multiple times per day due to the increase in messages quarantined, but now I have more messages to wade through than before. How do you manage this?
5. How does the ClamAV / Cyren setup work? Which scan occurs first? Do all messages go through both mechanisms, or if the first mechanism detects a virus, does it skip the second mechanism?
6. Is there an easy way for me to see statistics about how many messages are detected by each of ClamAV and Cyren Zero-hour Antivirus? I found...
Reports > Dashboards > System Statistics > Security shows how many viruses have been deleted, but doesn't give any indication of which mechanism detected them.
Reports > System Summary Reports > Spam and Virus Reports > Viruses shows me virus counts detected by domain, further broken down by user, but again doesn't give any indication of which mechanism detected them.
Reports > System Trend Reports > Traffic Reports > ClamAV shows me ClamAV connections, but there isn't any info about number of viruses detected.
Reports > System Trend Reports > Spam and Virus Reports > Viruses shows me virus counts by day, but there is no indication of which mechanism detected them.
Reports > System Trend Reports > Spam and Virus Reports > Cyren Zero-hour Antivirus shows me a breakdown of Virus, High, Medium results for Cyren, which is potentially useful, but questions...are these the messages that passed through ClamAV undetected and were then detected by Cyren, or do all messages pass through Cyren regardless of ClamAV, and this is what Cyren detected regardless of whether ClamAV detected them as well?
Interestingly, in running this report from 7/14/15 through 7/13/16 (1 year), Cyren has detected a total of TWELVE Virus/High/Medium results. This doesn't seem reasonable to me at all. We've been running SM v12 with Commtouch AV until today (now SM v15 with Cyren AV), but still...12 detections in an entire year? It seems unlikely to me that we would be that immune to seeing viruses. Are viruses being blocked before Commtouch/Cyren scans them, and thus not detected by Commtouch/Cyren? Are viruses coming in and passing through both ClamAV and Commtouch/Cyren undetected?

We haven't received complaints from users about viruses getting through, but twelve virus detections in an entire year simply isn't worth $450/year (cost of Cyren AV). If I disable ClamAV, should I see an increase in Cyren detections?

I feel like I need to see more detail about what's actually happening, but I'm not sure where to look for it. I can see ClamAV detections in the delivery log. Are the Cyren detections/blocks logged somewhere as well?
Any/All thoughts and suggestions are welcome.
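Item 6 above asks for per-engine detection counts that the built-in reports do not provide. One way to get a first approximation is to tally the verdict lines in the delivery log yourself. The script below is an added example, not code or a log format from SmarterMail or from the poster: the sample log lines and the "Virus detected by <engine>: <name>" layout are constructed for the example, and the regular expression would have to be adapted to the real delivery log before use. It also groups ClamAV hits by the first dotted component of the signature name, on the assumption that third-party signature sets prefix their signatures with the set name, which gives a rough idea of which database is generating the noise.

```python
"""Tally antivirus verdicts per engine and per ClamAV signature prefix.

Added example; the delivery-log format below is an ASSUMPTION constructed
for this example, not SmarterMail's actual format.
"""
import re
from collections import Counter

# Constructed sample delivery-log lines (hypothetical layout).
SAMPLE_LOG = """\
[2016.07.13] 09:01:12 [1001] Virus detected by ClamAV: Sanesecurity.Junk.12345 - message deleted
[2016.07.13] 09:02:44 [1002] Virus detected by Cyren: High - message quarantined
[2016.07.13] 09:05:09 [1003] Delivery for user@example.com to mx.example.net completed
[2016.07.13] 09:07:30 [1004] Virus detected by ClamAV: Eicar-Test-Signature - message quarantined
[2016.07.13] 09:09:15 [1005] Virus detected by ClamAV: Sanesecurity.Spam.67890 - message deleted
"""

# Assumed verdict line shape: "Virus detected by <engine>: <signature or level>".
VERDICT_RE = re.compile(r"Virus detected by (?P<engine>\w+): (?P<name>[\w.\-]+)")


def tally(log_text):
    """Return (hits per engine, ClamAV hits per signature-name prefix)."""
    by_engine = Counter()
    by_prefix = Counter()
    for line in log_text.splitlines():
        match = VERDICT_RE.search(line)
        if not match:
            continue  # ordinary delivery line, not a verdict
        engine = match.group("engine")
        name = match.group("name")
        by_engine[engine] += 1
        if engine == "ClamAV":
            # Heuristic (assumption): third-party signature sets prefix the
            # signature name with the set name, e.g. "Sanesecurity.Junk...",
            # so the first dotted component hints at which database fired.
            by_prefix[name.split(".")[0]] += 1
    return by_engine, by_prefix


if __name__ == "__main__":
    engines, prefixes = tally(SAMPLE_LOG)
    for engine, count in engines.most_common():
        print(f"{engine}: {count}")
    for prefix, count in prefixes.most_common():
        print(f"  ClamAV prefix {prefix}: {count}")
```

Run it against a real log by replacing SAMPLE_LOG with the file contents and adjusting VERDICT_RE; the prefix breakdown is only as reliable as the signature naming convention of the databases in use.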

3 Replies

Nathan Harrington Replied
Just a quick update on this. Since our upgrade to v15.1.6005 last week, ClamAV is driving me nuts. It's blocking far more mail than it used to, and as near as I can tell, users have no ability to review, mark not spam, or anything, of the messages that get blocked. That pushes that burden to me, and quite frankly, I've got better things to do. Even worse, ClamAV is stopping legitimate mail, including outbound mail from our customers, which it never did before. I can't have that.
In all fairness, a significant portion of what is being blocked is being blocked legitimately, but there are enough false positives that I can't just look the other way and ignore them.  Beyond that, some portion of the messages that are being blocked appear to be nothing more than spam, which doesn't really warrant complete blockage from users; filing in Junk Email would be far more appropriate.  I considered disabling some of the ClamSup databases, but the logs don't give enough information for me to tell which databases I need to disable; the virus/malware detection strings provided don't give a clear indication of which database they reside in.
I looked into disabling all the extra stuff (the ClamSup stuff) and reverting back to just plain ClamAV, but none of the old/original ClamAV databases that existed prior to our upgrade from v12 appear to exist anymore, which leads me to believe that if I remove the ClamSup databases, that ClamAV essentially won't be doing anything because it doesn't have any other databases.  I really don't want to disable ClamAV entirely, but the current situation simply isn't a workable one as I don't have time to sit here and review all of these messages for false positives every day, or worse, several times a day.
YS Tech Replied
So I assume you never found out what the quarantine options actually mean.
Does the "None" option actually delete the email or let it through?
I am currently receiving thousands of virus quarantined items / day and would like them to just be deleted, but if I select "None" is that actually what it will do?
Employee Replied
Anthony, correct. Setting the Quarantine to None will simply delete the message.
