Virus situation - latest?
Question asked by Anthony Salter - 11/16/2016 at 1:52 AM
I'm struggling with viruses that come straight through ClamAV (I don't have Cyren), and yesterday I tried to make improvements using information found on here. I'm currently using version 15.3 and I have followed the guides to ensure the latest fixes/additional sigs are working.
All seems to be working fine: no errors, updating OK and automatically. But since I implemented the changes (adding the extra lines to the ini file), although I now seem to have more sigs loaded in the db according to freshclam.log, I'm suddenly detecting a lot fewer viruses. I have already seen some .gz files go straight through which I cannot download, as the local virus scanner blocks them straight away.
I'm concerned I have messed something up, but I see no indication of this. Yesterday by 8am there were already three pages of 'This message has been quarantined because a virus was found.'; checking the same logs for today, after the hoped-for improvement, I have just half a page in the logs.
I'm confused by the number of loaded sigs, as there are various numbers listed for different lists and I'm not entirely sure what the total to compare is; I have been going by the last number in the update logs, though.
I upgraded from version 12 in September. At that point the log showed I had around 490k sigs with just a couple of sources listed, but after the upgrade it seemed to go down to around 114k with quite a few new sources. Now that I have applied the ini updates, new database files were added and I'm up to around 525k sigs, but as I say the effect of this change seems to be the opposite in regard to detection, and easily detected virus attachments are still going right through.
The scanner and updater are definitely running, so that's something, I guess :)
Can anyone offer any advice/insight to get this tightened up, or is it just a given that you will get viruses without a paid add-on?

Anthony Salter Replied
Just a few more comments on this.
My numbers above were wrong, sorry; exact details below.
If I go by the clamd log, currently I have:
Database correctly reloaded (5425976 signatures)
Previous to the 'fixes':
Database correctly reloaded (114425 signatures)
And in the freshclam log:
Database updated (7474339 signatures) from database.clamav.net
Previous to the fixes:
Database updated (4709123 signatures) from database.clamav.net
I also notice that this line
"main.cvd is up to date (version: 57, sigs: 4218790, f-level: 60, builder: amishhammer)"
hasn't changed for years, which may point to why it's not effective.
One simple test I am doing is sending a series of disguised virus test files using this service: www.emailsecuritycheck.net/index.html
Before any changes I ran this and only email no. 2 or 7 was blocked. I made the changes and also installed and added Avast as a command line scanner, tried it again, and got no better results.
Although I'm not sure about Avast Business free. Maybe it could be used in the past, but right now I can install it and all seems good, updates etc., and I can see the command line exe is called when looking at process manager, but in the Avast management console it states I need a license to run it on a server install, so maybe it's going through the motions and not actually taking any action?
I guess I need to find the logs in Avast to see if it is actually doing anything; the software has been so stripped down over the years.
Basically it appears that despite these changes, tests show it's made no improvement and stats show it has made things worse, although I can't logically see how rolling back the changes to a small set of sigs would improve things.
I would really like to make some progress blocking these virus files, so I would appreciate any advice.
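The three log lines quoted in this post are the ones to compare, and it is easy to compare the wrong pair by hand. The script below is an added example, not code from the post or from SmarterMail/ClamAV: it parses the per-database lines freshclam writes ("X.cvd is up to date (version: N, sigs: M, ...)"), freshclam's "Database updated (N signatures)" total and clamd's "Database correctly reloaded (N signatures)" line, and reports the gaps between them. The sample logs are constructed: the main.cvd line and the two totals are the numbers quoted above, while the daily.cld and bytecode.cvd lines are placeholders with made-up counts, and the regexes assume the log wording shown in the post.

```python
import re

# Constructed sample logs. The main.cvd line and the two totals are the ones quoted
# in the post; the daily.cld and bytecode.cvd lines are placeholders with made-up
# numbers so the per-file sum can be demonstrated.
FRESHCLAM_LOG = """\
main.cvd is up to date (version: 57, sigs: 4218790, f-level: 60, builder: amishhammer)
daily.cld updated (version: 22500, sigs: 1200000, f-level: 63, builder: neo)
bytecode.cvd is up to date (version: 290, sigs: 55, f-level: 63, builder: neo)
Database updated (7474339 signatures) from database.clamav.net
"""

CLAMD_LOG = """\
SelfCheck: Database modification detected. Forcing reload.
Database correctly reloaded (5425976 signatures)
"""

# One line per official database file that freshclam checked or updated.
FILE_RE = re.compile(r"^(\S+\.c[lv]d) (?:is up to date|updated) \(version: (\d+), sigs: (\d+)")
# freshclam's overall count after a run.
FRESH_TOTAL_RE = re.compile(r"Database updated \((\d+) signatures\)")
# What clamd actually has in memory after a reload.
CLAMD_RE = re.compile(r"Database correctly reloaded \((\d+) signatures\)")


def parse_freshclam(text):
    """Return ({file: {version, sigs}}, total) from freshclam log text; total is None if absent."""
    per_file = {}
    total = None
    for line in text.splitlines():
        m = FILE_RE.search(line)
        if m:
            per_file[m.group(1)] = {"version": int(m.group(2)), "sigs": int(m.group(3))}
            continue
        m = FRESH_TOTAL_RE.search(line)
        if m:
            total = int(m.group(1))  # the last run in the log wins
    return per_file, total


def parse_clamd(text):
    """Return the signature count from the most recent clamd reload line, or None."""
    loaded = None
    for line in text.splitlines():
        m = CLAMD_RE.search(line)
        if m:
            loaded = int(m.group(1))
    return loaded


def compare(freshclam_text, clamd_text):
    """Put the three numbers side by side and compute the two gaps worth explaining."""
    per_file, fresh_total = parse_freshclam(freshclam_text)
    loaded = parse_clamd(clamd_text)
    official = sum(v["sigs"] for v in per_file.values())
    return {
        "per_file": per_file,
        "official_sum": official,            # sum of the per-file lines freshclam logged
        "freshclam_total": fresh_total,
        "clamd_loaded": loaded,
        # positive: freshclam's total covers more than the per-file lines it logged
        "freshclam_minus_official": None if fresh_total is None else fresh_total - official,
        # negative: clamd has fewer signatures in memory than freshclam reported
        "clamd_minus_freshclam": None if None in (fresh_total, loaded) else loaded - fresh_total,
    }


if __name__ == "__main__":
    report = compare(FRESHCLAM_LOG, CLAMD_LOG)
    for name, info in report["per_file"].items():
        print(f"{name:14s} version {info['version']:>6}  sigs {info['sigs']:>9,}")
    for key in ("official_sum", "freshclam_total", "clamd_loaded",
                "freshclam_minus_official", "clamd_minus_freshclam"):
        print(f"{key:26s} {report[key]}")
```

The figure that matters for detection is clamd's, because that is what the scanner has in memory after a reload. When it comes out lower than freshclam's total, the scanner holds fewer signatures than the updater reported, and that gap is the one to explain first: which directory clamd reads (DatabaseDirectory in clamd.conf) and whether every file in it is loaded without an error in clamd's log.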
Matt Petty Replied
Employee Post
Have you signed up for securite and tried their signatures? If memory serves they were pretty good, and for a little while we used them by default, but they've since required accounts to be signed up on their website.
Anthony Salter Replied
Hi, thanks for the reply.

Yes, although as far as I know the only reason to access the account is to get the URLs for the sig downloads that are added to the ini file; after that it's automated and there's nothing else you need to do with the account, I believe.

Please let me know if I have overlooked something there?

From my first post...

'I have followed the guides to ensure the latest fixes/additional sigs are working'

I guess it would be nice to know if anyone has a setup with SM that blocks all of the test mails from the above service. It would be nice to see some light at the end of the tunnel; unfortunately there seems to be a lot of darkness around virus detection.
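The hosted test service mentioned earlier in the thread is one way to check; a local one that can be repeated after every config change is to hand clamd the same kind of attachment directly. The script below is an added example, not code from the thread or from SmarterMail: it builds a .gz attachment containing the EICAR test string (the .gz case being the one reported in the first post) and submits both the plain and the gzipped form to clamd over its INSTREAM socket command, the same way a mail server passes clamd a message without writing a temporary file. It assumes clamd is listening on 127.0.0.1:3310 (the default TCPSocket port; change it if yours differs) and that the reply wording is clamd's standard "stream: <signature> FOUND" / "stream: OK". The sample input is constructed (EICAR is a harmless test string, not malware).

```python
import gzip
import io
import socket
import struct

# The standard 68-byte EICAR test string, joined at runtime so that this source file
# is not itself flagged by a desktop scanner.
EICAR = ("X5O!P%@AP[4\\PZX54(P^)7CC)7}$" + "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*").encode("ascii")


def make_gz_attachment(payload, name="invoice.txt"):
    """gzip the payload the way a sender would for a .gz attachment (fixed mtime for reproducibility)."""
    buf = io.BytesIO()
    with gzip.GzipFile(filename=name, mode="wb", fileobj=buf, mtime=0) as gz:
        gz.write(payload)
    return buf.getvalue()


def unpack_gz(blob):
    """Inverse of make_gz_attachment, used to confirm the attachment really contains the payload."""
    return gzip.decompress(blob)


def instream_frames(data, chunk=8192):
    """Frame data for clamd's INSTREAM command: 'zINSTREAM\\0', then one or more
    (4-byte big-endian length, bytes) chunks, terminated by a zero-length chunk."""
    out = bytearray(b"zINSTREAM\0")
    for i in range(0, len(data), chunk):
        piece = data[i:i + chunk]
        out += struct.pack("!I", len(piece)) + piece
    out += struct.pack("!I", 0)
    return bytes(out)


def parse_reply(reply):
    """clamd answers 'stream: <signature> FOUND' or 'stream: OK', NUL-terminated
    because the command was sent with the 'z' prefix. Returns (infected, detail)."""
    text = reply.rstrip(b"\0\n").decode("utf-8", errors="replace")
    if text.endswith(" FOUND"):
        return True, text[len("stream: "):-len(" FOUND")]
    return False, text


def scan_with_clamd(data, host="127.0.0.1", port=3310, timeout=60):
    """Submit data to clamd over TCP (assumed TCPSocket 3310) and return parse_reply's result."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(instream_frames(data))
        reply = b""
        while not reply.endswith(b"\0"):
            part = s.recv(4096)
            if not part:
                break
            reply += part
    return parse_reply(reply)


if __name__ == "__main__":
    for label, blob in (("plain EICAR", EICAR), ("EICAR inside .gz", make_gz_attachment(EICAR))):
        try:
            found, detail = scan_with_clamd(blob)
        except OSError as exc:
            print(f"{label}: could not reach clamd ({exc})")
            continue
        print(f"{label}: {'FOUND ' + detail if found else detail}")
```

If the plain string comes back FOUND but the .gz comes back OK, the signatures are fine and the problem is in archive handling (ScanArchive in clamd.conf) rather than in the signature sets; if both come back OK, clamd is not detecting even the simplest test and the database load is the thing to look at. Running this against the same clamd that SmarterMail calls removes the mail server from the experiment entirely.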

