Are ClamAV & Cyren basically useless?
Question asked by Joe Dellaragione - 6/19/2018 at 12:08 PM
I have ClamAV activated, but I do not subscribe to "Cyren Zero-hour Antivirus". My users get emails constantly with things like "Invoice.doc" or "Payroll.xls" from shady domains, but they open them anyway no matter how many times we train them to be careful. I always download the attachments in question and upload them to VirusTotal, and AV modules such as Fortinet, McAfee and TrendMicro see these files as viruses. But ClamAV and Cyren are almost always CLEAN. They end up getting blocked by the virus programs on the computers, but what do you guys do for antivirus? Is there any better way to protect?

3 Replies

Scarab Replied
As for ClamAV out of the box we weren't catching much of anything, but after adding in the signatures from Sanesecurity.net and Securiteinfo.com (usage instructions for the former are at http://sanesecurity.com/usage/signatures/ and if I remember correctly you have to sign up for the latter at https://www.securiteinfo.com/services/improve-detection-rate-of-zero-day-malwares-for-clamav.shtml) we now catch the lion's share of viruses, and the attachments that get through that contain bad juju are very rare.
Also don't hesitate to be heavy-handed with your Incoming Attachment Blocklist (SETTINGS > GENERAL > ATTACHMENTS). At a minimum you should set this to match Gmail's (https://support.google.com/mail/answer/6590?hl=en), although we have expanded our own list by 80 more file types to a grand total of 117 that are blocked. With the proliferation of file sharing services (and the File Storage function in SmarterMail) it wouldn't be entirely unreasonable to block even the more common file types such as .xls and .doc in email (depending on your users' expectations, needs, and requirements).
We still advise users to run an AV program on their device and keep it updated regularly, never open unsolicited attachments from an unrecognized sender, yadda-yadda-yadda, etc., but stopping the bad attachments before they get to their Inbox is still the best defense.
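As an added illustration of the attachment-blocklist idea in the reply above (example code, not SmarterMail's own filter or anything from this thread): a small Python filter that rejects attachments by extension, treats a double extension such as "Payroll.xls.exe" as the blocked type, and looks one level inside .zip archives. The blocklist is an assumed short subset of a Gmail-style list, and the sample message is constructed inline.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Assumed subset of a Gmail-style blocklist; a production list is much longer.
BLOCKED_EXTENSIONS = {"exe", "js", "vbs", "scr", "bat", "cmd", "hta", "jar", "msi", "ps1", "lnk"}
# Archive types whose contents are inspected, since a blocked file can hide inside a .zip.
ARCHIVE_EXTENSIONS = {"zip"}

def extensions_of(filename):
    """All dotted suffixes, lowercased, so 'invoice.pdf.exe' yields ['pdf', 'exe']."""
    return [part.lower() for part in filename.split(".")[1:]]

def is_blocked_name(filename):
    """Blocked if ANY suffix is on the list, not just the last one (catches double extensions)."""
    return any(ext in BLOCKED_EXTENSIONS for ext in extensions_of(filename))

def blocked_attachments(raw_message):
    """Return the attachment names that would be rejected, inspecting zip contents one level deep."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        exts = extensions_of(name)
        if is_blocked_name(name):
            hits.append(name)
        elif exts and exts[-1] in ARCHIVE_EXTENSIONS:
            try:
                with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                    hits.extend(f"{name}:{n}" for n in zf.namelist() if is_blocked_name(n))
            except zipfile.BadZipFile:
                hits.append(name)  # malformed archive: reject rather than guess
    return hits

def build_sample_message():
    """Constructed test message: a clean PDF, a double-extension executable, and a zip wrapping a script."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "billing@example.invalid", "user@example.invalid", "Invoice"
    msg.set_content("See attached.")
    msg.add_attachment(b"%PDF-1.4 sample", maintype="application", subtype="pdf", filename="Invoice.pdf")
    msg.add_attachment(b"MZ sample", maintype="application", subtype="octet-stream", filename="Payroll.xls.exe")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "constructed sample")
        zf.writestr("run_me.js", "// constructed sample")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="docs.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    print(blocked_attachments(build_sample_message()))  # ['Payroll.xls.exe', 'docs.zip:run_me.js']
```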
Joe Dellaragione Replied
Thanks for this! I had no idea of this advanced configuration - I thought it just ran out of the box. I have made the changes suggested and already see results. Much appreciated!
Linda Pagillo Replied
Joe, also search through your delivery log to see if Clam is functioning properly. You may want to search for "clam" without the quotes. It may show you some errors if there are any.
Linda Pagillo Mail's Best Friend Email: linda.pagillo@mailsbestfriend.com Web: www.mailsbestfriend.com Authorized SmarterTools Reseller Authorized Message Sniffer Reseller
