6
Alternatives to Cyren
Question asked by Ben Kiser - 9/14/2020 at 8:26 PM
Answered
Does anyone have any information on alternatives to Cyren and ClamAV anti-virus?  I am very disappointed in the performance of Cyren; we were recently slammed by emails with infected Word documents, and our workstation anti-virus caught them but Cyren let them through.  I have to justify the expense for Cyren and I don't know if I can.

30 Replies

1
Cyren is technically "GARBAGE" because it seems to detect very few threats, but at least it helps a little...  It's your choice if it's worth the expense...

I use it because I think every little help is better than nothing...

For better performance I suggest using ClamAV with additional signatures from Sanesecurity.

If it helps you, here are my freshclam.conf settings:

DatabaseDirectory C:\PROGRA~2\SMARTE~1\SMARTE~1\Service\Clam\share\clamav
UpdateLogFile C:\PROGRA~2\SMARTE~1\SMARTE~1\Service\Clam\log\freshclam.log
PidFile C:\PROGRA~2\SMARTE~1\SMARTE~1\Service\Clam\freshclam.pid
AllowSupplementaryGroups yes
DNSDatabaseInfo current.cvd.clamav.net
DatabaseMirror database.clamav.net
MaxAttempts 3
Checks 24
NotifyClamd C:\PROGRA~2\SMARTE~1\SMARTE~1\Service\Clam\etc\clamd.conf

DatabaseCustomURL https://www.securiteinfo.com/get/signatures/X_your_key_here_X/securiteinfo.hdb
DatabaseCustomURL https://www.securiteinfo.com/get/signatures/X_your_key_here_X/securiteinfo.ign2
DatabaseCustomURL https://www.securiteinfo.com/get/signatures/X_your_key_here_X/javascript.ndb
DatabaseCustomURL https://www.securiteinfo.com/get/signatures/X_your_key_here_X/spam_marketing.ndb
DatabaseCustomURL https://www.securiteinfo.com/get/signatures/X_your_key_here_X/securiteinfohtml.hdb
DatabaseCustomURL https://www.securiteinfo.com/get/signatures/X_your_key_here_X/securiteinfoascii.hdb
DatabaseCustomURL https://www.securiteinfo.com/get/signatures/X_your_key_here_X/securiteinfoandroid.hdb
DatabaseCustomURL https://www.securiteinfo.com/get/signatures/X_your_key_here_X/securiteinfoold.hdb
DatabaseCustomURL https://www.securiteinfo.com/get/signatures/X_your_key_here_X/securiteinfopdf.hdb


Gabriele Maoret - Head of SysAdmins at SERSIS Currently manages 6 SmarterMail installations (1 in the cloud for SERSIS which provides services to a few hundred third-party email domains + 5 on-premise for customers who prefer to have their mail server in-house)
0
Matthew Titley Replied
I, too, became disappointed with Cyren performance for the exact reasons you stated and switched to an SMTP gateway device to scan for viruses and malware prior to hitting SmarterMail. I wasn't terribly impressed with ClamAV performance either.
0
Ben Kiser Replied
I'll definitely try using the additional signatures in ClamAV and see if that helps, if not we will definitely look into adding an SMTP gateway device.
0
Ben Kiser Replied
Gabriele,

I updated my freshclam.conf file and ran the signature update and I get a "Not supported protocol" error.  With a little research I determined this is because the ClamAV bundled with Smartermail does not support HTTPS.  Is there a way of updating the ClamAV, is it automatically updated with the Smartermail update?  Any help would be great.

Thank you,

Ben
0
Ben, do you have a subscription to SaneSecurity and did you replace the string "X_your_key_here_X" with your subscription key?

It definitely has to work...
Gabriele Maoret - Head of SysAdmins at SERSIS Currently manages 6 SmarterMail installations (1 in the cloud for SERSIS which provides services to a few hundred third-party email domains + 5 on-premise for customers who prefer to have their mail server in-house)
0
Heimir Eidskrem Replied
Gabriele,
Thank you for sharing your settings and info.

Trying out the secureinfo signatures now.  



0
David Fisher Replied
Marked As Answer
Gabriele,

  AFAIK, SaneSecurity and SecureInfo are two separate companies; the URLs you gave are for SecureInfo, which has a free license key, you just have to register.

0
Ben Kiser Replied
Signed up at securiteinfo.com and was able to get the key and update the signatures in ClamAV.  I did have to change from HTTPS to HTTP because the version of ClamAV in my install does not support HTTPS.  Can that be updated without having to update to the latest Smartermail version?

Thank you,

Ben
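The two problems that come up in the posts above (the "X_your_key_here_X" placeholder left in the URL, and the switch from HTTPS to HTTP, which sends the key in the URL path without encryption or integrity protection) can be checked for before running freshclam. This is an added example, not part of the original posts; the function names and the key "EXAMPLEKEY0123" are made up for illustration.

```python
from urllib.parse import urlsplit

# Constructed freshclam.conf fragment: one URL still carries the placeholder from the
# thread, one was switched to plain HTTP. "EXAMPLEKEY0123" is a made-up key.
SAMPLE_CONF = """\
DatabaseMirror database.clamav.net
# DatabaseCustomURL http://www.securiteinfo.com/get/signatures/X_your_key_here_X/old.hdb
DatabaseCustomURL https://www.securiteinfo.com/get/signatures/X_your_key_here_X/securiteinfo.hdb
DatabaseCustomURL http://www.securiteinfo.com/get/signatures/EXAMPLEKEY0123/javascript.ndb
DatabaseCustomURL https://www.securiteinfo.com/get/signatures/EXAMPLEKEY0123/securiteinfopdf.hdb
"""

PLACEHOLDER = "X_your_key_here_X"


def redact(url):
    """Hide the key (the path segment after /signatures/) so findings are safe to log."""
    parts = url.split("/")
    if "signatures" in parts[:-2] and PLACEHOLDER not in parts:
        parts[parts.index("signatures") + 1] = "<key>"
    return "/".join(parts)


def audit_custom_urls(conf_text):
    """Return (line_no, redacted_url, problem) tuples for risky DatabaseCustomURL lines."""
    findings = []
    for line_no, raw in enumerate(conf_text.splitlines(), start=1):
        fields = raw.split()
        if len(fields) != 2 or fields[0] != "DatabaseCustomURL":
            continue  # other options, commented-out entries, blank lines
        url = urlsplit(fields[1])
        shown = redact(fields[1])
        if PLACEHOLDER in url.path:
            findings.append((line_no, shown, "placeholder key was never replaced"))
        if url.scheme.lower() == "http":
            findings.append((line_no, shown, "plain HTTP: key and signatures sent unencrypted"))
    return findings


if __name__ == "__main__":
    for line_no, url, problem in audit_custom_urls(SAMPLE_CONF):
        print(f"line {line_no}: {problem}: {url}")
```

To audit a real installation, pass the contents of freshclam.conf to `audit_custom_urls` instead of the sample string.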
0
David, you are right! Sorry...
Gabriele Maoret - Head of SysAdmins at SERSIS Currently manages 6 SmarterMail installations (1 in the cloud for SERSIS which provides services to a few hundred third-party email domains + 5 on-premise for customers who prefer to have their mail server in-house)
1
Patrick Kraus Replied
Clam AV as it comes with Smartermail is basically a waste of time and Cyren was too expensive. We are based in South Africa and the exchange rate just kills us unfortunately. We have tried many things but what worked best for us was to install ESET File Security for Microsoft Windows Server and then activate Command Line Anti-Virus in Smartermail with the below command.

C:\Program Files\ESET\ESET Security\ecls.exe /base-dir="C:\Program Files\ESET\ESET Security\Modules" /aind /arch /sfx /adware /clean-mode=Delete %FILEPATH

You can also include the below to add the scan log. You can then check the log and make sure the mails are being scanned correctly as each scan is recorded.

/log-file=PATH TO YOUR LOG FILE HERE

The price for the software is very reasonable (about $40 - $50 per year) and apart from providing general security for your server it also does a good job of catching viruses and phishing mails.

Naturally, nothing is perfect but the above solution with some beefed up RBL's and we are doing much better than before.

Good luck, hope it helps.
0
Matthew Titley Replied
Patrick, question for you regarding your command line solution. Would you post here an estimate of daily SMTP volume or number of users your solution supports? We have about 500 users or so. Does the ESET command line scanner "keep up" sufficiently with the spool? I suppose you exclude the spool directory from the real time scanner. Thanks for any additional info.
0
Patrick Kraus Replied
Hi Matthew. Currently we have 547 active users and send and receive around 15,000 emails per day. The command line scanner appears to keep up with the spool and we have not seen any delays or the spool backing up in any way. CPU and memory usage is also unaffected. From the below logs it looks like the mails are scanned as soon as they hit the spool.

Below are 2 scan logs from the log file. The start and end times are basically identical indicating that the scan is less than a second.

A lot of ESET resellers offer a 2 week trial of the software. This is how we evaluated it before making a decision.


ECLS Command-line scanner, version 7.1.12010.0, (C) 1992-2020 ESET, spol. s r.o.
Module loader, version 1021 (20200218), build 1061
Module perseus, version 1565.1 (20200907), build 2140
Module scanner, version 22005 (20200917), build 46828
Module archiver, version 1306 (20200803), build 1340
Module advheur, version 1202 (20200730), build 1193
Module cleaner, version 1213 (20200804), build 1330
Module augur, version 1075 (20200911), build 1076

Command line: /base-dir=C:\Program Files\ESET\ESET Security\Modules /aind /arch /sfx /adware /log-file=C:\maillog.txt /clean-mode=Delete c:\SmarterMail\Spool\SubSpool8\152930454.eml

Scan started at:   Thu Sep 17 17:08:34 2020

Scan completed at: Thu Sep 17 17:08:34 2020
Scan time:         0 sec (0:00:00)
Total:             files - 1, objects 8
Detected:          files - 0, objects 0
Cleaned:           files - 0, objects 0


ECLS Command-line scanner, version 7.1.12010.0, (C) 1992-2020 ESET, spol. s r.o.
Module loader, version 1021 (20200218), build 1061
Module perseus, version 1565.1 (20200907), build 2140
Module scanner, version 22005 (20200917), build 46828
Module archiver, version 1306 (20200803), build 1340
Module advheur, version 1202 (20200730), build 1193
Module cleaner, version 1213 (20200804), build 1330
Module augur, version 1075 (20200911), build 1076

Command line: /base-dir=C:\Program Files\ESET\ESET Security\Modules /aind /arch /sfx /adware /log-file=C:\maillog.txt /clean-mode=Delete c:\SmarterMail\Spool\SubSpool9\152930455.eml

Scan started at:   Thu Sep 17 17:08:43 2020

Scan completed at: Thu Sep 17 17:08:43 2020
Scan time:         0 sec (0:00:00)
Total:             files - 1, objects 2
Detected:          files - 0, objects 0
Cleaned:           files - 0, objects 0
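The log check suggested above (confirm that every mail is scanned, and see what was detected) can be scripted against the ECLS log layout shown in these two records. This is an added example, not part of the original posts; the function name, the `slow_secs` threshold and the sample records are assumptions made for illustration.

```python
import re

# Constructed sample in the layout of the ECLS logs quoted above (module lines and
# most switches omitted). The detection in record 2 and cut-off record 3 are invented.
SAMPLE_LOG = r"""
ECLS Command-line scanner, version 7.1.12010.0, (C) 1992-2020 ESET, spol. s r.o.
Command line: /aind /arch /clean-mode=Delete c:\SmarterMail\Spool\SubSpool8\152930454.eml
Scan time:         0 sec (0:00:00)
Total:             files - 1, objects 8
Detected:          files - 0, objects 0
Cleaned:           files - 0, objects 0
ECLS Command-line scanner, version 7.1.12010.0, (C) 1992-2020 ESET, spol. s r.o.
Command line: /aind /arch /clean-mode=Delete c:\SmarterMail\Spool\SubSpool9\152930455.eml
Scan time:         4 sec (0:00:04)
Total:             files - 1, objects 2
Detected:          files - 1, objects 1
Cleaned:           files - 1, objects 1
ECLS Command-line scanner, version 7.1.12010.0, (C) 1992-2020 ESET, spol. s r.o.
Command line: /aind /arch /clean-mode=Delete c:\SmarterMail\Spool\SubSpool1\152930456.eml
"""

COUNTS = re.compile(r"^(Total|Detected|Cleaned):\s+files - (\d+), objects (\d+)", re.M)
SCAN_TIME = re.compile(r"^Scan time:\s+(\d+) sec", re.M)
TARGET = re.compile(r"^Command line:.*?(\S+\.eml)\s*$", re.M | re.I)


def summarize(log_text, slow_secs=2):
    """Tally ECLS records: scans, detections, slow scans, and records with no result."""
    out = {"scans": 0, "detected": [], "slow": [], "incomplete": []}
    for rec in re.split(r"^(?=ECLS Command-line scanner)", log_text, flags=re.M):
        if not rec.startswith("ECLS"):
            continue
        out["scans"] += 1
        m = TARGET.search(rec)
        target = m.group(1) if m else "<unknown>"
        counts = {name: (int(f), int(o)) for name, f, o in COUNTS.findall(rec)}
        if "Detected" not in counts:
            out["incomplete"].append(target)  # scan did not finish or log was cut off
            continue
        if counts["Detected"] != (0, 0):
            out["detected"].append(target)
        t = SCAN_TIME.search(rec)
        if t and int(t.group(1)) >= slow_secs:
            out["slow"].append(target)
    return out


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

A record that has a command line but no "Detected:" line is reported as incomplete, since that mail has no recorded scan result.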
2
I really think that SmarterTools needs to avoid CYREN partnership and find a better partner for AV Scanning and Antispam filtering.

Then, when a better option is available, CYREN needs to be removed from SmarterTools.

Even MessageSniffer seems to be a good filter too...

Is there anyone from Smartertools that wants to say a word about it?
Gabriele Maoret - Head of SysAdmins at SERSIS Currently manages 6 SmarterMail installations (1 in the cloud for SERSIS which provides services to a few hundred third-party email domains + 5 on-premise for customers who prefer to have their mail server in-house)
0
Matthew Titley Replied
Hi Patrick, very kind of you to provide all that info. Thanks again. I think I'll give it a go as a second or third line of defense.
1
David Fisher Replied
Gabriele,

  Back in December 2019, a now former employee of SmarterTools wrote the following to you:

Cyren Zero-hour is a service that provides protection in the earliest moments of malware outbreaks and continued protection as each new variant emerges. This service is intended to be used as a complement to conventional antivirus technology as an additional protection against zero-hour virus outbreaks. Because Cyren looks for new variants of malware, we unfortunately can't guarantee that existing viruses should be caught by that service.

Cyren Zero-hour should always be used in conjunction with another antivirus solution such as ClamAV.


  It seems it is only catching things other A/V wouldn't typically catch, which I think is dumb for the price, it should be a one and all solution for A/V.

Regards,
-dave
1
Matthew Titley Replied
David, yeah, that does sound really dumb and a ready-made excuse for when ransomware gets through. "If only it was a zero-hour threat rather than a zero-day threat our product would have protected you."
0
FrankyBoy Replied
Hello everyone, I have installed ESET File Security for Windows Server to use the command line option as suggested in this thread. I added the option "/log-file=L:\esetlog.txt" (L: is my disk dedicated to log files) and the processing of the files seems to be working fine.

However, I am wondering about the correct configuration of my installation of ESET File Security on the server:

After the standard installation, I added the following folders in the ESET folder exclusions:
  • C:\Program Files (x86)\Smartertools
  • E:\ (which contains the spools folders, and all the email account folders)
  • L:\ (which contains all the Smartermail log files)

I also added the following services to the process exclusions:
  • C:\Program Files (x86)\Smartertools\services\Mailservice.exe
  • C:\Program Files (x86)\Smartertools\services\clam\bin64\ClamD.exe

Do you see a problem letting all ESET protection services run on the rest of the server or do you recommend that I disable all ESET services running in the background? Has anyone put together a clear procedure on how to configure ESET File Security to work smoothly with Smartermail?

Should I also deactivate ClamAV in Smartermail?

Thanks in advance!
1
Patrick Kraus Replied
Hi Francis, we have turned on the automatic exclusions function which will scan your server and look for any obvious exclusions. We then also added the below smartermail paths in.

C:\SmarterMail\*.*
C:\Program Files (x86)\SmarterTools\*.*

The command line scanner will scan mail in the spool which is all we want it to do.
0
Hello to everyone!!!

As suggested by Patrick, I'm using Eset File Security to scan incoming E-Mails (I'm using the same configuration Patrick suggested, with LOG FILE).

Ten days now and it seems that Eset has never caught a virus (every mail has "Detected:          files - 0, objects 0" and "Cleaned:           files - 0, objects 0 " in the log file), but both Cyren ZeroDay and ClamAV have detected viruses...

Something like 170000 mails scanned...

It seems to me that Cyren ZeroDay+ClamAV with Securiteinfo definitions are doing a good job...

Almost all the work is done by ClamAV, Cyren probably has few merits ...
Gabriele Maoret - Head of SysAdmins at SERSIS Currently manages 6 SmarterMail installations (1 in the cloud for SERSIS which provides services to a few hundred third-party email domains + 5 on-premise for customers who prefer to have their mail server in-house)
1
David Sovereen Replied
I didn't even know third-party virus definitions existed for ClamAV until this thread.  Perhaps I was living under a rock.  Anyway, thank you.  I subscribed to securiteinfo.com so I could test it out with the best zero-hour malware definitions.  Immediately, I started getting SPAM caught in the Virus quarantine.

I have removed https://www.securiteinfo.com/get/signatures/X_your_key_here_X/spam_marketing.ndb from my freshclam.conf and will know shortly if that helps.

I'm curious, though, if there is a way to have ClamAV mark messages identified as matching https://www.securiteinfo.com/get/signatures/X_your_key_here_X/spam_marketing.ndb definitions not as infected with a virus, where SmarterMail will quarantine or delete them, but instead mark them in a way that they could be processed against Antispam rules.  If ClamAV could modify the message and inject a header, then Settings -> Antispam -> Spam Checks could look for that header and assign a weight to it and I could use these SPAM definitions in ClamAV to find and detect Junk.  Since detecting here blocks the message and some of our accounts have Junk Mail filtering disabled completely, I cannot use these in their current form.

Dave

0
Thu Nguyen Replied
I did try with Cyren and Message sniffer, same result :(
0
Today after 20 days of ESET test I will remove this software...

Over 400.000 mails scanned, not a single virus found.

Cyren Zero Hour finds 2-20 viruses per day
ClamAV with SecureInfo definitions finds about 30-40 viruses per day


Gabriele Maoret - Head of SysAdmins at SERSIS Currently manages 6 SmarterMail installations (1 in the cloud for SERSIS which provides services to a few hundred third-party email domains + 5 on-premise for customers who prefer to have their mail server in-house)
1
Manuel Martins Replied
Hi,

I'm using Kaspersky Endpoint Security

"C:\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security for Windows\avp.com" SCAN %filepath  /R:C:\VirusReport\ReportScan.txt
2
Ben Kiser Replied
Since adding the SecureInfo definitions to ClamAV the number of viruses caught has gone way up.  In the past week Cyren has caught 5, ClamAV has caught 90.  I would highly recommend anyone to use their definitions.
0
BMark Replied
Hi Manuel Martins,
are you getting along well with Kaspersky?
Did you do any particular configurations?

Thank you very much

Mark
1
Manuel Martins Replied
Hi Mark,

Yes, for now I think it's more efficient than Clam and Cyren together.

Just install KES with minimum settings, no firewall, no network threat, no email check, etc..
After install you may disable "File Threat" for the disk drive where you have Smartermail Domains so as not to harm Smartertools performance.

Smartermail's Delivery Delay must be at least 30-40 seconds for the Antivirus to act.

Now I'm using this command to check Smartertools Spool files:

"C:\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security for Windows\avp.com" SCAN %filepath  /i4 /R:Z:\VirusReport\ReportScan%date:~6,4%%date:~3,2%%date:~0,2%.txt

The "/i4" option deletes the file in case of infection detected (no disinfection).

The "/R" option generates a .TXT report file per day.
0
BMark Replied
Hi Manuel Martins,

Thank you for your response and experience with Kaspersky

I also have another question: using an external antivirus, when a virus is detected is a notification sent to the sender and recipient?
0
Manuel Martins Replied
Hi Mark, 

Sorry but No. 

And I think that neither Clam nor Cyren does that kind of action...
0
BMark Replied
Hi Manuel ,
through the SM "events" it is possible to set the sending of the notification in case of virus detection, but I think it works only with Clam the entry "virus detected".
Anyone know?
0
Manuel Martins Replied
Hi,

I'm glad to announce that after updating our server to Build 7593 2 days ago, Clam efficiency has now improved a lot!
