Integrated Antivirus SmarterMail
Idea shared by BMark - 11/19/2020 at 8:56 AM
Completed
Hi,

I would like to propose an idea about the antivirus:
since Microsoft Defender Antivirus has been much improved and is natively implemented on the latest versions of the Windows Server OS, would it be possible to include it as an "integrated antivirus" system in SmarterMail (together with Clam)?

Also having a lot of contact with Microsoft technicians for the MAPI talk, I think the integration and functionality with SM is not complicated.

This antivirus seems to perform very well and is constantly updated; in the latest tests it has received a lot of praise.
It is also integrated into the new Windows Server 2016/2019.

What do you think?

Thanks
Mark

35 Replies

0
+1
14
Matt Petty Replied
Employee Post
Hmm interesting idea. Did a little research on technologies.

https://docs.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal?redirectedfrom=MSDN
https://www.meziantou.net/using-windows-antimalware-scan-interface-in-dotnet.htm
Seems like a pretty easy way to add another virus scanning option.
+1, I'll keep an eye on this and mention it.
Matt Petty
Software Developer
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
2
Thanks Matt !! :)
4
Just want to add my thought that this would be an immensely useful feature. I am finding ClamAV to be increasingly unreliable with too many false positives. A simple alternative would make SmarterMail even more valuable!
1
Yeah, ClamAV has always been trash, even with 3rd party DBs, it's just a horrible AV (better than nothing I guess though). Uses a ton of resources and has pretty poor performance.
0
+1

Great idea!

0
+100
1
I'm using this thread to get rid of some frustration. Again and again I read about useful ideas or questions on topics that concern all administrators. Especially the topics security, anti-virus and anti-spam(!) are things that concern everyone. Often there is an answer like in this thread, which gives hope (yes, good idea / we'll look into it / we're working on it / seems easy to do / etc.). But unfortunately it often stays like that and nothing happens anymore!

I have been a SmarterMail server operator for many years, but I am no professional in this world (my main business is Apple computers). That's exactly why I would like it very much if SmarterTools would really respond to such ideas or problems and offer practical solutions. Almost every customer could benefit from this. But that's the problem: often only the frustration remains, because a thread finally remains unanswered.

@Matt Petty: Why is there no answer for months, when it should be "pretty easy"?

But it is the same in many other threads. Therefore my plea and call to the SmarterTools team: offer tangible solutions, including instructions on how to implement them. Only this will help us all.

I know that the SmarterTools team is good and competent, because they have helped me a lot with support requests.

Thank you!

PS: But the best tool is only as good as you know how to use it.
0
+1
1
3
Matt Petty Replied
Employee Post
@Dave, I'm sorry I've been busy making searches and indexing faster (and more accurate), mailbox access quicker and more resilient for other languages, we're upgrading protocol versions, adding support for more than 2gb a day for a folder, among a large pile of bugs. We're busy, and we already "integrate" clamav, I'd use command line AV while you wait, I'm sure it can be worked into using that mechanism. Sorry if it seems like we're doing nothing right now, but there is a lot more fish to fry. I simply said it would be pretty easy and was a good idea, I never said we'd do it right then.

PS, someone posted a guide here a while back to make ClamAV more useful by providing it your own signature sources. I think Securite? or something like that, maybe you could try configuring ClamAV with more signatures.

1
@Matt, I am fully aware that you have many other tasks to solve. I appreciate your work and the product very much! I just wanted to point out that there are often such threads where topics are taken up, but then unfortunately "forgotten" again. After a while, you subjectively get the feeling that nothing is happening, which is of course wrong. Thank you!
0
Has anyone tried downloading additional signatures from
https://www.securiteinfo.com/services/improve-detection-rate-of-zero-day-malwares-for-clamav.shtml

Also, has anyone tried using the command-line Windows Defender?
4
Hi you all,

Here is a .BAT script that I built using Microsoft Defender Antivirus that you can invoke in SM Command Line Antivirus or in the SM Spool Command Line file with "C:\virusscan.bat %FILEPATH"

You need to create 2 folders:

C:\Viruses\        to store infected files for future checking
C:\VirusReport\    to store debug files


C:\virusscan.bat

@echo off
REM Daily log file names; the substring offsets assume a dd/mm/yyyy regional date format
set "STAMP=%date:~6,4%%date:~3,2%%date:~0,2%"
set "DEBUGLOG=C:\VirusReport\ReportScanDebug%STAMP%.txt"
echo # >> "%DEBUGLOG%"
echo # %time% >> "%DEBUGLOG%"
call "C:\Program Files\Windows Defender\MpCmdRun.exe" -Scan -ScanType 3 -File "%~1" -DisableRemediation >> "%DEBUGLOG%"
REM MpCmdRun exit codes: 0 = no threat found, 2 = threat found; anything else is a scan error.
REM "IF ERRORLEVEL 0" is true for every exit code (it means "0 or higher"), so test the value explicitly.
IF %ERRORLEVEL% EQU 0 GOTO CLEAN
IF %ERRORLEVEL% EQU 2 GOTO VIRUS
echo #ERROR - %time% - exit code %ERRORLEVEL% - %1 >> "%DEBUGLOG%"
GOTO END

:VIRUS
@REM echo Virus Found
move "%~1" C:\Viruses\
echo # >> C:\VirusReport\ReportScanVirus%STAMP%.txt
echo #VIRUS - %time% - %1 >> C:\VirusReport\ReportScanVirus%STAMP%.txt
GOTO END

:CLEAN
@REM echo File Clean
echo #CLEAN - %time% - %1 >> C:\VirusReport\ReportScanClean%STAMP%.txt

:END



0
Xabaras,

I am using the definitions and they seem to work well. I do have some false positives I cannot figure out how to whitelist.

My biggest senders I have issues with: usbank.com, delta.com, southwest.com, hilton.com, and a few others, one is a customer's franchise email. The reason they get flagged is because "Heuristics.Phishing.Email.SpoofedDomain".

Overall it has helped.
0
I am using SECURITEINFO definitions and it seems to me ClamAV with those definitions works very well
0
I just a got a response from SECURITEINFO, and they told me to add the following line to clamd.conf: PhishingScanURLs no

I am going to see how this works throughout the day.

Also forgot I had added these to my freshclam, if anyone sees one that looks like trouble let me know. ;)

freshclam.conf add-ons

# Reference for the following: https://forum.iredmail.org/topic12749-iredmail-support-tutorial-increasing-clamav-effectiveness.html
# winnow
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/winnow_malware_links.ndb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/winnow_extended_malware.hdb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/winnow.attachments.hdb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/winnow_bad_cw.hdb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/winnow_malware.hdb

# Malware.expert
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/malware.expert.hdb

# bofhland
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/bofhland_cracked_URL.ndb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/bofhland_malware_URL.ndb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/bofhland_phishing_URL.ndb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/bofhland_malware_attach.hdb

# Porcupine
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/porcupine.ndb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/phishtank.ndb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/porcupine.hsb

# from proxmox
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/sigwhitelist.ign2
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/sanesecurity.ftm
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/junk.ndb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/jurlbl.ndb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/phish.ndb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/rogue.hdb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/scam.ndb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/spamimg.hdb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/spamattach.hdb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/blurl.ndb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/foxhole_generic.cdb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/foxhole_filename.cdb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/malwarehash.hsb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/hackingteam.hsb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/crdfam.clamav.hdb


0
SANESECURITY is different from SECURITEINFO...

Are you using them both?

I found that SANESECURITY is not effective (or at least it seems so to me), so I use only SECURITEINFO
0
I have not had time to test both but I do stop a lot of viruses.

One day I will verify the sanesecurity are up to date.

Need to take the time and search the logs for Sanesecurity versus SecuriteInfo in my delivery logs.
0
Is there anyone who has tried to use the Windows Defender command-line antivirus? Can you please tell me the main purpose of this antivirus?
0
Do the free and paid ones both provide the same security? And is there any security plugin for sites like novel reading?
0
I see this was just added in the new version, fantastic :)

One thing I recommend is that you additionally create a daily scheduled task to run:
C:\Program Files\Windows Defender\MpCmdRun.exe -SignatureUpdate

This will keep the signatures up to date without needing to use Windows Automatic Updates.
0
So far so good, server memory usage down by almost 1GB :D

One further idea is for emails that get caught (and moved to the virus quarantine pool) have a header added with further information. With Clam I could look in the log files, but with the new Defender implementation there doesn't seem to be a way to do so.

I'm looking at an email now in quarantine but it seems fine (perhaps an attachment was already stripped) - so it would be nice to know why it's there :)
2
I also just noticed this added to the latest version of SM. Very glad to see a different AV option and looking forward to testing it out.
3
I wanted to thank all the Smartertools staff and technicians for the implementation of the Windows Defender antivirus and the scan now complete as per my proposal!
It seems to me that everything is working great, so thank you very much for the great work!
Happy! :)
2
Ditto on BMark's comment. My only question is how exactly can we verify it's working? We see no quarantined messages in 3 days, which is a bit unusual.

Again, kudos to SM for implementing this request!
3
Matt Petty Replied
Employee Post
The delivery log will show either:
This message has been deleted because a virus was found by (ClamAV or Windows Defender, etc.)
This message has been quarantined because a virus was found by (ClamAV or Windows Defender, etc.)
The administrative log will also show it, and indicates whether it was scanning the spool or uploaded attachments or files:
Malware was found while scanning with Windows Defender. Source: XXX Name: XXXX File: XXXXX
1
Matt Petty Replied
Employee Post
I've also noticed the things it finds will also work their way into the Windows Defender GUI, the "Windows Security" dialog that shows threats found by Defender.
0
This is becoming a long thread.

Is this saying Windows Defender can scan emails in real-time or just scanning the emails as they sit in the mailbox?

If this is scanning in real-time as emails come in how do the signatures seem to be in regards to blocking compared to Clam and the extra signatures?

Are there instructions to use Windows Defender versus Clam?
2
Matt Petty Replied
Employee Post
"Scan Messages" will scan any message while it's in the spool, same as ClamAV.
"Scan Files" is new and was added to both ClamAV and Windows Defender.
"Files" are any attachments uploaded to the compose window on webmail, any files put into File Storage, any files sent through Team Workspaces, or through XMPP chat. Scan files will simply fail that upload, if they drag and drop a virus into the compose window, they get a red toast saying "Malware was found in XXXX" and the administrative log will get a log entry.

"scanning the emails as they sit in the mailbox" We've batted an idea around giving admins a tool or something they can run on a domain that checks all current File storage files and all mail but this was not done. If this idea seems interesting, could make a new post/feature request asking for it.
0
Ah yes, found it:

[2021.05.14] 08:44:08.003 [25469081] This message has been quarantined because a virus was found by Windows Defender. Virus: (Unknown).
Well that was useful, haha.

Also that's been the only one caught since the 14th (which is also reflected in the Virus Report Chart) - I used to get on average 30 something a day...
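As an added example (not code from this thread or from SmarterTools), a small Python script that tallies the delivery-log verdict lines Matt describes above and answers the "how can we verify it's working" question from a few posts up: it uses the log line quoted in this post as its first sample, the remaining sample lines are constructed, and the "silent engine" check flags an engine that has reported nothing over a window of days.

```python
import re
from collections import Counter
from datetime import date, timedelta

# Constructed sample of SmarterMail delivery-log lines (first line is the one quoted in this thread).
SAMPLE_LOG = """\
[2021.05.14] 08:44:08.003 [25469081] This message has been quarantined because a virus was found by Windows Defender. Virus: (Unknown).
[2021.05.14] 09:10:22.511 [25469102] This message has been delivered successfully.
[2021.05.15] 11:02:45.120 [25470233] This message has been deleted because a virus was found by ClamAV. Virus: Heuristics.Phishing.Email.SpoofedDomain.
[2021.05.16] 07:31:00.004 [25471891] This message has been quarantined because a virus was found by ClamAV. Virus: Constructed.Test.Signature.
""".splitlines()

# Date, time, message id, action, engine and (optional) virus name, as in the lines above.
VIRUS_LINE = re.compile(
    r"^\[(?P<y>\d{4})\.(?P<m>\d{2})\.(?P<d>\d{2})\] \S+ \[(?P<msgid>\d+)\] "
    r"This message has been (?P<action>deleted|quarantined) because a virus was found by "
    r"(?P<engine>.+?)\.(?: Virus: (?P<name>.+?)\.)?$"
)

def parse_virus_events(lines):
    """Yield one dict per virus hit; lines that are not virus verdicts are skipped."""
    for line in lines:
        m = VIRUS_LINE.match(line.strip())
        if m:
            yield {
                "day": date(int(m["y"]), int(m["m"]), int(m["d"])),
                "msgid": m["msgid"],
                "action": m["action"],
                "engine": m["engine"],
                "virus": m["name"] or "(Unknown)",
            }

def summarize(lines):
    """Count hits per (engine, action) and per (engine, day)."""
    by_engine_action, by_engine_day = Counter(), Counter()
    for ev in parse_virus_events(lines):
        by_engine_action[(ev["engine"], ev["action"])] += 1
        by_engine_day[(ev["engine"], ev["day"])] += 1
    return by_engine_action, by_engine_day

def silent_engines(lines, engines, as_of, days=3):
    """Engines with no hit in the `days`-day window ending on as_of ("yyyy.mm.dd"): worth a look."""
    _, by_engine_day = summarize(lines)
    end = date(*map(int, as_of.split(".")))
    window = [end - timedelta(n) for n in range(days)]
    return sorted(e for e in engines if not any(by_engine_day[(e, d)] for d in window))

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG)[0])
    print("silent:", silent_engines(SAMPLE_LOG, ["ClamAV", "Windows Defender"], "2021.05.17"))
```

Point it at a real delivery log with `summarize(open(path, encoding="utf-8"))`; a long run of zero hits from an engine that used to catch dozens a day is the cue to check that scanning is actually enabled for it.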
0
Yeah, same here, all the ones it is catching are all "Unknown".
0
Matt Petty Replied
Employee Post
Yeah, unfortunately only ClamAV reports back what it found; Defender's AMSI interface only reports "not malware", "is malware", and "is clean".
0
Matt Petty Replied
Employee Post
However, checking your "Windows Security" GUI it will likely tell you; I noticed things scanned and found by SM will appear in this system dialog.
3
Just wanted to chime in here and say that Windows Defender is catching a good amount of junk for us.

Thank you!
