Virus in Email attachments
we will bet getting lot of emails with virus attachments like invoice.doc, UPS invoice.doc. we installed ClamAV Antivirus and scan the server every week.
Virus will be detected and destroyed in server. But i would like to know, any cpanel plugin or any software which can help us in scanning attachments, removing virus URL's/ attachments from the email before it reaches user mailbox.
-
Hello, There is a setting within the exim configuration manager which will Automatically filter messages with dangerous attachments - the specific attachments that are filtered are listed as follows: /usr/local/cpanel/etc/exim/sysfilter/options/attachments grep "header_content-type" /usr/local/cpanel/etc/exim/sysfilter/options/attachments if $header_content-type: matches "(?:file)?name=(\"[^\">+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc])\")" if $header_content-type: matches "(?:file)?name=(\\\\S+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc]))([\\\\s;]|\\$)"
If you need a realtime scanner you may want to look at products like ConfigServer's MailScanner, one of the several listed here:cPanel App Catalog :: Security0 -
Mailscanner does a half decent job, but it's not free. Also, it's only as good and ClamAV's signatures, so it's not infallible. I have 3 lines of defence, ClamAV on the server, a Watchguard Firewall and Norton AV on the clients, but it still takes common sense and vigilance. 0 -
ClamAV should be able to scan incoming (and outgoing if you have switched it on) messages in real time PROVIDED that you are using the maildir mailbox format. If you are using the mbox mailbox format, you may need to implement significantly more complex solutions using doveadm tools and commands for real time scanning. Please see Configure ClamAV Scanner - Version 84 Documentation - cPanel Documentation for full details and instructions as to how to implement the service. 0 -
ClamAV doesn't do real-time scanning out of the box, it takes some configuration - they do give instructions for this in their documentation here: This is a fairly new feature though, which is why originally products like mailscanner were leveraged to allow for real time scanning using ClamAV. You'll also find that a lot of malware detection tools use ClamAV's virus signatures - LMD does as well. 0 -
You're right - I'm getting standard ClamAV implementation mixed up with ours. We do integrate ClamAV scanning on inbound mail: If you wanted to set that up manually you'd have to do it the way I suggested but it shouldn't really be any different as the virus database is the same. One thing to check would be to ensure that Allow mail delivery if malware scanner fails is off if you want to force mail to be scanned - in the event that ClamAV fails to scan an email you won't be notified when utilizing it through the exim configuration. 0 -
One consideration is that ClamAV has never been particularly swift in publishing rules for zero day exploits. To that end, given that the scan done on exim receiving a mail may well initially pass the mail as being free from viruses, it is important to implement a eg daily scheduled scan, that will have another look at any mails residing in your maildir folders and will make use of any updated virus definitions. See Configure ClamAV Scanner - Version 84 Documentation - cPanel Documentation for full details. 0 -
We noticing a rise on these .doc virus issues. We already use configmailscanner and scan outgoing email aswell. Clamav does not seem to pic it up very well but eset does though. We may switch all servers over to it just for this reason unless we can find a way of adding better signatures for this 0 -
We noticing a rise on these .doc virus issues. We already use configmailscanner and scan outgoing email aswell. Clamav does not seem to pic it up very well but eset does though. We may switch all servers over to it just for this reason unless we can find a way of adding better signatures for this
i've notice the same thing here. .doc malware is spreading. any chance you were able to get rid of it?0 -
Hi Yes I did. Our system is blocking them nicely now by adding more signatures into freshclam.conf DatabaseCustomURL DatabaseCustomURL # Sanesecurity + Foxhole DatabaseCustomURL DatabaseCustomURL DatabaseCustomURL DatabaseCustomURL DatabaseCustomURL DatabaseCustomURL DatabaseCustomURL DatabaseCustomURL DatabaseCustomURL DatabaseCustomURL DatabaseCustomURL DatabaseCustomURL DatabaseCustomURL DatabaseCustomURL # bofhland DatabaseCustomURL DatabaseCustomURL # Porcupine DatabaseCustomURL DatabaseCustomURL 0 -
Hi Yes I did. Our system is blocking them nicely now by adding more signatures into freshclam.conf DatabaseCustomURL DatabaseCustomURL # Sanesecurity + Foxhole DatabaseCustomURL DatabaseCustomURL DatabaseCustomURL DatabaseCustomURL DatabaseCustomURL DatabaseCustomURL DatabaseCustomURL DatabaseCustomURL DatabaseCustomURL DatabaseCustomURL DatabaseCustomURL DatabaseCustomURL DatabaseCustomURL DatabaseCustomURL # bofhland DatabaseCustomURL DatabaseCustomURL # Porcupine DatabaseCustomURL DatabaseCustomURL
0 -
well we use config server mailscanner which seems to be blocking incoming and outgoing viruses with .doc attachment that are infected very well. 0
Please sign in to leave a comment.
Comments
12 comments