
Thread: Is AntiVirus really working?

  1. #1 SiliconJunkie (Loyal Member)

    Is AntiVirus really working?

    For the past two days, messages with FakeAlert in an attachment have gotten past antivirus and been placed into the Spam/Junk folder in mailboxes. AVG on individual workstations detects the threat and locks down the Zimbra Desktop or Outlook application, preventing it from syncing new mail from the mailbox.

    Users are having to open their mailbox via the web mail interface, and manually delete the infected message from the Spam/Junk folder before their regular mail client (ZD or Outlook with ZCO) will re-sync with the server.

    What can we do to combat this threat?

    My setup: ZCS 5.0.18 GA Network Edition on Ubuntu Server 6.06 LTS w/ ClamAV 0.95.1

    Definitions seem to be updated every two hours, according to clamd.log in /opt/zimbra/log/clamd.log.

  2. #2 bluezebra (Trained Alumni)

    Check zmcontrol status and see if your antivirus and antispam are running.

  3. #3 SiliconJunkie (Loyal Member)

    That was the first thing I did, and yes, it is running.

  4. #4 bluezebra (Trained Alumni)

    Is this happening with all attachments, or only particular ones? I had such an issue with docx attachments, which was fixed after clearing the "wmf" extension filter from amavisd.conf and postfix_header_checks.

  5. #5 SiliconJunkie (Loyal Member)

    Virus attachments

    We got another one this morning at 8:01 EST.

    They have all been .ZIP files. The messages have all been of the "UPS Delivery Notification" variety that have a .ZIP file attachment with the virus payload.

    This is getting to be annoying. I'm thinking that the only way to deal with this short term is to add .ZIP files to the reject list, and advise users.

    FakeAlert has been around a while, how come ClamAV cannot deal with this as the messages come in at the server?

  6. #6 Mike From Markham (Active Member)

    omg, I just had this exact same thing happen 2 days ago as well. AVG completely locked Zimbra Desktop after finding a threat in something like /store/0/1/... Now Zimbra Desktop is completely locked for one of my users, as AVG "healed" the file... I'm guessing I'll have to blow away the profile and re-add it again.

  7. #7 SiliconJunkie (Loyal Member)

    Yeah, this is a real problem, and I wish someone from Zimbra would comment, or offer some insight on this. I'm about to burn a support ticket on it.

  8. #8
    uxbod's Avatar
    uxbod is offline Moderator
    Join Date
    Nov 2006
    Location
    UK
    Posts
    8,017
    Rep Power
    24

    Default

    Check to make sure your clamd definitions are indeed up to date. I get plenty of those coming through, and they are all blocked:
    Subject: UPS Delivery Problem NR 59926.
    MessageID: DEA76398839F.A90C0
    Quarantine:
    Report: Clamd: UPS_invoice_528.zip was infected: Suspect.Bredozip-zippwd-5
    Sophos: >>> Virus 'Mal/FakeAV-BW' found in file ./DEA76398839F.A90C0/UPS_invoice_528.zip/UPS_invoice_528.exe
    Sophos: >>> Virus 'Troj/BredoZp-S' found in file ./DEA76398839F.A90C0/UPS_invoice_528.zip
    F-Prot6: [Found virus] <W32/Bredolab!Generic2 (not disinfectable)> ./DEA76398839F.A90C0/UPS_invoice_528.zip->UPS_invoice_528.exe
    Sophos: >>> Virus 'Mal/FakeAV-BW' found in file ./DEA76398839F.A90C0/UPS_invoice_528.exe
    F-Prot6: [Found virus] <W32/Bredolab!Generic2> ./DEA76398839F.A90C0/UPS_invoice_528.exe

  9. #9 Mike From Markham (Active Member)

    Stupid question, but how do you in fact check whether definitions are up to date or not...

  10. #10 uxbod (Moderator)

    Code:
    su - zimbra
    view /opt/zimbra/log/freshclam.log
    Check that it has been updated recently.
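The freshclam.log check above, automated as an added example (my code, not from the thread or from Zimbra): parse the log, record when each signature database was last confirmed current, and flag any that has not been within a few hours, which is the first thing to rule out when messages like the UPS zips start slipping past the server-side scan. The log layout (timestamp, " -> ", message) and the sample lines below are assumptions constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of freshclam.log in the "<timestamp> -> <message>" layout
# assumed here (one good run at 06:00, one failed run at 08:00); not from the thread.
SAMPLE_LOG = """\
Tue Dec  1 06:00:02 2009 -> ClamAV update process started at Tue Dec  1 06:00:02 2009
Tue Dec  1 06:00:02 2009 -> main.cvd is up to date (version: 51, sigs: 545035, f-level: 42, builder: sven)
Tue Dec  1 06:00:09 2009 -> daily.cld updated (version: 10090, sigs: 32152, f-level: 44, builder: ccordes)
Tue Dec  1 06:00:09 2009 -> Database updated (577187 signatures) from db.local.clamav.net
Tue Dec  1 08:00:01 2009 -> ClamAV update process started at Tue Dec  1 08:00:01 2009
Tue Dec  1 08:00:31 2009 -> Can't connect to port 80 of host db.local.clamav.net
Tue Dec  1 08:00:31 2009 -> Update failed. Your network may be down or none of the mirrors listed in freshclam.conf is working.
"""

TS_FMT = "%a %b %d %H:%M:%S %Y"
LINE_RE = re.compile(r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) -> (?P<msg>.*)$")
DB_RE = re.compile(r"^(?P<db>\w+)\.c[lv]d (?:updated|is up to date) \(version: (?P<ver>\d+)")

def parse_freshclam(text):
    """Walk the log in order and return (per_db, last_success, last_failure):
    per_db maps 'main'/'daily' to (timestamp, version) of the last run that
    confirmed that database current; the other two are run-level timestamps."""
    per_db, last_success, last_failure = {}, None, None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), TS_FMT)
        msg = m.group("msg")
        db = DB_RE.match(msg)
        if db:
            per_db[db.group("db")] = (ts, int(db.group("ver")))
        elif msg.startswith("Database updated"):
            last_success = ts
        elif msg.startswith("Update failed"):
            last_failure = ts
    return per_db, last_success, last_failure

def stale_databases(text, now, max_age=timedelta(hours=4)):
    """Names of databases not confirmed current within max_age of `now`
    (or never logged). 'daily' carries the fresh signatures, so it is the
    one to alarm on; a failed run leaves the previous timestamp in place."""
    per_db, _, _ = parse_freshclam(text)
    cutoff = now - max_age
    return [db for db in ("main", "daily")
            if db not in per_db or per_db[db][0] < cutoff]
```

To run it on a live box, feed `stale_databases` the contents of /opt/zimbra/log/freshclam.log and `datetime.now()`; an empty list means both databases were confirmed current within the window.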
