Second AV scanner - ORF Forums


1

We have been an ORF customer for a long time and recently upgraded to Fusion for our company Exchange server. We have the add-on for ClamAV but I am interested in a second AV scanner.

I know it will increase load and could be considered overkill - but different viruses are sometimes caught more quickly by one vendor than another. We already block tons of attachments and do not permit specific zipped file types.

Anyone using AVG with Fusion? Which version of AVG?

Vamsoft hasn't updated much of their add-on info in years... some stuff is still dated 2005.

by steve.mills 9 years ago
2

@steve.mills: A common misconception is that if you set up an anti-virus software on the server, it should also be added to ORF as an External Agent. That is not always the case:

The External Agent feature creates a copy of an incoming email and places it in a specified directory in EML format. You can call a command line executable to scan the EML file, and configure ORF to either tag, redirect, reject or allow through the original email, based on the exit code returned by the command line executable. When the test is finished, the EML file is removed from the file system (deleted).

If the AV of your choice has an email filtering component which monitors the email flow (running as a service for example), it is not required to add the command line scanner executable of said AV as an External Agent to ORF. Calling the command line scanner every time an email arrives probably has a larger footprint than running the service (plus running both in parallel puts an extra load on the server), and the External Agent feature has some limitations (you cannot disinfect or remove email attachments, it filters incoming emails only).

Long story short: DO set up the AVG as an External Agent if your edition is not capable of monitoring the email flow on the fly, and you want ORF to handle things based on the exit code returned by the command line scanner of AVG.

DO NOT set it up if your AVG edition* includes an email filtering component, monitoring emails (incoming/outgoing/internal alike) and provides finer control over infected emails.

*(I am not really familiar with AVG, but according to their website, this feature is included in the 'Internet Security Business Edition' only.)

As for the AVG External Agent definition, I updated it slightly (some exit codes and parameters were removed) according to these documents:

http://www.avg.com/eu-en/faq.num-3604
http://www.avg.com/eu-en/faq.num-3511

It has not been uploaded to vamsoft.com yet (will do that shortly), so here is a Dropbox link: https://www.dropbox.com/s/z00ai2swqaa3r1q/avg.zip?dl=0

by Krisztián Fekete (Vamsoft) 9 years ago
(in reply to this post)

3

@Krisztián Fekete (Vamsoft): Thanks for the reply. We are using ClamAV and we can and do scan attachments. Clam also blocks extensions we have specified in attachments (ZIP\RAR) even if they are not viruses.

(Example photo.jpeg.exe or document.exe would be rejected in a zipped\rar)

What I am asking is if anyone is using 2 external agents for 2 layers of protection... Like Clam and also AVG. (I am not fond of AVG or any other... but knew they had command line capability)

I know it is creating additional load - but the virus variants are out there and they are sometimes not picked up by one AV but they are by another. So 2 layers could be better than one. For small shops with only a few thousand emails a day the load would be minimal.

Thanks for your reply... Let me know your thoughts on the above.

by steve.mills 9 years ago
(in reply to this post)
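The External Agent mechanism Krisztián describes (ORF writes the message to an EML file, runs a command-line executable against it, and acts on the exit code) and the double-extension case Steve mentions (photo.jpeg.exe inside a ZIP) can be illustrated with a small stand-in scanner. The following is an added example written for this thread; it is not ORF's, Vamsoft's or any AV vendor's code. The exit-code meanings (0 clean, 1 blocked attachment) and the executable-extension list are assumptions chosen for the example; a real agent definition maps whatever codes the actual scanner returns.

```python
"""
Stand-in for an External Agent command-line scanner (added example, not
Vamsoft's or any AV vendor's code). It takes the path of the EML copy that
ORF writes out, walks the attachments, and reports by exit code:
0 = clean, 1 = blocked attachment found. Codes and the extension list below
are assumptions for this example.
"""
import email
import io
import sys
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions treated as executable content (assumed list for the example).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs", ".pif"}
ARCHIVE_EXTS = {".zip"}

EXIT_CLEAN = 0
EXIT_BLOCKED = 1


def is_executable_name(name: str) -> bool:
    """True if the LAST extension is executable, so 'photo.jpeg.exe' is caught."""
    lowered = name.lower().rsplit("/", 1)[-1]
    dot = lowered.rfind(".")
    return dot != -1 and lowered[dot:] in EXECUTABLE_EXTS


def blocked_names_in_zip(data: bytes) -> list:
    """Return member names inside a ZIP payload that carry an executable extension."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if is_executable_name(n)]
    except zipfile.BadZipFile:
        # A payload named .zip that is not a readable archive is itself flagged.
        return ["<unreadable archive>"]


def scan_eml_bytes(raw: bytes) -> list:
    """Walk every MIME part and collect the names of blocked attachments."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue  # body text and multipart containers have no filename
        if is_executable_name(name):
            findings.append(name)
            continue
        if any(name.lower().endswith(ext) for ext in ARCHIVE_EXTS):
            inner = blocked_names_in_zip(part.get_payload(decode=True))
            findings.extend(f"{name}:{member}" for member in inner)
    return findings


def scan_eml_file(path: str) -> int:
    """Exit-code style result for one EML file, as an External Agent would return it."""
    with open(path, "rb") as fh:
        findings = scan_eml_bytes(fh.read())
    for finding in findings:
        print(f"blocked attachment: {finding}")
    return EXIT_BLOCKED if findings else EXIT_CLEAN


def build_sample_eml() -> bytes:
    """Constructed sample message: a harmless PDF name plus a ZIP hiding document.exe."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("document.exe", b"MZ not really a program")
        zf.writestr("readme.txt", b"hello")
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "constructed sample"
    msg.set_content("see attachments")
    msg.add_attachment(b"%PDF-1.4 fake", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="files.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    # Usage: python agent_stub.py <path-to-eml>   (exit code tells the caller the verdict)
    sys.exit(scan_eml_file(sys.argv[1]))
```

Run it against an EML file and inspect the process exit code; that is exactly the signal an External Agent definition maps to tag, redirect, reject or allow. The example only reports, it never alters the message, which mirrors the limitation in the thread that an External Agent cannot disinfect or strip attachments.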

4

@steve.mills: what I meant is that while External Agents are capable of scanning attachments and reporting whether they are infected, you cannot disinfect or strip them using ORF based on the exit code returned (only tag, redirect or drop the entire email), as opposed to resident anti-virus scanner services which also allow disinfection and quarantine.

As for running multiple AV engines as External Agents: there should not be any problems with that performance-wise, if your incoming email traffic is relatively low.

by Krisztián Fekete (Vamsoft) 9 years ago
(in reply to this post)

5

Dear Krisztián,

May I kindly ask you to publish an updated parameter string for a new AVG version, as https://www.dropbox.com/s/z00ai2swqaa3r1q/avg.zip?dl=0 is no longer available.
Thank you very much in advance!
KR
Alexey

by mikhail.kurbatov 8 years ago
6

Steve,

You may not need to double-up your AV scanning on the ORF server itself. There are other layers where additional AV scanning could be done:

- Cloud service (if you use a cloud service as your initial MX destination they may offer that option. I suspect though that most of us ORF users are not using a cloud service since we want to handle this ourselves, keeping the data in-house)
- Router/Firewall (our router uses the Wildlist for current top threats to scan the SMTP stream locally, or it has the option to send attachments to the vendor's cloud service for scanning on the fly)
- Exchange add-ons (possibly on the Edge server, possibly on the Mailbox server)
- Desktop software (ex. McAfee VirusScan or any other major vendor)

If you look over all your options you may be able to easily get the double scanning you want by considering other layers.

Sam

by Sam Russo 8 years ago
7

@mikhail.kurbatov: Hello Alexey,

I have updated the AVG External Agent definition for you. You can download it from here: https://www.dropbox.com/s/k1a27o5ps5gom74/avg.zip?dl=0

Should you be interested in creating your own definitions, have a look at this guide: http://blog.vamsoft.com/2009/08/07/tales-from-tech-support-part-3-creating-external-agent-definitions/

by Daniel Novak (Vamsoft) 8 years ago
(in reply to this post)

8

@Daniel Novak (Vamsoft): Dear Daniel,

Thank you very much for the update!

Kind regards,

by AlexeyVV 8 years ago
(in reply to this post)
