Did Clam AV check for infected mail attachments?

jmendiburu
New user
Posts: 14
Joined: 2014-04-10 09:46

Did Clam AV check for infected mail attachments?

Post by jmendiburu » 2019-12-04 19:47

Hi,

I'm a long-time hMailServer and Clam AV (Clam daemon as a service) user. Usually, I check one of my HMS accounts with GMail and everything runs fine, but from time to time, GMail warns me about some infected mail messages that can't be delivered to the GMail inbox. When inspected, such mails contain infected attachments, mainly doc (docx) or xls (xlsx) documents with malicious macros. On some occasions, those documents are inside a ZIP file.

Is it possible to have Clam AV checking for such attachments? Should I change some configuration in the clamd.conf file?

I know HMS can block attachments depending on the file extension, but I prefer to avoid this solution.

Any help would be appreciated!

Thanks!

katip
Senior user
Posts: 765
Joined: 2006-12-22 07:58
Location: Istanbul

Re: Did Clam AV check for infected mail attachments?

Post by katip » 2019-12-04 21:20

it does by default IIRC. just see in clamd.conf:

# ClamAV can scan within archives and compressed files.
# Default: yes
# ScanArchive yes
but don't rely on ClamAV alone. to me, without Sanesecurity it's almost useless.
a good solution is Spamassassin. trap any extension and score.
Katip
--
HMS 5.7.0 x64, MariaDB 10.4.10 x64, SA 3.4.2, ClamAV 0.101.2 + SaneS
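
The following is an added example, not part of katip's post and not code from hMailServer or ClamAV: a small audit of the clamd.conf options that decide whether a macro document inside a ZIP attachment gets unpacked and flagged. It assumes the mail server hands clamd the whole message, and it uses the option names and defaults from ClamAV's sample clamd.conf for 0.101 and later (`AlertOLE2Macros` and `AlertEncrypted` do not appear in the thread); both sample configs are constructed.

```python
# Added example. Defaults as documented in ClamAV's sample clamd.conf (0.101+).
DEFAULTS = {
    "ScanMail": "yes",        # parse the message and extract attachments
    "ScanArchive": "yes",     # unpack ZIP and other archives
    "ScanOLE2": "yes",        # parse OLE2 containers (Office documents)
    "AlertOLE2Macros": "no",  # alert on VBA macros that no signature matched
    "AlertEncrypted": "no",   # alert on encrypted archives and documents
}
REASONS = {
    "ScanMail": "attachments are not extracted from the message",
    "ScanArchive": "files inside ZIP attachments are not scanned",
    "ScanOLE2": "Office documents are not parsed",
    "AlertOLE2Macros": "macro documents are flagged only if a signature matches",
    "AlertEncrypted": "password-protected archives pass without an alert",
}
ON = {"yes", "true", "1"}

def effective_options(conf_text):
    """Effective value of each tracked option; commented lines keep the default."""
    opts = dict(DEFAULTS)
    for raw in conf_text.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) == 2 and not parts[0].startswith("#") and parts[0] in opts:
            opts[parts[0]] = parts[1].strip().lower()
    return opts

def audit(conf_text):
    """Return (option, reason) pairs for settings that limit attachment scanning."""
    opts = effective_options(conf_text)
    return [(name, REASONS[name]) for name in DEFAULTS if opts[name] not in ON]

# Constructed sample 1: the excerpt quoted in the thread (everything at default).
STOCK = """\
# ClamAV can scan within archives and compressed files.
# Default: yes
# ScanArchive yes
"""
# Constructed sample 2: the same file with the two heuristic alerts enabled.
TUNED = STOCK + "AlertOLE2Macros yes\nAlertEncrypted yes\n"

if __name__ == "__main__":
    for label, conf in (("stock", STOCK), ("tuned", TUNED)):
        print(label)
        for name, reason in audit(conf) or [("ok", "nothing limits attachment scanning")]:
            print(f"  {name}: {reason}")
```

On the stock file the audit reports only the two heuristic alerts, which matches katip's point that archive scanning is already on by default and that detection then depends on the signatures loaded.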

jmendiburu
New user
Posts: 14
Joined: 2014-04-10 09:46

Re: Did Clam AV check for infected mail attachments?

Post by jmendiburu » 2019-12-09 13:43

Thank you for your answer, katip.

I'm using Clam mainly for speed in HMS, after trying several commercial alternatives without success. I'm also using DNS blacklists, SURBL servers, some experimental YARA rules for Clam and a little, non-professional piece of software developed using MS-Access that analyzes hmailserver_awstats.log content and generates Windows firewall rules on the fly to protect the server from intruders' IPs. With this mix of technologies, our server has a very good mail reputation, but macro viruses inside Office documents are giving me a lot of trouble. I've never heard about Sanesecurity signatures, so I'll give them a try and will share my experience with you.

Thank you again!

jmendiburu
New user
Posts: 14
Joined: 2014-04-10 09:46

Re: Did Clam AV check for infected mail attachments?

Post by jmendiburu » 2019-12-16 13:53

katip wrote:
2019-12-04 21:20
it does by default IIRC. just see in clamd.conf:

# ClamAV can scan within archives and compressed files.
# Default: yes
# ScanArchive yes
but don't rely on ClamAV alone. to me, without Sanesecurity it's almost useless.
a good solution is Spamassassin. trap any extension and score.
Hi Katip,

The experience with Sanesecurity is being very positive.

Thanks for your good advice

Cheers

katip
Senior user
Posts: 765
Joined: 2006-12-22 07:58
Location: Istanbul

Re: Did Clam AV check for infected mail attachments?

Post by katip » 2019-12-16 16:05

that's good news. glad to help you...
Katip
--
HMS 5.7.0 x64, MariaDB 10.4.10 x64, SA 3.4.2, ClamAV 0.101.2 + SaneS
