
Install Sophos Antivirus

Posted: 30 Nov 2015 17:15
by nicola.piazzi
In addition to clamwin you can also install Sophos free, and detection gets a great enhancement:

STEPS :

1) Make executable /tmp file system :
vi /etc/fstab
Duplicate the /tmp line, comment out the original, and change the copy to temporarily remove the noexec option, like below:
#/dev/mapper/vg_00-lv_tmp /tmp ext4 nosuid,noexec,noatime 1 2
/dev/mapper/vg_00-lv_tmp /tmp ext4 noatime 1 2


2) Download sophos and put in your /root dir
You can use this link
https://secure2.sophos.com/it-it/produc ... nload.aspx

3) Install
Using the guide that you can download from the same page, you can install it in a few steps.
Make sure not to turn on the system scanner.

4) Add in MailScanner
vi /etc/MailScanner/MailScanner.conf
Line :
Virus Scanners = clamd sophos

5) Restart and enjoy

Re: Install Sophos Antivirus

Posted: 05 Dec 2015 10:43
by shawniverson
Recommend setting no exec bit back on /tmp, just fyi ;)

:text-bravo:

Re: Install Sophos Antivirus

Posted: 23 Dec 2015 01:38
by JeffAudet
Hi,

I installed Sophos in addition to the existing clamAV with your instructions and all works perfectly!

A weird thing since installation, I receive a mail message like this whenever an infected email is detected by Sophos:


[SAV-LINUX] Threat detected during on-demand scan on server.domain.com
A threat was detected during an on-demand scan. Details follow:
3 files scanned.
Number of infections detected: 1
Number of infected files detected: 1
/var/spool/MailScanner/incoming/8730/CD8E410059D.AF62D/nmsg-8730-1.html is infected with W32/Chir-B.


What do I need to do to disable this notification?

Thanks!

Jeff

Re: Install Sophos Antivirus

Posted: 23 Dec 2015 02:02
by JeffAudet
I think I found the solution!

http://tw.sophos.com/sophos/docs/eng/ma ... _umeng.pdf

Turn on-demand email alerts off
By default, Sophos Anti-Virus emails the summary of an on-demand scan if, and only if, the scan
detects viruses.

To turn off the emailing of an on-demand scan summary if viruses are detected, type:
/opt/sophos-av/bin/savconfig set EmailDemandSummaryIfThreat disabled


So, wait and see!

Re: Install Sophos Antivirus

Posted: 22 Mar 2016 10:54
by henk
When installing Sophos, the easy way to make /tmp executable (without fstab changes):

mount -o remount,exec /tmp

and to restore the non exec situation :

mount -o remount /tmp

Re: Install Sophos Antivirus

Posted: 30 Mar 2016 10:10
by akl
Hi,

what is that "make a filesystem executable" all about?
I never did that before for anything.

Thx
akl

Re: Install Sophos Antivirus

Posted: 01 Apr 2016 13:14
by nicola.piazzi
It is a way to protect /tmp from execution.

Re: Install Sophos Antivirus

Posted: 07 Apr 2016 12:55
by d.gerdes
Hi,

thank you for the instructions, but we ran into trouble after installing Sophos as mentioned above.
After an EFA restart we got an error in line 565 of /etc/unbound/unbound.conf and the service didn't start. Therefore no more mails arrived at our mailserver.
So we went back to our latest VMware snapshot (before the Sophos install) and everything works well again.

Any suggestions?

Thanx!

Daniel

Re: Install Sophos Antivirus

Posted: 08 Apr 2016 03:32
by pdwalker
the obvious question is, what was wrong on line 565 of your configuration file?

without knowing what was in the file, it'd be very difficult for a third party to diagnose it.

Re: Install Sophos Antivirus

Posted: 08 Apr 2016 07:26
by nicola.piazzi
I installed Sophos on 3.0.0.7 and upgraded to 3.0.0.8.
Now I reinstalled on a fresh 3.0.0.9.
I have no problem.

So I suggest:

Install a fresh 3.0.0.9, which is a perfect version; it has the most stable CentOS version.
3.0.0.9 has TXREP; with TXREP I have no more false positives without affecting spam detection.

With a fresh install you have a perfectly functional Clam Antivirus with the unofficial extension.

Then you must install the only antiviruses that work without system modification:

Fprot6
Sophos

When you install them you must be careful and specify not to activate the automatic system scan of the filesystem, because you need to use them only when invoked by MailScanner to scan incoming email files.
You also need to modify the MailScanner line to invoke these 3 products instead of Clam only.

Here are my virus detection statistics:

Date        Total  Sophos  Sophos only  Clam  Clam only  FProt  FProt only
08/04/2016     78      72           22    56          6      0           0
07/04/2016     29      17           17    12         12      0           0
06/04/2016     46      27           27    19         19      0           0
05/04/2016     20       5            5    15         15      0           0
04/04/2016      6       5            5     1          1      0           0
03/04/2016      4       2            2     2          2      0           0
02/04/2016     20      15           15     5          5      0           0
01/04/2016     16      14           14     2          2      0           0
31/03/2016      7       3            3     4          4      0           0
30/03/2016     15      11            6     4          4      5           0
29/03/2016    285     285          167     0          0    118           0


For example, on 08/04 I found 78 incoming viruses: Sophos detected 72, 22 were detected by Sophos only, Clam detected 56 and 6 only by Clam, FProt 0.
So if you want you can choose not to install Fprot, but I suggest installing Sophos, as you can see.
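As an added example (not the poster's code), the script below shows how the columns of such a table are derived from per-message detection records: a message caught by two scanners counts once in Total and once in each scanner's column, and only a message that no other scanner caught lands in that scanner's "only" column, which is what you would lose by removing it. The records and queue ids are constructed; the scanner names follow the MailScanner setup in this thread.

```python
from collections import defaultdict

SCANNERS = ("sophos", "clamd", "fprot")  # MailScanner scanner names used in this thread

# Constructed sample records: (date, queue id, scanner that flagged the message).
# Queue ids are made up; a message caught by several scanners appears once per scanner.
RECORDS = [
    ("08/04/2016", "M1", "sophos"), ("08/04/2016", "M1", "clamd"),
    ("08/04/2016", "M2", "sophos"),
    ("08/04/2016", "M3", "clamd"),
    ("08/04/2016", "M4", "sophos"), ("08/04/2016", "M4", "fprot"),
    ("09/04/2016", "M5", "sophos"), ("09/04/2016", "M5", "clamd"),
    ("09/04/2016", "M5", "fprot"), ("09/04/2016", "M6", "fprot"),
]

def group_by_message(records):
    """Map date -> {queue id -> set of scanners that flagged that message}."""
    by_date = defaultdict(lambda: defaultdict(set))
    for date, msgid, scanner in records:
        by_date[date][msgid].add(scanner)
    return by_date

def daily_stats(records, scanners=SCANNERS):
    """Map date -> {'total': n, scanner: (detected, detected_only)}.
    'detected' counts messages the scanner flagged at all; 'detected_only'
    counts messages no other scanner caught, i.e. the detections lost if
    that scanner were removed (the "only" columns in the table)."""
    stats = {}
    for date, msgs in group_by_message(records).items():
        row = {"total": len(msgs)}          # each message counted once
        for s in scanners:
            hit = [m for m, who in msgs.items() if s in who]
            only = [m for m in hit if msgs[m] == {s}]
            row[s] = (len(hit), len(only))
        stats[date] = row
    return stats

def render(stats, scanners=SCANNERS):
    """Render rows in the same column order as the table above."""
    header = f"{'Date':<10} {'Total':>5} " + " ".join(
        f"{s:>7} {'only':>5}" for s in scanners)
    lines = [header]
    for date in sorted(stats):              # dd/mm/yyyy sorts correctly within a month
        row = stats[date]
        cells = " ".join(f"{row[s][0]:>7} {row[s][1]:>5}" for s in scanners)
        lines.append(f"{date:<10} {row['total']:>5} {cells}")
    return "\n".join(lines)

print(render(daily_stats(RECORDS)))
```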

Re: Install Sophos Antivirus

Posted: 11 May 2016 09:32
by ovizii
Any specific instructions on how to install and where to find Fprot6?

###edit###
seems older and f-prot.com doesn't have a download link. I guess I'll skip it :-)

Re: Install Sophos Antivirus

Posted: 11 May 2016 12:25
by nicola.piazzi
Sometimes Fprot also catches some viruses.
Updates are regular, installation is simple and sure, so I use it
[Attachment: Cattura.PNG]

Re: Install Sophos Antivirus

Posted: 11 May 2016 12:45
by ovizii
Where did you get the free version from?
All 3 versions I can find are commercial:
http://www.cyren.com/f-prot-antivirus-f ... rvers.html
http://www.cyren.com/f-prot-antivirus-f ... tions.html
http://www.cyren.com/f-prot-antivirus-f ... rvers.html

or are you using a commercial one? If that is the case, please excuse my blonde moment.

Re: Install Sophos Antivirus

Posted: 11 May 2016 12:46
by nicola.piazzi

Re: Install Sophos Antivirus

Posted: 11 May 2016 12:51
by ovizii
Thank you! Weirdly enough it is not listed on the overview page for home users: http://www.f-prot.com/download/home_user/

Re: Install Sophos Antivirus

Posted: 11 May 2016 12:55
by ovizii
I think I am going to sit this one out:

Found an existing license key in /root/f-prot/license.key, updating antivir.def ...



Unable to update `antvir.def' with the provided license key.
The error message above should explain why.

Re: Install Sophos Antivirus

Posted: 11 May 2016 12:56
by nicola.piazzi
In the first step you must make /tmp executable from /etc/fstab.

Re: Install Sophos Antivirus

Posted: 11 May 2016 12:59
by ovizii
thanks but that didn't help with the license problem I posted above

###edit###
where did you place fprot? I put it into root while installing but it seems it needs a "permanent" place like /opt?

Re: Install Sophos Antivirus

Posted: 11 May 2016 13:07
by nicola.piazzi
At first remove the noexec option from /tmp in /etc/fstab and reboot
(at the end put it back).

Download the package, unpack it and put it under /opt,

and run install-f-prot.pl.

Insert an entry in the MailScanner configuration to use it.

Under /opt/f-prot there is license.key.
I don't remember how I got it, but I think it is retrieved during install.

Re: Install Sophos Antivirus

Posted: 12 Oct 2016 19:27
by dbrunt
sav-linux installed and working on 3.0.0.8.
/tmp did not have enough space, so I created /install and put the download and the extraction in there. After installation, rm -rf /install

Re: Install Sophos Antivirus

Posted: 13 Oct 2016 01:43
by mmcnally
Thanks for the great information!!!

Mark

Re: Install Sophos Antivirus

Posted: 13 Oct 2016 07:30
by nicola.piazzi
The first thing that I do when I install a new EFA box is to enlarge the space.

Re: Install Sophos Antivirus

Posted: 05 May 2017 11:29
by pdwalker
:clap:

Very useful information.

Re: Install Sophos Antivirus

Posted: 25 Sep 2017 06:12
by pdwalker
Here's a possible gotcha.

I receive a lot of messages with Chinese language filenames. Sophos AV has trouble with these filenames and calls the attachments "viruses" even though they are not.

Basically, if Sophos cannot access the filename, it gives up and errs on the side of caution. I think I'll have to disable Sophos because of this as I cannot afford to check every day to find out what legitimate files Sophos is blocking.

Example:
Sophos: Could not check ./00D30180490.AF1A6/�永-天����港IPO��约�书 (corrupt)
Sophos: Could not check ./00D30180490.AF1A6/�永-天����港IPO��约�书 (corrupt)

The actual filenames in the queue directory are:
-rw-rw---- 1 postfix mtagroup 375411 Aug 29 17:57 %D6%D0%BD%E9%CE%AF%CD%D0%D0%AD%D2%E920.rar
-rw-rw---- 1 postfix mtagroup 518325 Aug 29 17:57 message
-rw-rw---- 1 postfix mtagroup 236594 Aug 29 17:57 安永-天立教育香港IPO业务约定书
which are well formatted UTF8 filenames.
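To triage such "corrupt" reports, here is an added check (not from the thread or from Sophos) that recovers the raw bytes of a queued attachment name and reports whether they are valid UTF-8 or, failing that, decode cleanly under a legacy code page. The two names are the ones quoted above; trying GBK first is an assumption based on the Chinese-language mail described.

```python
import urllib.parse

# Constructed from the two queue-directory names quoted in the post above.
QUEUE_NAMES = [
    "%D6%D0%BD%E9%CE%AF%CD%D0%D0%AD%D2%E920.rar",
    "安永-天立教育香港IPO业务约定书",
]

# Legacy code pages to try when the bytes are not UTF-8. GBK is an assumption
# based on the Chinese-language mail the post describes; extend as needed.
FALLBACK_ENCODINGS = ("gbk", "big5")

def raw_name_bytes(name: str) -> bytes:
    """Undo %XX escaping to get the bytes that actually reach the filesystem.
    A name without escapes is taken as already-UTF-8 text."""
    return urllib.parse.unquote_to_bytes(name)

def classify_name(name: str) -> dict:
    """Report whether a queued attachment name is valid UTF-8 and, if not,
    which legacy encoding (if any) decodes it without errors."""
    raw = raw_name_bytes(name)
    info = {"raw": raw, "utf8": None, "legacy": None, "decoded": None}
    try:
        info["utf8"] = info["decoded"] = raw.decode("utf-8")
        return info
    except UnicodeDecodeError:
        pass
    for enc in FALLBACK_ENCODINGS:
        try:
            info["decoded"] = raw.decode(enc)
            info["legacy"] = enc
            break
        except UnicodeDecodeError:
            continue
    return info

def is_valid_utf8(name: str) -> bool:
    return classify_name(name)["utf8"] is not None

def safe_label(name: str) -> str:
    """ASCII-only rendering for log lines, so a scanner report stays
    readable on a terminal without CJK fonts; falls back to hex."""
    info = classify_name(name)
    if info["decoded"] is None:
        return info["raw"].hex()
    return info["decoded"].encode("ascii", "backslashreplace").decode("ascii")

for n in QUEUE_NAMES:
    i = classify_name(n)
    print(f"utf8={i['utf8'] is not None} legacy={i['legacy']} {safe_label(n)}")
```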

Re: Install Sophos Antivirus

Posted: 30 May 2018 06:51
by ovizii
I've never received any attachments with a completely foreign locale, could this be made to work if you install the correct locales on the EFA system?