hMailServer 5.4 + Symantec Endpoint Protection 12.1

gruenie

hMailServer 5.4 + Symantec Endpoint Protection 12.1

Post by gruenie » 2014-01-23 17:12

Hi to all,

is someone there who got Symantec Endpoint Protection 12.1 and hMailServer up and running as an integrated "external" virus-scanner?

In older versions of SEP it worked with using the file "vpscan.exe" together with a little batch-file, but "vpscan.exe" is calling the "rtvscan.exe" which is removed from SEP since version 12.
The other possibility would be to use the Symantec-tool "doscan.exe" but I have not been successful with it.
The main problem is that these tools delete an infected file/mail completely (the same what the auto-protection is doing) so that the sender and/or receiver will not be informed about the mail.

So are there any ideas or experiences?

By the way:
If there is someone who has problems in sending emails in the following configuration:
Windows 7 x64, SEP SMB 12.1 (newest version) and hMailServer 5.4 - Build 1950 ,

you should read the thread: http://www.hmailserver.com/forum/viewto ... =6&t=25912

Gruenie
Errare humanum est, sed in errare perseverare diabolicum!

Bill48105

Re: hMailServer 5.4 + Symantec Endpoint Protection 12.1

Post by Bill48105 » 2014-01-23 17:33

I already replied on your other post so will just copy here:
if it gives command-line scanner & known result codes it should be possible. Understand though that except for very low usage servers command-line scanners are normally a bad idea since they usually cause very heavy load & memory usage when they start up & load defs. Multiply that by however many concurrent SMTP sessions you allow & can bring server to its knees. Now if it is client/server based like clamd+clamc, or database-based doing queries vs loading defs then it might not be so bad. Best option on server is likely ClamD with the ClamC client built into hmail.
Bill
hMailServer build LIVE on my servers: 5.4-B2014050402
#hmailserver on FreeNode IRC https://webchat.freenode.net/?channels=#hmailserver
*** ABSENT FROM hMail! Those in IRC know how to find me if urgent. ***

gruenie

Re: hMailServer 5.4 + Symantec Endpoint Protection 12.1

Post by gruenie » 2014-01-23 23:15

Hi again, Bill,

Symantec Endpoint Protection offers a tool called doscan.exe which you can use as a command-line scanner too.
But I have no idea if and which return codes are provided.
But the answer would not help very much because the tool is deleting all infected files/mails completely. This is the same what the auto-protect part of SEP is doing. What I want is that just the infected attachment should be deleted and the receiver/sender get an information.
Just to delete infected emails completely I do not need to implement SEP inside the hMailServer.

Nevertheless I understand your argumentation against command-line scanners at all.

But what are clamC and clamD? Do you speak about clamwin and clamAV?

Gruenie
Errare humanum est, sed in errare perseverare diabolicum!

Bill48105

Re: hMailServer 5.4 + Symantec Endpoint Protection 12.1

Post by Bill48105 » 2014-01-24 00:25

It is NOT the same thing since background scanner does it at file system level & screws with programs especially servers that are not expecting files to be in-use or delayed reads or being deleted. At least with a command-line scanner it is ON HMAIL'S TERMS meaning hmail requests the scan & the scanner returns a result to hmail to act on & know what happened vs rug being pulled out. If live AV deletes a file hmail will log errors saying the file is missing & send a replacement file to either person downloading mail or to the sender as a bounce.

To use it you'd need to research & find the result codes. Doesn't it tell you some if you do /? or /help? or no options? There docs for it? If all else fails you can call the scanner from a batch file & echo the result when you scan known files (one clean, one infected etc)

ClamD is DAEMON as in server. ClamC is the command-line scanner for ClamD. ClamC could be called from hmail but no need as hmail 5.4 has ClamC client built in on ClamAV tab. (It's obvious which it is since it asks for IP & port for the ClamD server). ClamD, ClamC, ClamAV & ClamWin are all the same in they are CLAM but they are all quite different in how they work & what they are used for. DO NOT use ClamWin or ClamAV command line versions with hmail unless you want problems. The reasons have been discussed many times in the forums.
hMailServer build LIVE on my servers: 5.4-B2014050402
#hmailserver on FreeNode IRC https://webchat.freenode.net/?channels=#hmailserver
*** ABSENT FROM hMail! Those in IRC know how to find me if urgent. ***

gruenie

Re: hMailServer 5.4 + Symantec Endpoint Protection 12.1

Post by gruenie » 2014-01-24 00:45

Hi Bill,
thanx for the explanations.
I wasn't successful in using the tool "doscan.exe" of Symantec Endpoint Protection 12.1. Maybe I did not do it in the right way but I always got a return code of "0".
Furthermore it calls the "ccSvcHst.exe" which deletes the completely infected email and not just the infected attachment. That was what I mean.

But if someone can advise me a better and useable way to use the SEP I will be very thankful.

At the moment I'm trying the clamWin-virus-scanner called from the AntiVirus-Feature of hMailServer.
Don't you think that it is a good idea or did I misunderstand you?

At the moment I'm using it together with SEP on the same machine (I know it's not a good idea to use 2 virus-scanners on the same machine).
I told SEP not to scan the hMailServer-directory and the database and let do it clamWin. Clamwin I told not to delete any infected files. The complete file-system (w/o hMS) is so covered by SEP and clamwin does not delete any files but works together with hMS for the email-system.

What do you think about that?
Errare humanum est, sed in errare perseverare diabolicum!

Bill48105

Re: hMailServer 5.4 + Symantec Endpoint Protection 12.1

Post by Bill48105 » 2014-01-24 00:57

Not sure any AV scanner can delete just attachments. hmail can if you set the option to delete attachment vs email in AV section.

I would NOT use clamwin. You are asking for problems. You want ClamD (note the D vs Win) then you set it up on ClamAV tab NOT ClamWIN tab and not the External AV tab.

It is good you excluded hmailserver folder/tree but av running can still cause problems. You've been warned. :)
Bill
hMailServer build LIVE on my servers: 5.4-B2014050402
#hmailserver on FreeNode IRC https://webchat.freenode.net/?channels=#hmailserver
*** ABSENT FROM hMail! Those in IRC know how to find me if urgent. ***

gruenie

Re: hMailServer 5.4 + Symantec Endpoint Protection 12.1

Post by gruenie » 2014-01-24 02:25

Ok, ok, ok! :-)

So what's the best HowTo and the easiest way downloading and setting up clamD for a Windows Server 2008 R2 (x64) according to your opinion. I found endless ideas instructions and opinions and have no idea which is the best.
I'm thankful for an advice!

Gruenie
Errare humanum est, sed in errare perseverare diabolicum!

Bill48105

Re: hMailServer 5.4 + Symantec Endpoint Protection 12.1

Post by Bill48105 » 2014-01-24 04:45

gruenie wrote:Ok, ok, ok! :-)

So what's the best HowTo and the easiest way downloading and setting up clamD for a Windows Server 2008 R2 (x64) according to your opinion. I found endless ideas instructions and opinions and have no idea which is the best.
I'm thankful for an advice!

Gruenie
Personally I think the best option is to setup nix (like centos or whatever flavor you are comfortable with) even in a virtual machine mostly because windows clam has been hit or miss at times but there are some how-to's on here just a matter of finding the recent ones as some windows ports are dead or not updated anymore. It's been forever since I've tried any of them but here are a few to look at & compare:
http://www.hmailserver.com/forum/viewto ... 12&t=21500
http://www.hmailserver.com/forum/viewto ... 81#p154081
http://www.othworld.info/2013/03/howtow ... erver.html

Or if you are comfortable going the nix route let me know & I'll post my steps or find how-to.
Bill
hMailServer build LIVE on my servers: 5.4-B2014050402
#hmailserver on FreeNode IRC https://webchat.freenode.net/?channels=#hmailserver
*** ABSENT FROM hMail! Those in IRC know how to find me if urgent. ***

gruenie

Re: hMailServer 5.4 + Symantec Endpoint Protection 12.1

Post by gruenie » 2014-01-24 10:39

Bill48105 wrote:Personally I think the best option is to setup nix (like centos or whatever flavor you are comfortable with) even in a virtual machine mostly because windows clam has been hit or miss at times but there are some how-to's on here just a matter of finding the recent ones as some windows ports are dead or not updated anymore. It's been forever since I've tried any of them but here are a few to look at & compare:
viewtopic.php?f=12&t=21500
viewtopic.php?p=154081#p154081
http://www.othworld.info/2013/03/howtow ... erver.html

Or if you are comfortable going the nix route let me know & I'll post my steps or find how-to.
Bill
Hi Bill,

again many thanx for your time to bring me on the right way! ;-)
I heard about the NIX-project (if you are speaking about that antispam-system), but I'm not very familiar with it; neither with Linux at all. I'm sure that could be the best way but it would probably overcharge me at the moment. 8-)
Thanx also for the links in relation to clamD/AV. When I asked you about the best HowTo etc. I haven't been too lazy to search for solutions (just want to mention it! ;-) ) because I already was reading the 3 links provided by you (and others).
But there have been so many different ways and opinions so that I have been confused which I should follow.

So from that 3 possibilities it seems that the link:
http://www.hmailserver.com/forum/viewto ... 81#p154081
is the most easy way and I will try it.
I already have installed clamWIN (as mentioned) and on this way the clamD would be concerned for the real-time-scanning of mails included in hMailServer and not clamWIN.

So do you think I should completely remove Symantec Antivirus Endpointprotection from that machine?
At the moment I tried to divide the tasks for SEP and ClamWIN. I excluded the complete hMS-Installation and mySQL from SEP and let that do clamWIN. Now I would add clamD to do the part of realtime scanning the emails as described in the post.

What do you think - even if that might not be the very best way?

Gruenie
Errare humanum est, sed in errare perseverare diabolicum!

mattg

Re: hMailServer 5.4 + Symantec Endpoint Protection 12.1

Post by mattg » 2014-01-24 14:36

Bill48105 wrote:I would NOT use clamwin. You are asking for problems. You want ClamD (note the D vs Win) then you set it up on ClamAV tab NOT ClamWIN tab and not the External AV tab.
+1

Don't use ClamWIN
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

gruenie

Re: hMailServer 5.4 + Symantec Endpoint Protection 12.1

Post by gruenie » 2014-01-24 16:02

Hi Mattg,

:shock: :shock: :shock: :shock: :shock:

;-)

Yes I saw that sentence of Bill before.
On the other hand he suggested me the link:
http://www.hmailserver.com/forum/viewto ... 81#p154081.

... and there is described, how to use clamWIN for taking/downloading the virus-definitions and doing some other jobs etc.
I did not have in mind to use it together with hmailserver. There I wanted to use the hMS-inside client of clamAV together with the daemon clamC.

I will wait for the answer of Bill before I start to change the things.

Gruenie
Errare humanum est, sed in errare perseverare diabolicum!

mattg

Re: hMailServer 5.4 + Symantec Endpoint Protection 12.1

Post by mattg » 2014-01-24 16:41

Try this thread

http://www.hmailserver.com/forum/viewto ... AV#p156316

I think I last set up clamD from the detail provided there
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

Bill48105

Re: hMailServer 5.4 + Symantec Endpoint Protection 12.1

Post by Bill48105 » 2014-01-24 17:20

Yeah sorry Gruenie I didn't see they used clamwin on that one post, I saw the clamd stuff in the post if you look closely. They used clamd from clamwin. :) Key is you don't really want background scanning and you don't want to call a scanner that needs to spawn & load defs over & over & that's why you don't want clamwin. Otherwise using clamwin WITHOUT those things should be fine. Or look at matt's link. There are like 100 posts about using clam key is do not use background scanning (or at least exclude hmail & hmail tree) and use clamD (clamav tab in hmail) NOT clamwin tab.

We really do need to fix that GUI so it's obvious which to use & not so confusing. I'd love to rename ClamAV tab to ClamC or ClamD Client and on the external & ClamWin tabs explain why not to use them.. Or remove clamwin tab entirely. :D
hMailServer build LIVE on my servers: 5.4-B2014050402
#hmailserver on FreeNode IRC https://webchat.freenode.net/?channels=#hmailserver
*** ABSENT FROM hMail! Those in IRC know how to find me if urgent. ***

gruenie

Re: hMailServer 5.4 + Symantec Endpoint Protection 12.1

Post by gruenie » 2014-01-25 02:39

Well now I uninstalled ClamWIN again, installed clamAV and clamd.exe and clamfresh.exe as windows-service and activated it in the clamAV-Tab. As far as I can see it works now.
I still have Symantec Endpoint Protection on the machine but excluded the entire hMailServer-installation (of course mySQL too).
Well, let's see what will happen.

Later I will install ASSP.

If you have any additional suggestions, please let me know!

Gruenie
Errare humanum est, sed in errare perseverare diabolicum!
