hMailServer 5.4 + Symantec Endpoint Protection 12.1

Posted: 2014-01-23 17:12
by gruenie
Hi to all,

is someone there who got Symantec Endpoint Protection 12.1 and hMailServer up and running as an integrated "external" virus-scanner?

In older versions of SEP it worked by using the file "vpscan.exe" together with a little batch-file, but "vpscan.exe" calls "rtvscan.exe", which has been removed from SEP since version 12.
The other possibility would be to use the Symantec-tool "doscan.exe" but I have not been successful with it.
The main problem is that these tools delete an infected file/mail completely (the same as what the auto-protection does) so that the sender and/or receiver will not be informed about the mail.

So are there any ideas or experiences?

By the way:
If there is someone who has problems sending emails in the following configuration:
Windows 7 x64, SEP SMB 12.1 (newest version) and hMailServer 5.4 - Build 1950,

you should read the thread: http://www.hmailserver.com/forum/viewto ... =6&t=25912

Gruenie

Re: hMailServer 5.4 + Symantec Endpoint Protection 12.1

Posted: 2014-01-23 17:33
by Bill48105
I already replied on your other post so will just copy here:
If it gives command-line scanner & known result codes it should be possible. Understand though that except for very low usage servers command-line scanners are normally a bad idea since they usually cause very heavy load & memory usage when they start up & load defs. Multiply that by however many concurrent SMTP sessions you allow & it can bring the server to its knees. Now if it is client/server based like clamd+clamc, or database-based doing queries vs loading defs then it might not be so bad. Best option on server is likely ClamD with the ClamC client built into hmail.
Bill

Re: hMailServer 5.4 + Symantec Endpoint Protection 12.1

Posted: 2014-01-23 23:15
by gruenie
Hi again, Bill,

Symantec Endpoint Protection offers a tool called doscan.exe which you can use as a command-line scanner too.
But I have no idea if and which return codes are provided.
But the answer would not help very much because the tool deletes all infected files/mails completely. This is the same as what the auto-protect part of SEP does. What I want is that just the infected attachment is deleted and the receiver/sender gets a notification.
Just to delete infected emails completely I do not need to integrate SEP into hMailServer.

Nevertheless I understand your argumentation against command-line scanners at all.

But what are clamC and clamD? Do you speak about clamwin and clamAV?

Gruenie

Re: hMailServer 5.4 + Symantec Endpoint Protection 12.1

Posted: 2014-01-24 00:25
by Bill48105
It is NOT the same thing since background scanner does it at file system level & screws with programs especially servers that are not expecting files to be in-use or delayed reads or being deleted. At least with a command-line scanner it is ON HMAIL'S TERMS meaning hmail requests the scan & the scanner returns a result to hmail to act on & know what happened vs rug being pulled out. If live AV deletes a file hmail will log errors saying the file is missing & send a replacement file to either person downloading mail or to the sender as a bounce.

To use it you'd need to research & find the result codes. Doesn't it tell you some if you do /? or /help? or no options? There docs for it? If all else fails you can call the scanner from a batch file & echo the result when you scan known files (one clean, one infected etc)

ClamD is DAEMON as in server. ClamC is the command-line scanner for ClamD. ClamC could be called from hmail but no need as hmail 5.4 has ClamC client built in on ClamAV tab. (It's obvious which it is since it asks for IP & port for the ClamD server). ClamD, ClamC, ClamAV & ClamWin are all the same in they are CLAM but they are all quite different in how they work & what they are used for. DO NOT use ClamWin or ClamAV command line versions with hmail unless you want problems. The reasons have been discussed many times in the forums.

Re: hMailServer 5.4 + Symantec Endpoint Protection 12.1

Posted: 2014-01-24 00:45
by gruenie
Hi Bill,
thanx for the explanations.
I wasn't successful in using the tool "doscan.exe" of Symantec Endpoint Protection 12.1. Maybe I did not do it in the right way but I always got a return code of "0".
Furthermore it calls the "ccSvcHst.exe" which completely deletes the infected email and not just the infected attachment. That was what I meant.

But if someone can advise me of a better and usable way to use the SEP I will be very thankful.

At the moment I'm trying the clamWin-virus-scanner called from the AntiVirus-Feature of hMailServer.
Don't you think that it is a good idea or did I misunderstand you?

At the moment I'm using it together with SEP on the same machine (I know it's not a good idea to use 2 virus-scanners on the same machine).
I told SEP not to scan the hMailServer-directory and the database and let clamWin do it. Clamwin I told not to delete any infected files. The complete file-system (w/o hMS) is thus covered by SEP, and clamwin does not delete any files but works together with hMS for the email-system.

What do you think about that?

Re: hMailServer 5.4 + Symantec Endpoint Protection 12.1

Posted: 2014-01-24 00:57
by Bill48105
Not sure any AV scanner can delete just attachments. hmail can if you set the option to delete attachment vs email in AV section.

I would NOT use clamwin. You are asking for problems. You want ClamD (note the D vs Win) then you set it up on ClamAV tab NOT ClamWIN tab and not the External AV tab.

It is good you excluded hmailserver folder/tree but av running can still cause problems. You've been warned. :)
Bill

Re: hMailServer 5.4 + Symantec Endpoint Protection 12.1

Posted: 2014-01-24 02:25
by gruenie
Ok, ok, ok! :-)

So what's the best HowTo and the easiest way of downloading and setting up clamD for a Windows Server 2008 R2 (x64) in your opinion? I found endless ideas, instructions and opinions and have no idea which is the best.
I'm thankful for any advice!

Gruenie

Re: hMailServer 5.4 + Symantec Endpoint Protection 12.1

Posted: 2014-01-24 04:45
by Bill48105
gruenie wrote:Ok, ok, ok! :-)

So what's the best HowTo and the easiest way of downloading and setting up clamD for a Windows Server 2008 R2 (x64) in your opinion? I found endless ideas, instructions and opinions and have no idea which is the best.
I'm thankful for any advice!

Gruenie
Personally I think the best option is to setup nix (like centos or whatever flavor you are comfortable with) even in a virtual machine mostly because windows clam has been hit or miss at times but there are some how-to's on here just a matter of finding the recent ones as some windows ports are dead or not updated anymore. It's been forever since I've tried any of them but here are a few to look at & compare:
http://www.hmailserver.com/forum/viewto ... 12&t=21500
http://www.hmailserver.com/forum/viewto ... 81#p154081
http://www.othworld.info/2013/03/howtow ... erver.html

Or if you are comfortable going the nix route let me know & I'll post my steps or find how-to.
Bill

Re: hMailServer 5.4 + Symantec Endpoint Protection 12.1

Posted: 2014-01-24 10:39
by gruenie
Bill48105 wrote:Personally I think the best option is to setup nix (like centos or whatever flavor you are comfortable with) even in a virtual machine mostly because windows clam has been hit or miss at times but there are some how-to's on here just a matter of finding the recent ones as some windows ports are dead or not updated anymore. It's been forever since I've tried any of them but here are a few to look at & compare:
viewtopic.php?f=12&t=21500
viewtopic.php?p=154081#p154081
http://www.othworld.info/2013/03/howtow ... erver.html

Or if you are comfortable going the nix route let me know & I'll post my steps or find how-to.
Bill
Hi Bill,

again many thanx for your time to bring me on the right way! ;-)
I heard about the NIX-project (if you are speaking about that antispam-system), but I'm not very familiar with it; neither with Linux at all. I'm sure that could be the best way but it would probably overcharge me at the moment. 8-)
Thanx also for the links in relation to clamD/AV. When I asked you about the best HowTo etc. I haven't been too lazy to search for solutions (just want to mention it! ;-) ) because I had already read the 3 links provided by you (and others).
But there have been so many different ways and opinions that I have been confused about which I should follow.

So from those 3 possibilities it seems that the link:
http://www.hmailserver.com/forum/viewto ... 81#p154081
is the easiest way and I will try it.
I already have installed clamWIN (as mentioned) and this way clamD would be responsible for the real-time-scanning of mails included in hMailServer and not clamWIN.

So do you think I should completely remove Symantec Antivirus Endpointprotection from that machine?
At the moment I tried to divide the tasks for SEP and ClamWIN. I excluded the complete hMS-Installation and mySQL from SEP and let clamWIN do that. Now I would add clamD to do the part of realtime scanning the emails as described in the post.

What do you think - even if that might not be the very best way?

Gruenie

Re: hMailServer 5.4 + Symantec Endpoint Protection 12.1

Posted: 2014-01-24 14:36
by mattg
Bill48105 wrote:I would NOT use clamwin. You are asking for problems. You want ClamD (note the D vs Win) then you set it up on ClamAV tab NOT ClamWIN tab and not the External AV tab.
+1

Don't use ClamWIN

Re: hMailServer 5.4 + Symantec Endpoint Protection 12.1

Posted: 2014-01-24 16:02
by gruenie
Hi Mattg,

:shock: :shock: :shock: :shock: :shock:

;-)

Yes I saw that sentence of Bill before.
On the other hand he suggested me the link:
http://www.hmailserver.com/forum/viewto ... 81#p154081.

... and it describes there how to use clamWIN for taking/downloading the virus-definitions and doing some other jobs etc.
I did not have in mind to use it together with hmailserver. There I wanted to use the hMS-inside client of clamAV together with the daemon clamC.

I will wait for the answer of Bill before I start to change the things.

Gruenie

Re: hMailServer 5.4 + Symantec Endpoint Protection 12.1

Posted: 2014-01-24 16:41
by mattg
Try this thread

http://www.hmailserver.com/forum/viewto ... AV#p156316

I think I last set up clamD from the detail provided there

Re: hMailServer 5.4 + Symantec Endpoint Protection 12.1

Posted: 2014-01-24 17:20
by Bill48105
Yeah sorry Gruenie I didn't see they used clamwin on that one post, I saw the clamd stuff in the post if you look closely. They used clamd from clamwin. :) Key is you don't really want background scanning and you don't want to call a scanner that needs to spawn & load defs over & over & that's why you don't want clamwin. Otherwise using clamwin WITHOUT those things should be fine. Or look at matt's link. There are like 100 posts about using clam; key is do not use background scanning (or at least exclude hmail & hmail tree) and use clamD (clamav tab in hmail) NOT clamwin tab.

We really do need to fix that GUI so it's obvious which to use & not so confusing. I'd love to rename ClamAV tab to ClamC or ClamD Client and on the external & ClamWin tabs explain why not to use them.. Or remove clamwin tab entirely. :D

Re: hMailServer 5.4 + Symantec Endpoint Protection 12.1

Posted: 2014-01-25 02:39
by gruenie
Well now I uninstalled ClamWIN again, installed clamAV and clamd.exe and clamfresh.exe as windows-service and activated it in the clamAV-Tab. As far as I can see it works now.
I still have Symantec Endpoint Protection on the machine but excluded the entire hMailServer-installation (of course mySQL too).
Well, let's see what will happen.

Later I will install ASSP.

If you have any additional suggestions, please let me know!

Gruenie