hMailServer on Windows 2019 and Microsoft Endpoint Protection (Windows Defender)

cshawky
New user
Posts: 2
Joined: 2020-04-11 09:50

Post by cshawky » 2020-04-12 11:59

Hi
Thanks for a great product. I have been using hMailServer for years, initially on Windows 2003 then Windows 2012R2 and now have just upgraded my VM to Windows 2016.
I have ClamWin installed alongside MS Endpoint.
I have run some initial tests using the www.eicar.com antimalware test file. A hard test to conduct, as all virus scanners pick up the test file immediately.
So my questions are:
1. Does hMailServer behave as expected on Windows with Microsoft Endpoint Protection or Windows Defender fully active?
2. Is it necessary to configure a manual scan of each incoming email if Endpoint Protection is enabled?
3. When hMailServer receives an email, does it place it first in the temp directory to allow an external scanner to be run before placing the email into the recipient's mailbox folder? If not, where might I find more detail on the mechanics?

Thanks
Chris
kind regards
Shawky

RvdH
Senior user
Posts: 1136
Joined: 2008-06-27 14:42
Location: Netherlands

Re: hMailServer on Windows 2019 and Microsoft Endpoint Protection (Windows Defender)

Post by RvdH » 2020-04-12 12:14

Fully active? Elaborate on that please: do you mean real-time scanning, or did you exclude the hMailServer Data and Temp folders?
Using standard Defender in Windows Server 2016, I guess? You keep mixing up names; there is no Endpoint Protection for Windows Server 2016, which makes it hard to follow what you are doing.

Interesting read-up on MSE/MEP and Defender:
https://www.hmailserver.com/forum/viewt ... =8&t=34845
CIDR to RegEx: d-fault.nl/CIDRtoRegEx
DNS Lookup: d-fault.nl/DNSTools
DNSBL Lookup: d-fault.nl/DNSBLLookup
GEOIP Lookup: d-fault.nl/GeoipLookup

cshawky
New user
Posts: 2
Joined: 2020-04-11 09:50

Re: hMailServer on Windows 2019 and Microsoft Endpoint Protection (Windows Defender)

Post by cshawky » 2020-04-13 03:25

Thanks, I read the link provided.

Fully active: Real time protection and cloud-delivered protection are both on. No file or folder exclusions have been applied, so all hMailServer files and folders are scanned in real time.

I am using standard Windows Defender on this particular server, but the question IMO would apply equally to Microsoft Endpoint Protection (provided via Microsoft System Center), hence the inclusion in the title for improved search hits. Sim sim for Microsoft Security Essentials as per your referenced link. Possibly any real-time scanner.

What I have done so far is simple to set up, hence question 1. I have also set up SpamAssassin, as that was a no-brainer also. I use a scheduled task - command file to do the database updates. (Script available on request)

If this setup works reliably, there is no need to go to further effort to implement folder exclusions and set up a manual scan from hMailServer, and the limitations associated with that.

If the answer to question 1 indicates that hMailServer doesn't handle the case where an external real time scanner deletes the email files, then one needs to progress to file/folder exclusions and allowing hMailServer to manage the scan and quarantine of the email. Hence questions 2 and 3.

The initial tests I conducted using the test signature file appeared to be successful. The troublesome area was Microsoft Outlook and Avast on the test client, and Immunet on the server (Yes, I also ran some tests with ClamWin and Immunet). ClamWin scanning is far too slow and resource heavy and I was hoping to avoid setting up ClamAV to try the same.

I've not used C:\Program Files\Windows Defender\MpCmdRun.exe, only Start-MpScan through PowerShell, which has no return code.

With reference to MpCmdRun.exe /? the return codes are: 0 for success, i.e. clean or quarantined/deleted, 2 for bugger me you need to do something. As per your referenced thread, not an ideal response.

The behaviour of a real time scanner (delete or quarantine an email) on the fly is fine by me, provided that hMailServer continues to operate reliably, taking the email deletion in its stride. Hence Question 3.

Thanks
kind regards
Shawky

RvdH
Senior user
Posts: 1136
Joined: 2008-06-27 14:42
Location: Netherlands

Re: hMailServer on Windows 2019 and Microsoft Endpoint Protection (Windows Defender)

Post by RvdH » 2020-04-13 09:38

Never, ever use real-time scanning on hMailServer's \Data and \Temp directories, exclude them!
With each mail coming in, the message & independent attachments are temporarily placed in \Temp to be processed by whatever AV you have configured.
ClamWin is bad, you could try ClamAV instead (I am not a big fan of this one either, you need quite some free RAM to make it run smoothly).
MSE (Defender) will give you many false positives, which makes it completely unreliable; proper attachments/mails could be deleted due to the lack of proper return codes.
CIDR to RegEx: d-fault.nl/CIDRtoRegEx
DNS Lookup: d-fault.nl/DNSTools
DNSBL Lookup: d-fault.nl/DNSBLLookup
GEOIP Lookup: d-fault.nl/GeoipLookup
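
The exclusion of the \Data and \Temp directories advised in the reply above, as an added PowerShell example that is not part of the original thread: it compares Defender's current path exclusions with the two hMailServer folders and adds only the ones that are missing. The install path is an assumption (the thread gives none), and Get-MpPreference / Add-MpPreference need an elevated session.

```powershell
# Added example, not from the thread. $HmsRoot is an assumed install path;
# read the real Data/Temp locations from your own hMailServer installation.
$HmsRoot  = 'C:\Program Files (x86)\hMailServer'
$Required = @("$HmsRoot\Data", "$HmsRoot\Temp")

function ConvertTo-NormalPath {
    param([Parameter(Mandatory)][string]$Path)
    # Expand %VARS%, drop trailing backslashes, lower-case for comparison.
    [Environment]::ExpandEnvironmentVariables($Path).TrimEnd('\').ToLowerInvariant()
}

function Get-MissingExclusion {
    param([string[]]$Required, [string[]]$Current)
    $have = @($Current | Where-Object { $_ } | ForEach-Object { ConvertTo-NormalPath $_ })
    # A folder exclusion also covers its subfolders, so a parent entry counts.
    $Required | Where-Object {
        $want = ConvertTo-NormalPath $_
        -not ($have | Where-Object { $want -eq $_ -or $want.StartsWith($_ + '\') })
    }
}

# 1. What is excluded now, and which hMailServer folders are still scanned?
$current = (Get-MpPreference).ExclusionPath
$missing = @(Get-MissingExclusion -Required $Required -Current $current)

# 2. Add only the missing folders; skip paths that do not exist on this server.
foreach ($path in $missing) {
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Warning "Skipping ${path}: folder not found"
        continue
    }
    Add-MpPreference -ExclusionPath $path
    Write-Output "Added Defender exclusion: $path"
}

# 3. Re-read the preference to confirm the change took effect.
$after = (Get-MpPreference).ExclusionPath
$still = @(Get-MissingExclusion -Required $Required -Current $after)
if ($still.Count -gt 0) {
    Write-Warning ("Still scanned in real time: " + ($still -join ', '))
} else {
    Write-Output 'hMailServer Data and Temp are excluded from real-time scanning.'
}
```

Once these folders are excluded, mail in them is checked only by the antivirus configured inside hMailServer.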
