Kaseya Community

KES Exchange Not Detecting Attachments?

  • Hi Everyone,

    We had a customer inform us they had received an email with a virus attachment. I was wondering if anybody has had a similar problem where the exchange email scanning component of KES is not picking up viruses?

    The attachment was a .zip file and strangely had the format of details_john.doe.zip (John Doe replacing the actual user's name). We have installed the exchange mailbox feature of KES and turned on exchange within the profile settings. Virus definitions up to date. Anything else needed?

    We purposely did not enable the email scanning for Outlook as we have noticed a performance issue when it's enabled but also for the fact that with exchange filtering we shouldn't need it. Are others using this feature?

    Thanks

    Legacy Forum Name: KES Exchange Not Detecting Attachments?
    Legacy Posted By Username: JTomkinson@ans-uk.com
  • Hmmm...

    There are settings here to look for viruses inside of .ZIP files or not. Make sure you get the right settings for the Outlook plug-in (personal email scanner).

    I'm a little unclear if you also had the Exchange plug-in installed where this threat moved through as well.

    And finally, I'm curious about how they discovered it as a threat in the first place. Did Resident Shield pick it up?

    Jeff

    Legacy Forum Name: KES,
    Legacy Posted By Username: Jeff.Keyes
  • Hi Jeff,

    The Outlook plugin is not enabled for this particular client. Reason being with the exchange scanning turned on, we didn't think we needed it.

    The virus was picked up via a manual scan of an attachment that came via email. It looked suspicious so the user saved it to his desktop and ran the scan.

    I did not notice that the resident shield setting on the KES profile was set to 'scan infectable files and selected document types' which does not include .zip files. This may explain why resident shield did not pick it up. Would this apply to the exchange feature? Does the email scanner setting on the profile applied to exchange server need turning on or does this just apply to outlook scanning?

    Thanks
    Justin.

    Legacy Forum Name: KES,
    Legacy Posted By Username: JTomkinson@ans-uk.com
  • The profile setting for email scanner serves dual purposes.

    For the clients, it represents the settings used for the personal email scanner.

    For the Exchange Server, it represents the settings used for the Exchange email scanning.

    In both cases, you need to ensure it is enabled.

    As I understand it, all files are scanned as part of email scanning with Exchange. I had thought that scanning inside of archives was also part of the settings...

    Legacy Forum Name: KES,
    Legacy Posted By Username: Jeff.Keyes
  • Jeff,

    Can you shed some light on this? We reloaded KES on SBS 2008. Then reloaded Exchange AVG plugin. The profile we used for this box has the 'email scanner' and 'exchange' functions enabled. Our Kaseya VSA has all latest hotfixes.

    However we did a test today and the same infected .zip attachment (I-Worm/Netsky) got through and went undetected? It's causing us some real concern as to its effectiveness. Are any others experiencing this? The KES client detects it fine and moves to virus vault.

    Justin.

    Legacy Forum Name: KES,
    Legacy Posted By Username: JTomkinson@ans-uk.com
  • We still have an ongoing problem where the KES exchange plugin is not detecting attachments. We even tested the eicar_com.zip test virus attachment from www.eicar.org and this still got through. How bad is this?

    When we used a third party SMTP relay server, the email does not come through as the email and attachment is being blocked/deleted.

    I am interested to hear if this problem is happening with anybody else? Are people actually testing its effectiveness or assuming it is doing the job?

    We are at a loss with this now and support don't seem to be able to address the issue.

    Justin.

    Legacy Forum Name: KES,
    Legacy Posted By Username: JTomkinson@ans-uk.com
  • I've gotten to the bottom of this - it appears we have incorrect API calls going to the email scanner on the Exchange server. The temporary workaround is to go to the AVG UI on the Exchange server and configure the reporting options for Exchange.

    Legacy Forum Name: KES,
    Legacy Posted By Username: Jeff.Keyes
  • Hi Jeff,

    I have gone into the AVG UI on the server and gone to Tools, Advanced Options, Email Scanner and the email attachments reporting settings are already checked, is this the right one? I did notice the Mail Filtering, Attachment Filter settings are not switched on. These are not configured through KES.

    Justin.

    Legacy Forum Name: KES,
    Legacy Posted By Username: JTomkinson@ans-uk.com
  • I am curious as to what files are scanned in Resident Shield on your client's workstation. Is the ZIP extension entered under Tools>Advanced Settings>Resident Shield? If not then there is that issue on the endpoint.

    Legacy Forum Name: KES,
    Legacy Posted By Username: ellis_ac
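
The mail-path test described in the thread (sending the EICAR test archive through the Exchange server and checking whether it arrives), as an added example that is not part of any original post and is not Kaseya or AVG code. The host name and addresses are placeholders to replace with a test mailbox on your own server.

```python
import email
import io
import smtplib
import zipfile
from email import policy
from email.message import EmailMessage

# Standard 68-byte EICAR test string (harmless), split in two so a resident
# scanner is less likely to quarantine this script itself.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$" + b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

def build_eicar_zip(inner_name="eicar.com"):
    """Return the bytes of a zip archive whose only member is the EICAR file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(inner_name, EICAR)
    return buf.getvalue()

def build_test_message(sender, recipient, zip_name="eicar_com.zip"):
    """Build a test mail carrying the zipped EICAR file as an attachment."""
    msg = EmailMessage()
    msg["From"], msg["To"] = sender, recipient
    msg["Subject"] = "AV gateway test (EICAR in zip)"
    msg.set_content("Harmless EICAR test archive attached.")
    msg.add_attachment(build_eicar_zip(), maintype="application",
                       subtype="zip", filename=zip_name)
    return msg

def send_test(msg, host, port=25):
    """Submit the test mail to the mail server under test."""
    with smtplib.SMTP(host, port, timeout=30) as smtp:
        smtp.send_message(msg)

def eicar_delivered(raw_message):
    """True if a delivered message (raw .eml bytes) still carries EICAR,
    either as a plain attachment or inside a zip attachment."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        if EICAR in data:
            return True
        if zipfile.is_zipfile(io.BytesIO(data)):
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                if any(EICAR in zf.read(name) for name in zf.namelist()):
                    return True
    return False

if __name__ == "__main__":
    # Placeholder addresses and host: point these at your own test mailbox.
    test = build_test_message("avtest@example.com", "mailbox@example.com")
    send_test(test, "exchange.example.com")
```

After sending, export the received message from the test mailbox as .eml and pass its bytes to `eicar_delivered`; a `True` result means the archive passed the server-side scanner untouched.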