Malware scanner

This action comprises three different engines, each of which can be used individually or in combination with each other. Details on the individual engines can be found below.

  • On the Engines tab, select the engine.
    Selecting the engine
  • On the Behaviour tab, determine how emails are processed if one or more engines detect an infection.
    Determining the behaviour

The Integrated Malware Scanner checks the attachments of incoming emails.

NOTE: To ensure parallel operation with other locally installed virus scanners on the gateway role, also observe the notes at Configuring installed on-access virus scanners.

See

Reporting false negatives and false positives

This action is valid for the following senders: External and Local.

The file-based virus scanner stores attachments of incoming emails in a specific directory. If you have any on-access virus scanner installed, this scanner will deny read access to any infected attachments. NoSpamProxy Protection checks whether access is possible or not immediately after the attachments are placed in the directory. Attachments that can be accessed are considered free of viruses. NoSpamProxy Protection can work together with any virus scanner that monitors file accesses in real time. This scan method is already installed on many file servers, high-performing and reliable.

Attachments contained in emails in RTF format can also be processed by virus scanners. The attachments - which are named winmail.dat by default - are checked and blocked individually if necessary. Please note that this type of processing represents a change to the respective email.

The directory for temporary file storage is %ProgramData%\"Net at Work Mail Gateway\Temporary Files \Netatwork.NospamProxy.Addins.Core.Actions.FileVirusScanAction. In older installations the files may be found in the NoSpamProxy installation directory \AntiSpam Role\Temporary Files \Netatwork.NospamProxy.Addins.Core.Actions.FileVirusScanAction located</mtlingo> .

To solve (recurring) problems with the interaction of installed on-access virus scanners, configure your virus scanner so that the directories are

  • C:\ProgramData\Net at Work Mail Gateway\Core Antispam Engine

  • C:\ProgramData\Net at Work Mail Gateway\Temporary Files\MailQueues
  • C:\ProgramData\Net at Work Mail Gateway\Temporary Files\MailsOnHold

  • C:\Program Files\NoSpamProxy\Core Antispam Engine

be excluded from the scan on all systems with the Gateway Role or Web Portal installed.

NOTE: Note that the path is a hidden directory.

For servers with Web Portal installed, the following folder (default path for storing files for the Web Portal) must be excluded:

  • C:\Program Files\NoSpamProxy\Web Portal

Otherwise, with some virus scanners, access to the Web Portal may be severely delayed and communication problems may occur.

In addition, an exception for the processes

  • amserver.exe and
  • NoSpamProxy.CoreAntispamEngine.exe

should be set if the on-access virus scanner allows this.

TIP:

If you do not find the path described above, it is most likely an older NoSpamProxy installation that has already been updated several times. In this case, please first check the file C:\ProgramData\Net at Work Mail Gateway\Configuration\Gateway Role.config and look for the entry <storageLocation path=.

This path is currently used by the Gateway Role.

If you have enabled file-based virus scanning in the rules, also ensure that your scanner is configured to completely delete or quarantine infected files and archives. If the scanner is configured to Clean up, NoSpamProxy often cannot detect that these have been modified by the installed scanner. Thus, the "file-based virus scan" then fails despite successful detection by NoSpamProxy. This occurs particularly with archives.

You can determine whether contaminated attachments are deleted or whether the corresponding email is blocked automatically.

NOTE: In case emails are rejected, the sender is informed of this by the delivering server. Neither the sender nor the recipient is informed of a deleted attachment.

NOTE: As with all virus scanners, password-protected ZIP files are not checked and are passed on without further examination.

The Internet Content Adaptation Protocol (ICAP) is a protocol for forwarding content for HTTP-, HTTPS- and FTP-based services. An ICAP server receives data, which is then processed by a server-based virus scanner, for example.

If you select the ICAP Antivirus Server action, NoSpamProxy acts as an ICAP client. The data is then sent by NoSpamProxy to your ICAP server and scanned. When the scanning process is complete, the ICAP server sends the results to NoSpamProxy. Depending on this result, the configured action is executed.

NOTE: For the ICAP Antivirus Server action, you need access to an ICAP server.