Malware scanner
This action comprises three different engines, each of which can be used individually or in combination with each other. Details on the individual engines can be found below.
- On the Engines tab, select the engine.
- On the Behaviour tab, determine how emails are processed if one or more engines detect an infection.
The Integrated Malware Scanner checks the attachments of incoming emails.
NOTE: To ensure parallel operation with other locally installed virus scanners on the gateway role, also observe the notes at Configuring installed on-access virus scanners.
See
This action is valid for the following senders: External and Local.
The file-based virus scanner stores attachments of incoming emails in a specific directory. If you have any on-access virus scanner installed, this scanner will deny read access to any infected attachments. NoSpamProxy Protection checks whether access is possible or not immediately after the attachments are placed in the directory. Attachments that can be accessed are considered free of viruses. NoSpamProxy Protection can work together with any virus scanner that monitors file accesses in real time. This scan method is already installed on many file servers, high-performing and reliable.
Attachments contained in emails in RTF format can also be processed by virus scanners. The attachments - which are named winmail.dat by default - are checked and blocked individually if necessary. Please note that this type of processing represents a change to the respective email.
The directory for the temporary storage of files in current installations is C:\ProgramData\Net at Work Mail Gateway\Temporary Files\Netatwork.NoSpamProxy.Addins.Core.Actions.MalwareScan.FilebasedMalwareScanner.
To solve (recurring) problems with the interaction of installed on-access virus scanners, configure your virus scanner so that the directories are
-
C:\ProgramData\Net at Work Mail Gateway\Core Antispam Engine
- C:\ProgramData\Net at Work Mail Gateway\Temporary Files\MailQueues
- C:\ProgramData\Net at Work Mail Gateway\Temporary Files\MailsOnHold
-
C:\Program Files\NoSpamProxy\Core Antispam Engine
NOTE: If you have updated from version 13, the path is C:\Program Files\Net at Work Mail Gateway\Core Antispam Engine.
be excluded from the scan on all systems with the Gateway Role or Web Portal installed.
NOTE: Note that the path is a hidden directory.
For servers with Web Portal installed, the following folder (default path for storing files for the Web Portal) must be excluded:
- C:\Program Files\NoSpamProxy\Web Portal
NOTE: If you have updated from version 13, the path is C:\Program Files\Net at Work Mail Gateway\enQsig Webportal.
Otherwise, with some virus scanners, access to the Web Portal may be severely delayed and communication problems may occur.
In addition, an exception for the processes
- amserver.exe and
- NoSpamProxy.CoreAntispamEngine.exe
should be set if the on-access virus scanner allows this.
NOTE: Make sure that your locally deployed virus scanner does not use behaviour-based analyses to draw conclusions from the fact that malware is actively stored by processes in the path C:\ProgramData\Net at Work Mail Gateway\Temporary Files\Netatwork.NoSpamProxy.Addins.Core.Actions.MalwareScan.FilebasedMalwareScanner. The files themselves should or must be checked, but the placement of malware in the folder in question must not lead to the classification of the corresponding process that performs this.
If you do not find the path described above, it is most likely an older NoSpamProxy installation that has already been updated several times. In this case, please first check the file C:\ProgramData\Net at Work Mail Gateway\Configuration\Gateway Role.config and look for the entry <storageLocation path=.
This path is currently used by the Gateway Role.
If you have enabled file-based virus scanning in the rules, also ensure that your scanner is configured to completely delete or quarantine infected files and archives. If the scanner is configured to Clean up, NoSpamProxy often cannot detect that these have been modified by the installed scanner. Thus, the "file-based virus scan" then fails despite successful detection by NoSpamProxy. This occurs particularly with archives.
You can determine whether contaminated attachments are deleted or whether the corresponding email is blocked automatically.
NOTE: In case emails are rejected, the sender is informed of this by the delivering server. Neither the sender nor the recipient is informed of a deleted attachment.
NOTE: As with all virus scanners, password-protected ZIP files are not checked and are passed on without further examination.
The Internet Content Adaptation Protocol (ICAP) is a protocol for forwarding content for HTTP-, HTTPS- and FTP-based services. An ICAP server receives data, which is then processed by a server-based virus scanner, for example.
If you select the ICAP Antivirus Server action, NoSpamProxy acts as an ICAP client. The data is then sent by NoSpamProxy to your ICAP server and scanned. When the scanning process is complete, the ICAP server sends the results to NoSpamProxy. Depending on this result, the configured action is executed.
NOTE: For the ICAP Antivirus Server action, you need access to an ICAP server.