Kaspersky let a known virus through


Catul
10-29-2008, 09:25 AM
I've got Kaspersky in my virtual rack, and noticed an email that my desktop AVG quarantined. I checked Kaspersky's logs and it scanned that email and passed it as safe! Found the file in AVG's "quarantined vault" and used Kaspersky's free online scanner and sure enough, it found Trojan-Spy.Win32.Zbot.fsm in this file (this is the standard "UPS Invoice" trojan that's been out for over a month now).

Very disappointing! Any ideas on how/why this could happen?

On a perhaps related note; the Spam filter is at the top in my virtual rack while Kaspersky is at the bottom. Looking at the daily logs from yesterday, the Spam filter scanned a total of 807 SMTP and 54 POP emails, which is the same as the Phish Blocker; yet Kaspersky shows only 132 emails scanned?

jonathan.penrose
10-30-2008, 08:21 AM
I believe that SPAM emails that are blocked by Blacklists are dropped and not scanned by other 'servers' in the stack.

Don't think the order in the rack makes a difference, but never tested that...

Catul
10-30-2008, 08:27 AM
I checked Kaspersky's logs though, and that email passed through it as Clean - not good :(

Earlier today, similar issue. I was going through some emails on my ISP's site (webmail) and noticed a virus attachment; I was able to download the ZIP file to my computer without any Untangle service catching it; if I upload that same file to Kaspersky's online file scanner, it detects the trojan!!

bratsadtar
10-30-2008, 11:21 AM
Do you have your UT set up for ZIP scanning?

Catul
10-30-2008, 12:15 PM
Do you have your UT set up for ZIP scanning?

Yes. I hadn't changed any of those default settings and just confirmed again; under Web settings, ZIP is checked to be scanned.

dmorris
10-30-2008, 01:30 PM
Do you have any proxy or egress filtering that would prevent the signature updates?

An easy way to test is to put the file on a web server and download it again over HTTP through your Untangle.

bratsadtar
10-30-2008, 10:23 PM
What do your reports say the version of the antiviruses you're running on UT is?

Catul
10-31-2008, 08:38 AM
I did some further testing this morning, along the lines of Dmorris' suggestion. Bratsadtar, FWIW, UT Reports say that Kaspersky's Virus Definitions are dated 2008-10-31; Virus Blocker (ClamAV) is "8546 -- Thu Oct 30 21:39:08 2008".

I put the infected ZIP file (contains an EXE with the virus/trojan) on my external website. When I type in the direct URL to this ZIP file, I get the expected page that says this file has a virus and has been blocked. I looked at Kaspersky's logs, and it shows the (HTTP) event having been blocked - all good so far.

I then emailed that same file to myself (remotely connected to home computer and sent it from there) - both Kaspersky and Virus Blocker logs show the (SMTP) event of having PASSED this email as clean!!

Kaspersky's settings are to Scan SMTP e-mail and "Remove infection" if Virus found. It's definitely passing this email through as clean, as seen in the logs.

What's going on here? Very puzzling :(
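A way to repeat the HTTP-versus-SMTP comparison from the post above without handling a live trojan, as an added example that is not from this thread or from Untangle: it packs the harmless EICAR test string into a ZIP (standing in for the "ZIP containing an EXE") and builds the test email in memory; the mail host and addresses are placeholders you would replace with your own.

```python
import io
import smtplib
import zipfile
from email.message import EmailMessage

# EICAR standard anti-virus test string: harmless, but every scanner must
# flag it, so it replaces the real trojan used in the thread.
EICAR = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def build_test_zip(inner_name="invoice.exe"):
    """Return ZIP bytes holding one EICAR-bodied file; built in memory only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(inner_name, EICAR)
    return buf.getvalue()


def zip_contains_eicar(zip_bytes):
    """True if any member of the ZIP is exactly the EICAR string."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return any(zf.read(n).decode("ascii", "replace") == EICAR
                   for n in zf.namelist())


def build_test_email(sender, recipient, zip_bytes, zip_name="invoice.zip"):
    """Same ZIP, delivered the way the thread's failing case was: as an SMTP attachment."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = "Gateway AV test (EICAR in ZIP)"
    msg.set_content("Test attachment; the gateway SMTP scanner should block this.")
    msg.add_attachment(zip_bytes, maintype="application", subtype="zip",
                       filename=zip_name)
    return msg


def first_attachment(msg):
    """Return (filename, decoded bytes) of the first attachment, for verification."""
    for part in msg.iter_attachments():
        return part.get_filename(), part.get_payload(decode=True)
    return None, b""


def send_through_gateway(msg, smtp_host, smtp_port=25):
    """Relay via the mail server behind the rack (placeholder host); afterwards
    check the Kaspersky / Virus Blocker SMTP log for a block rather than a pass."""
    with smtplib.SMTP(smtp_host, smtp_port, timeout=30) as smtp:
        smtp.send_message(msg)


if __name__ == "__main__":
    z = build_test_zip()
    m = build_test_email("tester@example.com", "tester@example.com", z)
    # send_through_gateway(m, "mail.example.com")  # placeholder host
    print(first_attachment(m)[0], zip_contains_eicar(first_attachment(m)[1]))
```

Serve the same ZIP bytes from a web server and fetch them through the gateway to reproduce the HTTP half of the test; a scanner that blocks the download but passes the email has the problem described in the thread.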

womble
10-31-2008, 10:27 AM
I checked Kaspersky's logs though, and that email passed through it as Clean - not good

Have you not considered it could be a false positive and that AVG is wrong? It often is, as it's not the greatest scanner on earth.

Catul
10-31-2008, 10:30 AM
Have you not considered it could be a false positive and that AVG is wrong? It often is, as it's not the greatest scanner on earth.

I uploaded the file(s) to Kaspersky's free online scanner - they were identified as trojans there. Also, when trying to download them via HTTP they were successfully blocked. Just passed through SMTP as clean.

bratsadtar
10-31-2008, 09:00 PM
What if you remove the antiviruses from the rack, reboot UT and add them back and reboot, and try the same test again?
See if that kick-starts any changes.

Catul
11-01-2008, 04:42 PM
Success! As suggested, I removed *everything* from the rack, rebooted the Untangle server, then added them all back. Now, Kaspersky has blocked my test email as expected. Who knows what was causing the problem in the first place, but it appears fixed now :)

Thanks for all the suggestions!

Interestingly, when I added the products back to my rack, they went back to a specific order in the list as they were before (and not in the order I added them back in). Does Spam Blocker always have to be at the top of the rack, with Kaspersky and Virus Blocker at the bottom? Just curious ... don't think it really matters. Though, I wouldn't want a message to be marked as Spam and then not go through the virus scanning.

bratsadtar
11-01-2008, 10:25 PM
Success! As suggested, I removed *everything* from the rack, rebooted the Untangle server, then added them all back. Now, Kaspersky has blocked my test email as expected. Who knows what was causing the problem in the first place, but it appears fixed now :)

Thanks for all the suggestions!

Interestingly, when I added the products back to my rack, they went back to a specific order in the list as they were before (and not in the order I added them back in). Does Spam Blocker always have to be at the top of the rack, with Kaspersky and Virus Blocker at the bottom? Just curious ... don't think it really matters. Though, I wouldn't want a message to be marked as Spam and then not go through the virus scanning.

Glad it worked out. You and everybody else should get into a nice habit of rebooting the UT on a weekly basis, regardless.

I have found that, because UT is built on top of an existing Linux base and doesn't actually become active until some point after the initialization of the underlying OS, updates sometimes don't go as smoothly as one would think. In your case, you could see the latest date of the virus update, but it was stuck using an actual out-of-date product version that needed to be forced into the update. Thus when you removed it and added it back in, it added the fully updated package to your list and is now running with that version.

This, however, isn't really a fault of UT. Essentially it's like a desktop antivirus product that gets an upgrade to the engine that requires your system to be rebooted to take effect. Only UT doesn't have a way of informing you of this, so you sometimes have to do this in order to make certain you are up and running the absolute latest in anti-virus.

This may be the same for the other packages as well. I have only been focused on the antivirus portion for quite some time. :)

And, yes, I believe the layout defaults to a set pattern no matter how you add the programs.

dikym
11-03-2008, 06:48 AM
By reading and following this thread, should this be reported as a bug? Maybe part of the Kaspersky module bug?

dolson11
11-03-2008, 10:22 AM
Is there any way to make your box restart once a week automatically? If not, I think that would be a great addition to the GUI. I would love to have my box restart every Sunday night.

girbot
11-03-2008, 10:30 AM
Is there any way to make your box restart once a week automatically? If not, I think that would be a great addition to the GUI. I would love to have my box restart every Sunday night.

I have heard it's possible using a cron job - I don't know how myself.

(Sorry that doesn't seem as helpful as I first thought...)

Victor Max
12-31-2008, 05:06 AM
Hello,

I'm very new to the Untangle system, but testing the applications in the default rack made me worry about the safety of the users behind the UT server.

Downloading a zip file through Cabos P2P which contained a virus called 'kate perry.zip/Setup.exe (Infected with W32/Agent.GPEH)', and both antivirus applications were letting it through.
The virus was detected and cleaned with Norman Malware scanner def. dat 12-24-2008. The virus defs of Kaspersky and Antivirus were from 12-31-2008.

I just followed the instructions to uninstall all items from the default rack, restarted the UT server and installed them again into the default rack, but this didn't do the job. The zip files containing different viruses were not detected and cleaned by Kaspersky and Antivirus.

Can anyone help me out with this?

Best regards, Victor

lordcom
12-31-2008, 06:22 AM
Testing the antivirus portion of a firewall such as UT using any P2P program is useless and pointless. P2P file sharing usually happens in some kind of closed "stream" and not in HTTP.

I have not tested Cabos P2P, but I think that it's not far from any other P2P program out there. I know that the ones I use do the transfers in encrypted tunnels and that closes them out from any kind of tampering.