Toxic Email Attachments Getting Through

Forum for support for the Kaspersky AntiVirus for WinGate plugin

Moderator: Qbik Staff

Toxic Email Attachments Getting Through

Postby alyork » Dec 14 08 8:00 pm

Kaspersky doesn't seem to be doing a very good job of catching toxic email attachments. Several of our clients have opened them on their workstations with disastrous results. I really don't want to have to install malware scanners on every desktop when WinGate is supposed to be doing the job.
alyork
 
Posts: 95
Joined: Jun 13 08 3:57 pm
Location: Vancouver, Canada

Re: Toxic Email Attachments Getting Through

Postby adrien » Dec 23 08 12:16 am

Hi

Did you check the state of the license etc in Kaspersky in WinGate?

Is this problem ongoing, or does it happen in bursts? There is always the possibility with 0-hour attacks that the attack will beat the AV providers' signatures.

How often do you have Kaspersky AV for WinGate updating?

Regards

Adrien
adrien
Qbik Staff
 
Posts: 5201
Joined: Sep 03 03 2:54 pm
Location: Auckland

Re: Toxic Email Attachments Getting Through

Postby alyork » Dec 23 08 6:39 pm

The licence says it's valid.

It appears that all email attachments are getting through all the time. Even ones we know are bad.

However, it's very hard to tell what, if anything, Kaspersky is doing, as there are no stats that we can find.

Updates are done daily according to the log, and we can't see an option to change the frequency.

The quarantine folder is empty.
alyork
 
Posts: 95
Joined: Jun 13 08 3:57 pm
Location: Vancouver, Canada

Re: Toxic Email Attachments Getting Through

Postby adrien » Dec 27 08 2:00 pm

Hi

Check also:

a) the Plugins pane in the SMTP server, make sure that Kaspersky AV is enabled in there.
b) the Kaspersky AntiVirus for WinGate log files. These should indicate if email is being scanned.

Regards

Adrien
adrien
Qbik Staff
 
Posts: 5201
Joined: Sep 03 03 2:54 pm
Location: Auckland

Re: Toxic Email Attachments Getting Through

Postby alyork » Dec 28 08 11:04 pm

Plugin for Kaspersky is enabled in both SMTP and POP3.

Kaspersky is set to log:

Request Blocked
Configuration changes
Antivirus database updates


This is what the last 3 weeks log files in I:\Program Files\WinGate\Logs\Kaspersky AV for WinGate show:

12/27/08 11:01:00 0.0.0.0 <system> 0000000804 Debug: Obtaining lock in Refresh
12/27/08 11:01:29 0.0.0.0 <system> 0000001880 InitialiseQbik
12/27/08 11:01:29 0.0.0.0 <system> 0000001880 HasCapability
12/27/08 11:01:29 0.0.0.0 <system> 0000001880 Debug: Obtaining lock in Refresh
12/27/08 11:01:29 0.0.0.0 <system> 0000001880 Debug: Releasing lock in Refresh
12/27/08 11:01:29 0.0.0.0 <system> 0000000804 Debug: Releasing lock in Refresh
12/27/08 11:02:14 0.0.0.0 <system> 0000001880 InitialiseQbik
12/27/08 11:02:14 0.0.0.0 <system> 0000001880 HasCapability
12/27/08 11:02:14 0.0.0.0 <system> 0000001880 Debug: Obtaining lock in Refresh
12/27/08 11:02:14 0.0.0.0 <system> 0000001880 Debug: Releasing lock in Refresh

----------------------
Turned on logging for "Request Allowed" and forced a manual update as a test:

12/28/08 01:23:22 0.0.0.0 <system> 0000000180 Configuration has changed
12/28/08 01:24:15 10.0.0.152 guest 0000000664 Kaspersky AntiVirus 2.0 for WinGate has allowed http://images.geqnamok.cn/snow.gif for guest because it is clean
12/28/08 01:24:17 10.0.0.152 guest 0000001820 Kaspersky AntiVirus 2.0 for WinGate has allowed http://images.geqnamok.cn/new.jpg for guest because it is clean
12/28/08 01:24:42 10.0.0.152 guest 0000000664 Kaspersky AntiVirus 2.0 for WinGate has allowed for guest because it is clean
12/28/08 01:25:00 10.0.0.154 guest 0000002216 Kaspersky AntiVirus 2.0 for WinGate has allowed for guest because it is clean
12/28/08 01:25:02 10.0.0.154 guest 0000002216 Kaspersky AntiVirus 2.0 for WinGate has allowed for guest because it is clean
12/28/08 01:28:17 0.0.0.0 <system> 0000000820 Configuration has changed
12/28/08 01:28:20 0.0.0.0 <system> 0000002276 Starting update
12/28/08 01:28:20 0.0.0.0 <system> 0000002216 Starting update : ftp://downloads-us1.kaspersky-labs.com/updates_ext
12/28/08 01:28:20 0.0.0.0 <system> 0000002216 Connecting to server : downloads-us1.kaspersky-labs.com [Busy]
12/28/08 01:28:21 0.0.0.0 <system> 0000002216 Connecting to server : downloads-us1.kaspersky-labs.com [Done]
12/28/08 01:28:21 0.0.0.0 <system> 0000002216 Selecting files : /updates_ext/ [Busy]
12/28/08 01:28:34 0.0.0.0 <system> 0000002216 Selecting files : /updates_ext/ [Done]
12/28/08 01:28:34 0.0.0.0 <system> 0000002216 Downloading file [Busy]
12/28/08 01:28:36 0.0.0.0 <system> 0000002216 Downloading file : fa001.avc [Done]
12/28/08 01:28:38 0.0.0.0 <system> 0000002216 Downloading file : base504c.avc [Done]
12/28/08 01:28:39 0.0.0.0 <system> 0000002216 Downloading file : base505c.avc [Done]
12/28/08 01:28:40 0.0.0.0 <system> 0000002216 Downloading file : dailyc.avc [Done]
12/28/08 01:28:41 0.0.0.0 <system> 0000002216 Downloading file : ext071c.avc [Done]
12/28/08 01:28:42 0.0.0.0 <system> 0000002216 Downloading file : daily-ec.avc [Done]
12/28/08 01:28:43 0.0.0.0 <system> 0000002216 Downloading file : avp.set [Done]
12/28/08 01:28:45 0.0.0.0 <system> 0000002216 Downloading file : avp.klb [Done]
12/28/08 01:28:45 0.0.0.0 <system> 0000002216 Downloading file [Done]
12/28/08 01:28:45 0.0.0.0 <system> 0000002216 Installing file [Busy]
12/28/08 01:28:45 0.0.0.0 <system> 0000002216 Installing file : I:\Program Files\WinGate\Plugins\Kaspersky AntiVirus\Downloads\fa001.avc [Busy]
12/28/08 01:28:45 0.0.0.0 <system> 0000002216 Installing file : I:\Program Files\WinGate\Plugins\Kaspersky AntiVirus\Downloads\base504c.avc [Busy]
12/28/08 01:28:45 0.0.0.0 <system> 0000002216 Installing file : I:\Program Files\WinGate\Plugins\Kaspersky AntiVirus\Downloads\base505c.avc [Busy]
12/28/08 01:28:45 0.0.0.0 <system> 0000002216 Installing file : I:\Program Files\WinGate\Plugins\Kaspersky AntiVirus\Downloads\dailyc.avc [Busy]
12/28/08 01:28:45 0.0.0.0 <system> 0000002216 Installing file : I:\Program Files\WinGate\Plugins\Kaspersky AntiVirus\Downloads\ext071c.avc [Busy]
12/28/08 01:28:45 0.0.0.0 <system> 0000002216 Installing file : I:\Program Files\WinGate\Plugins\Kaspersky AntiVirus\Downloads\daily-ec.avc [Busy]
12/28/08 01:28:45 0.0.0.0 <system> 0000002216 Installing file : I:\Program Files\WinGate\Plugins\Kaspersky AntiVirus\Downloads\avp.set [Busy]
12/28/08 01:28:45 0.0.0.0 <system> 0000002216 Installing file : I:\Program Files\WinGate\Plugins\Kaspersky AntiVirus\Downloads\avp.klb [Busy]
12/28/08 01:28:45 0.0.0.0 <system> 0000002216 Installing file [Done]
12/28/08 01:28:45 0.0.0.0 <system> 0000002216 Disconnecting from server : downloads-us1.kaspersky-labs.com [Busy]
12/28/08 01:28:45 0.0.0.0 <system> 0000002216 Disconnecting from server : downloads-us1.kaspersky-labs.com [Done]
12/28/08 01:28:45 0.0.0.0 <system> 0000002276 Starting update
12/28/08 01:28:45 0.0.0.0 <system> 0000001708 Starting update : I:\Program Files\WinGate\Plugins\Kaspersky AntiVirus\Downloads\
12/28/08 01:28:45 0.0.0.0 <system> 0000001708 Selecting files : I:\Program Files\WinGate\Plugins\Kaspersky AntiVirus\Downloads\ [Busy]
12/28/08 01:29:00 0.0.0.0 <system> 0000001708 Selecting files : I:\Program Files\WinGate\Plugins\Kaspersky AntiVirus\Downloads\ [Done]
12/28/08 01:29:00 0.0.0.0 <system> 0000001708 Downloading file [Busy]
12/28/08 01:29:00 0.0.0.0 <system> 0000001708 Downloading file : fa001.avc [Done]
12/28/08 01:29:00 0.0.0.0 <system> 0000001708 Downloading file : base318c.avc [Done]
12/28/08 01:29:00 0.0.0.0 <system> 0000001708 Downloading file : base320c.avc [Done]
12/28/08 01:29:00 0.0.0.0 <system> 0000001708 Downloading file : base364c.avc [Done]
12/28/08 01:29:00 0.0.0.0 <system> 0000001708 Downloading file : base365c.avc [Done]
12/28/08 01:29:00 0.0.0.0 <system> 0000001708 Downloading file : base366c.avc [Done]
12/28/08 01:29:00 0.0.0.0 <system> 0000001708 Downloading file : base504c.avc [Done]
12/28/08 01:29:00 0.0.0.0 <system> 0000001708 Downloading file : base505c.avc [Done]
12/28/08 01:29:00 0.0.0.0 <system> 0000001708 Downloading file : dailyc.avc [Done]
12/28/08 01:29:00 0.0.0.0 <system> 0000001708 Downloading file : ext004c.avc [Done]
12/28/08 01:29:00 0.0.0.0 <system> 0000001708 Downloading file : ext071c.avc [Done]
12/28/08 01:29:01 0.0.0.0 <system> 0000001708 Downloading file : daily-ec.avc [Done]
12/28/08 01:29:01 0.0.0.0 <system> 0000001708 Downloading file : avp.set [Done]
12/28/08 01:29:01 0.0.0.0 <system> 0000001708 Downloading file : avp.klb [Done]
12/28/08 01:29:01 0.0.0.0 <system> 0000001708 Downloading file [Done]
12/28/08 01:29:01 0.0.0.0 <system> 0000001708 Installing file [Busy]
12/28/08 01:29:07 0.0.0.0 <system> 0000001708 Installing file : Plugins\Kaspersky AntiVirus\Bases\fa001.avc [Busy]
12/28/08 01:29:07 0.0.0.0 <system> 0000001708 Installing file : Plugins\Kaspersky AntiVirus\Bases\base318c.avc [Busy]
12/28/08 01:29:07 0.0.0.0 <system> 0000001708 Installing file : Plugins\Kaspersky AntiVirus\Bases\base320c.avc [Busy]
12/28/08 01:29:07 0.0.0.0 <system> 0000001708 Installing file : Plugins\Kaspersky AntiVirus\Bases\base364c.avc [Busy]
12/28/08 01:29:07 0.0.0.0 <system> 0000001708 Installing file : Plugins\Kaspersky AntiVirus\Bases\base365c.avc [Busy]
12/28/08 01:29:07 0.0.0.0 <system> 0000001708 Installing file : Plugins\Kaspersky AntiVirus\Bases\base366c.avc [Busy]
12/28/08 01:29:07 0.0.0.0 <system> 0000001708 Installing file : Plugins\Kaspersky AntiVirus\Bases\base504c.avc [Busy]
12/28/08 01:29:07 0.0.0.0 <system> 0000001708 Installing file : Plugins\Kaspersky AntiVirus\Bases\base505c.avc [Busy]
12/28/08 01:29:07 0.0.0.0 <system> 0000001708 Installing file : Plugins\Kaspersky AntiVirus\Bases\dailyc.avc [Busy]
12/28/08 01:29:07 0.0.0.0 <system> 0000001708 Installing file : Plugins\Kaspersky AntiVirus\Bases\ext004c.avc [Busy]
12/28/08 01:29:07 0.0.0.0 <system> 0000001708 Installing file : Plugins\Kaspersky AntiVirus\Bases\ext071c.avc [Busy]
12/28/08 01:29:07 0.0.0.0 <system> 0000001708 Installing file : Plugins\Kaspersky AntiVirus\Bases\daily-ec.avc [Busy]
12/28/08 01:29:07 0.0.0.0 <system> 0000001708 Installing file : Plugins\Kaspersky AntiVirus\Bases\avp.set [Busy]
12/28/08 01:29:07 0.0.0.0 <system> 0000001708 Installing file : Plugins\Kaspersky AntiVirus\Bases\avp.klb [Busy]
12/28/08 01:29:07 0.0.0.0 <system> 0000001708 Installing file [Done]
12/28/08 01:29:07 0.0.0.0 <system> 0000002276 Debug: Obtaining lock in Refresh
12/28/08 01:29:36 0.0.0.0 <system> 0000001880 InitialiseQbik
12/28/08 01:29:36 0.0.0.0 <system> 0000001880 HasCapability
12/28/08 01:29:36 0.0.0.0 <system> 0000001880 Debug: Obtaining lock in Refresh
12/28/08 01:29:36 0.0.0.0 <system> 0000001880 Debug: Releasing lock in Refresh
12/28/08 01:29:36 0.0.0.0 <system> 0000002276 Debug: Releasing lock in Refresh
12/28/08 01:29:36 0.0.0.0 <system> 0000002276 Completing update
12/28/08 01:30:21 0.0.0.0 <system> 0000001880 InitialiseQbik
12/28/08 01:30:21 0.0.0.0 <system> 0000001880 HasCapability
12/28/08 01:30:21 0.0.0.0 <system> 0000001880 Debug: Obtaining lock in Refresh
12/28/08 01:30:21 0.0.0.0 <system> 0000001880 Debug: Releasing lock in Refresh
12/28/08 01:37:50 0.0.0.0 <system> 0000000820 Configuration has changed

---------------------
We did see this which indicates that some scanning is taking place for file downloads.

12/06/08 11:04:12 0.0.0.0 <system> 0000000116 Debug: Obtaining lock in Refresh
12/06/08 11:04:40 0.0.0.0 <system> 0000001692 InitialiseQbik
12/06/08 11:04:40 0.0.0.0 <system> 0000001692 HasCapability
12/06/08 11:04:40 0.0.0.0 <system> 0000001692 Debug: Obtaining lock in Refresh
12/06/08 11:04:40 0.0.0.0 <system> 0000001692 Debug: Releasing lock in Refresh
12/06/08 11:04:40 0.0.0.0 <system> 0000000116 Debug: Releasing lock in Refresh
12/06/08 11:05:23 0.0.0.0 <system> 0000001692 InitialiseQbik
12/06/08 11:05:23 0.0.0.0 <system> 0000001692 HasCapability
12/06/08 11:05:23 0.0.0.0 <system> 0000001692 Debug: Obtaining lock in Refresh
12/06/08 11:05:23 0.0.0.0 <system> 0000001692 Debug: Releasing lock in Refresh
12/06/08 13:48:32 10.0.0.155 guest 0000000888 Kaspersky AntiVirus 2.0 for WinGate has quarantined for guest because it could not be scanned
12/06/08 13:49:37 10.0.0.155 guest 0000000888 Kaspersky AntiVirus 2.0 for WinGate has quarantined for guest because it could not be scanned
12/06/08 13:51:34 0.0.0.0 <system> 0000001556 Configuration has changed
12/06/08 13:52:06 10.0.0.155 guest 0000000812 Kaspersky AntiVirus 2.0 for WinGate has quarantined for guest because it could not be scanned
12/06/08 13:55:17 0.0.0.0 <system> 0000001556 Configuration has changed
12/06/08 13:56:29 0.0.0.0 <system> 0000001556 Configuration has changed
12/06/08 14:09:58 0.0.0.0 <system> 0000001556 Configuration has changed

-------------------------------------------------

And this one too. Don't know what is being scanned here.

11/12/08 07:32:26 10.0.0.152 guest 0000001316 Kaspersky AntiVirus 2.0 for WinGate has quarantined for guest because it is infected with Worm.Win32.AutoRun.scj
11/12/08 11:00:50 0.0.0.0 <system> 0000002092 Debug: Obtaining lock in Refresh
11/12/08 11:01:17 0.0.0.0 <system> 0000001688 InitialiseQbik
11/12/08 11:01:17 0.0.0.0 <system> 0000001688 HasCapability
11/12/08 11:01:17 0.0.0.0 <system> 0000001688 Debug: Obtaining lock in Refresh
11/12/08 11:01:17 0.0.0.0 <system> 0000001688 Debug: Releasing lock in Refresh
11/12/08 11:01:17 0.0.0.0 <system> 0000002092 Debug: Releasing lock in Refresh
11/12/08 11:01:58 0.0.0.0 <system> 0000001688 InitialiseQbik
11/12/08 11:01:58 0.0.0.0 <system> 0000001688 HasCapability
11/12/08 11:01:58 0.0.0.0 <system> 0000001688 Debug: Obtaining lock in Refresh
11/12/08 11:01:58 0.0.0.0 <system> 0000001688 Debug: Releasing lock in Refresh
11/12/08 12:28:20 10.0.0.153 guest 0000001364 Kaspersky AntiVirus 2.0 for WinGate has quarantined for guest because it is infected with Worm.Win32.AutoRun.seh
alyork
 
Posts: 95
Joined: Jun 13 08 3:57 pm
Location: Vancouver, Canada
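A small parser for log lines in the format quoted in the post above, as an added example (not code from Qbik or the poster). It answers the questions raised in this thread from the log alone: whether any scan verdicts are being logged at all, what was detected and from which client, whether a signature update completed, and how many verdicts name no scanned object. The sample lines and the URL in them are constructed.

```python
import re
from collections import Counter

# Constructed sample lines in the format of the Kaspersky AV for WinGate log
# excerpts quoted in this thread; the URL is a placeholder, not the original.
SAMPLE_LOG = """\
12/28/08 01:24:15 10.0.0.152 guest 0000000664 Kaspersky AntiVirus 2.0 for WinGate has allowed http://example.invalid/snow.gif for guest because it is clean
12/28/08 01:24:42 10.0.0.152 guest 0000000664 Kaspersky AntiVirus 2.0 for WinGate has allowed for guest because it is clean
12/28/08 01:28:20 0.0.0.0 <system> 0000002276 Starting update
12/28/08 01:29:36 0.0.0.0 <system> 0000002276 Completing update
12/06/08 13:48:32 10.0.0.155 guest 0000000888 Kaspersky AntiVirus 2.0 for WinGate has quarantined for guest because it could not be scanned
11/12/08 07:32:26 10.0.0.152 guest 0000001316 Kaspersky AntiVirus 2.0 for WinGate has quarantined for guest because it is infected with Worm.Win32.AutoRun.scj
"""
# Layout "MM/DD/YY HH:MM:SS client user threadid message"; the object name in a verdict is optional.
LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) \d{10} (.*)$")
VERDICT_RE = re.compile(r"has (allowed|quarantined)(?: (\S+))? for \S+ because (.+)$")
UPDATE_MSGS = ("Starting update", "Completing update")

def parse_log(text):
    """One dict per verdict or update line; debug/lock chatter is dropped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, client, user, msg = m.groups()
        v = VERDICT_RE.search(msg)
        if not v and msg not in UPDATE_MSGS:
            continue
        action, obj, reason = v.groups() if v else (msg, None, "")
        events.append({"ts": ts, "client": client, "user": user,
                       "action": action, "object": obj or "", "reason": reason})
    return events

def summarize(events):
    """Verdict counts, detections, last completed update, and verdicts naming no object."""
    counts = Counter(e["action"] for e in events)
    detections = [(e["ts"], e["client"], e["reason"].split("infected with ", 1)[1])
                  for e in events if "infected with" in e["reason"]]
    unnamed = sum(1 for e in events if e["action"] not in UPDATE_MSGS and not e["object"])
    done = [e["ts"] for e in events if e["action"] == "Completing update"]
    findings = []
    if not (counts["allowed"] or counts["quarantined"]):
        findings.append("no scan verdicts logged: check the plugin is enabled on SMTP/POP3 and that Request Allowed/Blocked logging is on")
    if not done:
        findings.append("no completed signature update in this window")
    if unnamed:
        findings.append(f"{unnamed} verdict(s) do not name the scanned object")
    return {"counts": dict(counts), "detections": detections, "unnamed": unnamed,
            "last_update": done[-1] if done else None, "findings": findings}
```

Run it over the real log directory by reading each file into `parse_log`; an empty `findings` list with non-zero `allowed`/`quarantined` counts means the plugin is in the chain and producing verdicts.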

Re: Toxic Email Attachments Getting Through

Postby adrien » Dec 29 08 12:10 pm

Hi

1. update frequency. This is controlled by the scheduler, there should be an event called "Update Kaspersky Plugin". You can alter frequency by editing this scheduled event.

2. Not scanning. Those logs indicate it's wired into the chain, so it should be scanning. Have you checked the settings in the settings tab of KAV? E.g. if set to custom, check the advanced settings.

If none of this helps, I can take a look with remote desktop (or VNC or similar) if you'd like.

Adrien
adrien
Qbik Staff
 
Posts: 5201
Joined: Sep 03 03 2:54 pm
Location: Auckland

