GFI Software

Re: Sophos AV - why am I paying for this? [message #122225 is a reply to message #122104] Mon, 22 June 2015 17:52
Maerad
Messages: 275
Registered: August 2013
Sophos works fine. The clients (especially ESET) find the virus because they have something called heuristics. They also don't have the virus in their database, BUT they analyze the behavior/code to see if it has virus-like usage patterns and make a "best guess".

99% of the antivirus systems for mail servers that I know work with virus lists, not heuristics. On a client you SEE that the antivirus found something and can decide what to do. In a mail, you get - in the best case - just a warning and no attachment. And if THAT was some really important program someone was waiting for and it got deleted by a false positive .... wohoooo!

Also, if it's a new virus, it's quite common that 95% of all scanners won't find a thing. Last time I had a virus, I uploaded it on VirusTotal and 2 other sites - not ONE scanner detected it as a virus. After 3 hours, 2 scanners found the virus.

You can't rely on a scanner alone. You need mail protection and client protection. IF the clients can kill the virus the mail server didn't find, everything's OK, because that's what it's there for.

We never had any problems with viruses. First a bit more aggressive spam rules (most viruses are sent like spam mails), then the Sophos protection, then the client protection and MOST important - A KNOWING USER! I school any new worker and 1x a year (or with mail in important cases), so THEY know what they are doing.

That, with enabled extensions on Windows files, protected us more than any antivirus. And we had Panda, Avira, ESET, Micro...thing...., Kaspersky etc.

Nothing was 100% secure. But if the user knows what to open and what not or/and when to ask, it's fine.

You don't need one antivirus program, you need a security and antivirus strategy for your company.
Re: Sophos AV - why am I paying for this? [message #122369 is a reply to message #122225] Thu, 25 June 2015 17:46
MarkK
Messages: 342
Registered: April 2007
Maerad wrote on Mon, 22 June 2015 08:52
We never had any problems with viruses. First a bit more aggressive spam rules (most viruses are sent like spam mails), then the Sophos protection, then the client protection and MOST important - A KNOWING USER!


Maerad,
I've said the same thing before, that an anti-malware strategy INCLUDES an anti-spam strategy, and been argued with about that statement. Yes, there is a big difference between malware and spam, but if one of your strategies has stopped one (spam or malware), then it has most likely prevented the other as well (malware / spam).

But like Fort Knox, it doesn't matter how much security you have in place; if a user opens a door for someone, a hole in the security has been opened up. Regardless of how much you hammer into your users about what to look for, it is those targeted spear phishing emails that users are most likely to fall prey to. The crook knows his audience and how to possibly get that door opened just enough to slip something in.

There was a time that you had your firewall on your network's edge and that was good enough. Those days are gone. Now you need a firewall and intrusion prevention system at the network edge (even more options are better); firewall, antivirus, and intrusion prevention on your mail server; and firewall, intrusion detection, antimalware/antivirus on your workstation. This is why we are paying for Sophos AV.
Re: Sophos AV - why am I paying for this? [message #122374 is a reply to message #122369] Thu, 25 June 2015 18:07
Maerad
Messages: 275
Registered: August 2013
MarkK wrote on Thu, 25 June 2015 17:46

But like Fort Knox, it doesn't matter how much security you have in place; if a user opens a door for someone, a hole in the security has been opened up. Regardless of how much you hammer into your users about what to look for, it is those targeted spear phishing emails that users are most likely to fall prey to. The crook knows his audience and how to possibly get that door opened just enough to slip something in.

There was a time that you had your firewall on your network's edge and that was good enough. Those days are gone. Now you need a firewall and intrusion prevention system at the network edge (even more options are better); firewall, antivirus, and intrusion prevention on your mail server; and firewall, intrusion detection, antimalware/antivirus on your workstation. This is why we are paying for Sophos AV.


I really agree with you. And I never said to go without any kind of antivirus.

I'm just saying it's a fatal flaw to trust the antivirus system. It doesn't matter who made the antivirus, there will never be 100% security on the program side.

You need to combine everything and still, that might not be enough. That's where the user comes into play. With appropriate training, the users can identify 90% of spam, viruses or phishing attempts.

Today we had another case with an infected supplier of ours. We're talking about a company here with around 500 people in the office, with gateway deep packet protection including intrusion detection, antivirus, data stream analysis etc.

Not to mention the antivirus clients, the server mail protection, special restrictions for the users in the company, a knowing IT department... and still, one PC got infected today. It was an attachment to a mail; the user opened it and got infected. The gateway protection is a hardware system and really expensive, same goes for the antivirus on the Exchange and of course the clients.

They couldn't find the virus, it was just too new and the heuristic wasn't able to see it.

When we had Exchange with ESET protection, we also had some viruses coming through. IMHO Sophos on Kerio detects more than enough and with the new "delete attachments if disallowed extension is in .zip" we didn't have a virus in weeks.
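
An added example, not part of the original post and not Kerio's implementation: a minimal sketch of the kind of check the "disallowed extension inside a .zip" rule mentioned above implies, including double extensions and nested archives. The blocklist, limits, function names and sample archive are all constructed for illustration.

```python
import io
import zipfile

# Constructed policy for this example; a real deployment picks its own list.
BLOCKED_EXTS = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".pif", ".com"}
MAX_DEPTH = 2  # levels of nested archives to open
MAX_NESTED_SIZE = 10 * 1024 * 1024  # declared size limit for nested archives


def final_ext(name):
    """Last suffix, lower-cased, ignoring trailing dots/spaces (Windows drops them)."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1].rstrip(". ").lower()
    dot = base.rfind(".")
    return base[dot:] if dot > 0 else ""


def blocked_members(data, depth=0):
    """List members with a blocked extension; ValueError if uninspectable (fail closed)."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile as exc:
        raise ValueError("unreadable archive") from exc
    hits = []
    with zf:
        for info in zf.infolist():
            ext = final_ext(info.filename)
            if ext in BLOCKED_EXTS:
                hits.append(info.filename)
            elif ext == ".zip":
                if depth >= MAX_DEPTH or info.file_size > MAX_NESTED_SIZE:
                    raise ValueError("nested archive too deep or too large")
                if info.flag_bits & 0x1:  # encrypted: contents cannot be read
                    raise ValueError("encrypted nested archive")
                inner = blocked_members(zf.read(info), depth + 1)
                hits += [f"{info.filename}!{name}" for name in inner]
    return hits


def build_sample():
    """Constructed sample: double-extension member plus a nested zip."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("scan.PDF.scr", b"placeholder")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("readme.txt", b"hello")
        z.writestr("invoice.pdf.exe", b"placeholder")
        z.writestr("docs/inner.zip", inner.getvalue())
    return outer.getvalue()
```

A caller would treat a non-empty result or a `ValueError` the same way: strip or quarantine the attachment instead of delivering it.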
Re: Sophos AV - why am I paying for this? [message #128442 is a reply to message #122056] Thu, 10 March 2016 21:05
j.a.duke
Messages: 239
Registered: October 2006
Radek Sip (Kerio) wrote on Tue, 16 June 2015 09:44
Antivirus SDK for Kerio Products

The SDK includes a public API that can be used to write plugins for third-party antivirus solutions, together with sample plugin source code, ClamAV® plugin source code, and testing binaries. Linux is the supported platform, both for development and as the deployment target.

If you want to start using the plugin now and skip compilation, we have prepared the Linux plugin in binary form directly for download. Do not worry if you use Windows. Our community took care of it and created the necessary DLL file.


Radek,

I've tried to download the plugin to which Pavel had linked on SamePage, but the link generates a 404 error.

I had posted to the thread regarding the error in September, but the link is still dead.

Can you please be so kind as to either fix the link with a working one or post the current plug-in on a new page?

I have tried compiling the Linux plugin myself, but am having some problems achieving success, mostly with Boost & paths. I'm working to resolve that now.

I'm also working on the Mac plug-in, based on info posted to Matthias Kerstner's blog post regarding the Windows plug-in (that you directed me to look at). I just started that today and haven't progressed much yet.

Thanks.

Cheers,
Jon
Re: Sophos AV - why am I paying for this? [message #128545 is a reply to message #128442] Sat, 19 March 2016 03:56
j.a.duke
Messages: 239
Registered: October 2006
Well, I've got a Linux plug-in working in 9.0.2 on my test CentOS 7 server, but am having a fair amount of trouble getting the Mac plug-in to compile.

If anyone out there would like to give me a hand on the Mac side, I'm more than happy to make that plug-in available to the community.

I'm planning on posting the Linux plug-in for download early next week once I'm happy that it works as expected. The only reason for doing this is that Kerio hasn't fixed the download link to a working Linux plug-in.

If anyone would like to look over my make errors and help me figure out what needs fixing, please let me know and I can send along the PDF of errors.

Thanks.

Cheers,
Jon
Re: Sophos AV - why am I paying for this? [message #128765 is a reply to message #128442] Sat, 02 April 2016 23:14
Pavel Dobry (Kerio)
Messages: 2057
Registered: October 2003
Location: Czech Republic
j.a.duke wrote on Thu, 10 March 2016 21:05

I've tried to download the plugin to which Pavel had linked on SamePage, but the link generates a 404 error.


New link to updated plug-in for 64-bit Linux.


Re: Sophos AV - why am I paying for this? [message #128767 is a reply to message #128765] Sun, 03 April 2016 02:40
j.a.duke
Messages: 239
Registered: October 2006
Pavel Dobry (Kerio) wrote on Sat, 02 April 2016 17:14
j.a.duke wrote on Thu, 10 March 2016 21:05

I've tried to download the plugin to which Pavel had linked on SamePage, but the link generates a 404 error.


New link to updated plug-in for 64-bit Linux.


Pavel,

Thank you very much for the updated plugin.

Cheers,
Jon