IKARUS AV - Software Critical Updates for All Users | MDaemon Technologies, Ltd.



  • I updated our MDaemon with the patch released today.


    After install Cyren is gone and IKARUS AV is now showing under AntiVirus.

    Initially after installing, the IKARUS AV definition version was from the year 2012. After 1 hour, the definition version is now blank.

    There is no option/button to update the definitions manually.

    Any advice please? My concern is that IKARUS isn't doing anything. Luckily we have Symantec installed on the machine and it's catching the viruses ClamAV is not.

    21.5.3 (last 32bit version)



  • MDaemon ships with a very small and old set of virus definitions so the first thing it does is update. Depending on your internet connection that can take some time, but an hour seems like a really long time.

    Is your firewall blocking outbound http traffic for updating?

    Is your Symantec AV blocking the http traffic?

    What does the \MDaemon\SecurityPlus\Ikarus\scan.server\log\global\splogfile.log show is happening?

    What does the \MDaemon\SecurityPlus\Ikarus\scan.server\log\update\update.log show is happening?

    Is the ScanServer service running?


  • [18.04.2023 16:12:27]info  AktVersions: autoupdate: 1.14.0, scanserver_w32: 6.1.5.0, ikarust3: 6.1.10.0, t3vdb: 1
    [18.04.2023 16:12:30]info  NewVersions: autoupdate: 1.20.0, scanserver_w32: 6.1.14, ikarust3: 6.1.10, t3vdb: 105881
    [18.04.2023 16:12:30]info  Used update path 'http://updates.ikarus.at/cgi-bin/scanserver_w32.pl'
    [18.04.2023 16:12:31]info  Successfully downloaded 'http://mirrorcdn.mailsecurity.at/updates/scupdate_w32001020000.full'.
    [18.04.2023 16:12:31]info  Backed up previous version.
    [18.04.2023 16:12:31]info  Autoupdate successfully download, trying to replace 'scupdate.exe'.
    [18.04.2023 16:12:31]info  Autoupdate has been successfully replaced: 1.14.0 -> 1.20.0
    [18.04.2023 16:20:28]info  AktVersions: autoupdate: 1.20.0, scanserver_w32: 6.1.5.0, ikarust3: 6.1.10.0, t3vdb: 1
    [18.04.2023 16:20:28]info  NewVersions: autoupdate: 1.20.0, scanserver_w32: 6.1.14, ikarust3: 6.1.10, t3vdb: 105881
    [18.04.2023 16:20:28]info  Used update path 'http://updates.ikarus.at/cgi-bin/scanserver_w32.pl'
    [18.04.2023 16:20:37]info  Successfully downloaded 'http://mirrorcdn.mailsecurity.at/updates/t3sigs000105881.vdb'.
    [18.04.2023 16:20:40]info  T3-VDB has been completely replaced. VdbBuildNr: 105881
    [18.04.2023 16:20:46]warn  Failed the reload of vdb
    [18.04.2023 17:08:47]info  AktVersions: autoupdate: 1.20.0, scanserver_w32: 6.1.5.0, ikarust3: 6.1.10.0, t3vdb: 105881
    [18.04.2023 17:08:47]info  NewVersions: autoupdate: 1.20.0, scanserver_w32: 6.1.14, ikarust3: 6.1.10, t3vdb: 105881
    [18.04.2023 17:08:47]info  Used update path 'http://updates.ikarus.at/cgi-bin/scanserver_w32.pl'
    [18.04.2023 17:08:47]warn  Error downloading 'http://mirrorcdn.mailsecurity.at/updates/scanserver_w32006001014-006001005.diff' (download error:-12)
    [18.04.2023 17:08:48]info  Successfully downloaded 'http://mirrorcdn.mailsecurity.at/updates/scanserver_w32006001014.full'.
    [18.04.2023 17:08:48]info  Trying to replace  VNr.: 6.1.5.0 -> 6.1.14
    [18.04.2023 17:08:51]warn  Cannot get service-pid, update might fail
    [18.04.2023 17:08:51]warn  Cannot access service-process, update might fail
    [18.04.2023 17:08:53]info  Files were backed up and the service stopped.
    [18.04.2023 17:08:55]warn  Failed to start service
    [18.04.2023 17:08:55]info  Product-binaries were downloaded and updated - VNr: 6.1.5.0 -> 6.1.14


  • I opened COMMAND PROMPT as admin.

    From C:\MDaemon\SecurityPlus\Ikarus\scan.server\bin\ I ran the command "scanserver -install"

    It seemed to install the scanserver process. I then ran "scupdate -update" from the same folder.

    The virus definition version is now 486899 date 2023-04-18 12:12:51

    So a couple of questions:

    - How do I know if it'll update now every 10 mins as per the blurb?

    - How do I know if it is scanning emails?

    - Why no manual update button?


  • splogfile.log


    [18.04.2023 16:11:37][22D4] Imported license file: C:\MDaemon\Queues\Temp\Ik5713.tmp
    [18.04.2023 16:11:39][2110] Starting scanserver_w32 V6.01.05
    [18.04.2023 16:11:39][1FF8] License check started
    [18.04.2023 16:11:39][1FF8] License check finished
    [18.04.2023 16:11:56][2110] Loaded T3 successfully!
    [18.04.2023 16:11:56][2110] VDB: 22.11.2012 14:29:45 (1) T3: 6.1.10.0
    [18.04.2023 16:11:56][25C4] License check started
    [18.04.2023 16:11:56][25C4] License check finished
    [18.04.2023 16:11:56][2110] Started server at ::3080 ::0
    [18.04.2023 16:11:56][2110] Started server at ::3080
    [18.04.2023 16:21:56][2320] Trying to start update.
    [18.04.2023 16:21:56][2320] Starting update.
    [18.04.2023 16:36:56][2320] Trying to start update.
    [18.04.2023 16:36:56][2320] Starting update.
    [18.04.2023 16:51:56][2320] Trying to start update.
    [18.04.2023 16:51:56][2320] Starting update.
    [18.04.2023 17:06:56][2320] Trying to start update.
    [18.04.2023 17:06:56][2320] Starting update.
    [18.04.2023 17:08:52][2254] service cmd 135
    [18.04.2023 17:08:52][2254] Soft stop initiated
    [18.04.2023 17:08:52][2110] Stopped server!
    [18.04.2023 17:08:52][2110] Quitting!
    [18.04.2023 17:50:45][26E0] Starting scanserver_w32 V6.01.14
    [18.04.2023 17:50:45][24E8] License check started
    [18.04.2023 17:50:45][24E8] License check finished
    [18.04.2023 17:51:18][26E0] Loaded T3 successfully!
    [18.04.2023 17:51:18][26E0] VDB: 18.04.2023 13:12:51 (105881) T3: 6.1.10.0
    [18.04.2023 17:51:18][12D0] License check started
    [18.04.2023 17:51:18][12D0] License check finished
    [18.04.2023 17:51:18][15C4] Trying to start update.
    [18.04.2023 17:51:18][15C4] Starting update.
    [18.04.2023 17:51:18][26E0] Started server at ::3080 ::0
    [18.04.2023 17:51:18][26E0] Started server at ::3080
    [18.04.2023 17:56:18][15C4] Trying to start update.
    [18.04.2023 17:56:18][15C4] Starting update.
    [18.04.2023 18:01:18][15C4] Trying to start update.
    [18.04.2023 18:01:18][15C4] Starting update.


  • - how do I know if it'll update now every 10 mins as per the blurb?

    You can check the update.log file in the \MDaemon\SecurityPlus\Ikarus\scan.server\log\update log directory.  You should see activity approximately every 10 minutes, although there will not be an update available every time it checks.

    - how do i know if it is scanning emails?

    You can check the inbound SMTP, AntiVirus or Scanserver logs.  The inbound SMTP log will look like this:

    Tue 2023-04-18 13:02:35.214: Passing message through AntiVirus (Size: 51298)...
    Tue 2023-04-18 13:02:35.250: *  Message is clean (no viruses found) scanned by (IKARUS: clean (0.00225s)) (ClamAV: clean (0.02605s))
    Tue 2023-04-18 13:02:35.250: ---- End AntiVirus results

    The AntiVirus log will start like this:

    Tue 2023-04-18 12:47:22.901: Start MDaemon AntiVirus results 
    Tue 2023-04-18 12:47:22.903: * IKARUS AV: clean  (0.00162 s) C:\MDaemon\CFilter\TEMP\9922855\pd303589711.hdr
    Tue 2023-04-18 12:47:22.906: * ClamAV: clean  (0.00326 s) C:\MDaemon\CFilter\TEMP\9922855\pd303589711.hdr

    The scanserver log can be found at \MDaemon\SecurityPlus\Ikarus\scan.server\log\scan\scanserver.log and will look like this:

    [18.04.2023 13:06:23][16C0] {"crc64":12909240399817610421,"filetype":297,"filetype_name":"PKZIP archive","status":"clean","neg_type":"cached","num_items":1,"time":0,"input":"C:\\MDaemon\\CFilter\\TEMP\\9922855\\pd3026224401.att","client":"127.0.0.1"}

    - why no manual update button?

    The "Update AV Signatures Now" button in the ClamAV updater section will actually force ClamAV and Ikarus to attempt an update. We didn't intend to have an update button at all for Ikarus since it checks every 10 minutes and you can actually manually trigger the update by running the EXE, but it was requested, so we added it to the button that was already there. There is more work that needs to be done in the AV Updater UI, but in the interest of time, we opted to leave it as is for now. More changes will be coming, but most likely the changes will be simplification of the UI, not more features.

    I'm glad it's working for you now. Let us know if you have any other questions.
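As an added illustration of the log check described in this answer (example code, not MDaemon's or IKARUS's own), the following Python reads update.log lines in the format quoted in this thread and flags a lapsed poll cadence, an installed t3vdb build that is behind the advertised one, and any warn lines such as the failed vdb reload seen earlier; the sample log is constructed.

```python
import re
from datetime import datetime, timedelta

# Line shape taken from the update.log excerpts in this thread, e.g.
# [18.04.2023 16:20:46]warn  Failed the reload of vdb
LINE_RE = re.compile(r"^\[(\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2})\](\w+)\s+(.*)$")
VER_RE = re.compile(r"^(AktVersions|NewVersions):.*\bt3vdb:\s*(\d+)")
TS_FMT = "%d.%m.%Y %H:%M:%S"

def parse_update_log(text):
    """Yield (timestamp, level, message) for every well-formed update.log line."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield datetime.strptime(m.group(1), TS_FMT), m.group(2), m.group(3)

def check_update_health(text, now, max_gap_minutes=15):
    """Summarise updater state; `now` is a timestamp in the log's own format.
    stale_check: no version poll within max_gap_minutes (updater polls ~10 min);
    behind: installed t3vdb lower than newest; warnings: every 'warn' message."""
    installed = newest = last_check = None
    warnings = []
    for ts, level, msg in parse_update_log(text):
        v = VER_RE.match(msg)
        if v:
            last_check = ts
            if v.group(1) == "AktVersions":
                installed = int(v.group(2))   # build currently installed
            else:
                newest = int(v.group(2))      # build the update server advertises
        elif level == "warn":
            warnings.append(msg)              # e.g. failed vdb reload / service start
    now_ts = datetime.strptime(now, TS_FMT)
    stale = last_check is None or now_ts - last_check > timedelta(minutes=max_gap_minutes)
    behind = installed is not None and newest is not None and installed < newest
    return {"installed": installed, "newest": newest, "stale_check": stale,
            "behind": behind, "warnings": warnings}

# Constructed sample in the shape of the thread's update.log (not a real log)
SAMPLE_LOG = """\
[18.04.2023 16:20:28]info  AktVersions: autoupdate: 1.20.0, scanserver_w32: 6.1.5.0, ikarust3: 6.1.10.0, t3vdb: 1
[18.04.2023 16:20:28]info  NewVersions: autoupdate: 1.20.0, scanserver_w32: 6.1.14, ikarust3: 6.1.10, t3vdb: 105881
[18.04.2023 16:20:40]info  T3-VDB has been completely replaced. VdbBuildNr: 105881
[18.04.2023 16:20:46]warn  Failed the reload of vdb
[18.04.2023 16:30:28]info  AktVersions: autoupdate: 1.20.0, scanserver_w32: 6.1.5.0, ikarust3: 6.1.10.0, t3vdb: 105881
[18.04.2023 16:30:28]info  NewVersions: autoupdate: 1.20.0, scanserver_w32: 6.1.14, ikarust3: 6.1.10, t3vdb: 105881
"""
```

A non-empty warnings list with matching build numbers is exactly the situation in this thread, where the scanner kept serving the old VDB until the service was restarted.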


  • Hello @Stephen 

    Usually, I update MDaemon as soon as a new version is released. But as this update addresses a complete AV engine change and official notifications were pretty tight-lipped about the Cyren successor, I decided to wait until hearing from someone braver than me to go ahead with the upgrade. So, thank you for sharing your experiences.

    I was wondering about a few things.

    Luckily we have Symantec installed on the machine and it's catching the viruses

    We too use Symantec (Endpoint Security to be exact). As per MDaemon recommendations, I've configured the endpoint on an email server to exclude pretty much everything MDaemon related (traffic on all ports MDaemon uses, complete MDaemon folder, mail storage, public folders). The only way Symantec can "assist" with email protection is at the client endpoint(s).
    Could you please share how you configured your protection, especially on the email server itself?

    I know it is not that representative yet, it's been less than a day, but have you noticed any difference in virus discovery rate with Ikarus, compared to Cyren? As I had never heard of Ikarus AV before, I've Googled it and the search results are, let's say, a mixed bag at best.

    Thank you 


  • I can confirm that IKARUS AV appears to be updating as it should. Definition version has increased since yesterday and signature date updated to today.

    IKARUS AV appears to be doing a much better job than Cyren AV - catching far more viruses/malware. So thumbs up from us.

    @Aleksandar we have full SEP installed with only a small number of firewall exceptions.


  • Good to hear that the Ikarus change seems to be working out.

    we have full SEP installed with only a small number of firewall exceptions.

    How about file/folder exceptions? Have you configured any MDaemon related changes in Exceptions policies?
    For example, have you left MSG file scans as allowed, or possibly complete mail storage folder (if not located under MDaemon)?
    Is your SEP client allowed to scan MDaemon EXE files or, for example, App subfolder?

    Thank you


  • Hi Aleksandar, we have no exceptions. Default installation with only a small number of firewall rules added. We couldn't rely on ClamAV or Cyren AV to catch all threats. So left SEP on the machine as a third AV.

    SEP typically finds additional threats in our msg archive also, we have it doing a full scan of the archive twice daily.


  • In our testing, we found Ikarus to be faster at scanning messages and it had better detection rates.


  • Thanks for the info Arron
    While we are on the subject, reading the "Running a non-MDaemon AntiVirus solution on the same machine as MDaemon" article and remembering recommendations received from MD support some time ago, I gather that MD AV(s) should be left solely in charge of everything MD related (MDaemon folder/subfolders, mail storage, public folders, ...). All that should be excluded in the other AV, along with firewall exceptions for all of the protocols/ports used by MD, right?
    So, for example, real-time scanning/auto protect for the Inbound queue would not be a good idea?
    Is there anything the other AV could do (MSG scanning-wise) and not interfere with MD AVs?

    Thank you


  • All that should be excluded in the other AV, along with firewall exceptions for all of the protocols/ports used by MD, right?

    Yes.  Scanning the protocols/ports is less likely to cause issues, but there can still be issues.

    So, for example, real-time scanning/auto protect for the Inbound queue would not be a good idea?

    Correct. Some people do it, but we do not recommend it. It can lead to read/write errors, missing messages, and other unexpected behavior.

    Is there anything other AV could do (MSG scanning-wise) and not interfere with MD AVs? 

    Not really, not without the potential of unexpected behavior.



  • Hello everyone

    Updated to 23.0.1 two days ago. Click on "Update AV Signatures Now" forced Ikarus AV to update initial definitions to current at that time.
    Since the upgrade, according to MDaemon-2023-04-*-AntiVirus.log and [\MDaemon\SecurityPlus\Ikarus\scan.server\log\scan\]scanserver.log, Ikarus AV seems to be scanning everything, no problem.
    But, at this moment, definitions are still at April 19th, 6PM.

    splogfile.log / update.log show everything is up-to-date

    [21.04.2023 14:04:15][0A98] Trying to start update.
    [21.04.2023 14:04:15][0A98] Starting update.
    [21.04.2023 14:04:16][0A98] Update: Everything is up to date

    [21.04.2023 14:04:15]info  AktVersions: autoupdate: 1.20.0, scanserver_w64: 6.1.14.0, ikarust3_w64: 6.1.10.0, t3vdb: 105889
    [21.04.2023 14:04:15]info  NewVersions: autoupdate: 1.20.0, scanserver_w64: 6.1.14, ikarust3_w64: 6.1.10, t3vdb: 105889
    [21.04.2023 14:04:15]info  Used update path 'http://updates.ikarus.at/cgi-bin/scanserver_w64.pl'

    Is it possible that Ikarus hasn't released new definitions for 2 days now, or is it just me?

    Regards


  • Based on your update log, it looks like it was installed today.

    We have version 487919 on our server as well, but it wasn't downloaded until today.

    What is the modified date/time of \MDaemon\SecurityPlus\Ikarus\scan.server\Ikarust3\t3sigs.vdb?



  • I've just seen in the updatelog.log:

    [21.04.2023 14:44:25]info  AktVersions: autoupdate: 1.20.0, scanserver_w64: 6.1.14.0, ikarust3_w64: 6.1.10.0, t3vdb: 105889
    [21.04.2023 14:44:27]info  NewVersions: autoupdate: 1.20.0, scanserver_w64: 6.1.14, ikarust3_w64: 6.1.10, t3vdb: 105890
    [21.04.2023 14:44:27]info  Used update path 'http://updates.ikarus.at/cgi-bin/scanserver_w64.pl'
    [21.04.2023 14:44:27]info  Successfully downloaded 'http://mirrorcdn.mailsecurity.at/updates/t3sigs000105890-000105889.diff'.
    [21.04.2023 14:44:28]info  Try to patch DB.
    [21.04.2023 14:45:35]info  T3-VDB has been patched: 105889 -> 105890

    and AV Scanner Info in MD changed the AV definitions version to 487940.


    But signature date remains the same!?


  • It seems to have something to do with RemoteAdmin, which I predominantly use.
    In MD itself everything is displayed correctly.


  • Since my last message our server has updated to 487940.  Has yours?  

    Has the Signature date changed in the UI?  The change is not immediate, it can take up to 5 minutes and the UI needs to be closed and re-opened.


  • Sorry, I missed that your screen shot was from Remote Administration.  I can confirm that I'm seeing the same issue in Remote Administration and have submitted a bug on it for the developers to look at.

