IKARUS AV - Software Critical Updates for All Users | MDaemon Technologies, Ltd.


  • Great
    Thank you Arron


  • Posting this in case it helps someone else.  We block traffic to many countries outside of the US.  In our case, in order for MDaemon to download IKARUS updates, which is based in Austria, we had to add updates.ikarus.at to our Sonicwall firewall's Geo-IP exception list.  We also added www.ikarussecurity.com just so we could see their website to learn more about them.


  • [11.05.2023 09:09:44]info  T3-VDB has been patched: 105948 -> 105949

    Back again as we're still having issues with IKARUS. After the above update this morning, IKARUS crapped out again. I only noticed as we had a huge backlog in emails - all stuck in the REMOTE queue. Ended up having to run the command "scanserver -restart" again to get it back working.

    This is about the fifth time now I've had to run this command. Each time the AV service stopped after updating. I cannot see any pattern to the problem, it appears to be random looking at the logs.


  • Do you still have symantec configured to scan all of the MDaemon directories?  If you exclude all of the MDaemon directories from scanning in Symantec do you still have the same issue?


  • Hi Arron, yes I do thankfully. Symantec is still catching threats that ClamAV and IKARUS AV is not. I am not going to risk having no AV scanning incoming emails!! That would be negligent on my part.

    Can you please explain how and why having Symantec scanning those directories could be causing IKARUS AV service to stop? I can understand it may stop scanning, but to stop the service completely?

    And it cannot be a coincidence that the AV service stops shortly after updating.

    Thanks, Stephen


  • Hi Stephen, 

    I don't know what is causing it. Two AV engines running on the same box, with one scanning the binaries of another seems like a very likely culprit.

    Can you please explain how and why having Symantec scanning those directories could be causing IKARUS AV service to stop?   

    Again, I do not know what is causing the issue, so this is all theoretical.

    The entire job of an AV engine such as Symantec is to detect and prevent threats.  It is possible that Symantec is detecting something that IKARUS is doing during the update process as a threat and preventing the action, which is causing IKARUS to appear hung, or maybe it's preventing IKARUS from restarting itself after the update.

    The easy way to figure this out, which also happens to be our recommended configuration, is to exclude the MDaemon directories from scanning.


  • Ok thanks Arron.

    Unfortunately I cannot take that security risk at this moment, as the service isn't stable for us since the last update. I will leave as-is and put my own job in place to restart the IKARUS AV service until we move to O365.


  • We'd love to help you try to figure out what is causing the issue.  If you change your mind, let us know.


  • Thanks Arron. I wasn't having a dig at you. Our planned move to O365 is already in motion. Regards, Stephen


  • No worries. I'm sorry to hear that you are moving to O365.  


  • Hello

    Regarding previously discussed MDaemon & security software integration...
    We are using Symantec Endpoint Security software and have following specific policies in place for email server:
     1) firewall policy allowing incoming traffic for mdaemon.exe/worldclient.exe on ports [TCP] 25,53,80,110,143,366,443,465,587,993,995,1443,4069,8389 and [UDP] 53. Until recently we did not have any restrictions about specific connecting application, but as I haven't noticed any other MD related app having incoming connections those 2 were specified. Anything else should be excluded (for example webadmin.exe)?
     2) exclusion policy for \MDaemon, \MailStore and \PublicFolders folders (with subfolders)
    None of the Symantec components are allowed to "touch" any of these locations

    We use Hosted Security Gateway, but have people connecting from mobile devices from random locations.
    We operate mostly in Serbia and neighbouring countries, so Location Screening is ON for the most of the world ('SMTP port blocks AUTH only' is ON) and a lot of global IP pool blocked on the gateway as well. All of the other MDs security features are on. Both AV engines as well.

    And in spite of all of that, I'm daily seeing reports like this one. Attempts, after attempts, after attempts
    Symantec Endpoint Security log

    Ikarus and especially ClamAV are just AntiVirus engines, right?
    They only scan file system? Files/folders, being temporary or permanent? Not doing anything about these, let's call them, hacking attempts?
    Is there something more that can be done to improve security in this regard?

    One more question, what exactly is included in Ikarus/ClamAV scans?
    \MDaemon\App, for example? Or just mail storage and CFilter/SecurityPlus/..?


    Regards


  • Anything else should be excluded (for example webadmin.exe)?

    If you are using MDaemon Remote Administration and want to allow connections from the internet, then yes, you should add rules to allow traffic for webadmin.exe.  If you are using instant messaging you'll also want to allow XMPP traffic, WCXMPPServer.exe.

    Ikarus and especially ClamAV are just AntiVirus engines, right?
    They only scan file system? Files/folders, being temporary or permanent?

    Ikarus and ClamAV in MDaemon are only scanning files that are processed by MDaemon.  For example, all messages received via SMTP, all files uploaded from webmail, all messages uploaded via IMAP.

    Is there something more that can be done to improve security in this regard?

    What would you like to see done?  The webserver will accept the requests and return the appropriate error response.


  • What would you like to see done?  

    Ideally, to have security component(s) included with MDaemon handling its complete security. Network intrusions, scripting/exploit attempts,... as well as file processing.
    Dynamic Screening for these kinds of malicious events, Dynamic Block list for hosts attempting hacking around webmail authorization or blocking malicious access methods no matter where they are coming from.

    But my question was not if we can have something like that, rather what can I do more to use existing resources to enhance security. If you take a look at the log in my previous message, column DE, you can see that some of these attempts were allowed by Symantec agent. Those correspond to the 2 exclusion rules I've mentioned, so... it's my fault, not Symantecs.

    Perhaps defining exclusion rules more precisely/tightly? 
    - Allow incoming traffic (only) to MDaemon, WorldClient, WebAdmin, XMPP and WCXMPP apps on this and that port
    - AV scanning/realtime protection to exclude only folders processed by MDaemon and therefore protected by Ikarus/ClamAV. So not complete \MDaemon folder but rather (for example) subfolders CFilter\Quarant, CFilter\Temp, CFilter\Work, LockFiles, Queues, SecurityPlus\Ikarus\scan.server\tmp, SecurityPlus\ClamAVPlugin\temp, WebAdmin\Temp, WorldClient\Temp,...

    I don't know. I just have this feeling that some day one of these attempts will hit a "winning combination" and make my life really miserable.
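    The "Dynamic Screening for these kinds of malicious events" idea above can be prototyped on the web server's own access log. The following is an added example, not code from the poster or from MDaemon: it parses a constructed, simplified access-log format (timestamp, client IP, method, path, HTTP status; MDaemon's real webmail log layout is not shown in this thread), keeps a sliding window of failed requests (401/403/404) per client, and reports hosts that hit a failure threshold within the window, with an allowlist so LAN clients are never flagged. The sample IPs and paths are constructed test data.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not MDaemon's real webmail log format).
# Fields: timestamp, client IP, method, path, HTTP status.
SAMPLE_LOG = """\
2023-05-11 09:10:01 203.0.113.7 GET /WorldClient.dll?View=Login 200
2023-05-11 09:10:02 203.0.113.7 POST /WorldClient.dll?View=Login 401
2023-05-11 09:10:03 203.0.113.7 POST /WorldClient.dll?View=Login 401
2023-05-11 09:10:04 203.0.113.7 POST /WorldClient.dll?View=Login 401
2023-05-11 09:10:05 203.0.113.7 POST /WorldClient.dll?View=Login 401
2023-05-11 09:10:06 203.0.113.7 POST /WorldClient.dll?View=Login 401
2023-05-11 09:12:00 198.51.100.23 GET /.env 404
2023-05-11 09:12:01 198.51.100.23 GET /wp-login.php 404
2023-05-11 09:12:02 198.51.100.23 GET /phpmyadmin/ 404
2023-05-11 09:12:03 198.51.100.23 GET /cgi-bin/test.cgi 404
2023-05-11 09:12:04 198.51.100.23 GET /admin/config.php 404
2023-05-11 09:30:00 192.0.2.10 GET /WorldClient.dll?View=Main 200
2023-05-11 09:30:15 192.0.2.10 GET /WorldClient.dll?View=Main 200
2023-05-11 09:45:00 192.0.2.10 POST /WorldClient.dll?View=Login 401
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<ip>\S+) "
    r"(?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)

# Statuses that indicate a request the server refused or could not map:
# failed logins, forbidden paths, and probes for files that do not exist.
FAILURE_STATUSES = {401, 403, 404}


def parse_line(line):
    """Parse one constructed log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
        "ip": m["ip"],
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def dynamic_screen(log_text, threshold=5, window=timedelta(minutes=1), allowlist=()):
    """Return {ip: trigger_time} for hosts whose failures within `window`
    reach `threshold`. Hosts in `allowlist` are never flagged."""
    recent = defaultdict(deque)  # ip -> timestamps of recent failures
    flagged = {}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["ip"] in allowlist or rec["ip"] in flagged:
            continue
        if rec["status"] not in FAILURE_STATUSES:
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        # Drop failures that have fallen out of the sliding window.
        while q and rec["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            flagged[rec["ip"]] = rec["ts"]
    return flagged


if __name__ == "__main__":
    for ip, when in dynamic_screen(SAMPLE_LOG).items():
        print(f"{when} flag {ip} (>= 5 failed requests within 1 minute)")
```

    Feeding the flagged hosts into the firewall's block list is the part MDaemon's Dynamic Screening would normally do for SMTP/IMAP; here the threshold and window are tunable so a single mistyped webmail password (192.0.2.10 in the sample) never trips the rule.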


  • - Allow incoming traffic (only) to MDaemon, WorldClient, WebAdmin, XMPP and WCXMPP apps on this and that port

    I'm happy to help define rules for your firewall.  Based on what you have already told us, it looks like you have a pretty good set of rules, however, there may be some minor tweaks that would help to improve security.

    Are there any services in MDaemon that are running and that you have ports open for that you are not using?  For example, XMPP, POP3, or Minger?  If you are not using the service then don't allow the traffic on those ports and turn off the servers in MDaemon. This helps to reduce the attack surface.

    Is anyone using the IMAP and SMTP SSL Ports?  Typically clients today favor the standard ports and using TLS, so you may also be able to close the SSL specific ports.

    Is the ODMR (366) port being used?  If it is being used to allow users to send mail on an alternate SMTP port, transition users to the MSA port (587).  You can't turn off ODMR in MDaemon, but you can stop allowing the traffic on that port at your firewall.  If you are not using it at all, then don't allow the traffic from the firewall.

    But my question was not if we can have something like that, rather what can I do more to use existing resources to enhance security. 

    Enable password policies in MDaemon to force users to use strong passwords and force them to change their passwords.  If you are still using the option in MDaemon to store passwords in the userlist.dat file, turn on the option to store passwords securely. Accounts / Account Settings / Passwords, Store mailbox passwords using Non-Reversible Encryption.   

    Enable the option to check 3rd party databases for compromised passwords.   Accounts / Account Settings / Passwords, Do not allow passwords found in third party compromised password lists. 

    Use App Passwords. 

    If users are using webmail, force them to use two factor authentication.

    If you do not have a need for Remote Administration access from the internet, close the ports at the firewall and only allow traffic from the LAN to Remote Administration.  If you want to allow Remote Administration access from the internet, restrict user access as much as possible and force all Administrators  to use 2 factor authentication.

    Force the use of SSL and TLS all the time.  

    - AV scanning/realtime protection to exclude only folders processed by MDaemon and therefore protected by Ikarus/ClamAV. So not complete \MDaemon folder but rather (for example) subfolders

     We recommend excluding the entire MDaemon directory structure.  MDaemon expects to have full control of all files in its directory structure, even the EXEs and DLLs. If you don't, it can result in unexpected behavior. For example, if you have a 3rd party AV engine scanning and it decides something that MDaemon.exe is doing looks malicious, it might stop the process and quarantine the EXE, which will ultimately result in your mail server not functioning.  If the 3rd party AV engine tries to quarantine the IKARUS EXE or DLL after IKARUS has updated itself and prevents MDaemon from starting its AV scanning, you could be left with a running mail server that can't process any mail.


  • Are there any services in MDaemon that are running and that you have ports open for that you are not using?

    XMPP and Minger, POP3 is on its way out, but couple of old clients are still using it. RemoteAdmin is on 1443.

    Is anyone using the IMAP and SMTP SSL Ports?

    Yes, small percentage of users. Thunderbird forces these ports (465/993) for SSL/TLS connection security, I've been told.

    Is the ODMR (366) port being used?

    No

    Enable password policies in MDaemon to force users to use strong passwords...

    Done, by syncing with AD

    If users are using webmail, force them to use two factor authentication

    Cannot do this, this would get me cancelled 😬
    But the rest of these are implemented

    We recommend excluding the entire MDaemon directory structure

    Yes, Symantec endpoint on the email server has been set up that way

    From my answers, I guess, I could remove couple of exempted ports (366, 4068 and 8389) and try to implement 2FA for webmail.
    The problem is, that would not change anything regarding most (if not all) of the attempts in the picture above. If you look at it more closely, first column (CM) -> Destination port, it is 25 or 80 or 443, nothing else. And I cannot block 80/443.
    Attempts are being made using different techniques, various connection URLs/paths. Non-firewall Symantec components sometimes recognize them as malicious and block them, even though they have been made using an excluded port.
    Sometimes it doesn't. This is what I'm worried about.


  • You are correct, it would not change anything in regards to the requests being logged by your firewall, but it will make your server more secure. Even if those requests are allowed through your firewall though, the webserver will accept them and respond with the correct HTTP error.  Have you looked at IIS to see if it will allow you the extra control you are looking for?


  • Have you looked at IIS

    Not for a while.
    Quite a few MD versions ago we were looking into that, but (don't really remember why) decided not to implement.
    Looking into the Web Server Exclusions page, I see that MS requires quite a few exclusions as well, including the complete wwwroot folder. Looks to me like substituting one set of issues with another. Combined with the "not supported by MD Support Team" note on your KB page, it does not look promising to me.
    Do you think switching to IIS would make a worthwhile difference?


  • Running under IIS definitely gives you more control, but with more control comes the possibility of more issues.  IIS does have the ability to disallow certain requests, so you would be able to detect the requests and disallow them, but you would have to create the rules.

    It would also allow you to run Remote Administration and Webmail on the same ports, so you could close the Remote Administration ports on the firewall.

    Whether it's worth the extra effort, I'm not sure.

