This article applies to:

• Trustwave MailMarshal (SEG)
• Trustwave ECM/MailMarshal Exchange

Question:

How do Multiple Virus Scanners work with SEG or ECM?

Symptoms:

• I can't tell if all my virus scanners are working properly.
• I am using two antivirus scanners, but only one seems to be working.
• My AV scanners do not both seem to be working properly.

Procedure:

The process when running two virus scanners is not always obvious when you look at the log files. SEG or ECM uses the following process when scanning with more than one virus scanner:

• The product unpacks the message into its individual components into an Unpacking folder. The Unpacking folder then contains the original email message file (*.mml) and all the unpacked components, including header, body, and any objects extracted from zip or archive files.
• The first designated virus scanner, for example Sophos, scans the Unpacking folder for viruses.
• If the first scanner does not detect a virus, the second virus scanner scans the entire contents of the Unpacking folder.
• If either scanner detects a virus, the product now knows there is a virus, but cannot detect which component of the message is infected.
• To identify the infected component, both scanners scan each unpacked component of the message, starting with the highest-level component, the *.mml file.
• Both virus scanners scan each email component based on the order you specify the scanners in the Configurator. This allows SEG or ECM to determine exactly which component of the message is infected and take appropriate action.

Occasionally, a virus scanner is capable of detecting a virus in the *.mml file (i.e. the message in its raw format). This will occur if the virus scanner is capable of scanning email message files directly. This could explain why the second virus scanner in the list triggered, but the first one did not. The first scanner was unable to detect the virus directly in the *.mml file, but the second scanner did find the virus in the *.mml. The first scanner would have detected the virus when it scanned the unpacked, infected component. However, the second scanner detected the virus in the *.mml beforehand, the first scanner appears to have failed to detect the virus. This may lead you to believe there is a problem with the first virus scanner, when in fact there is not.

One example is scanning with both Sophos and McAfee antivirus products and detecting the BadTrans Virus. In this example, Sophos scans the Unpacking folder and detects a virus. SEG then calls Sophos to scan the *.mml file, but Sophos does not detect a virus in the *.mml file. SEG calls McAfee to scan the components. This product detects the virus in the *.mml file. The log reports McAfee detecting the virus, when in fact both scanners detected the virus, but the McAfee product identified the infected component first.

In another example, assume you are using Sophos and McAfee to detect the Eicar Test Virus supplied by SEG for testing purposes. In this example, Sophos scans the message and finds a virus. SEG then call Sophos to scan the *.mml file. Sophos does not detect a virus in the *.mml file. The McAfee product also does not detect the virus in the *.mml file. However, when Sophos scans the attached eicar.com file, Sophos detects the attached file that contains the virus. Therefore, the log file reports Sophos as finding the virus.
 
Many virus scanners cannot detect viruses in the *.mml file and depend on the calling application (SEG or ECM) to first unpack the email into its components before they can detect a virus.  Some virus scanners can detect some viruses in the *.mml format file, depending on the virus. Most scanners detect the viruses while scanning the individual message components. So, in most cases the first virus scanner in the list reports the virus, however, sometimes the second virus scanner reports the infected component first.

This article was previously published as:

NETIQKB29504