For some time now, I used a standard AMAVis setup with ClamAV and F-Prot as virus scanners for all the mail servers I administer. But with the recent waves of infected mails spreading Locky and similar payloads, this wasn't sufficient anymore: the time until new definitions are available is just too long to catch enough mails.
So I have written AmavisVT, a virus scanner using the Virustotal API to identify infected mails. When AmavisVT scans a mail, it computes the hash of the MIME parts and sends them to the file scan report API endpoint. Based on the result, the mail will be flagged as infected.
In the last few months, AmavisVT has caught thousands of infected mails based on over 4000 unique hashes for me. Please note that AmavisVT isn't a silver bullet when it comes to detection rate: if an infected MIME part of a mail hasn't been scanned in Virustotal yet, the mail won't be marked as infected. So you will most likely miss the start of a new wave and deliver infected mails to your users. However, the time until new samples are scanned (and flagged by scanners) in Virustotal is good enough for me to have AmavisVT deployed alongside the other scanners on all my mail servers.
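The hash-and-lookup flow described above, including the "not scanned yet" gap, as an added sketch that is not AmavisVT's own code. It assumes SHA-256 over the decoded part and a v2-style report carrying `response_code` and `positives`; the function names, the injected `lookup` callable and the sample mail are constructed for illustration.

```python
import hashlib
from email import message_from_bytes

# Constructed sample mail: a text body plus one attachment with harmless bytes.
SAMPLE_MAIL = (
    b"From: a@example.org\r\nTo: b@example.org\r\nSubject: invoice\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="XX"\r\n\r\n'
    b"--XX\r\nContent-Type: text/plain\r\n\r\nsee attachment\r\n"
    b"--XX\r\nContent-Type: application/octet-stream\r\n"
    b'Content-Disposition: attachment; filename="invoice.doc"\r\n'
    b"Content-Transfer-Encoding: base64\r\n\r\n"
    b"Y29uc3RydWN0ZWQtc2FtcGxl\r\n"
    b"--XX--\r\n"
)

def part_hashes(raw_mail):
    """Return (filename, sha256) for each leaf MIME part, hashed after
    transfer decoding so the digest matches the file itself."""
    out = []
    for part in message_from_bytes(raw_mail).walk():
        if part.is_multipart():
            continue  # containers carry no content of their own
        payload = part.get_payload(decode=True) or b""
        name = part.get_filename() or "(body)"
        out.append((name, hashlib.sha256(payload).hexdigest()))
    return out

def classify(report, min_positives=1):
    """Map a report dict to 'infected', 'clean' or 'unknown'."""
    if not report or report.get("response_code") != 1:
        return "unknown"  # hash not in the database yet: nothing to act on
    hits = report.get("positives", 0)
    return "infected" if hits >= min_positives else "clean"

def scan_mail(raw_mail, lookup):
    """lookup(sha256) -> report dict; injected so the sketch runs offline.
    A mail is flagged only when at least one part is known and detected."""
    results = [(n, h, classify(lookup(h))) for n, h in part_hashes(raw_mail)]
    flagged = any(state == "infected" for _, _, state in results)
    return ("infected" if flagged else "pass"), results
```

An "unknown" result passes the mail, which is why a lookup like this only complements the signature scanners and does not replace them.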