Antivirus feature not working?

#1 Thu, 10/22/2015 - 02:35
netizen

Hello,

I am using the GPL version and tried to test the antispam and antivirus features.
The antispam seems to be working, as in the incoming messages I see this in the headers:
---
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on myhost.mydomain.com*
X-Spam-Level:
X-Spam-Status: No, score=-0.8 required=5.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,FREEMAIL_FROM,HTML_MESSAGE,RCVD_IN_DNSWL_LOW,RCVD_IN_MSPIKE_H3, RCVD_IN_MSPIKE_WL,SPF_PASS,TVD_SPACE_RATIO autolearn=ham autolearn_force=no version=3.4.0
---
* real host name changed

In the 'Spam and Antivirus Settings' I have:
SpamAssassin Client Program : spamc

Virus Scanning Program: Server scanner (clamdscan)

In the Virtualmin Configuration I have set the viruses to be 'Deleted'.

However, when sending the EICAR test virus string from a Gmail account, the recipient receives the email normally and there are no antivirus headers in the emails.

What am I doing wrong here?

Thu, 10/22/2015 - 19:46
Diabolico

"What am I doing wrong here?" Nothing. To put it simply, ClamAV is bad, almost useless, and testing this software I found out that it will not react to (too) many viruses. My advice is to google for something better or go for an external service if you expect a lot of emails. If you do not expect a large amount of emails, then leave it as it is and have a good AV installed on your PC.

You will be more secure if you are using RBLs like Spamhaus, Spamcop and Barracudacentral to prevent the majority of bad/hacked IPs or domains from even reaching your email (set to reject, not mark). Another good one is SORBS, but they are a little trigger-happy, to the point that most Gmail IPs are on their blacklist, so maybe not good to use them.

- I often come to the conclusion that my brain has too many tabs open. -
Failing at desktop publishing & graphic design since 1994.

Sat, 10/24/2015 - 04:39 (Reply to #2)
netizen

So basically, if this is the case, I should disable the Antivirus feature for all domains, right?

I have CentOS 7 and I think I am in the same boat as these guys here https://www.virtualmin.com/node/35862

...which is a matter of AV not working properly (under specific conditions). I did manage, for example, to catch an incoming EICAR (test virus) and the email was discarded (as it should be per settings). After the server reboot, however, it was not working.... :/

Sat, 10/24/2015 - 06:15
Diabolico

Well, I would not disable it, as something is better than nothing. There is another similar topic where I posted, so please check here if this helps you in any way: http://www.virtualmin.com/node/38363.

Sat, 10/24/2015 - 19:28
andreychek

ClamAV really should detect and delete viruses, including the eicar test virus.

I'll do some testing and see if I can reproduce the issue you're seeing.

-Eric

Sat, 10/24/2015 - 21:57
Diabolico

@Eric: When I was testing ClamAV it was hit or miss, including with EICAR. Some things would be detected but some of them not, and if I remember right an email containing EICAR was delivered without any problem.

OK, I just sent a new test email with an EICAR file and ClamAV didn't react. The first time I noticed this was on CentOS 6 and then CentOS 7; in both instances I didn't change any settings regarding AV.

Mon, 10/26/2015 - 21:34
Diabolico

@Eric: is there any way I can remove the ClamAV and SpamAssassin that come with Vmin and then manually install Amavisd-new + ClamAV + SpamAssassin? Will this work with Vmin, or could there be a problem?

Mon, 10/26/2015 - 22:23
andreychek

Noting that all this is without me testing it --

I have a suspicion that this could work... which distro/version are you using?

I'd imagine Amavis would be available in the repository for both Ubuntu and Debian.

You'd probably want to disable both ClamAV and SpamAssassin in the Virtualmin features, since that's something that Amavis can do, and would handle that prior to delivery.

I might suggest backing up your Postfix config prior to trying any of that, to make sure that none of that affects your email delivery (which should be done via procmail).

I feel like I should mention that you'd probably want to test that first on a non-live server, though I also suspect you know that :-)

-Eric

Tue, 10/27/2015 - 00:07
Diabolico

OS: CentOS 7

Amavis can be installed using EPEL (need to check this).

This part I'm not sure what to do about: is it enough to just disable ClamAV and SA, or should I uninstall them? I know how to remove both, but I don't know how they are delivered and connected with Vmin. I could remove them both and then find Vmin with a bunch of errors or, even worse, the errors will pop out at a later stage when triggered by something else. I'm not sure if I could just install Amavis and then connect all 3 together; plus, I think Amavis will automatically install SA.

Vmin is all the time on my test server (waiting to see new prices and compare with other CPs), but my intention is to move to another provider, as I'm not happy with the current one. Here is the problem: I made so many (manual) changes in the system that once I get the new server I will go part by part and copy all the changes. It will save me quite some time if I know what to do with ClamAV and SA before I start this process on the new server.

Something is not right with the ClamAV shipped with Vmin, and honestly it was never working great, even before when I was testing on CentOS 6. Now this topic just opens an old question and I would like to find an answer: is ClamAV so bad, or is something wrong with the ClamAV that comes with Vmin?

Wed, 10/28/2015 - 11:00
andreychek

I wouldn't suggest removing them, especially on CentOS. That could cause some dependency issues. If you no longer need them, I'd just disable them from starting up.

I'll do some testing though regarding ClamAV, as we hadn't received prior reports of issues. It could also be related to a particular ClamAV version, or a particular distro.

-Eric

Wed, 01/04/2017 - 07:39
gstlouis

Has there been any progress on understanding why ClamAV is not scanning mail properly?

Wed, 01/04/2017 - 11:41
Diabolico

Yes and no. I have come to the conclusion that ClamAV doesn't work properly and my previous statement "hit or miss" is still valid. My advice is:

Simple solution:

1.1) In main.cf add this:

### Reject virus spreading files
mime_header_checks = regexp:/etc/postfix/mime_header_checks

1.2) Create /etc/postfix/mime_header_checks file

1.3) Add to that file: /name=[^>]*.(ade|adp|app|application|asp|bas|bat|cer|chm|cmd|cnt|com|cpl|crt|csh|der|dll|docm|dotm|exe|fxp|gadget|grp|hlp|hpj|hta|inf|ins|isp|its|jar|js|jse|ksh|lnk|mad|maf|mag|mam|maq|mar|mas|mat|mau|mav|maw|mcf|mda|mdb|mde|mdt|mdw|mdz|msc|msh|msh1|msh1xml|msh2|msh2xml|mshxml|msi|msp|mst|ops|osd|pcd|pif|pl|plg|potm|ppam|ppsm|pptm|prf|prg|ps1|ps1xml|ps2|ps2xml|psc1|psc2|pst|reg|scf|scr|sct|shb|shs|sldm|tht|tmp|url|vb|vbe|vbp|vbs|vsmacros|vsw|ws|wsc|wsf|wsh|xbap|xlam|xlsm|xltm|xnk)/ REJECT

What kind of files you will allow or not is up to you, but if you are using email for normal communication you don't need any of these files. File types like .doc or .txt are allowed, as you can see.

Paid solution (best):

Use an external email service or external spam/virus checks like SpamExperts. This is the best solution to keep your system safe, because these kinds of services are quick to adapt and update their rules, but it isn't free. Now, if you wonder whether it is worth paying or not, it depends on how much value your business has.


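The following Python script is an added illustration of how the mime_header_checks entry above behaves; it is my own code, not from the thread, Virtualmin or Postfix. It emulates a one-entry Postfix regexp table (which matches case-insensitively by default) against a handful of constructed MIME headers, using the extension list exactly as posted. Beside the posted expression it also runs a tightened variant of my own (not from the thread) in which the dot before the extension is escaped and the extension has to be the last component of the file name. The samples include a .zip attachment, which neither expression catches, which is what the later question in this thread about .zip files is getting at.

```python
import re

# Extension list copied verbatim from the mime_header_checks entry posted above.
BLOCKED_EXTS = (
    "ade|adp|app|application|asp|bas|bat|cer|chm|cmd|cnt|com|cpl|crt|csh|der|dll|"
    "docm|dotm|exe|fxp|gadget|grp|hlp|hpj|hta|inf|ins|isp|its|jar|js|jse|ksh|lnk|"
    "mad|maf|mag|mam|maq|mar|mas|mat|mau|mav|maw|mcf|mda|mdb|mde|mdt|mdw|mdz|msc|"
    "msh|msh1|msh1xml|msh2|msh2xml|mshxml|msi|msp|mst|ops|osd|pcd|pif|pl|plg|potm|"
    "ppam|ppsm|pptm|prf|prg|ps1|ps1xml|ps2|ps2xml|psc1|psc2|pst|reg|scf|scr|sct|"
    "shb|shs|sldm|tht|tmp|url|vb|vbe|vbp|vbs|vsmacros|vsw|ws|wsc|wsf|wsh|xbap|"
    "xlam|xlsm|xltm|xnk"
)

# The expression exactly as posted. Postfix regexp tables match case-insensitively
# by default, hence re.IGNORECASE. Note the unescaped '.' (matches any character)
# and the missing anchor after the extension group.
POSTED_PATTERN = re.compile(r"name=[^>]*.(" + BLOCKED_EXTS + r")", re.IGNORECASE)

# Tightened variant (my suggestion, not from the thread): a literal dot, and the
# extension must be the last component of the file name, i.e. followed by a quote,
# a semicolon, whitespace or the end of the header line.
ANCHORED_PATTERN = re.compile(
    r"name=[^>]*\.(" + BLOCKED_EXTS + r")(?=[\"';\s]|$)", re.IGNORECASE
)


def check_mime_header(header, pattern=POSTED_PATTERN):
    """Emulate a one-entry regexp table: REJECT on match, otherwise the header
    passes and Postfix moves on to the next MIME header."""
    return "REJECT" if pattern.search(header) else "pass"


def check_message(mime_headers, pattern=POSTED_PATTERN):
    """mime_header_checks is applied to every MIME header of a message; a single
    REJECT is enough to refuse the whole message."""
    for header in mime_headers:
        if check_mime_header(header, pattern) == "REJECT":
            return "REJECT"
    return "pass"


# Constructed sample headers (not taken from the thread).
SAMPLES = {
    "exe attachment":          'Content-Disposition: attachment; filename="invoice.exe"',
    "double extension":        'Content-Type: application/octet-stream; name="invoice.pdf.exe"',
    "uppercase, no quotes":    'Content-Disposition: attachment; filename=Setup.EXE',
    "Office document":         'Content-Type: application/octet-stream; name="report.docx"',
    "zip (asked about below)": 'Content-Type: application/zip; name="invoice.zip"',
    "benign: myapp.txt":       'Content-Type: text/plain; name="myapp.txt"',
    "benign: plan.pdf":        'Content-Disposition: attachment; filename="quarterly.plan.pdf"',
}


def compare(samples=SAMPLES):
    """Return {label: (result with posted pattern, result with anchored pattern)}."""
    return {
        label: (check_mime_header(h, POSTED_PATTERN), check_mime_header(h, ANCHORED_PATTERN))
        for label, h in samples.items()
    }


if __name__ == "__main__":
    for label, (posted, anchored) in compare().items():
        print(f"{label:24} posted={posted:6} anchored={anchored}")
```

Running it shows the two benign samples being rejected by the posted expression: in "myapp.txt" the unescaped dot consumes the "y" and the group matches "app", and in "quarterly.plan.pdf" the group matches "pl" in the middle of the name. The anchored variant rejects the same executables (including the uppercase, unquoted one and the double extension) while letting those two through; neither expression touches the .zip, so archives need a separate decision.
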
Thu, 01/05/2017 - 10:23 (Reply to #12)
7stars

Maybe you mean "your customers' system..." ;-) It's really hard to infect your server by email content... unless you have an internal LAN with specific privileges... Sure, it is possible that some of your customers start to send spam from your server, but you also have rate limiting, may monitor the situation... you can suspend the account, warn the user and so on...

Thu, 01/05/2017 - 10:42
gstlouis

@Diabolico Thank you for your comments. I will try this when I can. This solution wouldn't catch any .exe (or other malicious exec) inside a .zip? I've started practicing sa-learn, sa-spam and ham, and SA has started catching some spam... but one it never catches is the spam with an invoice.zip file that has malicious stuff.

Actually, I just did clamscan in my dovecot .spam folder and it only reports 3 out of like a dozen of those zips that have malicious stuff...

I agree with a paid service on a big client box. I'm just a nerd who wants to know how to efficiently use open source services :)

Fri, 01/06/2017 - 00:27
Diabolico

@gstlouis: There was a solution for postfix to check inside ZIP folders, but there is no need for this. Actually, I would add ZIP|RAR and other extensions for compressed files to my previous list. Just think for a second: who would send you such files? Does your job require you to accept large files? I suppose not, so there is no real need to accept those files. I mean, what difference will it make if a JPEG or TXT or DOC file is compressed or not?

Don't make your life more complicated than it already is. I would understand if you are running postfix for many clients on the same server, but then you must pay for some external service, i.e. it isn't a choice anymore, you simply must have something more professional than ClamAV.

Sun, 01/08/2017 - 09:49
gstlouis

I agree. Furthermore, blocking compressed files still won't stop a virus-infected file with an extension of .pdf, for example. I'm just surprised to see that SA and ClamAV are not as sufficient as I thought they would be. I have the Spamhaus blocklist in my router weighing in and rewriting the subject to [SPAM], and it catches everything! I thought SA out of the box had these in its file list, but it doesn't catch it. Doing the sa-learn, however, has started to work in catching stuff.