Virus scanning not working at all.

#1 Fri, 07/06/2007 - 19:44
MedWheel

Hello again,

I'm running VM 3.42 (Saw that 3.43 will be out soon) and after a brief virus stunt I decided to check the server to make sure Postfix wasn't passing them through. I logged on to the webmail interface and sent myself an attachment including the eicar test string virus. To my surprise I received it... I rechecked the configuration and virus scanning was enabled there, so now I'm at a little bit of a loss. My first thought was to go look up a guide on how to enable clamAV scanning with Postfix but I thought the forums here would be a better place to start.

Is there anything I can do/check on the server before I dig in to another hole and possibly muck things up?

Thanks, Erik

Fri, 07/06/2007 - 23:16
Joe

Hey Erik,

What's in the maillog when you send yourself a message? Is it being processed via procmail, or delivered directly?

Just searching for clamav+postfix isn't going to be terribly useful, as there are dozens of ways to configure it (three or four good ones, and twice that many bizarre and overly complex ways), and our way probably isn't the most popular (but it is extremely flexible, and has relatively good performance). So, your instincts to ask here are spot on. ;-)

--

Check out the forum guidelines!

Sat, 07/07/2007 - 01:10 (Reply to #2)
MedWheel

Looks like procmail, from the log: (delivered to command: /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME)

Mon, 07/09/2007 - 21:57 (Reply to #3)
MedWheel

Update: It appears that Virtualmin is not adding the entries when it says it is. I enabled virus/spam scanning, then removed it, and below is my outcome. Spam scanning, on the other hand, is working great, just not the virus stuff. Can you point me in the right direction for creating the rules manually, or, even better, point me to something that will enable scanning on a global level?

[code:1]Turning off spam filtering ..
.. done
Turning off virus filtering ..
.. Procmail entry not found.
Updating Webmin user ..
.. done
Saving server details ..
.. done
Re-loading Webmin ..
.. done
[/code:1]

Tue, 07/10/2007 - 20:20 (Reply to #4)
Joe

Hey Erik,

Sorry for the slow reply. Been offline all weekend due to Google WiFi being down (and ComCast won't install cable on the weekend either).

Looks like a bug. I'll ask Jamie to check up on this thread.

BTW-Does the problem persist in 3.43 after a disable/enable cycle? (I don't think there were any procmail/clam/spam changes in 3.43, but it may be something that has been fixed since your account was created.)


Tue, 07/10/2007 - 21:41 (Reply to #5)
MedWheel

Hi Joe thanks for the reply,

No worries on the slow replies, I'm getting them and that's all I really care about. :)

I've got version 3.42 still, did you release 3.43 pro yet? I'm not seeing it in my update list.

But yes, in 3.42 I did try about 5 times toggling the filtering on and off. The result was that above. I also dug around the server and found where all the domains' procmail configurations live and compared the broken domain with one I know to be working via the test virus. Both looked identical. My next step would be to copy the working domain's procmail file to the other, but I wanted to wait for you before I started overwriting files.

The domain that's having problems is our largest with 600+ email boxes, would that be part of the problem? I've tried both ways to configure it as well, per server and per box and both give the same results.

Wed, 07/11/2007 - 23:34 (Reply to #6)
MedWheel

Hey Jamie,

After fooling with everything I believe I've got it working. Something I hadn't tried before was toggling the configuration of the scanner from the standalone to the server setting making it use clamdscan, I verified that via the domain procmail file. Previously I was toggling this setting in the system configuration for Virtualmin and not the actual domain so I don't think it was doing me any good.

I did your tests and clamdscan was the faster of the two, I think that is where my problem was as well. Using the standalone clamscan for scanning that many boxes must have been too much for it to handle so it was passing some through. Who knows.

Thank you both for your help and the education on the procmail portion of Virtualmin.

Cheers,
Erik

Thu, 08/30/2007 - 02:23 (Reply to #7)
jpenix

Wait, you say that you can update the clamscan/clamdscan choice for multiple domains using the Update Selected functionality on the List Virtual Servers page?? How?

I tried to do this but the clamdscan option doesn't appear anywhere on the list.

Thu, 08/30/2007 - 02:39 (Reply to #8)
Joe

Oops, I was incorrect .. even though it would make sense, I haven't implemented that function yet!

The other way to do it is from the command line. Log in as root, and run:

/usr/libexec/webmin/virtual-server/modify-spam.pl --all-domains --use-clamdscan


Tue, 07/10/2007 - 22:13
Joe

Hi Erik,

I can think of a couple of things to check :

1) In the /etc/webmin/virtual-server/procmail directory, there is one file for each domain which is named based on the domain's ID (a number like 11730502021324). If you look at the file for the problem domain, does it have a call to clamscan in it?

2) Is clamscan or clamdscan actually working? Find out which command is being used in that file, and then run :

clamscan - </etc/hosts

It should report no viruses found. Then save off a virus-laden email to a file, and try running clamscan or clamdscan on that file too.

Also, the message about no virus filtering procmail entry being found is not a problem - it just means that it was already removed when the SpamAssassin procmail entries were.

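The two checks described in the post above, as an added shell example that is not part of the original thread and is not Virtualmin's own code: it lists which scanner each per-domain procmail file calls and maps the scanner's exit status to a verdict. The function names are hypothetical, and the audit assumes only that a recipe invokes the scanner on a non-comment line that names clamscan or clamdscan.

```shell
#!/bin/sh
# Added example, not Virtualmin code. Function names are hypothetical.
# The directory is the one named in the post; a recipe is recognised only by
# a non-comment line that names clamscan or clamdscan.
PROCMAIL_DIR="${PROCMAIL_DIR:-/etc/webmin/virtual-server/procmail}"

# Print the scanner a procmail file calls: clamdscan, clamscan or none.
scanner_in_file() {
    found=$(grep -v '^[[:space:]]*#' "$1" | grep -oE 'clamd?scan' | head -n 1)
    echo "${found:-none}"
}

# Print "<domain-id> <scanner>" per file; return 1 if any domain has none.
audit_procmail_dir() {
    dir="${1:-$PROCMAIL_DIR}"
    missing=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        s=$(scanner_in_file "$f")
        echo "$(basename "$f") $s"
        if [ "$s" = none ]; then missing=1; fi
    done
    return "$missing"
}

# Feed FILE to the scanner on stdin, as in "clamscan - </etc/hosts", and map
# ClamAV's exit codes: 0 = clean, 1 = virus found, anything else = error.
scanner_verdict() {
    status=0
    "$1" - <"$2" >/dev/null 2>&1 || status=$?
    case "$status" in
        0) echo clean ;;
        1) echo infected ;;
        *) echo error ;;
    esac
}

# Stand-alone use: ./audit.sh audit   (run as root on the mail server)
if [ "${1:-}" = audit ]; then
    audit_procmail_dir || echo "WARNING: at least one domain has no scanner call" >&2
fi
```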

Wed, 07/11/2007 - 23:41
Joe

Yeah, I definitely recommend the use of clamdscan where possible - it is so much faster and easier on RAM usage. Once you have clamd running, Virtualmin can switch to it on a per-domain basis using the Spam and Virus Delivery page linked from the left menu. Or you can update all domains at once using the List Virtual Servers page and the Update Selected button.

The default for new domains can be set on the Module Config page in the Spam filtering options section.


Thu, 08/30/2007 - 02:58
jpenix

Hah, command line is even better! That's beautiful, I had no idea that option was there. Thanks.

Thu, 08/30/2007 - 10:33 (Reply to #12)
Joe

> Hah, command line is even better!

Note that everything in the UI is available from the command line and remote APIs (mobile, too!). Jamie's crazy with the multiple interfaces.


Thu, 08/30/2007 - 18:42
Joe

Oh, and the next release of Virtualmin (3.46) will include an option on the mass domain updates page to change the virus scanner.
