SpamBlocker 4.1 and ClamAV

[LawsHosting]

Since a server's drive crashed, I'm nearly complete..... However, I have ClamAV installed, and when email is received, the exim logs state the clamd.sock:

malware acl condition: clamd: unable to connect to UNIX socket /var/run/clamd/clamd.sock (Permission denied)

# ls -l /var/run/clamd/

-rw-rw-r-- 1 root root 5 Jul 4 20:43 clamd.pid
srw-rw-rw- 1 root root 0 Jul 4 20:43 clamd.sock
-rw-rw---- 1 clamav clamav 4 Jul 4 19:10 freshclam.pid

Because it's owned by root?

What is the correct setting:

av_scanner = clamd:/var/run/clamd/clamd.sock

or

av_scanner = clamd:/var/run/clamd/clamd.sock:127.0.0.1 3310

The later worked pre-drive crash.

Thanks

 

[LawsHosting]

I know no-one probably hasn't encountered this issue, but will really like to know if the av_scanner directive should be socket:iport or just socket.

Thanks.


NB. ClamAV was installed with CB1.2

 

[Arieh]

Using CB 2.0, it created this for me

av_scanner = clamd:127.0.0.1 3310

It also says this on http://help.directadmin.com/item.php?id=370

 

[LawsHosting]

Ok, I'll try that when server is less busy.

Although there seems to conflicting statements, SB4.+ states the socket while that help article states iport

 

[SeLLeRoNe]

I do have this in SB4.1

#EDIT#2-CLAMAV:
av_scanner = clamd:127.0.0.1 3310


Regards

 

[LawsHosting]

Working now

1Uvzc1-0007Js-CU H=xxxxxx.laws-hosting.co.uk ([127.0.0.1]) [] F=<[email protected]> rejected after DATA: This message contains a virus or other harmful content (virus_in_message:Sanesecurity.TestSig_Type3_Bdy.4.UNOFFICIAL)

 

[nobaloney]

The code you need obviously depends on how ClamAV is installed. When I wrote SpamBlocker4 there wasn't any standard. There is now, and in the future my code will be written to it.

Jeff

 

[zEitEr]

I know no-one probably hasn't encountered this issue, but will really like to know if the av_scanner directive should be socket:iport or just socket.

As far as I know it depends on whether you install ClamAv with custombuild or from package system of your OS. In some cases you've got a socket used by default in another cases TCP port.

The custombuild script has the following code:

                perl -pi -e 's|Example|#Example|' /etc/clamd.conf
                perl -pi -e 's|#PidFile /var/run/clamd.pid|PidFile /var/run/clamd/clamd.pid|' /etc/clamd.conf
                perl -pi -e 's|#TCPSocket 3310|TCPSocket 3310|' /etc/clamd.conf
                perl -pi -e 's|#TCPAddr 127.0.0.1|TCPAddr 127.0.0.1|' /etc/clamd.conf
                perl -pi -e 's|#LocalSocket /tmp/clamd.socket|LocalSocket /tmp/clamd.socket|' /etc/clamd.conf

so it makes clamav to use sockets.

 

[LawsHosting]

so it makes clamav to use sockets.

That's what I thought, just maybe not for exim?

 

[SeLLeRoNe]

Well no, it make use both apparently

Regards

 

[SeLLeRoNe]

You can either use the socket, but the path you wrote in first post is wrong, the path looking at that code should be /tmp/clamd.socket

Regards

 

[LawsHosting]

You can either use the socket, but the path you wrote in first post is wrong, the path looking at that code should be /tmp/clamd.socket

If you see, I changed the "LocalSocket" to be in /var/run/clamd/, maybe that's why it complains then

 

[LawsHosting]

X-Antivirus-Scanner: Seems clean. You should still use an Antivirus Scanner
X-Antispam: clean, score=64
X-Antispam-Debug: 64,4,10726,,0,neutral,,0,fn,,0:0:0X-Antivirus: avast! (VPS 130709-2, 09/07/2013), Inbound message
X-Antivirus-Status: Infected
X-Attachment: Photo_10.07.2013_3636981038.zip#2558618164|>Photo_10.07.2013_7689054433.JPG.exe Virus: Win32:Evo-gen [Susp] Deleted

What, how did that get through as clean? ClamAV failing to scan zip files?

Found this http://community.spiceworks.com/topic/289185-clamav-not-scanning-zip-files


Edit:


ScanArchive yes was commented out but the default is YES (according to the man page).

 

[zEitEr]

And what is the size of the attachment?

 

[LawsHosting]

Avast swiped it instantly... If I get more, I'll use webmail to check.

 

[LawsHosting]

26k in size...

 

[zEitEr]

You might want to run this in a root shell:

exigrep MessageID /var/log/exim/mainlog

to get related lines from the logs. It might give some clues.

 

[LawsHosting]

nothing stands out

1UwqUV-0003Bs-Oy demime acl condition: base64 line contains illegal character1UwqUV-0003Bs-Oy <= sacramentowrq27 @ vodafone.co.uk H=(inetia.pl) [81.219.156.5] P=esmtp S=28530 [email protected] T="mms Wed, 10 Jul 2013 10:14:56 +0100" from <[email protected]> for sales@xxxx
1UwqUV-0003Bs-Oy => sales <sales@xxxx> F=<sacramentowrq27 @ vodafone.co.uk> R=spamcheck_director T=spamcheck S=28914
2013-07-10 10:15:18 1UwqUV-0003Bs-Oy Completed

 

[zEitEr]

That might be a clue, so you might need to google it, as I'm not sure why it happens:

demime acl condition: base64 line contains illegal character

 

[LawsHosting]

Well, a few results tell me that (it could be) a MIME issue:

I'm figuring that this virus (blah) has deliberately broken it's mime encoding and Exim has been unable to extract the file to pass to ClamAV. Does this sound right?

from http://lists.debian.org/debian-user/2004/08/msg00189.html

So, if the attachment has (deliberately) a broken mime, shouldn't Exim check that? If so, discard it? Of course, depends if the exim.conf has that check.