Clamav question

Strator

Hi,

I have clamav and clamav-exim installed via Custombuild 2.0 but I am seeing a lot of viruses coming through anyway. Clamav seems to be up and running, but at least I'd like to see if it's actually working when mails come in. The exim log says nothing about clamav, however, and turning on the logs in the clamav configuration file only seems to log operations like database updates, but not the actual virus checking.

Does anybody know how I can troubleshoot this? Thanks!
 
Are you sure you also used ./build exim_conf after that (and be sure that the option is enabled in options.conf)?

If not, CB would not edit your exim.conf (or in this case rewrite it with the latest version) with the needed modifications for ClamAV integration.

If you don't want to use CB, you need to open /etc/exim.conf and edit the clamav (or clamd) related part manually.

Then restart exim :)

Regards
 
exim.conf has both...

.include_if_exists /etc/exim.clamav.load.conf

...and...

check_message:
.include_if_exists /etc/exim.clamav.conf
accept

...so I am assuming ClamAV integration is set up correctly?
 
It should be, yes; the strange part is that you are receiving viruses...

Check if clamav is running, and check if it is listening on the right port or via socket from the configuration, or with:
netstat -ant | grep 3310

Because exim should use the network port with: av_scanner = clamd:127.0.0.1 3310

Regards
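To check that clamd on 127.0.0.1:3310 is not merely listening but actually scanning what it receives, independently of exim, here is an added example (not from the thread) that speaks clamd's INSTREAM protocol directly. The host, port and chunk size are assumptions matching the av_scanner line above, and the EICAR test string is the standard harmless detection test, not a real sample.

```python
import socket
import struct

# Assumed to match the thread's "av_scanner = clamd:127.0.0.1 3310"
CLAMD_HOST = "127.0.0.1"
CLAMD_PORT = 3310

# Standard EICAR test string: harmless, but every AV engine must flag it
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def instream_frames(data, chunk=2048):
    """Encode data for clamd's zINSTREAM command: each chunk is prefixed
    with its length as a 4-byte big-endian integer; a zero length ends it."""
    out = bytearray(b"zINSTREAM\0")
    for i in range(0, len(data), chunk):
        part = data[i:i + chunk]
        out += struct.pack("!I", len(part)) + part
    out += struct.pack("!I", 0)
    return bytes(out)


def parse_scan_reply(reply):
    """Parse a clamd reply such as b'stream: Eicar-Test-Signature FOUND\\0'.
    Returns (status, detail) with status OK, FOUND or ERROR."""
    text = reply.rstrip(b"\0\n").decode("utf-8", "replace")
    _, _, verdict = text.partition(": ")
    verdict = verdict or text  # error replies carry no "stream: " prefix
    if verdict == "OK":
        return "OK", None
    if verdict.endswith(" FOUND"):
        return "FOUND", verdict[:-len(" FOUND")]
    return "ERROR", verdict


def clamd_scan(data, host=CLAMD_HOST, port=CLAMD_PORT, timeout=30):
    """Stream data to clamd over TCP and return (status, detail)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(instream_frames(data))
        reply = b""
        while not reply.endswith(b"\0"):  # z-prefixed commands get NUL-terminated replies
            buf = s.recv(4096)
            if not buf:
                break
            reply += buf
    return parse_scan_reply(reply)


if __name__ == "__main__":
    # A working clamd must answer FOUND for EICAR and OK for plain text.
    print(clamd_scan(EICAR))
    print(clamd_scan(b"constructed clean sample"))
```

If EICAR comes back OK or the connection is refused, the problem is clamd itself (daemon, socket or signatures), not the exim integration; if it comes back FOUND while real mail is still passing, the engine simply lacks a signature for that sample.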
 
tcp 0 0 127.0.0.1:3310 0.0.0.0:* LISTEN

So I guess it's listening just fine, and the critters coming through are so exotic that Clamav doesn't recognize them. Oh well. Thanks for helping out!
 
It's strange... a virus should be noticed by the antivirus since it updates every day... are you sure you're not confusing it with spam?

Regards
 
Mails with .doc and .xls attachments are viruses to me, but of course I didn't open them to take a look. :)
 
Well yes, they should, but maybe it was cleaned...

You should read the email header to search for this line:

X-Antivirus-Scanner: Clean mail though you should still use an Antivirus

If this line is present, then clam has scanned the email and it should be clean; if a virus is present the mail gets refused. So check a valid mail header and check if you have this line.

Regards
 
Ah yes, that's a good idea. So the recent batch (four virus-loaded mails I received that made me start this thread) all have that line.

Just for the heck of it, I tried to save one of the attachments to my HD, and sure enough my home antivirus (Windows machine) intercepted it immediately. The payload is known as TrojanDownloader:O97M/Adnel, an MS Office macro virus - I received it Jan-15 and according to Microsoft it was first detected on Dec-11.

So I guess that answers the following questions:

Is antivirus working on my server: YES
Is antivirus working well on my server: NO
 
Well, the second one had to be: is antivirus up to date?

Try running freshclam to update your signatures and check if it is up to date or not; if not, you're probably missing the related crontab, or crontab itself isn't working.

Regards
 
Freshclam is running as a service. I turned on logging now, but it seems to work just fine.

Turns out there was also an update from Clamav 0.98.4 -> 0.98.5 available. I ran that, maybe that does the trick.
 
Hm, this makes no sense. This one came in just half an hour ago:

https://www.virustotal.com/en/file/...f5861cee657f9e1cce43bc2a7fed7d31e56/analysis/

EDIT: I misread the analysis. The green checkmark says that ClamAV does NOT recognize it. Which it doesn't.

To narrow the issue down, I've uploaded the virus I just got to the server, and scanned it manually. Here's the outcome:

clamscan -r -l scan.log /test
/test/fax#56357406.zip: OK

----------- SCAN SUMMARY -----------
Known viruses: 3733412
Engine version: 0.98.5
Scanned directories: 1
Scanned files: 1
Infected files: 0
Data scanned: 0.05 MB
Data read: 0.01 MB (ratio 6.00:1)
Time: 10.406 sec (0 m 10 s)
 
Here's the other one from Jan-15:

https://www.virustotal.com/en/file/...f211d8b57db447088e69d791b6f302b322d/analysis/

clamscan -r -l scan.log /test
/test/ADV4229ZH.doc: OK

----------- SCAN SUMMARY -----------
Known viruses: 3733412
Engine version: 0.98.5
Scanned directories: 1
Scanned files: 1
Infected files: 0
Data scanned: 0.07 MB
Data read: 0.04 MB (ratio 1.89:1)
Time: 9.219 sec (0 m 9 s)


So then I am taking it as confirmation that ClamAV is running and doing its best on my system - it's just sometimes not good enough. :rolleyes: EDIT: What you said.
 
I am having exactly the same issue. Do you have any suggestion? Any other tool to scan mails? My client is sometimes receiving many zip files containing js files.
 