1 (edited by rinze 2020-09-04 15:22:38)

Topic: Amavis does not detect virus/trojan horse

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 1.3.1 MARIADB edition.
- Deployed with iRedMail Easy or the downloadable installer? downloadable installer
- Linux/BSD distribution name and version:  CentOS 7
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? No
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

One of my customers complains that he received trojan horses in his e-mail.
His desktop antivirus has found the trojan horse.
/var/log/maillog says this about one of the e-mails:

Sep  1 20:30:51 mail02 amavis[26531]: (26531-10) Passed CLEAN {RelayedInbound}, [212.76.85.90]:59518 [31.166.126.163] <w.ibrahim@al-bustan.net> -> <client-email>, Queue-ID: 4BgwcR09jVzMvf2W, Message-ID: <CE8596ACA3E54B7FBE73DF53DB39F611.MAI@sw16.saharanet.com>, mail_id: RyLsHW1-pZTd, Hits: 0.103, size: 251574, queued_as: 4BgwcW11SGzMsRZT, 1961 ms, Tests: [HTML_MESSAGE=0.001,MIME_HTML_ONLY=0.1,SPF_HELO_NONE=0.001,SPF_NONE=0.001]
Sep  1 20:30:51 mail02 amavis[26531]: (26531-10) Passed CLEAN, <w.ibrahim@al-bustan.net> -> <client-email>, Hits: 0.103, tag=2, tag2=6.2, kill=6.9, queued_as: 4BgwcW11SGzMsRZT, L/0/0/0

Running clamscan manually over the file (clamscan --scan-mail=yes --phishing-sigs=yes --phishing-scan-urls=yes --heuristic-alerts=yes <file>), this is the output:

/var/vmail/vmail1/domain/path-to/Maildir/.Trash/cur/1598985051.M249203P702.mailserverFQDN,S=248925,W=252182:2,Sac: Doc.Downloader.Emotet-9621083-0 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 8793853
Engine version: 0.102.4
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.01 MB
Data read: 0.23 MB (ratio 0.05:1)
Time: 20.838 sec (0 m 20 s)

Why does amavis not take care of this threat?

2

Re: Amavis does not detect virus/trojan horse

Please show me output of commands below:

grep 'bypass_virus_checks_maps' /etc/amavisd/amavisd.conf

----

Buy me a cup of coffee ($5) to support iRedMail:

buy me a cup of coffee

3

Re: Amavis does not detect virus/trojan horse

This is the output:

# grep 'bypass_virus_checks_maps' /etc/amavisd/amavisd.conf
@bypass_virus_checks_maps = (0);
    #bypass_virus_checks_maps => [1],   # don't check virus
    bypass_virus_checks_maps => [1],    # don't check virus
    bypass_virus_checks_maps => [1],
    bypass_virus_checks_maps => [1],

4

Re: Amavis does not detect virus/trojan horse

For what it's worth, my 1.3.1 system returns the same output.

rinze wrote:

This is the output:

# grep 'bypass_virus_checks_maps' /etc/amavisd/amavisd.conf
@bypass_virus_checks_maps = (0);
    #bypass_virus_checks_maps => [1],   # don't check virus
    bypass_virus_checks_maps => [1],    # don't check virus
    bypass_virus_checks_maps => [1],
    bypass_virus_checks_maps => [1],

5

Re: Amavis does not detect virus/trojan horse

I would also like to know if this is correct.

6

Re: Amavis does not detect virus/trojan horse

Not sure why Amavisd got a different scan result through the clamav socket than the clamscan command did.

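A check that answers the socket-versus-command question directly is to push the same Maildir file through the clamd socket that amavisd talks to, using clamd's INSTREAM command, and print the daemon's VERSION next to it. The script below is an added example for this thread, not iRedMail or ClamAV code. Assumptions: the socket path is the EPEL clamd@scan default for /etc/clamd.d/scan.conf (check its LocalSocket line and adjust), and the EICAR string is the standard antivirus test file, embedded so the script can be tried without a live sample.

```python
"""Scan bytes through the clamd socket that amavisd uses (INSTREAM protocol).

Added example for this thread; not iRedMail or ClamAV code.
ASSUMPTION: the socket path below is the EPEL clamd@scan default for
/etc/clamd.d/scan.conf; check its LocalSocket line and adjust.
"""
import socket
import struct
import sys

CLAMD_SOCKET = "/var/run/clamd.scan/clamd.sock"   # assumption, see docstring
CHUNK = 64 * 1024                                  # INSTREAM chunk size

# Standard EICAR test string (constructed sample input, not malware) so the
# script can be exercised without a live Emotet sample.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def instream_frames(data: bytes, chunk: int = CHUNK) -> bytes:
    """Frame a payload for INSTREAM: each chunk is a 4-byte big-endian
    length followed by the bytes; a zero-length chunk ends the stream."""
    frames = bytearray()
    for i in range(0, len(data), chunk):
        part = data[i:i + chunk]
        frames += struct.pack("!I", len(part)) + part
    frames += struct.pack("!I", 0)
    return bytes(frames)


def parse_reply(reply: bytes):
    """Map clamd's reply to (status, detail):
    'stream: Doc.Downloader.Emotet-9621083-0 FOUND' -> ('FOUND', signature)
    'stream: OK'                                     -> ('OK', None)
    anything else, e.g. a StreamMaxLength error      -> ('ERROR', text)"""
    text = reply.rstrip(b"\0\n").decode("utf-8", "replace")
    head, sep, verdict = text.partition(": ")
    if not sep:
        verdict = head
    if verdict.endswith(" FOUND"):
        return "FOUND", verdict[: -len(" FOUND")]
    if verdict == "OK":
        return "OK", None
    return "ERROR", verdict


def clamd_command(cmd: bytes, payload: bytes = b"", path: str = CLAMD_SOCKET) -> bytes:
    """Send one 'z'-prefixed, NUL-terminated command (plus optional INSTREAM
    payload) over the UNIX socket and collect the NUL-terminated reply."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
        sock.settimeout(120)
        sock.connect(path)
        sock.sendall(b"z" + cmd + b"\0" + payload)
        buf = bytearray()
        while not buf.endswith(b"\0"):
            data = sock.recv(4096)
            if not data:
                break
            buf += data
    return bytes(buf)


def scan_bytes(data: bytes, path: str = CLAMD_SOCKET):
    """INSTREAM the payload to the daemon and return (status, detail)."""
    return parse_reply(clamd_command(b"INSTREAM", instream_frames(data), path))


def main(argv):
    # VERSION shows the engine and database version the daemon has loaded;
    # compare with `clamscan --version`, which loads the database from disk.
    print("clamd:", clamd_command(b"VERSION").rstrip(b"\0").decode())
    if len(argv) > 1:
        with open(argv[1], "rb") as fh:
            data = fh.read()
        label = argv[1]
    else:
        data, label = EICAR, "EICAR test string"
    status, detail = scan_bytes(data)
    print(f"{label}: {status}" + (f" ({detail})" if detail else ""))
    return {"OK": 0, "FOUND": 1}.get(status, 2)   # same exit codes as clamscan


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as root (or as the amavis user, which must be able to open the socket) with the Maildir file as the argument. amavisd normally has clamd scan the decoded MIME parts in its work directory rather than the raw message, so this is not a byte-for-byte replay of what amavisd did, but it separates the two sides: a FOUND here while amavisd logged "Passed CLEAN" points at the amavisd side (bypass maps, scanner entries), while an OK here points at the daemon's configuration or the database it has loaded.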

7

Re: Amavis does not detect virus/trojan horse

Is there some location where we can config the way emails get scanned?
More of my clients are starting to complain that they're receiving infected documents in emails.
Can I forward you such an email for example, so that you can test for yourself?

8 (edited by ramiroec 2020-09-19 01:08:51)

Re: Amavis does not detect virus/trojan horse

Today more viruses were detected by clamav, mail.log:

Sep 18 13:03:03 correo amavis[6441]: (06441-04) Blocked INFECTED (Doc.Dropper.Emotet-9761056-0) {DiscardedInbound,Quarantined}, [x.x.x.x]:33189 [x.x.x.x] <sysop@rieder.net.py> -> , quarantine: SeFJFbLTEcWE, Queue-ID: CF365800061, Message-ID: <ae6e44995ec0022088c1fb74fc36c422@rieder.xxx.xx>, mail_id: SeFJFbLTEcWE, Hits: -, size: 216612, 104 ms
Sep 18 13:03:03 correo postfix/amavis/smtp[8688]: CF365800061: to=<@agc.xxx.xx>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.32, delays=0.2/0/0/0.11, dsn=2.7.0, status=sent (250 2.7.0 Ok, discarded, id=06441-04 - INFECTED: Doc.Dropper.Emotet-9761056-0)

9

Re: Amavis does not detect virus/trojan horse

ramiroec wrote:

Today more virus are detected by clamav, mail.log:

Sep 18 13:03:03 correo amavis[6441]: (06441-04) Blocked INFECTED (Doc.Dropper.Emotet-9761056-0) {DiscardedInbound,Quarantined}, [x.x.x.x]:33189 [x.x.x.x] <sysop@rieder.net.py> -> , quarantine: SeFJFbLTEcWE, Queue-ID: CF365800061, Message-ID: <ae6e44995ec0022088c1fb74fc36c422@rieder.xxx.xx>, mail_id: SeFJFbLTEcWE, Hits: -, size: 216612, 104 ms
Sep 18 13:03:03 correo postfix/amavis/smtp[8688]: CF365800061: to=<@agc.xxx.xx>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.32, delays=0.2/0/0/0.11, dsn=2.7.0, status=sent (250 2.7.0 Ok, discarded, id=06441-04 - INFECTED: Doc.Dropper.Emotet-9761056-0)

Have you changed any settings?

10

Re: Amavis does not detect virus/trojan horse

What kind of virus? Is it a Microsoft Word document?


11

Re: Amavis does not detect virus/trojan horse

In my case it was an Office document, containing scripts which would download the actual malware.

12

Re: Amavis does not detect virus/trojan horse

Make sure you have parameters below in clamav config file:

ScanOLE2 true
OLE2BlockMacros true


13

Re: Amavis does not detect virus/trojan horse

ZhangHuangbin wrote:

Make sure you have parameters below in clamav config file:

ScanOLE2 true
OLE2BlockMacros true

I've checked the file /etc/clamd.d/scan.conf and it seems that ScanOLE2 is already enabled (default value):

# This option enables scanning of OLE2 files, such as Microsoft Office
# documents and .msi files.
# If you turn off this option, the original files will still be scanned, but
# without additional processing.
# Default: yes
#ScanOLE2 yes

OLE2BlockMacros is not part of the scan.conf file?

14

Re: Amavis does not detect virus/trojan horse

rinze wrote:

OLE2BlockMacros is not part of the scan.conf file?

Add it manually, please.


15

Re: Amavis does not detect virus/trojan horse

I've added the setting.
How can I check if the setting is working?
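One way to check what the daemon is actually configured to do, and where that differs from the manual clamscan run in post 1, is to parse scan.conf and apply ClamAV's documented defaults to the options the file leaves commented out. The script below is an added example for this thread, not ClamAV or iRedMail code. Assumptions: the defaults and clamscan flag names in the table are taken from the ClamAV 0.102 clamd.conf(5) and clamscan(1) documentation; confirm them against the "# Default:" comments in your own scan.conf. The sample configuration is constructed to look like scan.conf after following the advice in post 14.

```python
"""Show which mail-scanning options a clamd.conf actually enables, and where
the daemon's configuration differs from a manual clamscan command line.

Added example for this thread; not ClamAV or iRedMail code.
ASSUMPTION: documented defaults and clamscan flag names below are from the
ClamAV 0.102 clamd.conf(5) / clamscan(1) docs; confirm against the
"# Default:" comments in your own scan.conf.
"""
import re
import sys

# (clamd.conf option, documented default, clamscan equivalent)
OPTIONS = [
    ("ScanMail",           True,  "--scan-mail"),
    ("ScanOLE2",           True,  "--scan-ole2"),
    ("OLE2BlockMacros",    False, "--block-macros"),
    ("PhishingSignatures", True,  "--phishing-sigs"),
    ("PhishingScanURLs",   True,  "--phishing-scan-urls"),
    ("HeuristicAlerts",    True,  "--heuristic-alerts"),
]

# Constructed sample: scan.conf after adding OLE2BlockMacros as in post 14.
SAMPLE_CONF = """\
# This option enables scanning of OLE2 files, such as Microsoft Office
# Default: yes
#ScanOLE2 yes
OLE2BlockMacros yes
LocalSocket /var/run/clamd.scan/clamd.sock
"""

# The manual clamscan invocation from post 1.
MANUAL_FLAGS = ["--scan-mail=yes", "--phishing-sigs=yes",
                "--phishing-scan-urls=yes", "--heuristic-alerts=yes"]


def to_bool(value: str) -> bool:
    """clamd accepts yes/no, true/false and 1/0 for boolean options."""
    v = value.strip().lower()
    if v in ("yes", "true", "1"):
        return True
    if v in ("no", "false", "0"):
        return False
    raise ValueError(f"not a boolean: {value!r}")


def parse_clamd_conf(text: str) -> dict:
    """Active 'Option value' lines only; '#' lines (including the commented
    defaults quoted in post 13) do not count."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"^([A-Za-z0-9]+)\s+(.+)$", line)
        if line.startswith("#") or not m:
            continue
        conf[m.group(1)] = m.group(2).strip().strip('"')
    return conf


def effective_options(conf_text: str) -> dict:
    """Apply documented defaults for options the file does not set."""
    conf = parse_clamd_conf(conf_text)
    return {name: (to_bool(conf[name]) if name in conf else default)
            for name, default, _ in OPTIONS}


def parse_clamscan_flags(argv) -> dict:
    """'--scan-mail=yes' / '--scan-mail' -> {'--scan-mail': True}."""
    flags = {}
    for arg in argv:
        flag, _, value = arg.partition("=")
        if flag.startswith("--"):
            flags[flag] = to_bool(value or "yes")
    return flags


def differences(conf_text: str, clamscan_argv) -> dict:
    """{option: (daemon value, manual clamscan value)} where they differ.
    clamscan's built-in defaults are assumed to equal clamd's."""
    daemon = effective_options(conf_text)
    manual = parse_clamscan_flags(clamscan_argv)
    return {name: (daemon[name], manual.get(flag, default))
            for name, default, flag in OPTIONS
            if daemon[name] != manual.get(flag, default)}


def main(argv):
    path = argv[1] if len(argv) > 1 else "/etc/clamd.d/scan.conf"
    with open(path) as fh:
        text = fh.read()
    for name, value in effective_options(text).items():
        print(f"{name:20s} {'yes' if value else 'no'}")
    for name, (daemon, manual) in differences(text, argv[2:] or MANUAL_FLAGS).items():
        print(f"DIFF {name}: clamd={daemon} clamscan={manual}")


if __name__ == "__main__":
    main(sys.argv)
```

Run as `python3 clamd_conf_check.py /etc/clamd.d/scan.conf --scan-mail=yes ...` with the flags of your manual scan. The file only describes what clamd will load; the daemon has to be restarted for a change to take effect. Once OLE2BlockMacros is live, clamd reports any OLE2 document that contains VBA macros as Heuristics.OLE2.ContainsMacros, and amavisd treats that like any other virus hit, so expect legitimate macro-bearing documents to land in quarantine as well.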

16

Re: Amavis does not detect virus/trojan horse

It does not seem to work:

Sep 29 07:39:49 mail02 postfix/postscreen[32240]: CONNECT from [209.114.133.142]:50909 to [185.189.183.75]:25
Sep 29 07:39:55 mail02 postfix/postscreen[32240]: PASS NEW [209.114.133.142]:50909
Sep 29 07:39:55 mail02 postfix/smtpd[32243]: connect from smtp.expedient.net[209.114.133.142]
Sep 29 07:39:55 mail02 postfix/smtpd[32243]: 4C0pB36hzNzMvbnf: client=smtp.expedient.net[209.114.133.142]
Sep 29 07:39:56 mail02 postfix/cleanup[32255]: 4C0pB36hzNzMvbnf: message-id=<>
Sep 29 07:39:56 mail02 postfix/qmgr[1720]: 4C0pB36hzNzMvbnf: from=<milton.r.blount@newmountolivet.org>, size=248354, nrcpt=1 (queue active)
Sep 29 07:39:56 mail02 postfix/smtpd[32243]: disconnect from smtp.expedient.net[209.114.133.142]
Sep 29 07:39:56 mail02 clamd[2667]: SelfCheck: Database status OK.
Sep 29 07:40:04 mail02 postfix/10025/smtpd[32277]: connect from mail02.myfqdn.nl[127.0.0.1]
Sep 29 07:40:04 mail02 postfix/10025/smtpd[32277]: 4C0pBD47S3zMvbng: client=mail02.myfqdn.nl[127.0.0.1]
Sep 29 07:40:04 mail02 postfix/cleanup[32255]: 4C0pBD47S3zMvbng: message-id=<4C0pBD47S3zMvbng@mail02.myfqdn.nl>
Sep 29 07:40:04 mail02 postfix/qmgr[1720]: 4C0pBD47S3zMvbng: from=<milton.r.blount@newmountolivet.org>, size=249262, nrcpt=1 (queue active)
Sep 29 07:40:04 mail02 postfix/10025/smtpd[32277]: disconnect from mail02.myfqdn.nl[127.0.0.1]
Sep 29 07:40:04 mail02 amavis[2676]: (02676-05) Passed CLEAN {RelayedInbound}, [209.114.133.142]:50909 [49.251.176.234] <milton.r.blount@newmountolivet.org> -> <client email>, Queue-ID: 4C0pB36hzNzMvbnf, mail_id: SaMMBeggX4qq, Hits: 2.773, size: 248354, queued_as: 4C0pBD47S3zMvbng, 8073 ms, Tests: [HTML_MESSAGE=0.001,MIME_HTML_ONLY=0.1,MISSING_MID=0.14,RCVD_IN_BL_SPAMCOP_NET=1.246,RCVD_IN_RP_RNBL=1.284,SPF_HELO_NONE=0.001,SPF_NONE=0.001]
Sep 29 07:40:04 mail02 amavis[2676]: (02676-05) Passed CLEAN, <milton.r.blount@newmountolivet.org> -> <client email>, Hits: 2.773, tag=2, tag2=3.5, kill=6.9, queued_as: 4C0pBD47S3zMvbng, L/Y/0/0
Sep 29 07:40:04 mail02 postfix/amavis/smtp[32260]: 4C0pB36hzNzMvbnf: to=<client email>, relay=127.0.0.1[127.0.0.1]:10024, delay=8.9, delays=0.77/0.01/0/8.1, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 4C0pBD47S3zMvbng)
Sep 29 07:40:04 mail02 postfix/qmgr[1720]: 4C0pB36hzNzMvbnf: removed
Sep 29 07:40:04 mail02 postfix/pipe[32278]: 4C0pBD47S3zMvbng: to=<client email>, relay=dovecot, delay=0.1, delays=0.02/0.03/0/0.04, dsn=2.0.0, status=sent (delivered via dovecot service)
Sep 29 07:40:04 mail02 postfix/qmgr[1720]: 4C0pBD47S3zMvbng: removed

Anti virus scan:

# clamscan --scan-mail=yes --phishing-sigs=yes --phishing-scan-urls=yes --heuristic-alerts=yes 1601358004.M653976P32279.mail02.myfqdn.nl\,S\=246102\,W\=249344\:2\,Sa

/var/vmail/vmail1/<client>/Maildir/.Trash/cur/1601358004.M653976P32279.mail02.myfqdn.nl,S=246102,W=249344:2,Sa: Doc.Malware.Generic-9769001-0 FOUND
/var/vmail/vmail1/<client>/Maildir/.Trash/cur/1601358004.M653976P32279.mail02.myfqdn.nl,S=246102,W=249344:2,Sa: Doc.Malware.Emotet-9768661-0 FOUND
/var/vmail/vmail1/<client>/Maildir/.Trash/cur/1601358004.M653976P32279.mail02.myfqdn.nl,S=246102,W=249344:2,Sa: Doc.Malware.Emotet-9768660-0 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 8915349
Engine version: 0.102.4
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.00 MB
Data read: 0.23 MB (ratio 0.02:1)
Time: 25.035 sec (0 m 25 s)

17

Re: Amavis does not detect virus/trojan horse

Does restarting clamav service help?


18 (edited by rinze 2020-10-04 23:06:40)

Re: Amavis does not detect virus/trojan horse

ZhangHuangbin wrote:

Does restarting clamav service help?

No, it does not seem to help.
After editing the settings, I restarted the clamav service, but it doesn't help.

19

Re: Amavis does not detect virus/trojan horse

Any idea on how to proceed on this topic? Is there another place I can ask for help?

20

Re: Amavis does not detect virus/trojan horse

Did you try to add more clamav signature databases?

For example, add these lines in /etc/freshclam.conf (WARNING: adding more databases will require more RAM for ClamAV to handle them).

# Sanesecurity + Foxhole
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/junk.ndb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/jurlbl.ndb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/phish.ndb
#DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/rogue.ndb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/sanesecurity.ftm
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/sigwhitelist.ign2
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/scam.ndb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/spamimg.hdb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/spamattach.hdb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/blurl.ndb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/foxhole_generic.cdb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/foxhole_filename.cdb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/foxhole_js.cdb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/foxhole_js.ndb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/foxhole_all.cdb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/foxhole_all.ndb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/foxhole_mail.cdb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/malwarehash.hsb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/hackingteam.hsb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/badmacro.ndb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/shelter.ldb

# winnow
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/winnow_malware.hdb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/winnow_malware_links.ndb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/winnow_phish_complete_url.ndb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/winnow_extended_malware.hdb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/winnow.attachments.hdb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/winnow_bad_cw.hdb

# Malware.expert
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/malware.expert.hdb

# bofhland
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/bofhland_cracked_URL.ndb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/bofhland_malware_URL.ndb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/bofhland_phishing_URL.ndb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/bofhland_malware_attach.hdb

# Porcupine
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/porcupine.ndb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/phishtank.ndb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/porcupine.hsb

Then run "freshclam" to download these new databases and restart/reload clamav.


21

Re: Amavis does not detect virus/trojan horse

I did not try that (yet), but is it needed while the manual scan does find the infected files?
I guess that the current signature databases are ok then, or am I thinking wrong?

22

Re: Amavis does not detect virus/trojan horse

ZhangHuangbin wrote:

Did you try to add more clamav signature databases?

For example, add these lines in /etc/freshclam.conf ...

Where do I add this while using WebEasy? I found files, but all say "Don't touch..."

Greetings,
Peter

23

Re: Amavis does not detect virus/trojan horse

p.schumacher wrote:

Where do I add this while using WebEasy? I found files, but all say "Don't touch..."

Add them to /etc/freshclam.conf or /etc/clamav/freshclam.conf.

If your server was deployed with iRedMail Easy platform (https://www.iredmail.org/easy.html), freshclam.conf will be re-generated each time the clamav config files are updated.

You can test these extra databases first, if it works for you, we can work out a solution to support such customization.
