1 Topic by srd2010

  • srd2010
  • Member
  • Offline
  • Registered: 2013-08-06
  • Posts: 37

Topic: amavis / ClamAV not detecting eicar - Mail passes with clean

==== Required information ====
- iRedMail version (check /etc/iredmail-release): 0.9.7
- Linux/BSD distribution name and version: Debian 7
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx): Apache
- Manage mail accounts with iRedAdmin-Pro? Yes
====

Hi,

we just ran into the situation, that amavis/clamav is not detecting an eicar attachment.
Checking the same file with clamd gives infected warning.

Here's a sample result from the mail.log:

Sep 23 17:39:05 mx amavis[3659]: (03659-08) run_av Using (ClamAV-clamd): (code) CONTSCAN /var/lib/amavis/tmp/amavis-20170923T173545-03659-R2GoIDFG/parts\n
Sep 23 17:39:05 mx amavis[3659]: (03659-08) get_deadline run_av_3 - deadline in 479.9 s, set to 336.000 s
Sep 23 17:39:05 mx amavis[3659]: (03659-08) prolong_timer run_av_3: timer 336, was 336, deadline in 479.9 s
Sep 23 17:39:05 mx amavis[3659]: (03659-08) run_av (ClamAV-clamd) result: /var/lib/amavis/tmp/amavis-20170923T173545-03659-R2GoIDFG/parts: OK\n
Sep 23 17:39:05 mx amavis[3659]: (03659-08) run_av (ClamAV-clamd): CLEAN
Sep 23 17:39:05 mx amavis[3659]: (03659-08) run_av (ClamAV-clamd) result: clean


Thanks for your help.

Greets,
Frank

----

Spider Email Archiver: On-Premises, lightweight email archiving software developed by iRedMail team. Supports Amazon S3 compatible storage and custom branding.

2 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 31,163

Re: amavis / ClamAV not detecting eicar - Mail passes with clean

Try this:

*) Append unofficial signature databases in /etc/clamav/freshclam.conf (file location may be different on your server)

DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/foxhole_generic.cdb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/foxhole_filename.cdb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/foxhole_js.cdb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/foxhole_js.ndb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/foxhole_all.cdb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/foxhole_all.ndb
DatabaseCustomURL http://ftp.swin.edu.au/sanesecurity/foxhole_mail.cdb

*) Run command 'freshclam'.
*) Restart clamav service.
*) Send one testing email with a eicar attachment. You can download a sample eicar file here: http://www.eicar.org/85-0-Download.html

3 Reply by srd2010

  • srd2010
  • Member
  • Offline
  • Registered: 2013-08-06
  • Posts: 37

Re: amavis / ClamAV not detecting eicar - Mail passes with clean

Hi Zhang,

thanks for your reply.

To me, this does not make any sense.

Why would clamd via Amavis report differently from clamd over shell.
It's the same server and file ?

Greets,
Frank

4 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 31,163

Re: amavis / ClamAV not detecting eicar - Mail passes with clean

Amavisd connects to ClamAV socket by default, not calling clamscan from command line. this is the difference.
I suggest posting to Amavisd mailing list to figure out why it returns different result:
https://amavis.org/#support