1 (edited by rinze 2020-09-04 15:22:38)

Topic: Amavis does not detect virus/trojan horse

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 1.3.1 MARIADB edition.
- Deployed with iRedMail Easy or the downloadable installer? downloadable installer
- Linux/BSD distribution name and version:  CentOS 7
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? No
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

One of my customers complains that he received trojan horses in his e-mail.
His desktop antivirus has found the trojan horse.
/var/log/maillog says this about one of the e-mails:

Sep  1 20:30:51 mail02 amavis[26531]: (26531-10) Passed CLEAN {RelayedInbound}, [212.76.85.90]:59518 [31.166.126.163] <w.ibrahim@al-bustan.net> -> <client-email>, Queue-ID: 4BgwcR09jVzMvf2W, Message-ID: <CE8596ACA3E54B7FBE73DF53DB39F611.MAI@sw16.saharanet.com>, mail_id: RyLsHW1-pZTd, Hits: 0.103, size: 251574, queued_as: 4BgwcW11SGzMsRZT, 1961 ms, Tests: [HTML_MESSAGE=0.001,MIME_HTML_ONLY=0.1,SPF_HELO_NONE=0.001,SPF_NONE=0.001]
Sep  1 20:30:51 mail02 amavis[26531]: (26531-10) Passed CLEAN, <w.ibrahim@al-bustan.net> -> <client-email>, Hits: 0.103, tag=2, tag2=6.2, kill=6.9, queued_as: 4BgwcW11SGzMsRZT, L/0/0/0

Running clamscan manually over the file (clamscan --scan-mail=yes --phishing-sigs=yes --phishing-scan-urls=yes --heuristic-alerts=yes <file>), this is the output:

/var/vmail/vmail1/domain/path-to/Maildir/.Trash/cur/1598985051.M249203P702.mailserverFQDN,S=248925,W=252182:2,Sac: Doc.Downloader.Emotet-9621083-0 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 8793853
Engine version: 0.102.4
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.01 MB
Data read: 0.23 MB (ratio 0.05:1)
Time: 20.838 sec (0 m 20 s)

Why does amavis not take care of this threat?

2

Re: Amavis does not detect virus/trojan horse

Please show me output of commands below:

grep 'bypass_virus_checks_maps' /etc/amavisd/amavisd.conf

----

Does my reply help a little? How about buying me a cup of coffee ($5) as an encouragement?

buy me a cup of coffee

3

Re: Amavis does not detect virus/trojan horse

This is the output:

# grep 'bypass_virus_checks_maps' /etc/amavisd/amavisd.conf
@bypass_virus_checks_maps = (0);
    #bypass_virus_checks_maps => [1],   # don't check virus
    bypass_virus_checks_maps => [1],    # don't check virus
    bypass_virus_checks_maps => [1],
    bypass_virus_checks_maps => [1],

4

Re: Amavis does not detect virus/trojan horse

For what it's worth, my 1.3.1 system returns the same output.

rinze wrote:

This is the output:

# grep 'bypass_virus_checks_maps' /etc/amavisd/amavisd.conf
@bypass_virus_checks_maps = (0);
    #bypass_virus_checks_maps => [1],   # don't check virus
    bypass_virus_checks_maps => [1],    # don't check virus
    bypass_virus_checks_maps => [1],
    bypass_virus_checks_maps => [1],

5

Re: Amavis does not detect virus/trojan horse

I would also like to know if this is correct.

6

Re: Amavis does not detect virus/trojan horse

Not sure why Amavisd got a different scan result with the clamav socket and the clamscan command.

7

Re: Amavis does not detect virus/trojan horse

Is there some location where we can config the way emails get scanned?
More of my clients are starting to complain that they're receiving infected documents in e-mails.
Can I forward you such an email for example, so that you can test for yourself?

8 (edited by ramiroec 2020-09-19 01:08:51)

Re: Amavis does not detect virus/trojan horse

Today more viruses are detected by clamav, mail.log:

Sep 18 13:03:03 correo amavis[6441]: (06441-04) Blocked INFECTED (Doc.Dropper.Emotet-9761056-0) {DiscardedInbound,Quarantined}, [x.x.x.x]:33189 [x.x.x.x] <sysop@rieder.net.py> -> , quarantine: SeFJFbLTEcWE, Queue-ID: CF365800061, Message-ID: <ae6e44995ec0022088c1fb74fc36c422@rieder.xxx.xx>, mail_id: SeFJFbLTEcWE, Hits: -, size: 216612, 104 ms
Sep 18 13:03:03 correo postfix/amavis/smtp[8688]: CF365800061: to=<@agc.xxx.xx>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.32, delays=0.2/0/0/0.11, dsn=2.7.0, status=sent (250 2.7.0 Ok, discarded, id=06441-04 - INFECTED: Doc.Dropper.Emotet-9761056-0)

9

Re: Amavis does not detect virus/trojan horse

ramiroec wrote:

Today more viruses are detected by clamav, mail.log:

Sep 18 13:03:03 correo amavis[6441]: (06441-04) Blocked INFECTED (Doc.Dropper.Emotet-9761056-0) {DiscardedInbound,Quarantined}, [x.x.x.x]:33189 [x.x.x.x] <sysop@rieder.net.py> -> , quarantine: SeFJFbLTEcWE, Queue-ID: CF365800061, Message-ID: <ae6e44995ec0022088c1fb74fc36c422@rieder.xxx.xx>, mail_id: SeFJFbLTEcWE, Hits: -, size: 216612, 104 ms
Sep 18 13:03:03 correo postfix/amavis/smtp[8688]: CF365800061: to=<@agc.xxx.xx>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.32, delays=0.2/0/0/0.11, dsn=2.7.0, status=sent (250 2.7.0 Ok, discarded, id=06441-04 - INFECTED: Doc.Dropper.Emotet-9761056-0)

Have you changed any settings?

10

Re: Amavis does not detect virus/trojan horse

What kind of virus? Is it a Microsoft Word document?

11

Re: Amavis does not detect virus/trojan horse

In my case it was an Office document, containing scripts which would download the actual malware.

12

Re: Amavis does not detect virus/trojan horse

Make sure you have parameters below in clamav config file:

ScanOLE2 true
OLE2BlockMacros true

13

Re: Amavis does not detect virus/trojan horse

ZhangHuangbin wrote:

Make sure you have parameters below in clamav config file:

ScanOLE2 true
OLE2BlockMacros true

I've checked the file /etc/clamd.d/scan.conf and it seems that ScanOLE2 is already enabled automatically (default value):

# This option enables scanning of OLE2 files, such as Microsoft Office
# documents and .msi files.
# If you turn off this option, the original files will still be scanned, but
# without additional processing.
# Default: yes
#ScanOLE2 yes

OLE2BlockMacros is not part of the scan.conf file?

14

Re: Amavis does not detect virus/trojan horse

rinze wrote:

OLE2BlockMacros is not part of the scan.conf file?

Add it manually, please.

15

Re: Amavis does not detect virus/trojan horse

I've added the setting.
How can I check if the setting is working?
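As an added example (not code from the thread, from iRedMail or from ClamAV), a small POSIX sh check for the clamd.conf point raised in post 12 and the question in post 15: it computes the effective value of ScanOLE2 and OLE2BlockMacros from a scan.conf-style file, treating "#Key value" lines as documentation of the default only, as the thread's scan.conf excerpt shows. The sample config is constructed; the defaults assumed are ScanOLE2 yes (as the quoted comment states) and OLE2BlockMacros no (the upstream default, which is why the option has to be added by hand).

```shell
#!/bin/sh
# Added example: report the effective value of a clamd.conf option.
# clamd.conf uses "Key value" lines; a leading "#" makes the line a comment,
# so "#ScanOLE2 yes" documents the default without setting anything.

# Print the effective value of option $2 in config file $1, falling back to
# $3 (the documented default) when no active line sets it. Last active wins.
clamd_effective_opt() {
    conf="$1"; key="$2"; default="$3"
    val=$(awk -v k="$key" '
        /^[[:space:]]*#/ { next }          # comment: documented default only
        $1 == k && NF >= 2 { v = $2 }      # remember the last active setting
        END { if (v != "") print v }' "$conf")
    [ -n "$val" ] && printf '%s\n' "$val" || printf '%s\n' "$default"
}

# Return 0 when both OLE2 scanning and macro blocking are active, 1 otherwise.
# Assumed defaults: ScanOLE2 yes, OLE2BlockMacros no. ClamAV accepts
# yes/true/1 as boolean values.
macro_blocking_active() {
    conf="$1"
    ole2=$(clamd_effective_opt "$conf" ScanOLE2 yes)
    macros=$(clamd_effective_opt "$conf" OLE2BlockMacros no)
    case "$ole2" in yes|true|1) ;; *) return 1 ;; esac
    case "$macros" in yes|true|1) ;; *) return 1 ;; esac
    return 0
}

# Constructed sample: ScanOLE2 appears only as a commented default (still on),
# and OLE2BlockMacros has been added manually, as in posts 13 and 14.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
# Default: yes
#ScanOLE2 yes
OLE2BlockMacros true
EOF

# Constructed sample without the manual addition: macro blocking stays off.
BARE_CONF=$(mktemp)
printf '#ScanOLE2 yes\n' > "$BARE_CONF"

if macro_blocking_active "$SAMPLE_CONF"; then
    echo "sample config: macro blocking active"
fi
if ! macro_blocking_active "$BARE_CONF"; then
    echo "bare config: macro blocking NOT active"
fi
```

Run it against /etc/clamd.d/scan.conf on the server; clamd reads the file only at startup, so restart it after adding OLE2BlockMacros, otherwise the running scanner used by Amavisd still behaves as before.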