Manually Scanning for Viruses
Recently, we have been hit with a large number of viruses that have not been detected by clam. However, they are now reported. So, would it be possible to rescan the entire message database overnight with clam? That is: /opt/store.
I want to get rid of any residual viruses that got past our filter because people are still opening week-old emails and getting infected.
Here's what I found when I ran the following:
./clamscan -r -i -d /opt/zimbra/data/clamav/db /opt/zimbra/store/*
Here's a snippet of what was found:
/opt/zimbra/store/0/17/msg/3/13127-17639.msg: Email.Phishing.RB-3469 FOUND
/opt/zimbra/store/0/17/msg/3/12961-17451.msg: Email.Phishing.RB-3469 FOUND
/opt/zimbra/store/0/17/msg/3/13687-18288.msg: Trojan.Downloader.Agent-1297 FOUND
/opt/zimbra/store/0/17/msg/3/12776-17248.msg: Email.Phishing.Bank-72 FOUND
/opt/zimbra/store/0/17/msg/3/13757-18365.msg: Trojan.Downloader.Agent-1298 FOUND
/opt/zimbra/store/0/17/msg/3/13235-17757.msg: Trojan.Agent-57252 FOUND
Would it cause corruption if I had clamscan just remove the infected messages? Anyone have experience with this? :)
One other question: Does anyone know how to find out which virus definitions clam is using to scan the incoming emails?
When I type zmclamdctl status, it gives no output.
One additional thing to note: I upgraded to 0.94.1 and pointed the symlink "clamav" to the directory that I placed in /opt/zimbra.
[SOLVED] Manually Scanning for Viruses
I know this is dredging up an old thread; however, I actually answered my own question by writing my own code to accomplish this. I wanted to share it in case others could benefit from it. See below for a simple script that scans the mail store and removes any infected messages (this is a manual process that must be run either through SSH, a cron job, or something similar). I didn't throw in a bunch of variables, so if your store is NOT in ~/store/0/ (as zimbra user) or if something doesn't match your particular configuration, then you will need to modify/adjust the script as necessary.
This script will automatically bypass the virus store db (since we know there are viruses there) and any archive accounts, assuming they end in .archive (just in case...users shouldn't have access anyway). It will also output the results to stdout (console screen, log file, etc.).
I placed the following code in a file called virusremovestore.sh (give it +x with chmod) and in a particular folder where I keep all my scripts (e.g. you could mkdir cyberdeath in /opt/zimbra and place the file in there). You are free to place it wherever you'd like so long as it is accessible by the zimbra user.
On a final note, I wanted to mention that I still haven't implemented a new anti-virus solution that will directly integrate with Zimbra. However, I have spoken with a couple of A/V vendors who say they are compatible with postfix (Symantec & Kaspersky).
#!/bin/bash
echo "Freshening up the anti-virus definitions"
~/clamav/bin/freshclam   # assumed: the update command itself did not survive the post; it must write to the db dir clamscan reads below
echo "Scanning Mail Store for Viruses"
# --no-summary keeps clamscan's trailing summary block out of the loop (it would otherwise reach zmmailbox with empty ids).
# With IFS=/ the path splits into the named fields and the remainder of the line ("13127-17639.msg: Sig FOUND") lands in $messageid.
~/clamav/bin/clamscan --no-summary --database ~/data/clamav/db/ --recursive=yes --infected ~/store/0/ | while IFS=/ read root opt zimbra store messagestore storeid msg folder messageid virusname found
do
    uid=`mysql -NBe "select comment from zimbra.mailbox where id='$storeid'"`   # mailbox id -> account name
    msgid=`echo $messageid | cut -d'-' -f1`                                    # "13127-17639.msg: ... FOUND" -> 13127
    if [[ "$uid" == *.archive ]]; then
        echo "Archive: Did not remove message $msgid from $uid"
    elif [[ "$uid" == *virus*quarantine* ]]; then
        echo "Skipping message $msgid in virus quarantine"
    else
        zmmailbox -z -m $uid dm $msgid
        echo "Found and removed infected message $msgid from $uid"
    fi
done
If you have any questions or comments, please feel free.
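A dry-run companion to the removal script above, added here as an example (not the thread's own code): it parses clamscan's FOUND lines into the mailbox id and message id that the script hands to mysql and zmmailbox, rejects anything else (the scan summary, odd paths, non-numeric ids), and prints what would be removed instead of removing it. The store layout /opt/zimbra/store/0/<mailboxid>/msg/<n>/<msgid>-<rev>.msg is assumed from the paths quoted in the thread, and the sample scan output is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): dry-run parser for the clamscan
# output that virusremovestore.sh feeds to mysql/zmmailbox. Store layout
# assumed from the paths quoted in the thread:
#   /opt/zimbra/store/0/<mailboxid>/msg/<n>/<msgid>-<rev>.msg: <signature> FOUND

# Print "<mailboxid> <msgid> <signature>" for a well-formed FOUND line;
# return 1 for anything else (summary lines, odd paths, non-numeric ids).
parse_found_line() {
    line=$1
    case "$line" in *" FOUND") ;; *) return 1 ;; esac
    path=${line%%: *}                 # everything before ": <signature> FOUND"
    sig=${line#*: }; sig=${sig% FOUND}
    case "$path" in /opt/zimbra/store/0/*/msg/*/*-*.msg) ;; *) return 1 ;; esac
    rest=${path#/opt/zimbra/store/0/} # <mailboxid>/msg/<n>/<msgid>-<rev>.msg
    mailboxid=${rest%%/*}
    file=${rest##*/}
    msgid=${file%%-*}
    case "$mailboxid" in ''|*[!0-9]*) return 1 ;; esac
    case "$msgid" in ''|*[!0-9]*) return 1 ;; esac
    printf '%s %s %s\n' "$mailboxid" "$msgid" "$sig"
}

# Read scan output on stdin and report what the removal script would do,
# without running mysql or zmmailbox. Lines that do not parse are reported
# and skipped instead of reaching zmmailbox with empty ids.
plan_removals() {
    while IFS= read -r l; do
        fields=$(parse_found_line "$l") || { printf 'ignored: %s\n' "$l"; continue; }
        set -- $fields
        printf 'would remove msg %s from mailbox id %s (%s)\n' "$2" "$1" "$3"
    done
}

# Constructed sample: two hits quoted in the thread plus the summary block
# clamscan appends unless --no-summary is given.
SAMPLE_SCAN='/opt/zimbra/store/0/17/msg/3/13127-17639.msg: Email.Phishing.RB-3469 FOUND
/opt/zimbra/store/0/17/msg/3/13687-18288.msg: Trojan.Downloader.Agent-1297 FOUND

----------- SCAN SUMMARY -----------
Infected files: 2'

printf '%s\n' "$SAMPLE_SCAN" | plan_removals
```

Run it as the zimbra user against real output (`clamscan ... --infected ~/store/0/ | plan_removals`) to review the planned deletions before letting the removal script act on them.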