
Thread: Manually Scanning for Viruses

  1. #1
    Join Date: Jan 2008 | Location: 127.0.0.1, Virginia, USA | Posts: 42

    Manually Scanning for Viruses

    Hello everyone,

    Recently, we have been hit with a large number of viruses that have not been detected by clam. However, they are now reported. So, would it be possible to rescan the entire message database overnight with clam? That is: /opt/store.

    I want to get rid of any residual viruses that got past our filter because people are still opening week-old emails and getting infected.

    Here's what I found when I ran the following:
    Code:
    ./clamscan -r -i -d /opt/zimbra/data/clamav/db /opt/zimbra/store/*
    Here's a snippet of what was found:
    Code:
    /opt/zimbra/store/0/17/msg/3/13127-17639.msg: Email.Phishing.RB-3469 FOUND
    /opt/zimbra/store/0/17/msg/3/12961-17451.msg: Email.Phishing.RB-3469 FOUND
    /opt/zimbra/store/0/17/msg/3/13687-18288.msg: Trojan.Downloader.Agent-1297 FOUND
    /opt/zimbra/store/0/17/msg/3/12776-17248.msg: Email.Phishing.Bank-72 FOUND
    /opt/zimbra/store/0/17/msg/3/13757-18365.msg: Trojan.Downloader.Agent-1298 FOUND
    /opt/zimbra/store/0/17/msg/3/13235-17757.msg: Trojan.Agent-57252 FOUND
    Would it cause corruption if I had clamscan just remove the infected messages? Anyone have experience with this?

    One other question: Does anyone know how to find out which virus definitions clam is using to scan the incoming emails?
    When I type zmclamdctl status, it gives no output.

    One additional thing to note: I upgraded to 0.94.1 and pointed the symlink "clamav" to the directory that I placed in /opt/zimbra.
    Last edited by cyberdeath; 11-13-2008 at 08:38 AM.
    cyberdeath

  2. #2
    Join Date: Jan 2008 | Location: 127.0.0.1, Virginia, USA | Posts: 42

    Anti-Virus Not Working?

    I went and checked to see today how the anti-virus software was doing and it's rarely detecting a virus. I know without a doubt the number of viruses has increased yet it's detecting less. I know that I upgraded to the new Clam version thinking that would solve the problem. But, it has not. Anyone have any suggestions or insight on this? I would greatly appreciate it.
    cyberdeath

  3. #3
    Join Date: Nov 2006 | Location: UK | Posts: 8,017

    You could look at integrating a commercial AV scanner as well into AmavisD. I would also recommend that you look at these third party signatures for Clam: SaneSecurity

  4. #4
    Join Date: Jan 2008 | Location: 127.0.0.1, Virginia, USA | Posts: 42

    Well, I have considered that as well. But, I'm a bit curious as to why ClamAV isn't doing its job. I've never had this problem before until recently. What prompted me was when I noticed that the database wasn't updating for whatever reason. That's when I upgraded the version of ClamAV. Would there be any reason why it would just stop updating? Also, upgrading ClamAV using the wiki should not cause any problems when upgrading zimbra later or with it properly scanning for viruses.

    And, finally, here's my big question. Can I scan and remove the messages (.msg files) that contain malware? In other words, would that cause db/mbox corruption? Is there a way I should tackle this?

    Thanks for the advice thus far.
    cyberdeath

  5. #5
    Join Date: Jan 2008 | Location: 127.0.0.1, Virginia, USA | Posts: 42

    [SOLVED] Manually Scanning for Viruses

    Hello everyone,

    I know this is drudging up an old thread; however, I actually answered my own question by writing my own code to accomplish this. I wanted to share it in case others could benefit from it. See below for a simple script that scans the mail store and removes any infected messages (this is a manual process that must be run either through SSH, a cron job, or something similar). I didn't throw in a bunch of variables, so if your store is NOT in ~/store/0/ (as zimbra user) or if something doesn't match your particular configuration, then you will need to modify/adjust the script as necessary.

    This script will automatically bypass the virus store db (since we know there are viruses there) and any archive accounts, assuming they end in .archive (just in case... users shouldn't have access anyway). It will also output the results to stdout (console screen, log file, etc.).

    I placed the following code in a file called virusremovestore.sh (give it +x with chmod) and in a particular folder where I keep all my scripts (e.g. you could mkdir cyberdeath in /opt/zimbra and place the file in there). You are free to place it wherever you'd like so long as it is accessible by the zimbra user.

    Code:
    #!/bin/bash
    
    # Refresh signatures first so the sweep runs with current definitions
    echo "Freshening up the anti-virus definitions"
    /opt/zimbra/clamav/bin/freshclam --config-file=/opt/zimbra/conf/freshclam.conf
    
    echo "Scanning Mail Store for Viruses"
    
    # Blob paths look like /opt/zimbra/store/0/<mailboxid>/msg/<dir>/<itemid>-<rev>.msg,
    # so splitting each line on "/" gives the mailbox id (storeid) and the item id
    # (messageid, which also carries the trailing ": <signature> FOUND" text).
    # Only " FOUND" lines reach the loop: clamscan's summary block has no path, which
    # would leave storeid empty and produce a bogus zmmailbox call.
    ~/clamav/bin/clamscan --database ~/data/clamav/db/ --recursive=yes --infected ~/store/0/ \
      | grep ' FOUND$' \
      | while IFS=/ read -r root opt zimbra store messagestore storeid msg folder messageid
    do
      [ -z "$storeid" ] && continue
      # the mailbox table's comment column holds the account name
      uid=$(mysql -NBe "select comment from zimbra.mailbox where id='$storeid'")
      msgid=$(echo "$messageid" | cut -d'-' -f1)
      if [[ "$uid" == *.archive ]]; then
            echo "Archive: Did not remove message $msgid from $uid"
      elif [[ "$uid" == *virus*quarantine* ]]; then
            echo "Skipping message $msgid in virus quarantine"
      elif [ -z "$uid" ]; then
            echo "No account for mailbox id $storeid; left message $msgid in place"
      else
            zmmailbox -z -m "$uid" dm "$msgid"
            echo "Found and removed infected message $msgid from $uid"
      fi
    done
    On a final note, I wanted to mention that I still haven't implemented a new anti-virus solution that will directly integrate with Zimbra. However, I have spoken with a couple of A/V vendors who say they are compatible with postfix (Symantec & Kaspersky).

    If you have any questions or comments, please feel free.
    cyberdeath
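
Added here as an example, not code from the thread or from Zimbra: a dry-run version of the parsing step in the script above (it also covers the clamscan output shown in the first post). It skips clamscan's summary lines, resolves each hit to mailbox id and item id, and prints what a cleanup would do without deleting anything. The store layout, the sample scan output and the account_for_mailbox stand-in (used in place of the thread's mysql lookup) are assumptions.

```shell
#!/bin/sh
# Added example, not the thread's script: parse clamscan --infected output for
# Zimbra's blob store (assumed layout: /opt/zimbra/store/<vol>/<mailboxId>/msg/<group>/<itemId>-<rev>.msg)
# and report what a cleanup would do without deleting anything.
# Constructed sample: three hits plus the summary block clamscan appends.
SAMPLE_SCAN='/opt/zimbra/store/0/17/msg/3/13127-17639.msg: Email.Phishing.RB-3469 FOUND
/opt/zimbra/store/0/17/msg/3/13687-18288.msg: Trojan.Downloader.Agent-1297 FOUND
/opt/zimbra/store/0/42/msg/0/99-100.msg: Trojan.Agent-57252 FOUND
----------- SCAN SUMMARY -----------
Known viruses: 452789
Infected files: 3'
# parse_found_line LINE: print "mailboxId itemId signature" for a FOUND line in
# the layout above; return 1 and print nothing for anything else (summary lines).
parse_found_line() {
    line=$1
    case $line in
        "/opt/zimbra/store/"*".msg: "*" FOUND") ;;
        *) return 1 ;;
    esac
    path=${line%%: *}                       # .../17/msg/3/13127-17639.msg
    sig=${line#*: }; sig=${sig% FOUND}      # Email.Phishing.RB-3469
    file=${path##*/}; item=${file%%-*}      # 13127
    below_vol=${path#/opt/zimbra/store/*/}  # 17/msg/3/13127-17639.msg
    mbox=${below_vol%%/*}                   # 17
    printf '%s %s %s\n' "$mbox" "$item" "$sig"
}

# account_for_mailbox ID: constructed stand-in for the thread's mysql lookup
# (select comment from zimbra.mailbox where id=ID); swap in the real query.
account_for_mailbox() {
    case $1 in
        17) echo "alice@example.com" ;;
        42) echo "oldmail.archive" ;;
        *)  return 1 ;;
    esac
}
# plan_removals < scan-output: print the zmmailbox command that would delete each
# hit, or a SKIP line for archive/quarantine accounts and unknown mailbox ids.
plan_removals() {
    while IFS= read -r l; do
        parsed=$(parse_found_line "$l") || continue
        set -- $parsed
        acct=$(account_for_mailbox "$1") || { echo "SKIP unknown mailbox $1 item $2"; continue; }
        case $acct in
            *.archive|*virus*quarantine*) echo "SKIP $acct item $2 ($3)" ;;
            *) echo "zmmailbox -z -m $acct dm $2   # $3" ;;
        esac
    done
}
```

Run it as `printf '%s\n' "$SAMPLE_SCAN" | plan_removals` to see the plan; against a live store, pipe the real clamscan output in instead and only execute the printed commands after reviewing them.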

  6. #6
    Join Date: Nov 2006 | Location: UK | Posts: 8,017

    Quote Originally Posted by cyberdeath View Post
    On a final note, I wanted to mention that I still haven't implemented a new anti-virus solution that will directly integrate with Zimbra. However, I have spoken with a couple of A/V vendors who say they are compatible with postfix (Symantec & Kaspersky).

    Why not check AmaVISD and see which additional AV scanners it supports?

  7. #7
    Join Date: Jan 2008 | Location: 127.0.0.1, Virginia, USA | Posts: 42

    Quote Originally Posted by uxbod View Post
    Why not check AmaVISD and see which additional AV scanners it supports?


    Hi uxbod,

    I should have mentioned I used amavisd to find some of the supported vendors. However, I reached out to some of them and either I never got a response or they wanted to sell me an appliance (ahem...ProofPoint). But I'm not a fan of appliances, especially email ones.

    Those were the two companies that have returned my request with a "yes we have postfix support" thus far. But I actually sent the snippet of code from amavisd.conf to a couple of resellers. I would encourage anyone looking for a solution to do that as well. Thanks for pointing that out :-).
    cyberdeath

  8. #8
    Join Date: Jun 2011 | Location: Caracas Venezuela | Posts: 476

    Quote Originally Posted by cyberdeath View Post
    Hello everyone,

    I know this is drudging up an old thread; however, I actually answered my own question by writing my own code to accomplish this. I wanted to share it in case others could benefit from it. See below for a simple script that scans the mail store and removes any infected messages (this is a manual process that must be run either through SSH, a cron job, or something similar). I didn't throw in a bunch of variables, so if your store is NOT in ~/store/0/ (as zimbra user) or if something doesn't match your particular configuration, then you will need to modify/adjust the script as necessary.

    Hello cyberdeath,

    A nice script, it just works!

    Thanks.

    ccelis
