Page 1 of 4 (posts 1 to 10 of 34)

Thread: ClamAV not identifying viruses

  #1 (joined Dec 2009, 46 posts): ClamAV not identifying viruses

    Hm, my antivirus isn't finding any viruses.
    I sent a test email with the file eicar.zip through Zimbra, and Zimbra did not block it.
    When I try to send it outbound over my frontend relay (exim+clamav), my message is blocked by ClamAV:

    said: 550 ClamAV found a virus: Eicar-Test-Signature (in reply to end of DATA command)

    zmprov gs `zmhostname` zimbraServiceEnabled
    # *****
    zimbraServiceEnabled: antivirus
    zimbraServiceEnabled: logger
    zimbraServiceEnabled: mailbox
    zimbraServiceEnabled: memcached
    zimbraServiceEnabled: mta
    zimbraServiceEnabled: stats
    zimbraServiceEnabled: snmp
    zimbraServiceEnabled: ldap
    zimbraServiceEnabled: spell

  #2 (joined Nov 2006, UK, 8,017 posts)

    Please check /var/log/zimbra.log for any error messages.

  #3 (joined Dec 2009, 46 posts)

    Jan 15 10:17:07 zimbra postfix/error[23191]: 007526C81A8: to=<user@domain.tld>, relay=none, delay=59231, delays=59230/0.17/0/0.09, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to 127.0.0.1[127.0.0.1]:10024: Connection refused)

    But this error is dated from when my antivirus was disabled as a service. After that I enabled it and sent my own test with eicar.

    So, what must I check now?

  #4 (joined Nov 2006, UK, 8,017 posts)

    Code:
    su - zimbra
    zmcontrol status
    Would you also send an eicar test again and post what happens in /var/log/zimbra.log.

  #5 (joined Dec 2009, 46 posts)

    After running zmclamdctl start
    antivirus Running
    ldap Running
    logger Running
    mailbox Running
    memcached Running
    mta Running
    snmp Running
    spell Running
    stats Running

    I forwarded my virus test and received the eicar file as is.

    In the log I have not seen any error about the connection with amavis, but look at the info about ClamAV starting:

    Jan 15 11:57:49 zimbra clamd[21524]: clamd daemon 0.95.3-broken-compiler (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
    Jan 15 11:57:49 zimbra clamd[21524]: Log file size limited to 20971520 bytes.
    Jan 15 11:57:49 zimbra clamd[21524]: Reading databases from /opt/zimbra/data/clamav/db
    Jan 15 11:57:49 zimbra clamd[21524]: Not loading PUA signatures.
    Jan 15 11:57:51 zimbra clamd[21524]: Loaded 662464 signatures.
    Jan 15 11:57:52 zimbra clamd[21524]: TCP: Bound to port 3310
    Jan 15 11:57:52 zimbra clamd[21524]: TCP: Setting connection queue length to 15
    Jan 15 11:57:52 zimbra clamd[21770]: Limits: Global size limit set to 15360000 bytes.
    Jan 15 11:57:52 zimbra clamd[21770]: Limits: File size limit set to 15360000 bytes.
    Jan 15 11:57:52 zimbra clamd[21770]: Limits: Recursion level limit set to 16.
    Jan 15 11:57:52 zimbra clamd[21770]: Limits: Files limit set to 10000.
    Jan 15 11:57:52 zimbra clamd[21770]: Archive support enabled.
    Jan 15 11:57:52 zimbra clamd[21770]: Archive: Blocking encrypted archives.
    Jan 15 11:57:52 zimbra clamd[21770]: Algorithmic detection enabled.
    Jan 15 11:57:52 zimbra clamd[21770]: Portable Executable support enabled.
    Jan 15 11:57:52 zimbra clamd[21770]: ELF support enabled.
    Jan 15 11:57:52 zimbra clamd[21770]: Mail files support enabled.
    Jan 15 11:57:52 zimbra clamd[21770]: OLE2 support enabled.
    Jan 15 11:57:52 zimbra clamd[21770]: PDF support enabled.
    Jan 15 11:57:52 zimbra clamd[21770]: HTML support enabled.
    Jan 15 11:57:52 zimbra clamd[21770]: Self checking every 600 seconds.
    ====

    Also my zimbra.log has more errors like this (but I think these are only web interface warnings):

    Jan 15 12:04:25 zimbra saslauthd[6478]: zmpost: url='https://zimbrahostFQDN:7071/service/admin/soap/' returned buffer->data='<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"><soap:Header><context xmlns="urn:zimbra"><change token="5832"/></context></soap:Header><soap:Body><AuthResponse xmlns="urn:zimbraAccount"><authToken>0_40affb60a64195d79e8a5e9c6d70e8433c9aa072_69643d33363a343162613733653 92d333665382d346662632d626337352d38663734333864393033663 63b6578703d31333a313236333732323636353135353b747970653d363a7a696d6272613b</authToken><lifetime>172800000</lifetime><skin>beach</skin></AuthResponse></soap:Body></soap:Envelope>', hti->error=''
    Last edited by blessendor; 01-15-2010 at 03:17 AM.
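A way to exercise clamd directly, bypassing Postfix and amavis, so a missed EICAR can be pinned on either the scanner or the mail path. This is an added example, not code from the thread, Zimbra or ClamAV. It speaks clamd's own INSTREAM protocol to the TCP port the startup log above shows (3310); the host 127.0.0.1, the 8 KiB chunk size, the file names inside the archives and the nesting depths 0/1/2 (plain, eicar.zip, the "zipped twice" case) are assumptions made for the example.

```python
"""Stream an EICAR test file to clamd over TCP, the way amavisd-new does,
so ClamAV can be checked independently of the Postfix -> amavis -> clamd
mail path.

Added example; not Zimbra's or ClamAV's code. Host, chunk size, archive
member names and nesting depths are assumptions.
"""
import io
import socket
import struct
import zipfile
from typing import List, Optional, Tuple

CLAMD_HOST = "127.0.0.1"   # assumption: clamd runs on the Zimbra box itself
CLAMD_PORT = 3310          # matches "TCP: Bound to port 3310" in the thread's log
CHUNK = 8192               # assumption: any size below clamd's StreamMaxLength works


def eicar_bytes() -> bytes:
    """The standard 68-byte EICAR test string, assembled at runtime so this
    source file itself is not quarantined by an on-access scanner."""
    parts = (
        "X5O!P%@AP[4\\PZX54(P^)7CC)7}$",
        "EICAR-STANDARD-ANTIVIRUS-TEST-FILE",
        "!$H+H*",
    )
    return "".join(parts).encode("ascii")


def nest_zip(payload: bytes, depth: int, name: str = "eicar.com") -> bytes:
    """Wrap payload in `depth` nested ZIP archives; depth=2 reproduces the
    'zipped twice eicar' test from the thread, depth=0 returns it unchanged."""
    data, inner = payload, name
    for level in range(depth):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(inner, data)
        data, inner = buf.getvalue(), f"level{level + 1}.zip"
    return data


def instream_frames(data: bytes, chunk: int = CHUNK) -> List[bytes]:
    """Frame data for clamd's INSTREAM command: the NUL-terminated command,
    then <4-byte big-endian length><chunk> repeated, then a zero length."""
    frames = [b"zINSTREAM\0"]
    for off in range(0, len(data), chunk):
        piece = data[off:off + chunk]
        frames.append(struct.pack("!I", len(piece)) + piece)
    frames.append(struct.pack("!I", 0))
    return frames


def parse_scan_reply(reply: bytes) -> Tuple[str, Optional[str]]:
    """'stream: Eicar-Test-Signature FOUND\\0' -> ('FOUND', 'Eicar-Test-Signature');
    'stream: OK\\0' -> ('OK', None); '... ERROR\\0' -> ('ERROR', reason)."""
    text = reply.rstrip(b"\0\n").decode("ascii", "replace")
    _, sep, verdict = text.partition(": ")
    if not sep:
        verdict = text
    if verdict.endswith(" FOUND"):
        return "FOUND", verdict[:-len(" FOUND")]
    if verdict.endswith(" ERROR"):
        return "ERROR", verdict[:-len(" ERROR")]
    return verdict, None


def scan_with_clamd(data: bytes, host: str = CLAMD_HOST,
                    port: int = CLAMD_PORT) -> Tuple[str, Optional[str]]:
    """Stream data to clamd and return (verdict, detail)."""
    with socket.create_connection((host, port), timeout=30) as s:
        for frame in instream_frames(data):
            s.sendall(frame)
        reply = b""
        while not reply.endswith(b"\0"):   # z-prefixed replies end with NUL
            part = s.recv(4096)
            if not part:
                break
            reply += part
    return parse_scan_reply(reply)


if __name__ == "__main__":
    for depth in (0, 1, 2):
        print(f"zip depth {depth}: {scan_with_clamd(nest_zip(eicar_bytes(), depth))}")
```

Run it on the mailbox host. A working clamd answers ('FOUND', 'Eicar-Test-Signature') for all three depths, since the startup log shows archive support on with a recursion limit of 16; ('OK', None) for any depth means clamd itself, not the mail path, is missing the signature. A reply whose verdict is ERROR (for example an INSTREAM size limit message) means the stream hit clamd's StreamMaxLength rather than a detection failure.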

  #6 (joined Dec 2009, 46 posts)

    New logged errors detected:

    Jan 15 10:17:07 zimbra postfix/error[23191]: DED576C800B: to=<some-address>, relay=none, delay=59292, delays=59292/0.11/0/0.05, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to 127.0.0.1[127.0.0.1]:10024: Connection refused)
    Jan 15 10:17:07 zimbra postfix/error[23191]: DED576C800B: to=<some-address>, relay=none, delay=59292, delays=59292/0.11/0/0.08, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to 127.0.0.1[127.0.0.1]:10024: Connection refused)
    Jan 15 10:17:07 zimbra postfix/error[23194]: D25B46C81CB: to=<some-address>, relay=none, delay=59181, delays=59181/0.16/0/0.05, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to 127.0.0.1[127.0.0.1]:10024: Connection refused)
    J

    > zmcontrol status

    antivirus Running
    ldap Running
    logger Running
    mailbox Running
    memcached Running
    mta Running
    snmp Running
    spell Running
    stats Running

  #7 (joined Nov 2006, UK, 8,017 posts)

    Please post the SMTP transaction from when you sent the eicar test file through. I need to see all the information from zimbra.log for when the email comes in, passes through amavis, and is then injected back into Postfix.

  #8 (joined Dec 2009, 46 posts)

    Wow, I tried now to send a new test and it was successful!

    VIRUS ALERT

    Our content checker found
    virus: Eicar-Test-Signature

    in an email to you from probably faked sender:
    ?@[192.168.10.61]
    claiming to be: <my-address>

    Content type: Virus
    Our internal reference code for your message is 27965-05/rTYr0gHSB6pY

    First upstream SMTP client IP address: [192.168.10.61]
    FQDN-host-zimbra
    According to a 'Received:' trace, the message apparently originated at:
    [192.168.10.61], FQDN FQDN
    [192.168.10.61]

    Return-Path: <my-address>
    From: Name <my-address>
    Message-ID: <1842583602.1740.1263552014343.JavaMail.root@fqdn>
    X-Mailer: Zimbra 6.0.4_GA_2038.SLES11_64 (ZimbraWebClient - FF3.0 (Linux)/6.0.4_GA_2038.SLES11_64)
    Subject: virus debuggin
    The message has been quarantined as: virus-rTYr0gHSB6pY

    Please contact your system administrator for details.

  #9 (joined Nov 2006, UK, 8,017 posts)

    Excellent. I presume you are not getting messages about deferred emails now?

  #10 (joined Dec 2009, 46 posts)

    New test trace with a twice-zipped eicar:

    Jan 15 12:49:02 zimbra amavis[27962]: (27962-07) Checking: Nvh0MmKNmNyd MYNETS [192.168.10.61] <groupname@FQDN> -> <groupuser1@FQDN>,<groupuser2@FQDN>,<groupuser3@FQDN>
    Jan 15 12:49:02 zimbra amavis[27962]: (27962-07) local delivery: <> -> virus-quarantine, mbx=/opt/zimbra/data/amavisd/quarantine/virus-Nvh0MmKNmNyd
    Jan 15 12:49:02 zimbra postfix/cleanup[21234]: 692A76C819F: message-id=<VANvh0MmKNmNyd@FQDN>
    Jan 15 12:49:02 zimbra postfix/cleanup[23601]: 7A8386C81A0: message-id=<VRNvh0MmKNmNyd@FQDN>
    Jan 15 12:49:02 zimbra postfix/cleanup[21234]: 8F6CB6C81A1: message-id=<VRNvh0MmKNmNyd@FQDN>
    Jan 15 12:49:02 zimbra postfix/cleanup[23601]: A9E2F6C819F: message-id=<VRNvh0MmKNmNyd@FQDN>
    Jan 15 12:49:02 zimbra amavis[27962]: (27962-07) Blocked INFECTED (Eicar-Test-Signature), MYNETS LOCAL [192.168.10.61] [192.168.10.61] <groupname@FQDN> -> <groupuser1@FQDN>,<groupuser2@FQDN>,<groupuser3@FQDN>, quarantine: virus-Nvh0MmKNmNyd, Message-ID: <873499934.1792.1263552541757.JavaMail.root@FQDN>, mail_id: Nvh0MmKNmNyd, Hits: -, size: 2522, 761 ms


    Nothing deferred, all is OK!

    Hm, but why doesn't the user who sent the virus receive a virus alert too?
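To make the log checks asked for in this thread repeatable, here is a small triage script for /var/log/zimbra.log that picks out the two events discussed: Postfix deferring mail because the amavis content filter on 127.0.0.1:10024 refuses connections, and amavis blocking an infected message into the quarantine directory named in the trace above. This is an added example, not Zimbra's code. The log lines embedded in it are constructed after the ones quoted in the thread, with made-up addresses; the regular expressions are assumptions about the line formats shown here, not a complete Postfix or amavisd-new log grammar.

```python
"""Triage /var/log/zimbra.log for the two symptoms in this thread:
Postfix deferring mail because the amavis content filter on
127.0.0.1:10024 refuses connections, and amavis blocking an infected
message into quarantine.

Added example; not Zimbra's code. SAMPLE_LOG is constructed after the
lines quoted in the thread, with made-up addresses; the regexes are
assumptions fitted to those lines.
"""
import re
import sys
from typing import Dict, List, Optional

# From the amavis "local delivery" line in the thread:
# mbx=/opt/zimbra/data/amavisd/quarantine/virus-<id>
QUARANTINE_DIR = "/opt/zimbra/data/amavisd/quarantine"
CONTENT_FILTER_PORT = "10024"   # amavisd-new listens here; Postfix hands mail to it

# Postfix could not hand the message to the content filter.
DEFERRED_RE = re.compile(
    r"postfix/\w+\[\d+\]: (?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]*)>.*status=deferred "
    r"\(.*connect to (?P<host>[\d.]+)\[[\d.]+\]:(?P<port>\d+): "
    r"(?P<why>Connection refused|Connection timed out)\)"
)
# amavis verdict: "Blocked INFECTED (sig), ... <from> -> <to>,<to>, quarantine: virus-X, ... mail_id: X"
AMAVIS_RE = re.compile(
    r"amavis\[\d+\]: \((?P<task>[\d-]+)\) (?P<action>Passed|Blocked) (?P<cat>[A-Z-]+)"
    r"(?: \((?P<sig>[^)]*)\))?.*?<(?P<sender>[^>]*)> -> (?P<rcpts><[^>]*>(?:,<[^>]*>)*)"
    r"(?:.*?quarantine: (?P<quar>[\w-]+))?.*?mail_id: (?P<mail_id>\w+)"
)


def classify(line: str) -> Optional[Dict[str, object]]:
    """Describe the event on one log line, or None if it is neither a
    content-filter deferral nor an amavis verdict."""
    m = DEFERRED_RE.search(line)
    if m:
        d: Dict[str, object] = dict(m.groupdict())
        d["event"] = "filter_unreachable" if m.group("port") == CONTENT_FILTER_PORT else "deferred"
        return d
    m = AMAVIS_RE.search(line)
    if m:
        d = dict(m.groupdict())
        d["event"] = "amavis_verdict"
        d["rcpts"] = [r.strip("<>") for r in m.group("rcpts").split(",")]
        return d
    return None


def triage(lines) -> Dict[str, object]:
    """Summarise an excerpt: queue ids stuck because amavis is down, and
    messages amavis blocked as infected, with their quarantine files."""
    stuck: List[str] = []
    blocked: List[Dict[str, object]] = []
    passed = 0
    for line in lines:
        ev = classify(line)
        if ev is None:
            continue
        if ev["event"] == "filter_unreachable":
            stuck.append(str(ev["qid"]))
        elif ev["event"] == "amavis_verdict":
            if ev["action"] == "Blocked" and ev["cat"] == "INFECTED":
                blocked.append({
                    "mail_id": ev["mail_id"],
                    "sig": ev["sig"],
                    "rcpts": ev["rcpts"],
                    "quarantine_file": f"{QUARANTINE_DIR}/{ev['quar']}" if ev["quar"] else None,
                })
            elif ev["action"] == "Passed":
                passed += 1
    return {
        "filter_unreachable_qids": sorted(set(stuck)),
        "blocked_infected": blocked,
        "passed": passed,
        # any verdict line proves amavis was up and scanning at that time
        "amavis_alive": bool(blocked or passed),
    }


# Constructed sample, modelled on the thread's lines; addresses are made up.
SAMPLE_LOG = [
    "Jan 15 10:17:07 zimbra postfix/error[23191]: DED576C800B: to=<alice@example.test>, relay=none, delay=59292, delays=59292/0.11/0/0.05, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to 127.0.0.1[127.0.0.1]:10024: Connection refused)",
    "Jan 15 10:17:07 zimbra postfix/error[23194]: D25B46C81CB: to=<bob@example.test>, relay=none, delay=59181, delays=59181/0.16/0/0.05, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to 127.0.0.1[127.0.0.1]:10024: Connection refused)",
    "Jan 15 11:57:52 zimbra clamd[21524]: TCP: Bound to port 3310",   # must be ignored
    "Jan 15 12:49:02 zimbra amavis[27962]: (27962-07) Blocked INFECTED (Eicar-Test-Signature), MYNETS LOCAL [192.168.10.61] [192.168.10.61] <sender@example.test> -> <alice@example.test>,<bob@example.test>, quarantine: virus-Nvh0MmKNmNyd, Message-ID: <873499934.1792@example.test>, mail_id: Nvh0MmKNmNyd, Hits: -, size: 2522, 761 ms",
    "Jan 15 12:50:10 zimbra amavis[27962]: (27962-08) Passed CLEAN, MYNETS LOCAL [192.168.10.61] [192.168.10.61] <sender@example.test> -> <alice@example.test>, Message-ID: <1@example.test>, mail_id: AbCdEfGhIjKl, Hits: -0.1, size: 1200, 310 ms",
]

if __name__ == "__main__":
    source = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin
    for key, value in triage(source).items():
        print(f"{key}: {value}")
```

Feed it the real log with `python3 triage.py < /var/log/zimbra.log`; with no input it runs over the built-in sample. A non-empty `filter_unreachable_qids` together with `amavis_alive` false is the state the thread started in (amavis not listening, mail piling up in the deferred queue); once the eicar test shows up under `blocked_infected` with its quarantine file, the whole Postfix -> amavis -> clamd path is working.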
