
ClamAV not filtering incoming mail

Comments

7 comments

  • rpvw
    grep your exim_mainlog for the word 'virus'. You should get multiple lines with content like "Warning: Message has been scanned: no virus or other harmful content was found".

    If those entries exist, then your mail is being scanned, and you may see additional entries like "rejected after DATA: This message contains a virus or other harmful content (Win.Trojan.VBGeneric-6880554-0)".

    You can test to see if your exim is trapping viruses by creating a txt file containing the EICAR test string (search for it using your favourite search engine) and attaching it to an email that you send through your server - you should see a result like "This message contains a virus or other harmful content (Eicar-Test-Signature)" and the message should be rejected.

    Do remember that clam is only as good as its list of virus signatures, and it often takes a few days to get an update that will detect the latest viruses that other software can detect.

    If you suspect that you have a specific virus or malware file, check it on Configure ClamAV Scanner - Version 78 Documentation - cPanel Documentation to configure your clamav for exim.

    Hope this helps
    0
  • Fbarajas
    OK, I'm doing some tests. Are mails from one mail account to another mail account on the same server scanned for viruses? I sent the "eicar" signature from one of my accounts on the server to another account (on another domain on the same server) and it seems it was not scanned:

        2019-03-09 11:48:55 1h2g5e-0006QL-Vc <= fbarajas@nuestroweb.com H=(servidor.sistec.com.mx) [127.0.0.1]:37996 P=esmtpa A=dovecot_login:fbarajas@nuestroweb.com S=1608 id=b8cf3b9923e72f762ebfcce869569ccb@nuestroweb.com T="Prueba de virus 2" for fernando@mayasistemas.com
        2019-03-09 11:48:55 1h2g5e-0006QL-Vc cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1h2g5e-0006QL-Vc
        2019-03-09 11:48:55 1h2g5e-0006QL-Vc => fernando R=virtual_user T=dovecot_virtual_delivery C="250 2.0.0 UIJnAof8g1xnXAAAtqzIjg Saved"
        2019-03-09 11:48:55 1h2g5e-0006QL-Vc Completed

    But other mails are indeed being scanned by ClamAV:

        2019-03-09 12:21:45 1h2gbJ-0005Bj-Np H=p66.mailgun.us [184.173.105.66]:27559 Warning: Message has been scanned: no virus or other harmful content was found
        2019-03-09 12:21:46 1h2gb6-0005AY-Tg H=ccm24.constantcontact.com [208.75.123.132]:41302 Warning: Message has been scanned: no virus or other harmful content was found
        2019-03-09 12:22:20 1h2gc0-0005N0-60 H=(affirm.ocadawa2s.icu) [110.34.192.53]:35203 Warning: Message has been scanned: no virus or other harmful content was found
    0
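A small log-checking script, added here as an example (it is not part of this thread, nor cPanel or Exim tooling), that applies rpvw's grep advice to log excerpts like the ones above: it groups exim_mainlog lines by message ID and lists deliveries that never produced a "Message has been scanned" warning, flagging separately the ones that came from an authenticated (SMTP AUTH) sender, which is exactly the local-to-local case in the log above. The sample log lines are constructed in the style of the excerpts; the addresses, hosts and message IDs in them are invented.

```python
import re
from collections import defaultdict

# Exim main-log line: "YYYY-MM-DD HH:MM:SS [<message-id>] <rest>".
# The message ID (e.g. 1h2g5e-0006QL-Vc) is absent on lines logged before a
# message is accepted, such as "rejected after DATA" lines.
LINE_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} "
    r"(?:(?P<id>[0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2}) )?"
    r"(?P<rest>.*)$"
)

SCANNED_MARK = "Warning: Message has been scanned"
REJECTED_MARK = "rejected after DATA: This message contains a virus"


def parse_mainlog(lines):
    """Group log lines by message ID and note arrival, scan and delivery events.

    Returns (messages, rejections): messages maps ID -> dict of flags;
    rejections is the list of 'rejected after DATA' lines, kept separately
    because a virus rejection happens before an ID is assigned.
    """
    messages = defaultdict(lambda: {
        "arrived": False, "scanned": False, "delivered": False,
        "authenticated": False, "sender": None,
    })
    rejections = []
    for raw in lines:
        m = LINE_RE.match(raw.rstrip("\n"))
        if not m:
            continue
        rest = m.group("rest")
        if REJECTED_MARK in rest:
            rejections.append(rest)
            continue
        msg_id = m.group("id")
        if msg_id is None:
            continue
        rec = messages[msg_id]
        if rest.startswith("<= "):          # message accepted by exim
            rec["arrived"] = True
            rec["sender"] = rest.split()[1]
            # P=esmtpa / A=... mean the sender used SMTP AUTH, which is the
            # case the exiscan "authenticated senders" option controls.
            rec["authenticated"] = " P=esmtpa " in rest or " A=" in rest
        elif rest.startswith("=> "):        # delivery succeeded
            rec["delivered"] = True
        elif SCANNED_MARK in rest:          # exiscan/ClamAV ran on it
            rec["scanned"] = True
    return messages, rejections


def unscanned_deliveries(messages):
    """IDs of messages that were delivered without ever being scanned."""
    return sorted(i for i, r in messages.items()
                  if r["delivered"] and not r["scanned"])


# Constructed sample in the style of the thread's excerpts (invented
# addresses, hosts and IDs): one authenticated local-to-local message that
# is never scanned, one external message that is, and one virus rejection.
SAMPLE_LOG = """\
2019-03-09 11:48:55 1hAAAA-000001-AA <= alice@example.com H=(mail.example.com) [127.0.0.1]:37996 P=esmtpa A=dovecot_login:alice@example.com S=1608 T="Test" for bob@example.org
2019-03-09 11:48:55 1hAAAA-000001-AA => bob R=virtual_user T=dovecot_virtual_delivery C="250 2.0.0 Saved"
2019-03-09 11:48:55 1hAAAA-000001-AA Completed
2019-03-09 12:21:45 1hBBBB-000002-BB <= news@sender.example.net H=mx.sender.example.net [203.0.113.10]:27559 P=esmtps S=4021 T="Newsletter" for alice@example.com
2019-03-09 12:21:45 1hBBBB-000002-BB H=mx.sender.example.net [203.0.113.10]:27559 Warning: Message has been scanned: no virus or other harmful content was found
2019-03-09 12:21:45 1hBBBB-000002-BB => alice R=virtual_user T=dovecot_virtual_delivery C="250 2.0.0 Saved"
2019-03-09 12:30:02 H=(bad.example.net) [198.51.100.7]:4321 F=<x@bad.example.net> rejected after DATA: This message contains a virus or other harmful content (Eicar-Test-Signature)
"""


def report(lines):
    """Summary of what was scanned, what was delivered unscanned, what was rejected."""
    messages, rejections = parse_mainlog(lines)
    return {
        "scanned": sorted(i for i, r in messages.items() if r["scanned"]),
        "unscanned_deliveries": unscanned_deliveries(messages),
        "unscanned_authenticated": sorted(
            i for i, r in messages.items()
            if r["delivered"] and not r["scanned"] and r["authenticated"]),
        "rejections": rejections,
    }


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:               # e.g. /var/log/exim_mainlog
        with open(sys.argv[1]) as fh:
            result = report(fh)
    else:
        result = report(SAMPLE_LOG.splitlines())
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run it against a real exim_mainlog path to get the same four lists; a non-empty "unscanned_authenticated" list is the symptom described in this thread, and an empty "scanned" list means exiscan is not running at all.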
  • cPanelMichael
    Are mails from one mail account to another mail account on the same server scanned for viruses?

    Hello @Fbarajas, Try enabling the following option under the Security tab in WHM >> Exim Configuration Manager >> Basic Editor to see if it does what you're looking for: Scan messages for malware from authenticated senders (exiscan). Thank you.
    0
  • Fbarajas
    It was in the "off" (default) option. I changed it to "on", thanks!
    0
  • Fbarajas
    Still having problems: I'm still receiving lots of malware. The strange thing is that some viruses are NOT stopped by the antivirus... but when I run clamav on my inbox, it detects them as such:

        /home/nuestrow/mail/nuestroweb.com/fbarajas/cur/1551891862.M490653P31113.servidor.sistec.com.mx,S=547709,W=555244:2,S: Win.Malware.Lptehw-6879858-0 FOUND
        /home/nuestrow/mail/nuestroweb.com/fbarajas/cur/1551241130.M673041P30272.servidor.sistec.com.mx,S=575107,W=583020:2,S: Win.Malware.Noon-6887768-0 FOUND
        /home/nuestrow/mail/nuestroweb.com/fbarajas/cur/1552153591.M117848P22859.servidor.sistec.com.mx,S=3228,W=3322:2,S: Eicar-Test-Signature FOUND

    There's the "eicar-test" I used to test this: it was delivered to my inbox (not stopped by the antivirus), but it is detected if I run clamscan from the command line. What else can I try?
    0
  • rpvw
    You should probably open a support ticket so they can see what might be causing your issue.
    0
  • cPanelMichael
    Hello @Fbarajas, The other option to enable under the Security tab in WHM >> Exim Configuration Manager >> Basic Editor is: Scan outgoing messages for malware

    I tried to send an email from one local email address to another using Roundcube with the support ticket if you'd like us to take a closer look. Thank you.
    0
