ClamAV email question

Comments

14 comments

  • rpvw
    After installing ClamAV for cPanel, you will probably need to take some further steps for full functionality. Go to WHM >> Service Configuration >> Exim Configuration Manager > Basic Editor > Security .... and enable (switch ON) the following:

    Scan messages for malware from authenticated senders (exiscan). If you have the ClamAVconnector plugin installed, messages from authenticated senders are not scanned until you enable this option. It is recommended that you scan mail for authenticated senders when possible to reduce the risk of viruses spreading inside your network.

    Scan outgoing messages for malware. If you have the ClamAVconnector plugin installed, enabling this option will reject mail bound for non-local domains that test positive for malware.

    Full information at
    0
  • equens
    Scan messages for malware from authenticated senders (exiscan). If you have the ClamAVconnector plugin installed, messages from authenticated senders are not scanned until you enable this option. It is recommended that you scan mail for authenticated senders when possible to reduce the risk of viruses spreading inside your network.

    I was confused about this, I thought that authenticated senders was also outgoing messages. Thanks a lot for your help. Equens.
    0
  • rpvw
    I found the cPanel documentation to be unhelpfully vague on the question of whether ClamAV for cPanel scans incoming mail out-of-the-box following installation. The instructions all allude to the prerequisite of performing additional steps to integrate ClamAV Scanner with Exim, but then talk about authenticated users, which I also interpreted as being only relevant to outgoing senders. As a result of my doubt, I actually had to go back and edit my post to say "further steps for full functionality" and I am still very uncertain as to what the unequivocal facts may be. Whilst I have to commend cPanel for the huge amount of work and effort they put into the documentation, it is woefully apparent that the docs are written by people with a profound knowledge of the subject, but who perhaps neglect to revise and read the finished work from the perspective and lack of knowledge of the end user. In this case, and assuming it is a true statement, I don't see why a simple directive like .....

    Important: If you want to use the ClamAV Scanner to scan outgoing mail as well, you must perform additional steps if you wish to integrate ClamAV Scanner with Exim.

    ..... would disambiguate the instructions. As a final thought to document writers; remember, it's not what you know that is important, it's what the reader doesn't know, which is presumably why they are reading your docs in the first place !! o_O
    0
  • rpvw
    As a quick update to the whole ClamAV subject - I stumbled on a new test I hadn't seen before at DNS tools | Manage Monitor Analyze | DNSstuff. After resolving the MX test for an email address (that exists on your server) you should see an option to run the Anti-Virus Filtering Test. This sends a number of test emails to the address you specified. (Make sure you have disabled greylisting for the email domain you are using for the duration of the test.) These emails contain the EICAR Anti-Virus Test Signature in a variety of containers such as an .EXE file, a .BIN file, and a zipped .EXE file. The results I obtained were as follows:

    The response by your mail server to the Anti-Virus Test is below:
    .COM Attachment -- 550 This message contains a virus or other harmful content
    .BAT Attachment -- 550 This message contains a virus or other harmful content
    GZipped .EXE -- 550 This message contains a virus or other harmful content
    .BIN Attachment -- 550 This message contains a virus or other harmful content
    .EXE Attachment -- 550 This message contains a virus or other harmful content
    Zipped .EXE -- 550 This message contains a virus or other harmful content

    ....and all of the emails were rejected by Exim as soon as they were scanned. So what does this tell us ? Well it could demonstrate that ClamAV is only good for detecting EICAR Anti-Virus Test Signatures ! But after examining the exim logs for the string "This message contains a virus or other harmful content" I was gratified to find that it does indeed find and reject a wide variety of signature based exploits as well as the examples listed above. As usual, one needs to be mindful of the fact that this system is a signature based solution, so don't be surprised if you go back and run a scan on a domain email folder, and find a whole lot of infected files that slipped through before a signature was written and subsequently published. Many server admins will opine that all anti-virus should be done on the end user device and not on a server. Whilst I cannot agree more that the end user device absolutely needs its own anti-virus solution, I do wonder if the abnegation of a server side solution has more to do with under-powered (or over exploited) servers than with any true conviction.
    0
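The post above checks the Exim log for the rejection string by hand. The following script is an added example (not code from the thread or from cPanel) that does the same check over a constructed sample of exim_mainlog lines: it counts scanner rejections, tallies them per sending host, and lists the signature names seen. The log line layout is an approximation of cPanel's exiscan rejection entries and is an assumption.

```shell
#!/bin/sh
# Constructed sample of Exim mainlog lines. The layout approximates the
# rejection entries cPanel's exiscan integration writes; real lines may differ.
SAMPLE_LOG='2024-03-01 10:00:01 1rXaaa-0001Aa-AA H=mx.example.net [192.0.2.10] F=<alice@example.net> rejected after DATA: This message contains a virus or other harmful content (Eicar-Test-Signature)
2024-03-01 10:00:05 1rXaab-0001Ab-AB <= bob@example.org H=mail.example.org [198.51.100.7] P=esmtp S=2048
2024-03-01 10:01:10 1rXaac-0001Ac-AC H=mail.example.org [198.51.100.7] F=<bob@example.org> rejected after DATA: This message contains a virus or other harmful content (Win.Test.EICAR_HDB-1)
2024-03-01 10:02:00 1rXaad-0001Ad-AD H=mx.example.net [192.0.2.10] F=<alice@example.net> rejected after DATA: This message contains a virus or other harmful content (Eicar-Test-Signature)
2024-03-01 10:03:00 1rXaae-0001Ae-AE => carol@example.com R=lookuphost T=remote_smtp H=mx.example.com [203.0.113.9]'

REJECT_MARKER='This message contains a virus or other harmful content'

# Read a log file if one is given, otherwise fall back to the built-in sample.
log_input() {
    if [ -n "$1" ]; then cat "$1"; else printf '%s\n' "$SAMPLE_LOG"; fi
}

# Number of messages Exim rejected because the scanner flagged them.
count_virus_rejects() {
    log_input "$1" | grep -c "$REJECT_MARKER"
}

# Rejections per sending host, most frequent first ("<count> <host>").
# A burst from a single host is the thing worth looking at first.
rejects_by_host() {
    log_input "$1" \
      | grep "$REJECT_MARKER" \
      | sed -n 's/.* H=\([^ ]*\) .*/\1/p' \
      | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# Distinct signature names reported in the trailing parentheses.
signatures_seen() {
    log_input "$1" \
      | grep "$REJECT_MARKER" \
      | sed -n 's/.*harmful content (\(.*\))$/\1/p' \
      | sort -u
}

# Stand-alone run: summarise the sample (or the file named in $1).
echo "scanner rejections: $(count_virus_rejects "$1")"
rejects_by_host "$1"
signatures_seen "$1"
```

On a cPanel server the same functions can be pointed at the live log with `sh report.sh /var/log/exim_mainlog`.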
  • cPanelMichael
    Hello, Regarding the following document: Configure ClamAV Scanner - Version 68 Documentation - cPanel Documentation Could you elaborate a little more on how you'd like to see it improved? It does provide a separate section noting that you must enable it separately for Exim: You must perform these additional steps if you wish to integrate ClamAV Scanner with Exim.
    This is required to enable virus scanning for both incoming and outgoing email. Thank you.
    0
  • rpvw
    Hi Michael, thank you for your input. My confusion arose (as did equens's, it seems) by the instruction "Scan messages for malware from authenticated senders". As a result of the statement I made in my post above being incorrect, since you have confirmed that no automated anti-virus scanning will be performed on either incoming or outgoing mail without first completing the additional steps as detailed below; I should like to suggest that the lines that need disambiguation are:
    • Navigate to the Exim Configuration Manager interface (WHM >> Home >> Service Configuration >> Exim Configuration Manager >> Basic Editor >> Security).
    • For the Scan messages for malware from authenticated senders (exiscan) option, select the On setting.
    • For the Scan outgoing messages for malware option, select the On setting.
    • Click Save.
    My feeble mind keeps telling me that item 2. about authenticated senders is about my users connecting to my exim mail server using authenticated SMTP, and sending mail (which is outgoing mail in my book), and then item 3. tells me about scanning outgoing mail.........o_O Nowhere does it explicitly mention incoming mail and the av scanning thereof. I probably need more Whiskey !! In the grand scheme of things, you probably have much better things to do than reading my ramblings, but thank you for showing an interest.
    0
  • EneTar
    There are two additional options available under the "Security" tab in "WHM >> Exim Configuration Manager >> Basic Editor" that are relevant to virus scanning for outgoing email: A. Scan messages for malware from authenticated senders (exiscan). This option relates to outgoing email only. It controls whether you want to scan messages sent from email users that authenticate via SMTP authentication before sending. B. Scan outgoing messages for malware. This option relates to outgoing email only. Per its description, if you have the ClamAVconnector plugin installed, enabling this option will reject mail bound for non-local domains that test positive for malware.

    Are those indeed only for the outgoing messages?
    I've opened a case with our Documentation team (DOC-9904) to request clarification of how this works on the following document:

    The documentation should be updated with the outcome.
    0
  • cPanelMichael
    Are those indeed only for the outgoing messages?

    Right, those options are for users that are authenticating to send via SMTP on the cPanel server.
    The documentation should be updated with the outcome.

    Internal case DOC-9904 is still open and under review at this time. I'll update this thread again once any changes are published to the document. Thank you.
    0
  • cPanelMichael
    Hello, The ClamAV document is now updated to reflect the information reported in this thread: Configure ClamAV Scanner - Version 70 Documentation - cPanel Documentation Thank you.
    0
  • serg499
    So, does ClamAV scan incoming emails now? Looks like by default it doesn't and I can't find how to enable this feature...
    0
  • cPRex Jurassic Moderator
    @serg499 - yes it does. There are details on that in the yellow box here:
    0
  • serg499
    @serg499 - yes it does. There are details on that in the yellow box here:

    I see. Thank you! I probably need to open a ticket in this case, because on my system it doesn't.
    0
  • cPRex Jurassic Moderator
    If you have the tool installed and it doesn't seem to be working properly, feel free to open a ticket with our team so we can check that out!
    0