Open gregh3269 opened 3 years ago
On 9/18/21 2:11 AM, gregh3269 wrote:
It seems to want %org-name% from /etc/MailScanner/MailScanner.conf rather than our /etc/MailScanner/conf.d/my.conf,
i.e. it should be from /etc/MailScanner/conf.d/my.conf:
%org-name% = mysitename
Please read the "mysitename-Attachment-Warning.txt" attachment(s) for more information
From MailScanner.conf:
READ THIS FIRST!
Instead of making changes directly to this file, you should put your
configuration options in your own file in /etc/MailScanner/conf.d/
Example file: /etc/MailScanner/conf.d/my_settings.conf
However, if you are changing some variable definition which is used
in other definitions in this file such as %org-name% in the first
example below, you must also either change it in this file or copy
all the definitions that use that variable into your own file.
-- Mark Sapiro @.***>
The highway is for gamblers, better use your sense - B. Dylan
San Francisco Bay Area, California
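The header quoted above describes why overriding only %org-name% in conf.d leaves the attachment warning filename unchanged. The following is an added model of that behaviour (not MailScanner's own parser): variables are expanded in each line as it is read, so a later redefinition does not re-expand lines already processed. The sample files are constructed; "Attachment Warning Filename" is assumed to be the stock option that builds the filename shown in the report.

```python
import re
from typing import Dict, List

# Constructed stand-ins for MailScanner.conf and conf.d/my.conf.
MAIN_CONF = """
%org-name% = yoursite
%report-dir% = /etc/MailScanner/reports/en
Attachment Warning Filename = %org-name%-Attachment-Warning.txt
Sender Virus Report = %report-dir%/sender.virus.report.txt
"""
OVERRIDE_VAR_ONLY = "%org-name% = mysitename\n"
OVERRIDE_VAR_AND_USERS = (
    "%org-name% = mysitename\n"
    "Attachment Warning Filename = %org-name%-Attachment-Warning.txt\n"
)

LINE_RE = re.compile(r"^\s*([^=#]+?)\s*=\s*(.*?)\s*$")  # "key = value", skips comments
VAR_RE = re.compile(r"%[^%]+%")                       # %name% references


def load(main: str, overrides: List[str]) -> Dict[str, str]:
    """Read the main file, then each conf.d file in order, expanding %vars%
    at the moment a line is read (the behaviour the header warns about)."""
    variables: Dict[str, str] = {}
    settings: Dict[str, str] = {}
    for text in [main, *overrides]:
        for raw in text.splitlines():
            m = LINE_RE.match(raw)
            if not m:
                continue
            key, value = m.group(1), m.group(2)
            value = VAR_RE.sub(lambda v: variables.get(v.group(0), v.group(0)), value)
            if key.startswith("%") and key.endswith("%"):
                variables[key] = value   # variable definition
            else:
                settings[key] = value    # ordinary option; later files win
    return settings


def warning_filename(overrides: List[str]) -> str:
    return load(MAIN_CONF, overrides)["Attachment Warning Filename"]


def settings_using(main: str, var: str) -> List[str]:
    """Option names in the main file whose raw value references var: the
    definitions that must be copied into conf.d next to the redefined var."""
    return [m.group(1) for m in map(LINE_RE.match, main.splitlines())
            if m and not m.group(1).startswith("%") and var in m.group(2)]
```

Overriding the variable alone yields "yoursite-Attachment-Warning.txt"; copying the dependent option into the override file yields the expected "mysitename-Attachment-Warning.txt".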
Ok, sorry, I was reading my install instructions rather than the official ones. I can see I have updated /etc/MailScanner/MailScanner.conf on the server version and not my instructions.
...Was hoping this would fix the MailScanner --lint not showing the virus scanner stuff, even though clamav seems to work correctly.
v5.4.1
MailScanner.conf says "Virus Scanners = clamav"
Found these virus scanners installed:
Filename Checks: Windows/DOS Executable (1 eicar.com)
Other Checks: Found 1 problems
Virus and Content Scanning: Starting
If any of your virus scanners () ....
v5.0.7 on CentOS 7
MailScanner.conf says "Virus Scanners = clamav"
Found these virus scanners installed: clamav
Filename Checks: Windows/DOS Executable (1 eicar.com)
Other Checks: Found 1 problems
Virus and Content Scanning: Starting
1.message: Win.Test.EICAR_HDB-1 FOUND
/var/spool/MailScanner/incoming/6372/1/eicar.com: Win.Test.EICAR_HDB-1 FOUND
Virus Scanning: ClamAV found 2 infections
Infected message 1 came from 10.1.1.1
Virus Scanning: Found 2 viruses
Virus Scanner test reports:
ClamAV said "eicar.com contains Win.Test.EICAR_HDB-1"
If any of your virus scanners (clamav) ...
Is there a way to debug this?
Cheers Greg
@gregh3269 clamav was deprecated and eventually removed; use clamd instead.
Virus Scanners = clamd
seems to make it work, but now we must run the 1 GB memory daemon job. On my dev box this seems a waste of resources; I seem to remember the clamav-wrapper stuff runs when needed? Is it possible to still use this logic now?
virus.scanners.conf:
clamav /usr/lib/MailScanner/wrapper/clamav-wrapper /usr
Cheers Greg
The size of the clamav daemon depends on the size of the collection of signatures (/var/lib/clamav/*). That said, the trade-off between clamd and clamav is this: with clamd, the process is persistent and the signatures are loaded once when it starts, while with clamav a new process has to load all the signatures each time it is invoked.
It seems to me that creating a new clamav process for each message is a greater waste of resources than running the daemon.
On a 4 GB box/instance the 1.2 GB clamd job is not really an option, only a luxury, so for now:
Virus Scanners = none
Cheers Greg
Checking the source, the clamav stuff has only been commented out (v5.4.1), reinstating these lines seems to make it work again. Changing SweepViruses.pm and ConfigDefs.pl.
MailScanner --lint
..
Checking version numbers...
Version number in MailScanner.conf (5.4.1) is correct.
..
MailScanner.conf says "Virus Scanners = clamav"
Found these virus scanners installed: clamav
Filename Checks: Windows/DOS Executable (1 eicar.com)
Other Checks: Found 1 problems
Virus and Content Scanning: Starting
1.message: Win.Test.EICAR_HDB-1 FOUND
/var/spool/MailScanner/incoming/17143/1/eicar.com: Win.Test.EICAR_HDB-1 FOUND
Virus Scanning: ClamAV found 2 infections
Infected message 1 came from 10.1.1.1
Virus Scanning: Found 2 viruses
Virus Scanner test reports:
ClamAV said "eicar.com contains Win.Test.EICAR_HDB-1"
If any of your virus scanners (clamav) are not listed there, you should check that they are installed correctly and that MailScanner is finding them correctly via its virus.scanners.conf.
Config: calling custom end function MailWatchLogging
I can live with this and push it down the road. If we get more than a couple of emails a week, we can revert to clamd. Please reconsider its deprecation.
#######
One other thing I have noticed (before the clamav change) is that if I repeatedly send eicarcom2.tar.xz, sometimes the body of the {Virus?} email is empty. It does it on every other email,
i.e. this is missing:
Warning: This message has had one or more attachments removed
Warning: (eicarcom2.tar.xz, the entire message).
Warning: Please read the "mycompany-Attachment-Warning.txt" attachment(s) for more information.
This is a message from the MailScanner E-Mail Virus Protection Service
The original e-mail attachment "the entire message" was believed to be infected by a virus and has been replaced by this warning message.
If you wish to receive a copy of the infected attachment, please e-mail helpdesk and include the whole of this message in your request. Alternatively, you can call them, with the contents of this message to hand when you call.
At Wed Sep 22 07:28:34 2021 the virus scanner said: ClamAV: eicarcom2.tar.xz contains Win.Test.EICAR_HDB-1
ClamAV: contains Win.Test.EICAR_HDB-1
Note to Help Desk: Look on The mycompany (mycompany.co.uk) MailScanner in /var/spool/MailScanner/quarantine/20210922 (message D3753C9B07.AEA63).
Postmaster
Cheers Greg
Due to obsolescence of perl-Mail-ClamAV, clamavmodule will remain deprecated and the code commented out.
Leaving the issue open to investigate the attachment warning issue.
Hello,
For the installation we use the /etc/MailScanner/conf.d directory for the necessary props/overrides.
When a virus is detected MailScanner sends an email "Bad File Name Detected" (eicar.com test case), but the attachment has the wrong name, based on %org-name% = yoursite from /etc/MailScanner/MailScanner.conf:
Please read the "yoursite-Attachment-Warning.txt" attachment(s) for more information
It seems to want %org-name% from /etc/MailScanner/MailScanner.conf rather than our /etc/MailScanner/conf.d/my.conf,
i.e. it should be from /etc/MailScanner/conf.d/my.conf:
%org-name% = mysitename
Please read the "mysitename-Attachment-Warning.txt" attachment(s) for more information
...I think the email is coming from MailScanner.
Report: MailScanner: Executable DOS/Windows programs are dangerous in email (eicar.com)
System is Rocky 8 (CentOS)
Installed Packages
Name : MailScanner
Version : 5.4.1
Release : 2.rhel
Architecture : noarch
Size : 2.6 M
Source : MailScanner-5.4.1-2.rhel.src.rpm
Cheers Greg