
MailScanner v5
GNU General Public License v2.0

Please read the "yoursite-Attachment-Warning.txt" attachment(s) for more information #551

Open gregh3269 opened 3 years ago

gregh3269 commented 3 years ago

Hello,

For the installation we use /etc/MailScanner/conf.d directory for the necessary props/overrides.

When a virus is detected MailScanner sends an email "Bad File Name Detected" (eicar.com test case), but the attachment has the wrong naming based on the %org-name% = yoursite from the /etc/MailScanner/MailScanner.conf

Please read the "yoursite-Attachment-Warning.txt" attachment(s) for more information

It seems to want %org-name% from /etc/MailScanner/MailScanner.conf rather than our /etc/MailScanner/conf.d/my.conf

i.e. it should be from /etc/MailScanner/conf.d/my.conf:

%org-name% = mysitename

Please read the "mysitename-Attachment-Warning.txt" attachment(s) for more information

...I think the email is coming from MailScanner.

Report: MailScanner: Executable DOS/Windows programs are dangerous in email (eicar.com)

System in Rocky 8 (CENTOS)

Installed Packages
Name         : MailScanner
Version      : 5.4.1
Release      : 2.rhel
Architecture : noarch
Size         : 2.6 M
Source       : MailScanner-5.4.1-2.rhel.src.rpm

Cheers Greg

msapiro commented 3 years ago

On 9/18/21 2:11 AM, gregh3269 wrote:

It seems to want %org-name% from /etc/MailScanner/MailScanner.conf rather than our /etc/MailScanner/conf.d/my.conf

i.e. it should be from /etc/MailScanner/conf.d/my.conf:

%org-name% = mysitename

Please read the "mysitename-Attachment-Warning.txt" attachment(s) for more information

From MailScanner.conf:

READ THIS FIRST!
Instead of making changes directly to this file, you should put your
configuration options in your own file in /etc/MailScanner/conf.d/
Example file: /etc/MailScanner/conf.d/my_settings.conf
However, if you are changing some variable definition which is used
in other definitions in this file such as %org-name% in the first
example below, you must also either change it in this file or copy
all the definitions that use that variable into your own file.

--
Mark Sapiro @.***>                    The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
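As an added example (not MailScanner's own tooling), the following POSIX shell function generates the conf.d fragment that the "READ THIS FIRST" notice above calls for, and that the original report on the yoursite-Attachment-Warning.txt filename was missing: it emits the new %org-name% line followed by every active definition in the main MailScanner.conf that references %org-name%, so the override and its dependents land in /etc/MailScanner/conf.d together. The sample configuration it runs against is constructed inline and stands in for the real file; the function names and the file path under /tmp are this example's own.

```shell
#!/bin/sh
# Added example, not part of MailScanner: build a conf.d override for
# %org-name% that also carries every definition expanding that variable.

# gen_orgname_override CONF NEWNAME
#   Print "%org-name% = NEWNAME", then each non-comment line of CONF that
#   references %org-name% (excluding the variable's own definition line).
gen_orgname_override() {
    conf="$1"
    name="$2"
    # %% is a literal percent sign in a printf format string
    printf '%%org-name%% = %s\n' "$name"
    # active definitions (first non-blank char is not '#') using the variable,
    # minus the "%org-name% = ..." line itself
    grep -E '^[[:space:]]*[^#[:space:]].*%org-name%' "$conf" \
        | grep -vE '^[[:space:]]*%org-name%[[:space:]]*='
}

# count_orgname_users CONF
#   Number of definitions that would be copied into the fragment.
count_orgname_users() {
    grep -E '^[[:space:]]*[^#[:space:]].*%org-name%' "$1" \
        | grep -cvE '^[[:space:]]*%org-name%[[:space:]]*='
}

# Constructed stand-in for /etc/MailScanner/MailScanner.conf (hypothetical
# content for this example; on a real host point at the installed file).
SAMPLE_CONF="${TMPDIR:-/tmp}/ms-sample-$$.conf"
cat > "$SAMPLE_CONF" <<'EOF'
# %org-name% is used by several definitions below
%org-name% = yoursite
Attachment Warning Filename = %org-name%-Attachment-Warning.txt
Mail Header = X-%org-name%-MailScanner:
Max Message Size = 0
EOF

# Emit the fragment; redirect into /etc/MailScanner/conf.d/my_settings.conf
# when running against the real MailScanner.conf.
gen_orgname_override "$SAMPLE_CONF" mysitename
```

On a real host, run the function against /etc/MailScanner/MailScanner.conf, write the output to /etc/MailScanner/conf.d/my_settings.conf, and then confirm with `MailScanner --lint` and a test message that the warning attachment carries the new name. Each copied definition keeps the literal %org-name%, so it expands against the value set in the same conf.d file rather than the one left in the main file.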

gregh3269 commented 3 years ago

Ok, sorry, I was reading my install instructions rather than the official ones. I can see I have updated the /etc/MailScanner/MailScanner.conf on the server version and not my instructions.

...Was hoping this would fix the MailScanner --lint not showing the virus scanner stuff, even though clamav seems to work correctly.

v5.4.1

MailScanner.conf says "Virus Scanners = clamav"
Found these virus scanners installed:
===========================================================================
Filename Checks: Windows/DOS Executable (1 eicar.com)
Other Checks: Found 1 problems
Virus and Content Scanning: Starting
===========================================================================
If any of your virus scanners () ....

v5.0.7 on CentOS 7

MailScanner.conf says "Virus Scanners = clamav"
Found these virus scanners installed: clamav
===========================================================================
Filename Checks: Windows/DOS Executable (1 eicar.com)
Other Checks: Found 1 problems
Virus and Content Scanning: Starting
1.message: Win.Test.EICAR_HDB-1 FOUND
/var/spool/MailScanner/incoming/6372/1/eicar.com: Win.Test.EICAR_HDB-1 FOUND
Virus Scanning: ClamAV found 2 infections
Infected message 1 came from 10.1.1.1
Virus Scanning: Found 2 viruses
===========================================================================
Virus Scanner test reports:
ClamAV said "eicar.com contains Win.Test.EICAR_HDB-1"
If any of your virus scanners (clamav) ...

Is there a way to debug this?

Cheers Greg

shawniverson commented 3 years ago

@gregh3269 clamav was deprecated and eventually removed, use clamd instead.

gregh3269 commented 3 years ago

Virus Scanners = clamd

seems to make it work, but now we must run the 1 GB memory daemon job. On my dev box this seems a waste of resources. I seem to remember the clamav-wrapper stuff runs when needed? Is it possible to still use this logic now?

virus.scanners.conf:
clamav /usr/lib/MailScanner/wrapper/clamav-wrapper /usr

Cheers Greg

msapiro commented 3 years ago

The size of the clamav daemon depends on the size of the collection of signatures (/var/lib/clamav/*). That said, the trade off between clamd and clamav is with clamd, the process is persistent and the signatures are loaded once when it starts while with clamav there is a new process which has to load all the signatures each time it is invoked.

It seems to me that creating a new clamav process for each message is a greater waste of resources than running the daemon.

gregh3269 commented 3 years ago

On a 4 GB box/instance the 1.2 GB clamd job is not really an option, now only a luxury.

Virus Scanners = none

Cheers Greg

gregh3269 commented 3 years ago

Checking the source, the clamav stuff has only been commented out (v5.4.1), reinstating these lines seems to make it work again. Changing SweepViruses.pm and ConfigDefs.pl.

MailScanner --lint
..
Checking version numbers...
Version number in MailScanner.conf (5.4.1) is correct.
..
MailScanner.conf says "Virus Scanners = clamav"
Found these virus scanners installed: clamav
===========================================================================
Filename Checks: Windows/DOS Executable (1 eicar.com)
Other Checks: Found 1 problems
Virus and Content Scanning: Starting
1.message: Win.Test.EICAR_HDB-1 FOUND
/var/spool/MailScanner/incoming/17143/1/eicar.com: Win.Test.EICAR_HDB-1 FOUND
Virus Scanning: ClamAV found 2 infections
Infected message 1 came from 10.1.1.1
Virus Scanning: Found 2 viruses
===========================================================================
Virus Scanner test reports:
ClamAV said "eicar.com contains Win.Test.EICAR_HDB-1"
If any of your virus scanners (clamav) are not listed there, you should check that they are installed correctly and that MailScanner is finding them correctly via its virus.scanners.conf.
Config: calling custom end function MailWatchLogging

I can live with this and push it down the road. If we get more than a couple of emails a week, we can revert to clamd. Please reconsider its deprecation.

#######

One other thing I have noticed (before the clamav change) is if I repeatedly send eicarcom2.tar.xz, sometimes the body of the {Virus?} email is empty. It does it on every other email.

i.e. this is missing:

Warning: This message has had one or more attachments removed
Warning: (eicarcom2.tar.xz, the entire message).
Warning: Please read the "mycompany-Attachment-Warning.txt" attachment(s) for more information.

This is a message from the MailScanner E-Mail Virus Protection Service

----------------------------------------------------------------------

The original e-mail attachment "the entire message" was believed to be infected by a virus and has been replaced by this warning message.

If you wish to receive a copy of the infected attachment, please e-mail helpdesk and include the whole of this message in your request. Alternatively, you can call them, with the contents of this message to hand when you call.

At Wed Sep 22 07:28:34 2021 the virus scanner said: ClamAV: eicarcom2.tar.xz contains Win.Test.EICAR_HDB-1

ClamAV: contains Win.Test.EICAR_HDB-1

Note to Help Desk: Look on The mycompany (mycompany.co.uk) MailScanner in /var/spool/MailScanner/quarantine/20210922 (message D3753C9B07.AEA63).

--

Postmaster

Cheers Greg

shawniverson commented 2 years ago

Due to obsolescence of perl-Mail-ClamAV, clamavmodule will remain deprecated and code commented out.

shawniverson commented 2 years ago

Leaving issue open to investigate attachment warning issue