ClamAV via Amavis and logs?

Olivier Olivier.Nicole at cs.ait.ac.th
Mon May 23 06:55:36 CEST 2016


Sorry for jumping on the wagon late, but it has been a long weekend.

> I have amavisd running clamav, but nothing from clamav appears in any
> logs.

In syslog I see:

May 23 08:58:38 mail amavis[10877]: (10877-13) run_av (ClamAV-clamd):
/var/amavis/tmp/amavis-20160523T065350-10877-3d9eFTpE/parts INFECTED:
SecuriteInfo.com.Spam-661.UNOFFICIAL

May 23 08:58:38 mail amavis[10877]: (10877-13) Blocked INFECTED
(SecuriteInfo.com.Spam-661.UNOFFICIAL) {DiscardedInbound,Quarantined},
[207.8.97.163]:57506 [207.8.97.163]
<Bounce.5B01D8.3FA8A4B7 at pmta403.dedicated.bmsend.com> ->
<someone>, quarantine: virus/ZYPWG9Ii7OD4, Queue-ID: 9C9ABD7882,
Message-ID: <3rChXV55n1z3G8Qy at pmta401.dedicated.bmsend.com>, mail_id:
ZYPWG9Ii7OD4, Hits: -, size: 45913,
dkim_sd=bmdeda:pmta403.dedicated.bmsend.com, 1374 ms

May 23 08:58:38 mail postfix/smtp[12834]: 9C9ABD7882:
to=<someone>, relay=localhost[127.0.0.1]:10024, delay=2.5,
delays=1.1/0.05/0.02/1.4, dsn=2.7.0, status=sent (250 2.7.0 Ok,
discarded, id=10877-13 - INFECTED: SecuriteInfo.com.Spam-661.UNOFFICIAL)

Three log messages for one single piece of email... It may come down to the way
you interface ClamAV with amavis, and whether you collect the data returned
by ClamAV or not.

What I have is:

['ClamAV-clamd',
  \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd.sock"],
  qr/\bOK$/m, qr/\bFOUND$/m,
  qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],

where the last line is (from the doc):

#  6. a regexp (to be matched against scanner output), returning a list
#     of virus names found, or a sub ref, returning such a list when given
#     scanner output as argument;

This call from amavis to ClamAV is the stock one, nothing fancy that I'd
have modified myself.

Olivier


>
> The only thing I do see is lines like this:
>
> May 21 13:57:29 mail amavis[89288]: (89288-01) Passed SPAM {RelayedTaggedInbound,RelayedOpenRelay,Quarantined}, [127.0.0.1] [96.84.245.98] <eFlyer at eflyermarketing.com> -> <*munged*@covisp.net>,<bcc*munged*>, quarantine: spam-HQ5gUZA4rXw5.gz, Message-ID: <20160521135753.53CC3BF.11E6B08 at eflyermarketing.com>, mail_id: HQ5gUZA4rXw5, Hits: 12.244, size: 7392, queued_as: 3rBwZK26fmzpL6q/3rBwZK2BmyzpLTW, 4180 ms
>
> And an ever-expanding archive of quarantined emails in /var/virusemails/
>
> Is there any way to enable some more logging? Should I be doing anything with the quarantine other than hanging on to the messages for a while in case something is an FP?

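The three regexes in the stock ClamAV-clamd entry quoted above are what decide whether amavis logs an INFECTED result and which virus names appear in the "Blocked INFECTED (...)" line. The following is an added example, not part of this post or of amavisd's own code: it applies those same three regexes to clamd CONTSCAN replies (constructed here in clamd's "path: result" format, with paths that mimic the amavis tmp directory from the log lines above) and shows what amavis would extract. The socket path and the ask_clamd helper are assumptions modelled on the quoted \&ask_daemon entry; the helper needs a running clamd and is not exercised by the constructed samples.

```python
# Added example, not part of the amavis-users post or of amavisd's own code:
# apply the three regexes from the stock 'ClamAV-clamd' entry to clamd
# CONTSCAN replies and see what amavisd would extract as virus names.
import re
import socket

# The regexes from the amavisd.conf entry, unchanged apart from Python syntax:
#   qr/\bOK$/m                                  -> reply says clean
#   qr/\bFOUND$/m                               -> reply says infected
#   qr/^.*?: (?!Infected Archive)(.*) FOUND$/m  -> names to log
CLEAN_RE = re.compile(r'\bOK$', re.MULTILINE)
INFECTED_RE = re.compile(r'\bFOUND$', re.MULTILINE)
NAMES_RE = re.compile(r'^.*?: (?!Infected Archive)(.*) FOUND$', re.MULTILINE)

# clamd's socket path from the quoted config (assumption: yours may differ).
CLAMD_SOCKET = '/var/run/clamav/clamd.sock'


def classify(reply):
    """Return (verdict, names) for a CONTSCAN reply, verdict being
    'infected', 'clean' or 'error'. The FOUND check runs before the OK
    check because a directory scan can answer OK for some parts and
    FOUND for others, and one FOUND is enough to block the message."""
    names = NAMES_RE.findall(reply)
    if INFECTED_RE.search(reply):
        return 'infected', names
    if CLEAN_RE.search(reply):
        return 'clean', []
    # Neither regex matched: an ERROR line, an empty reply, or output in a
    # format the regexes do not expect. Treat it as a scanner failure,
    # never as clean.
    return 'error', []


def ask_clamd(path, sock_path=CLAMD_SOCKET, timeout=60):
    """Send CONTSCAN for `path` over clamd's unix socket, as the quoted
    ask_daemon entry does, and return the raw reply. clamd opens the
    files itself, so `path` must be readable by the clamd user."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect(sock_path)
        s.sendall(('CONTSCAN %s\n' % path).encode())
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b''.join(chunks).decode('utf-8', 'replace')


# Constructed replies in clamd's "path: result" format; the paths mimic the
# amavis tmp layout from the log lines in the post.
TMP = '/var/amavis/tmp/amavis-20160523T065350-10877-3d9eFTpE/parts'
SAMPLE_INFECTED = (
    TMP + '/p001: OK\n'
    + TMP + '/p002: SecuriteInfo.com.Spam-661.UNOFFICIAL FOUND\n'
)
SAMPLE_CLEAN = TMP + '/p001: OK\n'
# The lookahead in NAMES_RE skips a line whose name is "Infected Archive",
# so such a line contributes no name to the log; the message is still
# INFECTED because of the FOUND regex.
SAMPLE_ARCHIVE = (
    TMP + '/p003: Infected Archive FOUND\n'
    + TMP + '/p003: Eicar-Test-Signature FOUND\n'
)
SAMPLE_ERROR = TMP + '/p001: lstat() failed: Permission denied. ERROR\n'

if __name__ == '__main__':
    for label, reply in (('infected', SAMPLE_INFECTED), ('clean', SAMPLE_CLEAN),
                         ('archive', SAMPLE_ARCHIVE), ('error', SAMPLE_ERROR)):
        verdict, names = classify(reply)
        print('%-8s -> %s %s' % (label, verdict.upper(), ', '.join(names)))
```

To see what clamd actually answers on a given box, send the same request by hand, e.g. `printf 'CONTSCAN /some/dir\n' | socat - UNIX-CONNECT:/var/run/clamav/clamd.sock`, and feed the reply to classify(). A reply consisting of ERROR lines matches neither the OK nor the FOUND regex, so amavis never gets an INFECTED result to log; with CONTSCAN clamd opens the extracted parts itself, so the clamd user needs read access to the amavis tmp directory.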