[SOLVED] Multiple infections not passed to amavis
Levente Birta
blevi.linux at gmail.com
Thu Feb 2 10:49:30 CET 2017
On 02/02/2017 11:17, Levente Birta wrote:
> Hi
>
> I use amavisd 2.10 and clamav 0.99 with sanesecurity.
>
> in the amavisd.conf:
>
> @virus_name_to_spam_score_maps =
>   (new_RE( # the order matters!
>     [ qr`^Structured\.(SSN|CreditCardNumber)\b` => 0.1 ],
>     [ qr`^(Heuristics\.)?Phishing\.` => 0.1 ],
>     [ qr`^(Email|HTML)\.Phishing\.(?!.*Sanesecurity)` => 0.1 ],
>     [ qr`^Sanesecurity\.(Malware|Badmacro|Foxhole|Rogue|Trojan)\.` => undef ],# keep as infected
>     [ qr`^Sanesecurity\.` => 0.1 ],
>     [ qr`^Sanesecurity.TestSig_` => 0 ],
>     [ qr`^Email\.Spam\.Bounce(\.[^., ]*)*\.Sanesecurity\.` => 0 ],
>     [ qr`^BofhlandMW\.` => undef ],# keep as infected
>     [ qr`^Bofhland\.Malware\.` => undef ],# keep as infected
>     [ qr`^Bofhland\.` => 0.1 ],
>     [ qr`^winnow.malware\.` => undef ],# keep as infected
>     [ qr`^winnow\_` => 0.1 ],
>     [ qr`^PhishTank\.Phishing\.` => 0.1 ],
>     [ qr`^Porcupine\.Malware\.` => undef ],# keep as infected
>     [ qr`^Porcupine\.` => 0.1 ],
>     [ qr`^Email\.Spammail\b` => 0.1 ],
>     [ qr`^Safebrowsing\.` => 0.1 ],
>     [ qr`^winnow\.(phish|spam)\.` => 0.1 ],
>     [ qr`^ScamNailer\.` => 0.1 ],
>     [ qr`SecuriteInfo\.com\.Spam\-720` => 1.5 ],
>   ));
>
> If the mail is detected as infected by clamav with one single infection,
> the above map works.
> Here is the log:
> Feb 2 10:00:51 wsrv clamd[18232]: Received POLLIN|POLLHUP on fd 4
> Feb 2 10:00:51 wsrv clamd[18232]: Got new connection, FD 9
> Feb 2 10:00:51 wsrv clamd[18232]: Received POLLIN|POLLHUP on fd 5
> Feb 2 10:00:51 wsrv clamd[18232]: fds_poll_recv: timeout after 5 seconds
> Feb 2 10:00:51 wsrv clamd[18232]: Received POLLIN|POLLHUP on fd 9
> Feb 2 10:00:51 wsrv clamd[18232]: got command CONTSCAN /var/spool/amavisd/tmp/amavis-20170202T100051-18468-zTSdo6K6/parts (75, 7), argument: /var/spool/amavisd/tmp/amavis-20170202T100051-18468-zTSdo6K6/parts
> Feb 2 10:00:51 wsrv clamd[18232]: mode -> MODE_WAITREPLY
> Feb 2 10:00:51 wsrv clamd[18232]: Breaking command loop, mode is no longer MODE_COMMAND
> Feb 2 10:00:51 wsrv clamd[18232]: Consumed entire command
> Feb 2 10:00:51 wsrv clamd[18232]: Number of file descriptors polled: 1 fds
> Feb 2 10:00:51 wsrv clamd[18232]: fds_poll_recv: timeout after 600 seconds
> Feb 2 10:00:51 wsrv clamd[18232]: THRMGR: queue (single) crossed low threshold -> signaling
> Feb 2 10:00:51 wsrv clamd[18232]: THRMGR: queue (bulk) crossed low threshold -> signaling
> Feb 2 10:00:51 wsrv clamd[18232]: /var/spool/amavisd/tmp/amavis-20170202T100051-18468-zTSdo6K6/parts/p004: SecuriteInfo.com.Spam-720.UNOFFICIAL(5906f52c03b1982c4aed88c3778801d4:36917) FOUND
> Feb 2 10:00:51 wsrv clamd[18232]: /var/spool/amavisd/tmp/amavis-20170202T100051-18468-zTSdo6K6/parts/p001: OK
> Feb 2 10:00:51 wsrv clamd[18232]: Finished scanthread
> Feb 2 10:00:51 wsrv clamd[18232]: Scanthread: connection shut down (FD 9)
> Feb 2 10:00:51 wsrv clamd[18232]: THRMGR: queue (single) crossed low threshold -> signaling
> Feb 2 10:00:51 wsrv clamd[18232]: THRMGR: queue (bulk) crossed low threshold -> signaling
> Feb 2 10:00:51 wsrv amavis/pickup[18468]: (18468-01) run_av (ClamAV-clamd): /var/spool/amavisd/tmp/amavis-20170202T100051-18468-zTSdo6K6/parts INFECTED: SecuriteInfo.com.Spam-720.UNOFFICIAL
> Feb 2 10:00:51 wsrv amavis/pickup[18468]: (18468-01) Turning AV infection into a spam report: score=1.5, AV:SecuriteInfo.com.Spam-720.UNOFFICIAL=1.5
>
>
> But I have one mail with multiple infections, like this:
>
> Virus scanner output:
> p004: Sanesecurity.Blurl.b4e48a.UNOFFICIAL FOUND
> p002: Sanesecurity.Blurl.fcc3c3.UNOFFICIAL FOUND
>
> and the log
>
> Feb 2 10:01:35 wsrv clamd[18232]: Received POLLIN|POLLHUP on fd 4
> Feb 2 10:01:35 wsrv clamd[18232]: Got new connection, FD 9
> Feb 2 10:01:35 wsrv clamd[18232]: Received POLLIN|POLLHUP on fd 5
> Feb 2 10:01:35 wsrv clamd[18232]: fds_poll_recv: timeout after 5 seconds
> Feb 2 10:01:35 wsrv clamd[18232]: Received POLLIN|POLLHUP on fd 9
> Feb 2 10:01:35 wsrv clamd[18232]: got command CONTSCAN /var/spool/amavisd/tmp/amavis-20170202T100135-18469-4Hmcgoej/parts (75, 7), argument: /var/spool/amavisd/tmp/amavis-20170202T100135-18469-4Hmcgoej/parts
> Feb 2 10:01:35 wsrv clamd[18232]: mode -> MODE_WAITREPLY
> Feb 2 10:01:35 wsrv clamd[18232]: Breaking command loop, mode is no longer MODE_COMMAND
> Feb 2 10:01:35 wsrv clamd[18232]: Consumed entire command
> Feb 2 10:01:35 wsrv clamd[18232]: Number of file descriptors polled: 1 fds
> Feb 2 10:01:35 wsrv clamd[18232]: fds_poll_recv: timeout after 600 seconds
> Feb 2 10:01:35 wsrv clamd[18232]: THRMGR: queue (single) crossed low threshold -> signaling
> Feb 2 10:01:35 wsrv clamd[18232]: THRMGR: queue (bulk) crossed low threshold -> signaling
> Feb 2 10:01:35 wsrv clamd[18232]: /var/spool/amavisd/tmp/amavis-20170202T100135-18469-4Hmcgoej/parts/p004: Sanesecurity.Blurl.b4e48a.UNOFFICIAL(f7555a23bbf9551c86212d6acd54ef8f:67128) FOUND
> Feb 2 10:01:35 wsrv clamd[18232]: /var/spool/amavisd/tmp/amavis-20170202T100135-18469-4Hmcgoej/parts/p001: OK
> Feb 2 10:01:35 wsrv clamd[18232]: /var/spool/amavisd/tmp/amavis-20170202T100135-18469-4Hmcgoej/parts/p002: Sanesecurity.Blurl.fcc3c3.UNOFFICIAL(644a611c09aa304f053d15a0cc8c3460:41020) FOUND
> Feb 2 10:01:35 wsrv clamd[18232]: Finished scanthread
> Feb 2 10:01:35 wsrv clamd[18232]: Scanthread: connection shut down (FD 9)
> Feb 2 10:01:35 wsrv clamd[18232]: THRMGR: queue (single) crossed low threshold -> signaling
> Feb 2 10:01:35 wsrv clamd[18232]: THRMGR: queue (bulk) crossed low threshold -> signaling
> Feb 2 10:01:35 wsrv amavis/pickup[18469]: (18469-01) run_av (ClamAV-clamd): /var/spool/amavisd/tmp/amavis-20170202T100135-18469-4Hmcgoej/parts INFECTED:
> Feb 2 10:01:35 wsrv amavis/pickup[18469]: (18469-01) virus_scan: (), detected by 1 scanners: ClamAV-clamd
>
> I see in the logs that the virus names apparently are not passed to
> amavis, and @virus_name_to_spam_score_maps does not work in this
> multiple-infection case.
>
> What am I missing?
>
OK, the problem was in amavisd.conf, in the @av_scanners section:
I don't know why, but I had missed the /m (treat string as multiple lines) modifier:

['ClamAV-clamd',
  \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamd.amavisd/clamd.sock"],
  qr/\bOK$/m, qr/\bFOUND$/m,
  qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],
--
Levi
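To make the effect of the missing /m concrete, here is a small Perl script I have added as an illustration; it is not code from the thread above and not amavisd's own code. It runs the three regexes from the ClamAV-clamd @av_scanners entry, once without and once with /m, against a constructed clamd reply built from the file and signature names in the multi-infection log. The line order of the reply, and the assumption that amavisd gathers virus names with a list-context /g match, are mine.

```perl
#!/usr/bin/perl
# Added example, not from the thread or from amavisd: shows what the /m
# modifier changes for the three regexes of the ClamAV-clamd @av_scanners
# entry when clamd's CONTSCAN reply carries several lines.
use strict;
use warnings;

# Constructed clamd reply. File and signature names are taken from the
# multi-infection log in the thread; the line order is an assumption.
my $reply = join '',
  "/var/spool/amavisd/tmp/parts/p004: Sanesecurity.Blurl.b4e48a.UNOFFICIAL FOUND\n",
  "/var/spool/amavisd/tmp/parts/p001: OK\n",
  "/var/spool/amavisd/tmp/parts/p002: Sanesecurity.Blurl.fcc3c3.UNOFFICIAL FOUND\n";

# Return every virus name the name regex captures, using a global match in
# list context. That amavisd collects names this way is an assumption made
# for this example.
sub names_found {
  my ($text, $name_re) = @_;
  return ($text =~ /$name_re/g);
}

for my $with_m (0, 1) {
  # The three regexes from the @av_scanners entry, without and with /m.
  my $ok_re    = $with_m ? qr/\bOK$/m    : qr/\bOK$/;
  my $found_re = $with_m ? qr/\bFOUND$/m : qr/\bFOUND$/;
  my $name_re  = $with_m ? qr/^.*?: (?!Infected Archive)(.*) FOUND$/m
                         : qr/^.*?: (?!Infected Archive)(.*) FOUND$/;

  my @names = names_found($reply, $name_re);
  printf "%-12s clean=%s infected=%s names=[%s]\n",
    ($with_m ? 'with /m:' : 'without /m:'),
    ($reply =~ $ok_re)    ? 'yes' : 'no',
    ($reply =~ $found_re) ? 'yes' : 'no',
    join(', ', @names);
}
```

Without /m, ^ and $ only anchor at the start and end of the whole reply, so the name regex cannot match a FOUND line that is followed by further lines, and \bOK$ or \bFOUND$ only see whichever line happens to end the reply; with /m every line is tested on its own and both Sanesecurity.Blurl names are captured, which is what @virus_name_to_spam_score_maps needs to see.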