ClamAV detection does not trigger Amavis virus action

Dominic Raferd dominic at timedicer.co.uk
Tue Dec 18 08:02:55 CET 2018


I use ClamAV (with SaneSecurity addons) as my primary (and only) antivirus
scanner under amavisd-new-2.11.0. I have always assumed that if ClamAV
finds something, Amavis will take the defined 'virus action' (in my case
this is to block, i.e. discard, the mail), but I now find this is not
necessarily the case:

In this case the infected mail is blocked:
2018-12-17 12:13:41 vps1 clamd[1081]: Mon Dec 17 12:13:41 2018 -> ~/var/lib/amavis/tmp/amavis-20181217T111618-20069-1T2DHFXX/parts/p002: MBL_20559167.UNOFFICIAL(00000000000000000000000000000000:552) FOUND
2018-12-17 12:13:41 vps1 clamd[1081]: /var/lib/amavis/tmp/amavis-20181217T111618-20069-1T2DHFXX/parts/p002: MBL_20559167.UNOFFICIAL(00000000000000000000000000000000:552) FOUND
2018-12-17 12:13:41 vps1 amavis[20069]: (20069-10) Blocked INFECTED (MBL_20559167.UNOFFICIAL) {DiscardedInbound}, INCOMING [193.233.31.24]:54896 [193.233.31.24] <billing at orientalwisdom.info> -> <tricia at streamingbats.co.uk>, Queue-ID: B2F163E85E, Message-ID: <2d07b915e16bccc0ef2a9ccf3bf78d8195e80cf6 at orientalwisdom.info>, mail_id: kFYoqSLUSVWw, Hits: -, size: 2602, 194 ms

But in this case it isn't:
2018-12-16 13:49:14 vps1 clamd[1081]: Sun Dec 16 13:49:14 2018 -> ~/var/lib/amavis/tmp/amavis-20181216T101603-18225-tHPkrYWE/parts/p002: Sanesecurity.Blurl.989ed7.UNOFFICIAL(00000000000000000000000000000000:25273) FOUND
2018-12-16 13:49:14 vps1 clamd[1081]: /var/lib/amavis/tmp/amavis-20181216T101603-18225-tHPkrYWE/parts/p002: Sanesecurity.Blurl.989ed7.UNOFFICIAL(00000000000000000000000000000000:25273) FOUND
2018-12-16 13:49:16 vps1 amavis[18225]: (18225-19) Passed CLEAN {RelayedInbound}, INCOMING [54.240.27.30]:60070 [54.240.27.30] <01010167b7102d87-3d5db8e0-1b25-4732-87c9-66ceaa6499c1-000000 at us-west-2.amazonses.com> -> <phil at streamingbats.co.uk>, Queue-ID: C4E973E8CA, Message-ID: <01010167b7102d87-3d5db8e0-1b25-4732-87c9-66ceaa6499c1-000000 at us-west-2.amazonses.com>, mail_id: K3LXdSUItskO, Hits: 2.951, size: 57240, queued_as: 701F63F9AE, 2264 ms

Any ideas as to why the difference? Is this intended behaviour and if so is
it wise and can it be changed? My relevant Amavis settings are:

$virus_quarantine_method = undef;
$banned_files_quarantine_method = 'local:banned-%m';
$spam_quarantine_method = 'local:spam-%m';
$bad_header_quarantine_method = undef;
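
Added example (not part of the original post, and not Amavis or ClamAV code): a Python log check that pairs each clamd FOUND line with the next verdict logged by the same amavis child process and reports messages that clamd flagged but amavis did not log as Blocked INFECTED. It assumes the number in the temp directory name (amavis-<timestamp>-<pid>-<random>) is the amavis child PID, as the two excerpts in the post suggest; the sample lines are constructed from those excerpts with placeholder addresses.

```python
import re

# clamd: ".../amavis-<timestamp>-<pid>-<random>/parts/pNNN: <signature>(<hash>:<size>) FOUND"
CLAMD = re.compile(
    r"clamd\[\d+\]: .*?/amavis-\w+-(\d+)-\w+/parts/\w+: (\S+?)(?:\(\w+:\d+\))? FOUND")
# amavis verdict: "amavis[<pid>]: (<pid>-<n>) Passed CLEAN ... mail_id: <id>"
AMAVIS = re.compile(
    r"amavis\[(\d+)\]: \((\S+)\) ((?:Passed|Blocked) [A-Z-]+).*?mail_id: ([\w-]+)")


def find_mismatches(lines):
    """Return amavis verdicts that are not 'Blocked INFECTED' although clamd
    logged FOUND for a file in that child's temp directory just before."""
    pending = {}      # child pid -> signatures seen since that child's last verdict
    mismatches = []
    for line in lines:
        m = CLAMD.search(line)
        if m:
            # int() so a zero-padded pid in the path matches amavis[<pid>]
            pending.setdefault(int(m.group(1)), set()).add(m.group(2))
            continue
        m = AMAVIS.search(line)
        if m:
            pid, task, verdict, mail_id = m.groups()
            # clamd logs each hit twice in the post's excerpts; the set dedups
            sigs = pending.pop(int(pid), set())
            if sigs and verdict != "Blocked INFECTED":
                mismatches.append({"task": task, "mail_id": mail_id,
                                   "verdict": verdict, "signatures": sorted(sigs)})
    return mismatches


# Constructed sample, modelled on the post's log format (addresses are placeholders).
SAMPLE = [
    "2018-12-17 12:13:41 vps1 clamd[1081]: /var/lib/amavis/tmp/amavis-20181217T111618-20069-1T2DHFXX/parts/p002: MBL_20559167.UNOFFICIAL(00000000000000000000000000000000:552) FOUND",
    "2018-12-17 12:13:41 vps1 amavis[20069]: (20069-10) Blocked INFECTED (MBL_20559167.UNOFFICIAL) {DiscardedInbound}, INCOMING [192.0.2.1]:54896 <a@example.com> -> <b@example.com>, mail_id: kFYoqSLUSVWw, Hits: -, size: 2602, 194 ms",
    "2018-12-16 13:49:14 vps1 clamd[1081]: Sun Dec 16 13:49:14 2018 -> ~/var/lib/amavis/tmp/amavis-20181216T101603-18225-tHPkrYWE/parts/p002: Sanesecurity.Blurl.989ed7.UNOFFICIAL(00000000000000000000000000000000:25273) FOUND",
    "2018-12-16 13:49:14 vps1 clamd[1081]: /var/lib/amavis/tmp/amavis-20181216T101603-18225-tHPkrYWE/parts/p002: Sanesecurity.Blurl.989ed7.UNOFFICIAL(00000000000000000000000000000000:25273) FOUND",
    "2018-12-16 13:49:16 vps1 amavis[18225]: (18225-19) Passed CLEAN {RelayedInbound}, INCOMING [192.0.2.2]:60070 <c@example.com> -> <d@example.com>, mail_id: K3LXdSUItskO, Hits: 2.951, size: 57240, queued_as: 701F63F9AE, 2264 ms",
]

if __name__ == "__main__":
    for hit in find_mismatches(SAMPLE):
        print(hit)
```

Feed it the merged syslog stream in time order; a hit gives the mail_id and signature names to look up when comparing the two cases.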