clamav (under amavis) not filtering out viruses!
Nikolaos Milas
nmilas at noa.gr
Thu Oct 15 10:51:33 CEST 2020
Hello,
As you may also see in another mail (thread) I have started (for bayes
db migration), we have an installation with
postfix/amavis/clamav/spamassassin on CentOS 6 using (legacy?) rpmforge
packages (for amavis/clamav).
The setup includes scamp 5.6
(https://sourceforge.net/projects/scamp/files/scamp/scamp-5.6/), which
seems unsupported (not updated since 2013), to include additional clamav
definition files.
In fact, we have two identical mail gateway servers for incoming mail. I
have started migrating one of them, so it is no longer available as an
MX server.
My problem is with our currently one and only MX server (yes, the one
with the rpmforge installation): it seems to be allowing virus-infected
mails to pass through. (The same problem was occurring on the other twin
server; that's why I started the migration.)
Our users have started receiving significant amounts of virus-infected
mail, and this issue has triggered an investigation on our part to
find out the cause.
I have tested with a test signature
(https://www.eicar.org/?page_id=3950) in an attachment and, although it
was detected, it reached its destination as sent, without modification.
I found in amavisd.log:
Oct 15 09:32:25 mailgw3 amavis[28341]: (28341-12) p003 1 Content-Type: multipart/mixed
Oct 15 09:32:25 mailgw3 amavis[28341]: (28341-12) p001 1/1 Content-Type: text/plain, size: 57 B, name:
Oct 15 09:32:25 mailgw3 amavis[28341]: (28341-12) p002 1/2 Content-Type: text/plain, size: 68 B, name: vir-test.txt
Oct 15 09:32:25 mailgw3 amavis[28341]: (28341-12) Checking for banned types and filenames
Oct 15 09:32:25 mailgw3 amavis[28341]: (28341-12) collect banned table[0]: nmilas at admin.noa.gr, tables: DEFAULT=>Amavis::Lookup::RE=ARRAY(0x38127f8)
Oct 15 09:32:25 mailgw3 amavis[28341]: (28341-12) p.path nmilas at admin.noa.gr: "P=p003,L=1,M=multipart/mixed | P=p001,L=1/1,M=text/plain,T=asc"
Oct 15 09:32:25 mailgw3 amavis[28341]: (28341-12) p.path nmilas at admin.noa.gr: "P=p003,L=1,M=multipart/mixed | P=p002,L=1/2,M=text/plain,T=asc,N=vir-test.txt"
Oct 15 09:32:25 mailgw3 amavis[28341]: (28341-12) presenting full original message to scanners as /var/amavis/tmp/amavis-20201015T092702-28341-iVNTHGzi/parts/p004
Oct 15 09:32:25 mailgw3 amavis[28341]: (28341-12) run_av Using (ClamAV-clamd): (code) CONTSCAN /var/amavis/tmp/amavis-20201015T092702-28341-iVNTHGzi/parts\n
Oct 15 09:32:25 mailgw3 amavis[28341]: (28341-12) ClamAV-clamd: Connecting to socket /var/run/clamav/clamd.sock
Oct 15 09:32:25 mailgw3 amavis[28341]: (28341-12) new socket by IO::Socket::UNIX to /var/run/clamav/clamd.sock, timeout 10
Oct 15 09:32:25 mailgw3 amavis[28341]: (28341-12) ClamAV-clamd: Sending CONTSCAN /var/amavis/tmp/amavis-20201015T092702-28341-iVNTHGzi/parts\n to socket /var/run/clamav/clamd.sock
Oct 15 09:32:25 mailgw3 clamd[6612]: /var/amavis/tmp/amavis-20201015T092702-28341-iVNTHGzi/parts/p004: winnow.malware.test.eicar.com.UNOFFICIAL FOUND
Oct 15 09:32:25 mailgw3 clamd[6612]: /var/amavis/tmp/amavis-20201015T092702-28341-iVNTHGzi/parts/p002: winnow.malware.test.eicar.com.UNOFFICIAL FOUND
Oct 15 09:32:25 mailgw3 amavis[28341]: (28341-12) rw_loop read: got eof
Oct 15 09:32:25 mailgw3 amavis[28341]: (28341-12) run_av (ClamAV-clamd): /var/amavis/tmp/amavis-20201015T092702-28341-iVNTHGzi/parts INFECTED: winnow.malware.test.eicar.com.UNOFFICIAL, winnow.malware.test.eicar.com.UNOFFICIAL
Oct 15 09:32:25 mailgw3 amavis[28341]: (28341-12) Turning AV infection into a spam report: score=5, AV:winnow.malware.test.eicar.com.UNOFFICIAL=5
Questions:
* Why was this attachment allowed to go through and not discarded?
* What does "Turning AV infection into a spam report" mean?
Secondly, I have the impression that clamav does not filter viruses
using its main database, but rather using its additional definitions
only. I see in clamd.log:
...
Wed Oct 14 12:19:53 2020 -> Reading databases from /var/clamav
Wed Oct 14 12:20:14 2020 -> Database correctly reloaded (9503074 signatures)
Wed Oct 14 12:31:10 2020 -> SelfCheck: Database status OK.
Wed Oct 14 12:42:21 2020 -> SelfCheck: Database status OK.
Wed Oct 14 12:44:08 2020 -> /var/amavis/tmp/amavis-20201014T123657-07529-o2hBupiQ/parts/p002: Porcupine.Junk.45095.UNOFFICIAL FOUND
Wed Oct 14 12:44:08 2020 -> /var/amavis/tmp/amavis-20201014T123657-07529-o2hBupiQ/parts/p001: Porcupine.Junk.45095.UNOFFICIAL FOUND
Wed Oct 14 12:52:01 2020 -> /var/amavis/tmp/amavis-20201014T124433-07659-xHHpAJXE/parts/p002: Sanesecurity.Jurlbl.807f42.UNOFFICIAL FOUND
Wed Oct 14 12:52:22 2020 -> SelfCheck: Database status OK.
<19 identical messages, every ~10 minutes>
Wed Oct 14 16:15:52 2020 -> Reading databases from /var/clamav
Wed Oct 14 16:16:12 2020 -> Database correctly reloaded (9503099 signatures)
Wed Oct 14 16:26:15 2020 -> SelfCheck: Database status OK.
<22 identical messages, every ~10 minutes>
Wed Oct 14 20:16:23 2020 -> Reading databases from /var/clamav
Wed Oct 14 20:16:43 2020 -> Database correctly reloaded (9503207 signatures)
...
...while at the same time we have been receiving infected mail! For
example, here is an email with a confirmed (scanned with Avira Free)
infected attachment:
Oct 14 17:15:32 mailgw3 amavis[12512]: (12512-20) presenting full original message to scanners as /var/amavis/tmp/amavis-20201014T170853-12512-0BLIG2lc/parts/p004
Oct 14 17:15:32 mailgw3 amavis[12512]: (12512-20) run_av Using (ClamAV-clamd): (code) CONTSCAN /var/amavis/tmp/amavis-20201014T170853-12512-0BLIG2lc/parts\n
Oct 14 17:15:32 mailgw3 amavis[12512]: (12512-20) ClamAV-clamd: Connecting to socket /var/run/clamav/clamd.sock
Oct 14 17:15:32 mailgw3 amavis[12512]: (12512-20) new socket by IO::Socket::UNIX to /var/run/clamav/clamd.sock, timeout 10
Oct 14 17:15:32 mailgw3 amavis[12512]: (12512-20) ClamAV-clamd: Sending CONTSCAN /var/amavis/tmp/amavis-20201014T170853-12512-0BLIG2lc/parts\n to socket /var/run/clamav/clamd.sock
Oct 14 17:15:32 mailgw3 amavis[12512]: (12512-20) rw_loop read: got eof
Oct 14 17:15:32 mailgw3 amavis[12512]: (12512-20) run_av (ClamAV-clamd): CLEAN
Oct 14 17:15:32 mailgw3 amavis[12512]: (12512-20) run_av (ClamAV-clamd) result: clean
Please advise me: how can I find out what is going wrong with
clamav/amavis and correct things?
In essence, we need to stop the virus-infected mail flooding.
Please advise!
Thanks in advance for your kind assistance,
Nick
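Added example (not part of the original post, and not code from the amavis or ClamAV projects): a small Python client that sends the same CONTSCAN command amavis sends to the clamd Unix socket, parses the "path: NAME FOUND" replies, and then re-implements the mechanism behind the "Turning AV infection into a spam report" log line. In amavisd.conf, entries in @virus_name_to_spam_score_maps are ordered (regex, score) pairs; when a detected signature name matches one, amavis does not treat the message as infected but only adds the mapped score to the SpamAssassin total, so the message is then judged by the spam kill level rather than by the virus policy. The regex/score map, the kill level of 6.31, the socket path and the two clamd replies below are constructed for this example, modelled on the log quoted above, not taken from the poster's configuration.

```python
"""Offline reproduction of amavis's virus-name-to-spam-score handling.

Added example; the map, kill level and clamd replies are constructed.
"""
import re
import socket
from dataclasses import dataclass, field

# Constructed clamd replies, shaped like the two scans quoted in the post.
EICAR_REPLY = (
    "/var/amavis/tmp/x/parts/p004: winnow.malware.test.eicar.com.UNOFFICIAL FOUND\n"
    "/var/amavis/tmp/x/parts/p002: winnow.malware.test.eicar.com.UNOFFICIAL FOUND\n"
)
CLEAN_REPLY = "/var/amavis/tmp/y/parts: OK\n"

# Hypothetical map in the spirit of amavisd's @virus_name_to_spam_score_maps:
# ordered (regex, score) pairs, first match wins. A hit here is NOT a virus
# verdict; only the score is added to the SpamAssassin total.
NAME_TO_SPAM_SCORE = [
    (re.compile(r"^(Email|HTML)\.Phishing\.", re.I), 0.1),
    (re.compile(r"^Sanesecurity\.(Junk|Spam|Jurlbl)\b", re.I), 4.5),
    (re.compile(r"^winnow\.", re.I), 5.0),
]
KILL_LEVEL = 6.31  # constructed; mirrors amavisd's $sa_kill_level_deflt default


def parse_clamd_reply(reply: str) -> list:
    """Return (path, signature) for every 'path: NAME FOUND' line."""
    found = []
    for line in reply.splitlines():
        line = line.strip()
        if line.endswith(" FOUND"):
            path, _, sig = line[: -len(" FOUND")].rpartition(": ")
            found.append((path, sig))
        elif line.endswith(" ERROR"):
            raise RuntimeError(f"clamd error: {line}")
    return found


def clamd_contscan(path: str, sock_path: str = "/var/run/clamav/clamd.sock") -> str:
    """Live CONTSCAN over the clamd Unix socket (the command amavis sends).
    Needs a running clamd with access to `path`; not used by the offline test."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(10)
        s.connect(sock_path)
        s.sendall(f"zCONTSCAN {path}\0".encode())  # z-prefix: NUL-delimited replies
        chunks = []
        while chunk := s.recv(4096):
            chunks.append(chunk)
    return b"".join(chunks).decode(errors="replace").replace("\0", "\n")


@dataclass
class Verdict:
    infected: bool = False          # True only for names NOT in the map
    spam_score: float = 0.0         # score contributed by mapped names
    virus_names: list = field(default_factory=list)
    mapped: dict = field(default_factory=dict)  # name -> score, as in "AV:name=score"


def apply_av_result(found, base_spam_score: float = 0.0) -> Verdict:
    """Classify clamd hits the way amavis does with a name-to-score map.
    Assumption: when several mapped names hit, the highest score is used."""
    v = Verdict(spam_score=base_spam_score)
    best = 0.0
    for _, name in found:
        for rx, score in NAME_TO_SPAM_SCORE:   # first match wins
            if rx.search(name):
                v.mapped[name] = score
                best = max(best, score)
                break
        else:
            v.infected = True
            v.virus_names.append(name)
    v.spam_score += best
    return v


def decide(v: Verdict) -> str:
    """Final disposition: virus policy first, then the spam kill level."""
    if v.infected:
        return "blocked:virus"
    if v.spam_score >= KILL_LEVEL:
        return "blocked:spam"
    return "delivered"


if __name__ == "__main__":
    v = apply_av_result(parse_clamd_reply(EICAR_REPLY))
    print(f"score={v.spam_score}, mapped={v.mapped}, result={decide(v)}")
```

Run against the constructed EICAR reply, the two winnow.* hits become a spam score of 5, which is below the kill level, so the message is delivered unchanged; a name with no mapping (for instance one from the official ClamAV databases, which carry no .UNOFFICIAL suffix) is still a virus verdict. Whether a given hit came from a third-party database is visible in the signature name: clamd appends .UNOFFICIAL to signatures loaded from files other than the signed .cvd/.cld databases.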