clamav (under amavis) not filtering out viruses!

Dominic Raferd dominic at timedicer.co.uk
Thu Oct 15 11:52:26 CEST 2020


On Thu, 15 Oct 2020 at 09:52, Nikolaos Milas <nmilas at noa.gr> wrote:
>
> Hello,
>
> As you may also see in another mail (thread) I have started (for bayes
> db migration), we have an installation with
> postfix/amavis/clamav/spamassassin on CentOS 6 using (legacy?) rpmforge
> packages (for amavis/clamav).
>
> The setup includes scamp 5.6
> (https://sourceforge.net/projects/scamp/files/scamp/scamp-5.6/), which
> seems unsupported (not updated since 2013), to include additional clamav
> definition files.
>
> In fact, we have two identical mail gateway servers for incoming mail. I
> have started migrating one of them, so it is no longer available as an
> MX server.
>
> My problem is with our currently one and only MX Server (yes the one
> with the rpmforge installation): it seems to be allowing virus-infected
> mails to pass through. (The same problem was occurring to the other twin
> server, that's why I started migration.)
>
> Our users have started receiving significant amounts of virus-infected
> mails, and this issue has triggered an investigation on our part, to
> find out the cause.
>
> I have tested with a test signature
> (https://www.eicar.org/?page_id=3950) in an attachment and although it
> was detected, it reached its destination as sent, without modification.
> I found in amavisd.log:
>
> ...
>
> Please advise me: how can I find out what is going wrong with
> clamav/amavis and correct things?
>
> In essence, we need to stop the virus-infected mail flooding.

Start with something like this to check your amavis virus settings:

grep -r virus_ /etc/amavis/conf.d|sed 's/\s*#.*//;/^$/d;/.*:$/d'|sort

This would be typical to be included in the output (and not overridden
by later lines):

$final_virus_destiny      = D_DISCARD;
$virus_quarantine_method = 'local:virus-%m';

- with these settings the incoming email is not actually discarded; it
is placed in local quarantine. But if you have D_PASS then the virus
passes straight through.

There are other possible explanations too, e.g. is amavis calling
clamav for incoming mails, or is clamav being called directly by the
MTA? Have you got clamav and amavis user permissions sorted (ensured
that clamav and amavis users are both members of each other's group)?
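As an added illustration of the check described above (not part of the original reply), the script below builds a small constructed stand-in for /etc/amavis/conf.d, strips comments the same way the grep pipeline does, and reports the *effective* value of a setting, i.e. the last uncommented assignment in load order, so an override such as D_PASS in a later file is not missed. It assumes conf.d files are loaded in lexical filename order; the file names and contents are constructed samples.

```shell
#!/bin/sh
set -u

# Print the effective value of amavis variable $2 (name without the leading '$')
# across all files in conf.d directory $1. Assumption: files are read in lexical
# order, so the last uncommented assignment wins. Comments are stripped first.
effective_virus_setting() {
  for f in "$1"/*; do
    sed 's/[[:space:]]*#.*//;/^$/d' "$f"
  done | grep "^[[:space:]]*[\$]$2[[:space:]]*=" | tail -n 1 \
       | sed 's/^[^=]*=[[:space:]]*//;s/;[[:space:]]*$//'
}

# Return 0 if infected mail is discarded/quarantined, 1 if it is passed through
# unmodified (D_PASS), 2 if the setting is not present in conf.d at all.
check_virus_destiny() {
  v=$(effective_virus_setting "$1" final_virus_destiny)
  case "$v" in
    D_PASS) echo "WARNING: final_virus_destiny is D_PASS; infected mail is delivered"; return 1 ;;
    "")     echo "NOTE: final_virus_destiny not set in $1; check amavisd.conf and the built-in default"; return 2 ;;
    *)      echo "OK: final_virus_destiny is $v"; return 0 ;;
  esac
}

# Constructed sample conf.d: defaults file quarantines, a later user file
# overrides to D_PASS (with a commented-out line that must be ignored).
make_sample_confd() {
  d=$(mktemp -d)
  printf '%s\n' '$final_virus_destiny      = D_DISCARD;' \
                "\$virus_quarantine_method = 'local:virus-%m';" > "$d/20-defaults"
  printf '%s\n' '# $final_virus_destiny = D_DISCARD;' \
                '$final_virus_destiny = D_PASS;  # added during troubleshooting' > "$d/50-user"
  echo "$d"
}

conf_dir=$(make_sample_confd)
echo "quarantine method: $(effective_virus_setting "$conf_dir" virus_quarantine_method)"
check_virus_destiny "$conf_dir" || echo "exit status $? (non-zero: action needed)"
```

On a real host replace the constructed directory with /etc/amavis/conf.d and also inspect amavisd.conf, since a setting absent from conf.d falls back to whatever that file or the built-in default specifies.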


More information about the amavis-users mailing list