clamav (under amavis) not filtering out viruses!

Dominic Raferd dominic at timedicer.co.uk
Thu Oct 15 13:48:49 CEST 2020


 On Thu, 15 Oct 2020 at 12:15, Nikolaos Milas <nmilas at noa.gr> wrote:
>
> On 15/10/2020 12:52 μ.μ., Dominic Raferd wrote:
>
> > start with something like this to check your amavis virus settings:
> > ...
> > There are other possible explanations too e.g. is amavis calling
> > clamav for incoming mails or is clamav being called directly by the
> > MTA? have you got clamav and amavis user permissions sorted (ensured
> > that clamav and amavis users are both members of each other's group)?
>
> Hi Dominic,
>
> Here is the info you requested (there is no amavis conf.d directory in
> this amavis package):
>
> # grep -r virus_ /etc/amavisd.conf | sed 's/\s*#.*//;/^$/d;/.*:$/d'|sort
> @addr_extension_virus_maps      = ('virus');
>     bypass_virus_checks_maps  => [1],
> $final_virus_destiny      = D_DISCARD;
> @virus_name_to_spam_score_maps =
> $virus_quarantine_method = "local:virus/%n-%m" ;
>
> (I am attaching the whole amavisd.conf for your reference.)
>
> Postfix is calling amavis which in turn scans (clamav / SA) mail:
>
> ===============================  from postfix main.cf
> ================================
>
> content_filter = smtp-amavis:[127.0.0.1]:10024
>
> ======================================================================================
>
> Permissions are OK, because the setup works and *some* viruses are
> identified and quarantined.
>
> However, the thing here is that the main definition database seems to
> not being used. What should we check to make sure that all definition
> databases are being used for filtering?
>
> Can we make sure that the main database is updated correctly and used
> successfully?
>
> By the way, freshclam.log shows successful database updates; for
> example, today:
>
> ======================================================================================
> ClamAV update process started at Thu Oct 15 04:02:26 2020
> main.cld is up to date (version: 59, sigs: 4564902, f-level: 60,
> builder: sigmgr)
> Downloading daily-25957.cdiff [100%]
> daily.cld updated (version: 25957, sigs: 4330982, f-level: 63, builder:
> raynman)
> Can't query
> daily.25957.77.1.0.2606470000000000000000006810da54.ping.clamav.net
> bytecode.cld is up to date (version: 331, sigs: 94, f-level: 63,
> builder: anvilleg)
> Database updated (8895978 signatures) from db.gr.clamav.net (IP:
> 2606:4700::6810:da54)
> Clamd successfully notified about the update.
> ======================================================================================
>
> I am also listing for your reference:
> # ls -lt /var/clamav/
> total 777108
> drwxr-xr-x 6 clamav clamav      4096 Oct 15 12:14 tmp
> -rw-rw-r-- 1 clamav clamav    181612 Oct 15 12:10 blurl.ndb
> ...
> I am attaching here the whole amavisd.conf for your reference.
>

It is unlikely that clamav is not reading its official databases, but
it is very rare for viruses to be found through the official
databases, so the hits you will see in the real world will come from
the unofficial databases (which need to be updated regularly too).
Worth checking your clamav settings (e.g. in /etc/clamav/clamd.conf).

Now I look more closely at your amavis log I see:
Turning AV infection into a spam report: score=5,
AV:winnow.malware.test.eicar.com.UNOFFICIAL=5

This happens because of the settings for
@virus_name_to_spam_score_maps in your amavisd.conf, specifically:
[ qr'^winnow\.malware\.'  => 5.0 ]
- this causes viruses that are identified by a name starting with
'winnow.malware.' to be 'converted' into spam and given a score +5.0.

I think you need to revisit your settings for
@virus_name_to_spam_score_maps. You could remove them entirely to use
the default settings for your version of amavis, or pick up the
latest'n'greatest default settings from
https://gitlab.com/amavis/amavis/-/blob/master/conf/amavisd.conf-default:
I use these with some modifications (including changing scores from
0.1 to 3.0).


More information about the amavis-users mailing list