Kaspersky Security amavis

Indunil Jayasooriya indunil75 at gmail.com
Tue Jun 6 10:06:05 CEST 2023


Hi,

Please see this output. It seems to work.

[root at mailgw ~]# /opt/kaspersky/klms/bin/kavscanner /tmp/eicar_com.zip

Kaspersky Anti-Virus On-Demand Scanner.
Copyright (C) Kaspersky Lab, 1997-2012.
There are 21371737 records loaded, the latest update 23-05-2023
Config file: /etc/opt/kaspersky/klms/kavscanner_defaults.conf
/tmp/eicar_com.zip Archive ZIP
/tmp/eicar_com.zip//eicar.com INFECTED EICAR-Test-File


In /etc/amavisd/amavisd.conf, I have now enabled only Kaspersky and disabled
ClamAV. Please see below.

@av_scanners = (

  ['Kaspersky Security 8.0 for Linux Mail Server',
    \&ask_daemon, ["nCONTSCAN {}\n", "/var/run/klms/rds_av"],
    qr/\bOK$/m, qr/\bFOUND$/m,
    qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],

  ### http://www.clamav.net/
##  ['ClamAV-clamd',
##    \&ask_daemon, ["CONTSCAN {}\n", "/run/clamd.amavisd/clamd.sock"],
##    qr/\bOK$/m, qr/\bFOUND$/m,
##    qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],

and

@av_scanners_backup = (

  ### http://www.clamav.net/   - backs up clamd or Mail::ClamAV
##  ['ClamAV-clamscan', 'clamscan',
##    "--stdout --no-summary -r --tempdir=$TEMPBASE {}",
##    [0], qr/:.*\sFOUND$/m, qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],

Now only Kaspersky Security is running, as primary. Please see below.

 amavis[15811]:Using primary internal av scanner code for Kaspersky Security 8.0 for Linux Mail Server

Here I send a mail:

[root at mailgw ~]# mail -a /tmp/eicar_com.zip root
Subject: test
.
EOT
Null message body; hope that's ok

and see the output of tail -f /var/log/mail.log

amavis[15814]:(15814-01) Blocked INFECTED (EICAR-Test-File) {DiscardedInbound,Quarantined},

Kaspersky seems to work.

Your ideas are welcome.





On Tue, Jun 6, 2023 at 11:44 AM Olivier <Olivier.Nicole at cs.ait.ac.th> wrote:

> Hi Indunil,
>
> > I attached a test EICAR file. ClamAV detected. But Kaspersky did NOT.
> >
> > See the log of how clamd detected.
> >
> > clamd[1300]:/var/spool/amavisd/tmp/amavis-20230604T171813-16458-RYQrx2PC/parts/p003: Win.Test.EICAR_HDB-1 FOUND
> >
> > Primary AV is Kaspersky Security. Please see below.
> >
> > amavis[16978]:Using primary internal av scanner code for Kaspersky Security 8.0 for Linux Mail Server
> > amavis[16978]:Using primary internal av scanner code for ClamAV-clamd
> > amavis[16978]:Found secondary av scanner ClamAV-clamscan at /usr/bin/clamscan
>
> Can you confirm that Kaspersky is working: save the message with EICAR in
> a file and submit that file to Kaspersky manually.
>
> Amavis may need some tweaking to be able to recognise the error message
> returned by Kaspersky.
>
> Best regards,
>
> Olivier
>
> >
> > Hope to hear from you.
> >
> > On Tue, May 23, 2023 at 12:58 PM Matus UHLAR - fantomas
> > <uhlar at fantomas.sk> wrote:
> >
> >  On 22.05.23 08:33, Indunil Jayasooriya wrote:
> >  >Has anyone integrated Kaspersky Security with amavis?
> >  >
> >  >This is the url I followed.
> >  >
> >  >https://support.kaspersky.com/KLMS/8.2/en-US/62460.htm
> >  >
> >  >I did it. But I get the errors below.
> >  >
> >  >2023 May 22 08:04:56 server amavis[1769]:(01769-04) (!)connect to /var/run/klms/rds_av failed, attempt #1: Can't connect to a UNIX socket /var/run/klms/rds_av: Permission denied
> >  >2023 May 22 08:04:57 server amavis[1769]:(01769-04) (!)Kaspersky Security 8.0 for Linux Mail Server: All attempts (1) failed connecting to /var/run/klms/rds_av, retrying (2)
> >  >
> >  >2023 May 22 08:11:57 server amavis[1768]:(01768-05) (!)Kaspersky Security 8.0 for Linux Mail Server av-scanner FAILED: run_av error: Too many retries to talk to /var/run/klms/rds_av (All attempts (1) failed connecting to /var/run/klms/rds_av) at (eval 132) line 659.\n
> >  >
> >  >Here is the permission.
> >  >
> >  >ls -al /var/run/klms/rds_av
> >  >srw-rw---- 1 kluser klusers 0 May 17 01:35 /var/run/klms/rds_av
> >
> >  you must have read/execute permissions for /var/run/klms/ directory too.
> >  Run:
> >
> >  ls -la /var/run/klms/
> >
> >  >some additional info.
> >  >
> >  ># id amavis
> >  >uid=996(amavis) gid=993(amavis) groups=993(amavis),991(klusers)
> >
> >  this should help if the /var/run/klms/ has 'rx' permissions for group
> >  klusers.
> >
> >  --
> >  Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
> >  Warning: I wish NOT to receive e-mail advertising to this address.
> >  Warning: I do not wish to receive any advertising mail at this address.
> >  "The box said 'Requires Windows 95 or better', so I bought a Macintosh".
>
> --
>


-- 
cat /etc/motd

Thank you
Indunil Jayasooriya
http://www.theravadanet.net/
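Added example, not code from this thread, from amavis or from Kaspersky: the three qr// patterns from the @av_scanners entry above are applied to a daemon reply, and a CONTSCAN-style request/reply is exchanged over a UNIX socket with a constructed stand-in for rds_av, so the decision behind the "Blocked INFECTED (EICAR-Test-File)" log line can be reproduced offline. The stand-in's reply format (clamd-style "path: NAME FOUND" lines) and the order in which the patterns are tested are this example's assumptions.

```python
import os, re, socket, tempfile, threading

# The three Perl qr// patterns from the @av_scanners entry, as Python regexes.
CLEAN = re.compile(r"\bOK$", re.M)
INFECTED = re.compile(r"\bFOUND$", re.M)
NAMES = re.compile(r"^.*?: (?!Infected Archive)(.*) FOUND$", re.M)

def classify(reply):
    """FOUND is tested before OK (this example's choice: CONTSCAN on a zip gives
    one line per member). No match at all is what amavis logs as FAILED."""
    if INFECTED.search(reply):
        return "infected", NAMES.findall(reply)
    if CLEAN.search(reply):
        return "clean", []
    return "error", []

def ask_daemon(sock_path, query, path):
    """Like amavis ask_daemon: put the file path in place of {}, send it over the
    UNIX socket and read until EOF. connect() is where the thread's 'Permission
    denied' appears when the directory lacks x or the socket lacks rw."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        s.sendall(query.replace("{}", path).encode())
        s.shutdown(socket.SHUT_WR)
        reply = b""
        while chunk := s.recv(4096):
            reply += chunk
    return reply.decode()

def fake_daemon(srv):
    """Constructed stand-in for rds_av answering one request in clamd's line
    format; a path containing 'eicar' is reported as an infected zip member."""
    conn, _ = srv.accept()
    path = conn.recv(4096).decode().split("\n")[0].split(" ", 1)[1]
    reply = (f"{path}//eicar.com: EICAR-Test-File FOUND\n" if "eicar" in path
             else f"{path}: OK\n")
    conn.sendall(reply.encode())
    conn.close()

def scan(path, query="nCONTSCAN {}\n"):
    """One complete request/reply exchange against the fake daemon."""
    with tempfile.TemporaryDirectory() as d:
        sock_path = os.path.join(d, "rds_av")
        srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        srv.bind(sock_path); srv.listen(1)
        t = threading.Thread(target=fake_daemon, args=(srv,)); t.start()
        result = classify(ask_daemon(sock_path, query, path))
        t.join(); srv.close()
    return result
```

Running scan("/tmp/eicar_com.zip") returns ("infected", ["EICAR-Test-File"]), which is the name amavis then reports in its Blocked INFECTED line.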