  1. #1
    Member
    Join Date
    Oct 2005
    Posts
    29

    Lightbulb clamav lets in massive number of infected files

    Hi

    I have been using clamav on my cpanel server for a long time with moderate success.

    However I am finding that a massive number of emails with Trojan attachments (.zip mostly) are slipping in without getting caught.

    The sender IPs are all different, so we cannot blacklist anyone safely and effectively.

    Any other clues to make Clamav work better?

    Arun

  2. #2
    Member This forum account has been confirmed by cPanel staff to represent a vendor. Radio_Head's Avatar
    Join Date
    Feb 2002
    Posts
    2,064

    Default

    Quote Originally Posted by ebizindia View Post
    Hi

    I have been using clamav on my cpanel server for a long time with moderate success.

    However I am finding that a massive number of emails with Trojan attachments (.zip mostly) are slipping in without getting caught.

    The sender IPs are all different, so we cannot blacklist anyone safely and effectively.

    Any other clues to make Clamav work better?

    Arun
    Are you sure your clamav is running ?
    http://forums.cpanel.net/f43/you-sur...ly-161613.html
    Stop SPAM & VIRUS :: ASSP Deluxe for cPanel http://www.grscripts.com
    ASSP Deluxe is supported by Fritz Borgstedt, ASSP main developer.

  3. #3
    Member
    Join Date
    Sep 2004
    Posts
    26

    Default LOTS of zip file viruses getting through.

    I installed clamconnector. Was a new install and 'forgot' to put it on the new box. Is zlib used for this?

    I get the following:

    zlib version checking was disabled. zlib versions <= 1.2.1 have a known security vulnerability
    See zlib Home Site for more information


    Yet:
    Excluding Packages in global exclude list
    Finished
    Setting up Install Process
    Package zlib-1.2.3-3.x86_64 already installed and latest version
    Package zlib-1.2.3-3.i386 already installed and latest version
    Nothing to do

    Is there some place I can just manually enable the check?

    Thanks.

  4. #4
    Member
    Join Date
    Sep 2004
    Posts
    26

    Default same here

    Quote Originally Posted by ebizindia View Post
    Hi

    I have been using clamav on my cpanel server for a long time with moderate success.

    However I am finding that a massive number of emails with Trojan attachments (.zip mostly) are slipping in without getting caught.

    The sender IPs are all different, so we cannot blacklist anyone safely and effectively.

    Any other clues to make Clamav work better?

    Arun
    I asked a question but never got a response back. Clamconnector incorrectly says I have the wrong version of something. Zlib or something.

  5. #5
    cPanel Quality Assurance Analyst cPanelDon's Avatar
    Join Date
    Nov 2008
    Location
    Houston, Texas, U.S.A.
    Posts
    2,555
    cPanel/Enkompass Access Level

    DataCenter Provider

    Default

    Quote Originally Posted by hermit View Post
    I installed clamconnector. Was a new install and 'forgot' to put it on the new box. Is zlib used for this?

    I get the following:

    zlib version checking was disabled. zlib versions <= 1.2.1 have a known security vulnerability
    See zlib Home Site for more information


    Yet:
    Excluding Packages in global exclude list
    Finished
    Setting up Install Process
    Package zlib-1.2.3-3.x86_64 already installed and latest version
    Package zlib-1.2.3-3.i386 already installed and latest version
    Nothing to do

    Is there some place I can just manually enable the check?

    Thanks.
    I do not see an immediate problem with the output that you have provided.

    Quote Originally Posted by hermit View Post
    I asked a question but never got a response back. Clamconnector incorrectly says I have the wrong version of something. Zlib or something.
    For testing and verification, have you attempted to execute "clamscan" manually to scan compressed archives?

    You may refer to the clamscan manual "man" page and help detail for usage information:
    Code:
    # man clamscan
    # clamscan --help
    Is ClamAV installed via RPM (precompiled binary), via ClamAVconnector (source-compiled), or both?

    Via root SSH access, please provide output from the following command:
    Code:
    # rpm -qa --qf "%{name}-%{version}-%{release}.%{arch}\n" | grep -i "clam" | sort

  6. #6
    Member
    Join Date
    Sep 2004
    Posts
    26

    Default

    Quote Originally Posted by cPanelDon View Post
    I do not see an immediate problem with the output that you have provided.



    For testing and verification, have you attempted to execute "clamscan" manually to scan compressed archives?

    You may refer to the clamscan manual "man" page and help detail for usage information:
    Code:
    # man clamscan
    # clamscan --help
    Is ClamAV installed via RPM (precompiled binary), via ClamAVconnector (source-compiled), or both?

    Via root SSH access, please provide output from the following command:
    Code:
    # rpm -qa --qf "%{name}-%{version}-%{release}.%{arch}\n" | grep -i "clam" | sort
    It returns nothing. I went to the clam connector install directory and did a make and make install to get freshclam working. The only thing installed for freshclam was a symbolic link that pointed to nowhere.

    The problem remains that I get lots of zip viruses every day.

    Clamscan seems to work:
    ---------- SCAN SUMMARY -----------
    Known viruses: 813690
    Engine version: 0.96.1
    Scanned directories: 0
    Scanned files: 1
    Infected files: 0
    Data scanned: 0.00 MB
    Data read: 0.00 MB (ratio 0.00:1)
    Time: 6.050 sec (0 m 6 s)

    The only indications of clam in my exim logs are:

    root@cp [/home/oooc]# cat /var/log/exim_mainlog |grep clamav
    2010-08-08 17:10:02 cwd=/usr/local/cpanel/modules-install/clamavconnector-Linux-x86_64/clamav-0.96.1 2 args: /usr/sbin/exim -bV
    2010-08-08 17:10:02 cwd=/usr/local/cpanel/modules-install/clamavconnector-Linux-x86_64/clamav-0.96.1 4 args: /usr/sbin/exim -bV -C /etc/exim.conf.buildtest.work.7kqK4pwCP_LkZ3t3

    This seems to correspond to the time I installed/reinstalled.

    Thanks

  7. #7
    cPanel Quality Assurance Analyst cPanelDon's Avatar
    Join Date
    Nov 2008
    Location
    Houston, Texas, U.S.A.
    Posts
    2,555
    cPanel/Enkompass Access Level

    DataCenter Provider

    Default

    Quote Originally Posted by hermit View Post
    It returns nothing. I went to the clam connector install directory and did a make and make install to get freshclam working. The only thing installed for freshclam was a symbolic link that pointed to nowhere.

    The problem remains that I get lots of zip viruses every day.

    Clamscan seems to work:
    ---------- SCAN SUMMARY -----------
    Known viruses: 813690
    Engine version: 0.96.1
    Scanned directories: 0
    Scanned files: 1
    Infected files: 0
    Data scanned: 0.00 MB
    Data read: 0.00 MB (ratio 0.00:1)
    Time: 6.050 sec (0 m 6 s)

    The only indications of clam in my exim logs are:

    root@cp [/home/oooc]# cat /var/log/exim_mainlog |grep clamav
    2010-08-08 17:10:02 cwd=/usr/local/cpanel/modules-install/clamavconnector-Linux-x86_64/clamav-0.96.1 2 args: /usr/sbin/exim -bV
    2010-08-08 17:10:02 cwd=/usr/local/cpanel/modules-install/clamavconnector-Linux-x86_64/clamav-0.96.1 4 args: /usr/sbin/exim -bV -C /etc/exim.conf.buildtest.work.7kqK4pwCP_LkZ3t3

    This seems to correspond to the time I installed/reinstalled.

    Thanks
    Via root SSH access, please try the following command to help locate relevant entries:
    Code:
    # zgrep -Hn "This message contains a virus or other harmful content" /var/log/exim_rejectlog*
    The search term seen above, that of the relevant reject message, was obtained from the following output while searching the Exim configuration file (at "/etc/exim.conf"):
    Code:
    # egrep -Hn "demime|malware" /etc/exim.conf
    /etc/exim.conf:682:deny message = This message contains a virus or other harmful content ($malware_name)
    /etc/exim.conf:683:    malware = */defer_ok
    /etc/exim.conf:684:    demime = *

  8. #8
    Member
    Join Date
    Sep 2004
    Posts
    26

    Default missing from exim.conf

    Quote Originally Posted by cPanelDon View Post
    Via root SSH access, please try the following command to help locate relevant entries:
    Code:
    # zgrep -Hn "This message contains a virus or other harmful content" /var/log/exim_rejectlog*
    The search term seen above, that of the relevant reject message, was obtained from the following output while searching the Exim configuration file (at "/etc/exim.conf"):
    Code:
    # egrep -Hn "demime|malware" /etc/exim.conf
    /etc/exim.conf:682:deny message = This message contains a virus or other harmful content ($malware_name)
    /etc/exim.conf:683:    malware = */defer_ok
    /etc/exim.conf:684:    demime = *
    OK. None of this seems to have been added to my exim.conf by clamconnector.

  9. #9
    cPanel Quality Assurance Analyst cPanelDon's Avatar
    Join Date
    Nov 2008
    Location
    Houston, Texas, U.S.A.
    Posts
    2,555
    cPanel/Enkompass Access Level

    DataCenter Provider

    Default

    Quote Originally Posted by hermit View Post
    OK. None of this seems to have been added to my exim.conf by clamconnector.
    What is the full cPanel version number of the system?
    Code:
    # cat /usr/local/cpanel/version && echo

  10. #10
    Member
    Join Date
    Sep 2004
    Posts
    26

    Default thanks

    Quote Originally Posted by cPanelDon View Post
    What is the full cPanel version number of the system?
    Code:
    # cat /usr/local/cpanel/version && echo


    11.25.0-release_45750

  11. #11
    cPanel Quality Assurance Analyst cPanelDon's Avatar
    Join Date
    Nov 2008
    Location
    Houston, Texas, U.S.A.
    Posts
    2,555
    cPanel/Enkompass Access Level

    DataCenter Provider

    Default

    Quote Originally Posted by hermit View Post
    11.25.0-release_45750
    Using the latest cPanel RELEASE build I installed the WHM plug-in, ClamAVconnector, and verified the expected entries are properly set up in the Exim configuration file, at /etc/exim.conf; I then also verified that the entries still exist after resetting the Exim configuration:
    Code:
    # egrep -Hn "demime|malware" /etc/exim.conf
    /etc/exim.conf:533:deny message = This message contains a virus or other harmful content ($malware_name)
    /etc/exim.conf:534:    malware = */defer_ok
    /etc/exim.conf:535:    demime = *
    
    # grep '' /etc/redhat-release /var/cpanel/envtype /usr/local/cpanel/version
    /etc/redhat-release:CentOS release 5.5 (Final)
    /var/cpanel/envtype:vmware
    /usr/local/cpanel/version:11.25.0-RELEASE_46156
    I recommend performing the following steps in an attempt to correct a broken Exim configuration where it is not properly using ClamAV:
    1. Force a cPanel re-install and update to the latest build:
      Code:
      # /scripts/upcp --force
    2. Force a re-install of Exim:
      Code:
      # /scripts/eximup --force
    3. Uninstall ClamAVconnector plug-in via WHM:
    4. Reinstall ClamAVconnector plug-in via WHM:
    5. Reset Exim Configuration via WHM:
    Last edited by cPanelDon; 08-16-2010 at 05:12 PM. Reason: Expanded and clarified corrective measures
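The checks cPanelDon walks through above (the malware ACL lines in /etc/exim.conf, the reject-log search from post #7) plus the running-clamd check hermit later confirms, folded into one script. This is an added example, not code from the thread, cPanel or ClamAV; the EXIM_CONF and REJECT_GLOB variable names and the pgrep-based daemon check are my own choices. The point it adds: with "malware = */defer_ok", an unreachable clamd is treated as "no virus found", so a missing ACL and a dead daemon both produce exactly the symptom in this thread.

```shell
#!/bin/sh
# Added health check for the Exim <-> ClamAV wiring discussed in the thread (not
# cPanel's or ClamAV's own code). With "malware = */defer_ok", an unreachable
# clamd is silently treated as "no virus found", so a missing ACL or a dead
# daemon both look like the symptom above: nothing rejected, no log hits.
EXIM_CONF="${EXIM_CONF:-/etc/exim.conf}"              # assumed override names
REJECT_GLOB="${REJECT_GLOB:-/var/log/exim_rejectlog*}"
REJECT_MSG="This message contains a virus or other harmful content"

# Returns 0 when the config carries both the "deny message = ..." line and a
# "malware =" condition. "demime" is not required: later Exim releases removed it.
acl_present() {
    grep -Eq '^[[:space:]]*malware[[:space:]]*=' "$1" 2>/dev/null &&
    grep -Eq "^[[:space:]]*deny[[:space:]]+message[[:space:]]*=[[:space:]]*$REJECT_MSG" "$1" 2>/dev/null
}

# Total virus rejects across the given logs; rotated .gz files are read too,
# which is what cPanelDon's zgrep does. Missing files count as zero.
virus_reject_count() {
    total=0
    for f in "$@"; do
        [ -f "$f" ] || continue
        case "$f" in
            *.gz) n=$(gzip -dc "$f" | grep -c "$REJECT_MSG" || true) ;;
            *)    n=$(grep -c "$REJECT_MSG" "$f" || true) ;;
        esac
        total=$((total + n))
    done
    echo "$total"
}

# The "ps | grep clamd" check hermit used, done with pgrep when available.
clamd_running() {
    command -v pgrep >/dev/null 2>&1 && pgrep -x clamd >/dev/null 2>&1
}

main() {
    if acl_present "$EXIM_CONF"; then echo "ok:   malware ACL present in $EXIM_CONF"
    else echo "FAIL: no malware ACL in $EXIM_CONF (ClamAVconnector not wired into Exim)"; fi
    if clamd_running; then echo "ok:   clamd is running"
    else echo "FAIL: clamd not running; with defer_ok mail is accepted unscanned"; fi
    # shellcheck disable=SC2086  # the glob must expand into file names
    echo "info: $(virus_reject_count $REJECT_GLOB) virus rejects logged under $REJECT_GLOB"
}
main
```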

  12. #12
    Member
    Join Date
    Sep 2004
    Posts
    26

    Default Not looking good.

    I'll know for sure tomorrow if I get my usual complement of zip viruses, but:

    root@cp [/home/oooc]# egrep -Hn "demime|malware" /etc/exim.conf
    root@cp [/home/oooc]#


    Also, since freshclam was broken last time I tried I figured I'd give that a test. I got:
    root@cp [/home/oooc]# /usr/bin/freshclam
    /usr/bin/freshclam: error while loading shared libraries: libclamav.so.6: cannot open shared object file: No such file or directory


    root@cp [/home/oooc]# grep '' /etc/redhat-release /var/cpanel/envtype /usr/local/cpanel/version
    /etc/redhat-release:CentOS release 5.5 (Final)
    /var/cpanel/envtype:standard
    /usr/local/cpanel/version:11.25.0-RELEASE_46156

  13. #13
    Member
    Join Date
    Sep 2004
    Posts
    26

    Default nope

    Still nothing in the /etc/exim.conf file and no viruses stopped last night. There was nothing like what you showed before I reset the exim.conf either.
    Last edited by hermit; 08-17-2010 at 09:34 AM.

  14. #14
    Member
    Join Date
    Sep 2004
    Posts
    26

    Default just did a reinstall

    Found this in the logs:

    make[1]: Leaving directory `/usr/local/cpanel/modules-install/clamavconnector-Linux-x86_64/clamav-0.96.1/libclamav'
    Unable to locate clamd

    Anyhow, I just finished installing using the install script on the command line and it seems to have worked. I can grep clamd out of a ps and netstat command. Grep also pulled some of the config you have listed before.

  15. #15
    cPanel Quality Assurance Analyst cPanelDon's Avatar
    Join Date
    Nov 2008
    Location
    Houston, Texas, U.S.A.
    Posts
    2,555
    cPanel/Enkompass Access Level

    DataCenter Provider

    Default

    Quote Originally Posted by hermit View Post
    Found this in the logs:

    make[1]: Leaving directory `/usr/local/cpanel/modules-install/clamavconnector-Linux-x86_64/clamav-0.96.1/libclamav'
    Unable to locate clamd

    Anyhow, I just finished installing using the install script on the command line and it seems to have worked. I can grep clamd out of a ps and netstat command. Grep also pulled some of the config you have listed before.
    If persistent difficulty is encountered during a normal uninstall and then fresh install -- strictly using WHM -- please consider submitting a support request so that we may assist with investigating the issue.
