SOLVED ClamAV email question

equens

Well-Known Member
Feb 8, 2002
Hello, does ClamAV scan all incoming messages by default when ClamAV for cPanel is installed?

Thanks!
Equens.

rpvw

Well-Known Member
Jul 18, 2013
After installing ClamAV for cPanel, you will probably need to take some further steps for full functionality.

Go to WHM >> Service Configuration >> Exim Configuration Manager > Basic Editor > Security .... and enable (switch ON) the following:

Scan messages for malware from authenticated senders (exiscan).
If you have the ClamAVconnector plugin installed, messages from authenticated senders are not scanned until you enable this option. It is recommended that you scan mail for authenticated senders when possible to reduce the risk of viruses spreading inside your network.

Scan outgoing messages for malware
If you have the ClamAVconnector plugin installed, enabling this option will reject mail bound for non-local domains that test positive for malware.
Full information at Configure ClamAV Scanner - Version 68 Documentation - cPanel Documentation

equens

Well-Known Member
Feb 8, 2002
Scan messages for malware from authenticated senders (exiscan).
If you have the ClamAVconnector plugin installed, messages from authenticated senders are not scanned until you enable this option. It is recommended that you scan mail for authenticated senders when possible to reduce the risk of viruses spreading inside your network.
I was confused about this, I thought that authenticated senders was also outgoing messages.

Thanks a lot for your help.
Equens.

rpvw

Well-Known Member
Jul 18, 2013
I found the cPanel documentation to be unhelpfully vague on the question of whether ClamAV for cPanel scans incoming mail out-of-the-box following installation.

The instructions all allude to the prerequisite of performing additional steps to integrate ClamAV Scanner with Exim, but then talk about authenticated users, which I also interpreted as being only relevant to outgoing senders.

As a result of my doubt, I actually had to go back and edit my post to say "further steps for full functionality" and I am still very uncertain as to what the unequivocal facts may be.

Whilst I have to commend cPanel for the huge amount of work and effort they put into the documentation, it is woefully apparent that the docs are written by people with a profound knowledge of the subject, but who perhaps neglect to revise and read the finished work from the perspective and lack of knowledge of the end user.

In this case, and assuming it is a true statement, I don't see why a simple directive like .....
Important

If you want to use the ClamAV Scanner to scan outgoing mail as well, you must perform additional steps if you wish to integrate ClamAV Scanner with Exim.
..... would disambiguate the instructions.

As a final thought to document writers: remember, it's not what you know that is important, it's what the reader doesn't know, which is presumably why they are reading your docs in the first place!! o_O

rpvw

Well-Known Member
Jul 18, 2013
As a quick update to the whole ClamAV subject - I stumbled on a new test I hadn't seen before at DNS tools | Manage Monitor Analyze | DNSstuff

After resolving the MX test for an email address (that exists on your server) you should see an option to run the Anti-Virus Filtering Test. This sends a number of test emails to the address you specified. (Make sure you have disabled greylisting for the email domain you are using for the duration of the test)

These emails contain the EICAR Anti-Virus Test Signature in a variety of containers such as an .EXE file, a .BIN file, and a zipped .EXE file.


The results I obtained were as follows:
The response by your mail server to the Anti-Virus Test is below:
.COM Attachment -- 550 This message contains a virus or other harmful content
.BAT Attachment -- 550 This message contains a virus or other harmful content
GZipped .EXE -- 550 This message contains a virus or other harmful content
.BIN Attachment -- 550 This message contains a virus or other harmful content
.EXE Attachment -- 550 This message contains a virus or other harmful content
Zipped .EXE -- 550 This message contains a virus or other harmful content
....and all of the emails were rejected by Exim as soon as they were scanned.

So what does this tell us ?
Well, it could demonstrate that ClamAV is only good for detecting EICAR Anti-Virus Test Signatures! But after examining the Exim logs for the string "This message contains a virus or other harmful content" I was gratified to find that it does indeed find and reject a wide variety of signature-based exploits as well as the examples listed above.

As usual, one needs to be mindful of the fact that this system is a signature based solution, so don't be surprised if you go back and run a scan on a domain email folder, and find a whole lot of infected files that slipped through before a signature was written and subsequently published.

Many server admins will opine that all anti-virus should be done on the end user device and not on a server. Whilst I cannot agree more that the end user device absolutely needs its own anti-virus solution, I do wonder if the abnegation of a server-side solution has more to do with under-powered (or over-exploited) servers than with any true conviction.

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Hello,

Regarding the following document:

Configure ClamAV Scanner - Version 68 Documentation - cPanel Documentation

Could you elaborate a little more on how you'd like to see it improved? It does provide a separate section noting that you must enable it separately for Exim:

You must perform these additional steps if you wish to integrate ClamAV Scanner with Exim.
This is required to enable virus scanning for both incoming and outgoing email.

Thank you.

rpvw

Well-Known Member
Jul 18, 2013
Hi Michael, thank you for your input.

My confusion arose (as did equens', it seems) from the instruction "Scan messages for malware from authenticated senders".

As a result of the statement I made in my post above being incorrect, since you have confirmed that no automated anti-virus scanning will be performed on either incoming or outgoing mail without first completing the additional steps as detailed below, I should like to suggest that the lines that need disambiguation are:

  1. Navigate to the Exim Configuration Manager interface (WHM >> Home >> Service Configuration >> Exim Configuration Manager >> Basic Editor >> Security).
  2. For the Scan messages for malware from authenticated senders (exiscan) option, select the On setting.
  3. For the Scan outgoing messages for malware option, select the On setting.
  4. Click Save.
My feeble mind keeps telling me that item 2. about authenticated senders is about my users connecting to my exim mail server using authenticated SMTP, and sending mail (which is outgoing mail in my book), and then item 3. tells me about scanning outgoing mail.........o_O

Nowhere does it explicitly mention incoming mail and the av scanning thereof.
I probably need more Whiskey !!
In the grand scheme of things, you probably have much better things to do than reading my ramblings, but thank you for showing an interest.

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Hello,

Thanks for the clarification. I did some testing and reviewed the Exim content scanning document to verify the virus scanning feature works as expected.

1. By default, the following entries will always exist in the /etc/exim.conf file on a cPanel server (whether the ClamAV plugin is installed or not):

Code:
# BEGIN INSERT default_exiscan

  deny message = This message contains a virus or other harmful content ($malware_name)
       malware = */defer_ok

  warn log_message = Message has been scanned: no virus or other harmful content was found

# END INSERT default_exiscan

Code:
av_scanner = clamd:/var/clamd
Thus, once the ClamAV for cPanel plugin is installed, the /var/clamd socket is detected and Exim begins automatically scanning incoming email for viruses.

2. There are two additional options available under the "Security" tab in "WHM >> Exim Configuration Manager >> Basic Editor" that are relevant to virus scanning for outgoing email:

A. Scan messages for malware from authenticated senders (exiscan).

This option relates to outgoing email only. It controls whether you want to scan messages sent from email users that authenticate via SMTP authentication before sending.

B. Scan outgoing messages for malware

This option relates to outgoing email only. Per its description, if you have the ClamAVconnector plugin installed, enabling this option will reject mail bound for non-local domains that test positive for malware.

I've opened a case with our Documentation team (DOC-9904) to request clarification of how this works on the following document:

Configure ClamAV Scanner - Version 68 Documentation - cPanel Documentation

Thank you.
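Following the exim.conf entries above, and rpvw's earlier grep of the Exim logs for the rejection string, here is an added POSIX sh example (not from this thread and not a cPanel tool) that reads the av_scanner socket path from an exim.conf, checks that the socket really exists, and tallies default_exiscan rejections by signature name in an exim_mainlog. The log line format, the /etc/exim.conf and /var/log/exim_mainlog paths and the function names are assumptions, not taken from the thread.

```shell
#!/bin/sh
# Added example, not from the thread or from cPanel: sanity-check the Exim/ClamAV
# hookup the way a cPanel admin would, but against file paths passed as arguments
# so it can be run against copies of /etc/exim.conf and /var/log/exim_mainlog.

# Print the clamd socket path from an "av_scanner = clamd:/path" line (e.g. /var/clamd).
exim_clamd_socket() {
    sed -n 's/^[[:space:]]*av_scanner[[:space:]]*=[[:space:]]*clamd:\([^[:space:]]*\).*/\1/p' "$1" | head -n 1
}

# Succeeds only if av_scanner is set AND the socket exists, i.e. clamd is listening
# where Exim will look. Because the ACL uses "*/defer_ok", a missing or dead clamd
# does not defer mail; Exim simply treats the message as clean and lets it through.
exim_clamd_socket_ok() {
    sock=$(exim_clamd_socket "$1")
    [ -n "$sock" ] && [ -S "$sock" ]
}

# Count messages rejected by the default_exiscan ACL in an exim_mainlog.
exim_virus_rejects() {
    awk '/This message contains a virus or other harmful content/ { n++ } END { print n + 0 }' "$1"
}

# Tally the detected signature names ($malware_name, logged in parentheses), most frequent first.
exim_virus_names() {
    sed -n 's/.*This message contains a virus or other harmful content (\([^)]*\)).*/\1/p' "$1" \
        | sort | uniq -c | sort -rn
}

# Stand-alone usage on a live cPanel box (paths assumed; adjust if yours differ).
if [ "${1:-}" = "--run" ]; then
    if exim_clamd_socket_ok /etc/exim.conf; then
        echo "clamd socket present: $(exim_clamd_socket /etc/exim.conf)"
    else
        echo "WARNING: av_scanner socket missing; Exim will pass mail unscanned" >&2
    fi
    echo "rejections: $(exim_virus_rejects /var/log/exim_mainlog)"
    exim_virus_names /var/log/exim_mainlog
fi
```

Run it as `sh check_clamav_exim.sh --run` on the server; the functions can also be sourced and pointed at archived log copies when reviewing an incident.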

EneTar

Well-Known Member
Dec 19, 2015
2. There are two additional options available under the "Security" tab in "WHM >> Exim Configuration Manager >> Basic Editor" that are relevant to virus scanning for outgoing email:

A. Scan messages for malware from authenticated senders (exiscan).

This option relates to outgoing email only. It controls whether you want to scan messages sent from email users that authenticate via SMTP authentication before sending.

B. Scan outgoing messages for malware

This option relates to outgoing email only. Per its description, if you have the ClamAVconnector plugin installed, enabling this option will reject mail bound for non-local domains that test positive for malware.
Are those indeed only for the outgoing messages?

I've opened a case with our Documentation team (DOC-9904) to request clarification of how this works on the following document:
The documentation should be updated with the outcome.

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Are those indeed only for the outgoing messages?
Right, those options are for users that are authenticating to send via SMTP on the cPanel server.

The documentation should be updated with the outcome.
Internal case DOC-9904 is still open and under review at this time. I'll update this thread again once any changes are published to the document.

Thank you.