

SOLVED ClamAV email question

Discussion in 'E-mail Discussion' started by equens, Nov 23, 2017.

  1. equens

    equens Well-Known Member

    Joined:
    Feb 8, 2002
    Messages:
    274
    Likes Received:
    2
    Trophy Points:
    316
    Hello, does ClamAV scan all incoming messages by default when ClamAV for cPanel is installed?

    Thanks!
    Equens.
     
  2. rpvw

    rpvw Well-Known Member

    Joined:
    Jul 18, 2013
    Messages:
    834
    Likes Received:
    302
    Trophy Points:
    113
    Location:
    Spain
    cPanel Access Level:
    Root Administrator
    After installing ClamAV for cPanel, you will probably need to take some further steps for full functionality.

    Go to WHM >> Service Configuration >> Exim Configuration Manager > Basic Editor > Security, and enable (switch ON) the following:

    Scan messages for malware from authenticated senders (exiscan).
    If you have the ClamAVconnector plugin installed, messages from authenticated senders are not scanned until you enable this option. It is recommended that you scan mail for authenticated senders when possible to reduce the risk of viruses spreading inside your network.

    Scan outgoing messages for malware
    If you have the ClamAVconnector plugin installed, enabling this option will reject mail bound for non-local domains that test positive for malware.
    Full information at Configure ClamAV Scanner - Version 68 Documentation - cPanel Documentation
     
    #2 rpvw, Nov 23, 2017
    Last edited: Nov 23, 2017
    equens likes this.
  3. equens

    equens Well-Known Member

    Joined:
    Feb 8, 2002
    Messages:
    274
    Likes Received:
    2
    Trophy Points:
    316
    I was confused about this; I thought that authenticated senders were also outgoing messages.

    Thanks a lot for your help.
    Equens.



     
  4. rpvw

    rpvw Well-Known Member

    Joined:
    Jul 18, 2013
    Messages:
    834
    Likes Received:
    302
    Trophy Points:
    113
    Location:
    Spain
    cPanel Access Level:
    Root Administrator
    I found the cPanel documentation to be unhelpfully vague on the question of whether ClamAV for cPanel scans incoming mail out-of-the-box following installation.

    The instructions all allude to the prerequisite of performing additional steps to integrate ClamAV Scanner with Exim, but then talk about authenticated users, which I also interpreted as being only relevant to outgoing senders.

    As a result of my doubt, I actually had to go back and edit my post to say "further steps for full functionality" and I am still very uncertain as to what the unequivocal facts may be.

    Whilst I have to commend cPanel for the huge amount of work and effort they put into the documentation, it is woefully apparent that the docs are written by people with a profound knowledge of the subject, but who perhaps neglect to revise and read the finished work from the perspective and lack of knowledge of the end user.

    In this case, and assuming it is a true statement, I don't see why a simple directive like .....
    ..... would disambiguate the instructions.

    As a final thought to document writers; remember, it's not what you know that is important, it's what the reader doesn't know, which is presumably why they are reading your docs in the first place !! o_O
     
    equens likes this.
  5. rpvw

    rpvw Well-Known Member

    Joined:
    Jul 18, 2013
    Messages:
    834
    Likes Received:
    302
    Trophy Points:
    113
    Location:
    Spain
    cPanel Access Level:
    Root Administrator
    As a quick update to the whole ClamAV subject - I stumbled on a new test I hadn't seen before at DNS tools | Manage Monitor Analyze | DNSstuff

    After resolving the MX test for an email address (that exists on your server) you should see an option to run the Anti-Virus Filtering Test. This sends a number of test emails to the address you specified. (Make sure you have disabled greylisting for the email domain you are using for the duration of the test)

    These emails contain the EICAR Anti-Virus Test Signature in a variety of containers such as an .EXE file, a .BIN file, and a zipped .EXE file.


    The results I obtained were as follows:
    ....and all of the emails were rejected by Exim as soon as they were scanned.

    So what does this tell us?
    Well, it could demonstrate that ClamAV is only good for detecting EICAR Anti-Virus Test Signatures! But after examining the exim logs for the string "This message contains a virus or other harmful content" I was gratified to find that it does indeed find and reject a wide variety of signature based exploits as well as the examples listed above.

    As usual, one needs to be mindful of the fact that this system is a signature based solution, so don't be surprised if you go back and run a scan on a domain email folder, and find a whole lot of infected files that slipped through before a signature was written and subsequently published.

    Many server admins will opine that all anti-virus should be done on the end user device and not on a server. Whilst I cannot agree more that the end user device absolutely needs its own anti-virus solution, I do wonder if the abnegation of a server side solution has more to do with under-powered (or over exploited) servers than with any true conviction.
     
    equens likes this.
  6. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    44,803
    Likes Received:
    1,898
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    Regarding the following document:

    Configure ClamAV Scanner - Version 68 Documentation - cPanel Documentation

    Could you elaborate a little more on how you'd like to see it improved? It does provide a separate section noting that you must enable it separately for Exim:

    This is required to enable virus scanning for both incoming and outgoing email.

    Thank you.
     
  7. rpvw

    rpvw Well-Known Member

    Joined:
    Jul 18, 2013
    Messages:
    834
    Likes Received:
    302
    Trophy Points:
    113
    Location:
    Spain
    cPanel Access Level:
    Root Administrator
    Hi Michael, thank you for your input.

    My confusion arose (as did equens', it seems) from the instruction "Scan messages for malware from authenticated senders".

    As a result of the statement I made in my post above being incorrect, since you have confirmed that no automated anti-virus scanning will be performed on either incoming or outgoing mail without first completing the additional steps as detailed below, I should like to suggest that the lines that need disambiguation are:

    1. Navigate to the Exim Configuration Manager interface (WHM >> Home >> Service Configuration >> Exim Configuration Manager >> Basic Editor >> Security).
    2. For the Scan messages for malware from authenticated senders (exiscan) option, select the On setting.
    3. For the Scan outgoing messages for malware option, select the On setting.
    4. Click Save.
    My feeble mind keeps telling me that item 2. about authenticated senders is about my users connecting to my exim mail server using authenticated SMTP, and sending mail (which is outgoing mail in my book), and then item 3. tells me about scanning outgoing mail.........o_O

    Nowhere does it explicitly mention incoming mail and the av scanning thereof.
    I probably need more Whiskey !!
    In the grand scheme of things, you probably have much better things to do than reading my ramblings, but thank you for showing an interest.
     
  8. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    44,803
    Likes Received:
    1,898
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    Thanks for the clarification. I did some testing and reviewed the Exim content scanning document to verify the virus scanning feature works as expected.

    1. By default, the following entries will always exist in the /etc/exim.conf file on a cPanel server (whether the ClamAV plugin is installed or not):

    Code:
    # BEGIN INSERT default_exiscan
    
            deny message = This message contains a virus or other harmful content ($malware_name)
                 malware = */defer_ok
    
        warn log_message = Message has been scanned: no virus or other harmful content was found
    
    # END INSERT default_exiscan
    Code:
    av_scanner = clamd:/var/clamd
    Thus, once the ClamAV for cPanel plugin is installed, the /var/clamd socket is detected and Exim begins automatically scanning incoming email for viruses.

    2. There are two additional options available under the "Security" tab in "WHM >> Exim Configuration Manager >> Basic Editor" that are relevant to virus scanning for outgoing email:

    A. Scan messages for malware from authenticated senders (exiscan).

    This option relates to outgoing email only. It controls whether you want to scan messages sent from email users that authenticate via SMTP authentication before sending.

    B. Scan outgoing messages for malware

    This option relates to outgoing email only. Per its description, if you have the ClamAVconnector plugin installed, enabling this option will reject mail bound for non-local domains that test positive for malware.

    I've opened a case with our Documentation team (DOC-9904) to request clarification of how this works on the following document:

    Configure ClamAV Scanner - Version 68 Documentation - cPanel Documentation

    Thank you.
     
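As an added example (not from the thread, and not cPanel's own tooling), the following POSIX shell script performs the two checks discussed above in one place: it verifies that /etc/exim.conf carries the default_exiscan ACL fragment and the av_scanner = clamd:/var/clamd line quoted in post #8, and it searches the Exim log for the rejection string "This message contains a virus or other harmful content" the way post #5 describes, summarising which signature names were hit. To run offline it writes a constructed config excerpt and constructed log lines into a temporary directory; on a real server you would point the functions at /etc/exim.conf and the Exim main log instead. The log path /var/log/exim_mainlog, the exact layout of the rejection lines, and the signature name Constructed.Example.Sig-1 are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread or from cPanel): check that Exim is wired to
# ClamAV as post #8 describes, and summarise malware rejections from the Exim log
# as post #5 does.  The script runs on constructed sample files; on a real cPanel
# server call the functions with /etc/exim.conf and /var/log/exim_mainlog (that
# log path and the exact rejection-line layout are assumptions).

# Succeeds when the config names a clamd scanner (av_scanner = clamd:<socket>).
exim_has_av_scanner() {
    grep -q '^av_scanner *= *clamd:' "$1"
}

# Succeeds when the default_exiscan ACL fragment quoted in post #8 is present.
exim_has_default_exiscan() {
    grep -q '# BEGIN INSERT default_exiscan' "$1" &&
        grep -q 'malware = \*/defer_ok' "$1"
}

# Prints the clamd socket path taken from the av_scanner line (empty if absent).
clamd_socket_path() {
    sed -n 's/^av_scanner *= *clamd:[ ]*\(.*\)$/\1/p' "$1" | head -n 1
}

# Prints how many messages the exiscan ACL rejected according to the log.
# "|| true" keeps set -e callers alive when grep finds nothing (it exits 1 then).
count_malware_rejections() {
    grep -c 'This message contains a virus or other harmful content' "$1" || true
}

# Prints "<count> <malware_name>" lines, most frequent first.
malware_name_summary() {
    sed -n 's/.*This message contains a virus or other harmful content (\([^)]*\)).*/\1/p' "$1" |
        sort | uniq -c | sort -rn
}

# Human-readable report combining the checks above: $1 = exim.conf, $2 = log.
report() {
    if exim_has_av_scanner "$1"; then
        echo "av_scanner: clamd via socket $(clamd_socket_path "$1")"
        if [ -S "$(clamd_socket_path "$1")" ]; then
            echo "socket: present (clamd appears to be running)"
        else
            echo "socket: not found on this host"
        fi
    else
        echo "av_scanner: not configured (is ClamAV for cPanel installed?)"
    fi
    if exim_has_default_exiscan "$1"; then
        echo "default_exiscan ACL: present"
    else
        echo "default_exiscan ACL: missing"
    fi
    echo "malware rejections in log: $(count_malware_rejections "$2")"
    malware_name_summary "$2"
}

# --- constructed sample input so the script runs offline ---
tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT
sample_conf="$tmpdir/exim.conf"
sample_log="$tmpdir/exim_mainlog"

# Constructed excerpt modelled on the /etc/exim.conf lines quoted in post #8.
cat > "$sample_conf" <<'EOF'
av_scanner = clamd:/var/clamd
# BEGIN INSERT default_exiscan
        deny message = This message contains a virus or other harmful content ($malware_name)
             malware = */defer_ok
    warn log_message = Message has been scanned: no virus or other harmful content was found
# END INSERT default_exiscan
EOF

# Constructed log lines: two EICAR rejections, one clean delivery, and one rejection
# with a placeholder signature name (Constructed.Example.Sig-1 is not a real signature).
cat > "$sample_log" <<'EOF'
2017-11-23 10:01:02 H=(test.example) [192.0.2.10] F=<avtest@example.net> rejected after DATA: This message contains a virus or other harmful content (Eicar-Test-Signature)
2017-11-23 10:01:05 H=(test.example) [192.0.2.10] F=<avtest@example.net> rejected after DATA: This message contains a virus or other harmful content (Eicar-Test-Signature)
2017-11-23 10:03:40 1eHzQ2-0003Xy-Ab <= user@example.com H=(client.example) [192.0.2.20] P=esmtpsa S=1234
2017-11-23 10:04:11 H=(mx.example) [198.51.100.5] F=<other@example.org> rejected after DATA: This message contains a virus or other harmful content (Constructed.Example.Sig-1)
EOF

report "$sample_conf" "$sample_log"
```

On a live server the socket check is the quick way to tell the two failure modes apart that the thread circles around: av_scanner present but no socket means ClamAV for cPanel is not installed or clamd is not running, so the default ACL silently falls through to defer_ok and nothing is scanned; a socket that exists with zero rejections in the log after a test like the one in post #5 means the ACL itself is not doing its job.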
  9. EneTar

    EneTar Well-Known Member

    Joined:
    Dec 19, 2015
    Messages:
    137
    Likes Received:
    9
    Trophy Points:
    18
    Location:
    Greece
    cPanel Access Level:
    Root Administrator
    Are those indeed only for the outgoing messages?

    The documentation should be updated with the outcome.
     
  10. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    44,803
    Likes Received:
    1,898
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Right, those options are for users that are authenticating to send via SMTP on the cPanel server.

    Internal case DOC-9904 is still open and under review at this time. I'll update this thread again once any changes are published to the document.

    Thank you.
     