Clamav + Exiscan Allowing Viruses through - for you as well probably

mydomain

We have ClamAV installed through the WHM option for clamavconnector. We have SpamAssassin running alongside it with razor agents, DCC, rules du jour, HELO checks etc.

I am slightly worried here, as we have several customers reporting viruses getting through ClamAV scanning. We know clamd is running, as tailing the mainlog for exim shows it is working for things such as eicar and some other viruses. However, if the SoberI worm code is contained within a batch file zipped up or within the email and sent, then the server will just happily allow it through. ClamAV does not pick this up and does not appear to be able to decode the content.

Has anyone else experienced this, and can you suggest where to go from here or what to do?
 

mydomain

Me again...

Just to add, as I found something else out: our implementation allows the user to run a ClamAV scan on their home directory, mail files, web root etc. from within their cPanel area. If you manually scan the mail files using ClamAV then it picks up the virus:

Worm.Sober.I

Why is ClamAV not picking the infected mail up at the mail gateway level? Would really appreciate some help with this.
 

damainman

Have you asked cPanel, or opened up a ticket? I would like to know the solution as well :)
 

haze

Any chance you've rolled back a previous exim.conf or any other exim config file from a backup made before installing ClamAV? Have you double-checked the configuration settings to make sure everything is still in place? Perhaps try uninstalling the plugin then re-installing it to see if that sorts it out? If so, it's probably that the config got lost somewhere.
 

NNNils

I believe in the config file comments there is some explanation about why some archives can't be scanned. It has something to do with licensing.
 

mydomain

It wasn't happening for just archive files (zip/rar), so it wasn't that, and it was configured to scan archives anyway.

We resolved this some time ago now, after a reinstall of all the components we put on there, so the thread can be closed. Thanks for your ideas and for responding.