clamav lets in massive number of infected files

ebizindia

Well-Known Member
Oct 13, 2005
Kolkata, India
cPanel Access Level
Root Administrator
Hi

I have been using clamav on my cpanel server for a long time with moderate success.

However I am finding that a massive number of emails with Trojan attachments (.zip mostly) are slipping in without getting caught.

The sender IPs are all different, so we cannot blacklist anyone safely and effectively.

Any other clues to make Clamav work better?

Arun
 

Radio_Head

Well-Known Member
Verified Vendor
Feb 15, 2002
Hi

I have been using clamav on my cpanel server for a long time with moderate success.

However I am finding that a massive number of emails with Trojan attachments (.zip mostly) are slipping in without getting caught.

The sender IPs are all different, so we cannot blacklist anyone safely and effectively.

Any other clues to make Clamav work better?

Arun
Are you sure your clamav is running ?
http://forums.cpanel.net/f43/you-sure-your-clamav-installed-correctly-161613.html
 

hermit

Active Member
Sep 22, 2004
LOTS of zip file viruses getting through.

I installed clamconnector. Was a new install and 'forgot' to put it on the new box. Is zlib used for this?

I get the following:

zlib version checking was disabled. zlib versions <= 1.2.1 have a known security vulnerability
See zlib Home Site for more information


Yet:
Excluding Packages in global exclude list
Finished
Setting up Install Process
Package zlib-1.2.3-3.x86_64 already installed and latest version
Package zlib-1.2.3-3.i386 already installed and latest version
Nothing to do

Is there some place I can just manually enable the check?

Thanks.
 

hermit

Active Member
Sep 22, 2004
same here

Hi

I have been using clamav on my cpanel server for a long time with moderate success.

However I am finding that a massive number of emails with Trojan attachments (.zip mostly) are slipping in without getting caught.

The sender IPs are all different, so we cannot blacklist anyone safely and effectively.

Any other clues to make Clamav work better?

Arun
I asked a question but never got a response back. Clamconnector incorrectly says I have the wrong version of something. Zlib or something.
 

cPanelDon

cPanel Quality Assurance Analyst
Staff member
Nov 5, 2008
Houston, Texas, U.S.A.
cPanel Access Level
DataCenter Provider
I installed clamconnector. Was a new install and 'forgot' to put it on the new box. Is zlib used for this?

I get the following:

zlib version checking was disabled. zlib versions <= 1.2.1 have a known security vulnerability
See zlib Home Site for more information


Yet:
Excluding Packages in global exclude list
Finished
Setting up Install Process
Package zlib-1.2.3-3.x86_64 already installed and latest version
Package zlib-1.2.3-3.i386 already installed and latest version
Nothing to do

Is there some place I can just manually enable the check?

Thanks.
I do not see an immediate problem with the output that you have provided.

I asked a question but never got a response back. Clamconnector incorrectly says I have the wrong version of something. Zlib or something.
For testing and verification, have you attempted to execute "clamscan" manually to scan compressed archives?

You may refer to the clamscan manual "man" page and help detail for usage information:
Code:
# man clamscan
# clamscan --help
Is ClamAV installed via RPM (precompiled binary), via ClamAVconnector (source-compiled), or both?

Via root SSH access, please provide output from the following command:
Code:
# rpm -qa --qf "%{name}-%{version}-%{release}.%{arch}\n" | grep -i "clam" | sort
 

hermit

Active Member
Sep 22, 2004
I do not see an immediate problem with the output that you have provided.



For testing and verification, have you attempted to execute "clamscan" manually to scan compressed archives?

You may refer to the clamscan manual "man" page and help detail for usage information:
Code:
# man clamscan
# clamscan --help
Is ClamAV installed via RPM (precompiled binary), via ClamAVconnector (source-compiled), or both?

Via root SSH access, please provide output from the following command:
Code:
# rpm -qa --qf "%{name}-%{version}-%{release}.%{arch}\n" | grep -i "clam" | sort
It returns nothing. I went to the clam connector install directory and did a make and make install to get freshclam working. The only thing installed for freshclam was a symbolic link that pointed to nowhere.

The problem remains that I get lots of zip viruses every day.

Clamscan seems to work:
---------- SCAN SUMMARY -----------
Known viruses: 813690
Engine version: 0.96.1
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 6.050 sec (0 m 6 s)

The only indications of clam in my exim logs are:

[email protected] [/home/oooc]# cat /var/log/exim_mainlog |grep clamav
2010-08-08 17:10:02 cwd=/usr/local/cpanel/modules-install/clamavconnector-Linux-x86_64/clamav-0.96.1 2 args: /usr/sbin/exim -bV
2010-08-08 17:10:02 cwd=/usr/local/cpanel/modules-install/clamavconnector-Linux-x86_64/clamav-0.96.1 4 args: /usr/sbin/exim -bV -C /etc/exim.conf.buildtest.work.7kqK4pwCP_LkZ3t3

This seems to correspond to the time I installed/reinstalled.

Thanks
 

cPanelDon

cPanel Quality Assurance Analyst
Staff member
Nov 5, 2008
Houston, Texas, U.S.A.
cPanel Access Level
DataCenter Provider
It returns nothing. I went to the clam connector install directory and did a make and make install to get freshclam working. The only thing installed for freshclam was a symbolic link that pointed to nowhere.

The problem remains that I get lots of zip viruses every day.

Clamscan seems to work:
---------- SCAN SUMMARY -----------
Known viruses: 813690
Engine version: 0.96.1
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 6.050 sec (0 m 6 s)

The only indications of clam in my exim logs are:

[email protected] [/home/oooc]# cat /var/log/exim_mainlog |grep clamav
2010-08-08 17:10:02 cwd=/usr/local/cpanel/modules-install/clamavconnector-Linux-x86_64/clamav-0.96.1 2 args: /usr/sbin/exim -bV
2010-08-08 17:10:02 cwd=/usr/local/cpanel/modules-install/clamavconnector-Linux-x86_64/clamav-0.96.1 4 args: /usr/sbin/exim -bV -C /etc/exim.conf.buildtest.work.7kqK4pwCP_LkZ3t3

This seems to correspond to the time I installed/reinstalled.

Thanks
Via root SSH access, please try the following command to help locate relevant entries:
Code:
# zgrep -Hn "This message contains a virus or other harmful content" /var/log/exim_rejectlog*
The search term seen above, that of the relevant reject message, was obtained from the following output while searching the Exim configuration file (at "/etc/exim.conf"):
Code:
# egrep -Hn "demime|malware" /etc/exim.conf
/etc/exim.conf:682:deny message = This message contains a virus or other harmful content ($malware_name)
/etc/exim.conf:683:    malware = */defer_ok
/etc/exim.conf:684:    demime = *
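The two checks above (is the ClamAV ACL actually in /etc/exim.conf, and what is the reject log recording) turned into a small repeatable script. This is an added example, not cPanel's or the poster's code; the reject-log line format and file paths are assumptions, and the sample config and log files are constructed so it runs offline.

```shell
#!/bin/sh
# Added example, not from the thread or from cPanel: a small health check
# for the ClamAV/Exim wiring discussed above. Sample files below are
# constructed so the script runs offline; point the functions at the real
# paths (/etc/exim.conf, /var/log/exim_rejectlog*) on a server.
set -u

# 0 if the config carries the malware ACL lines ClamAVconnector should add.
exim_has_malware_acl() {
    grep -q 'deny message = This message contains a virus or other harmful content' "$1" &&
    grep -Eq '^[[:space:]]*malware[[:space:]]*=[[:space:]]*\*' "$1"
}

# Print the given reject logs, decompressing rotated .gz copies on the fly.
read_logs() {
    for f in "$@"; do
        case "$f" in *.gz) gzip -dc "$f" ;; *) cat "$f" ;; esac
    done
}

# Number of messages Exim rejected because ClamAV flagged them.
count_malware_rejects() {
    read_logs "$@" | grep -c 'This message contains a virus or other harmful content' || true
}

# Per-signature tally, most frequent first ("<count> <malware_name>").
malware_name_tally() {
    read_logs "$@" | sed -n 's/.*harmful content (\([^)]*\)).*/\1/p' |
        sort | uniq -c | sort -rn | sed 's/^[[:space:]]*//'
}

# Constructed samples: a wired config, an unwired one, and a reject log.
TMP=$(mktemp -d); trap 'rm -rf "$TMP"' EXIT
printf '%s\n' 'deny message = This message contains a virus or other harmful content ($malware_name)' \
    '    malware = */defer_ok' '    demime = *' > "$TMP/exim.conf.ok"
printf '%s\n' 'acl_check_message:' '    accept' > "$TMP/exim.conf.bad"
cat > "$TMP/exim_rejectlog" <<'EOF'
2010-08-08 09:12:01 H=(mail.example.invalid) [192.0.2.10] F=<bob@example.invalid> rejected after DATA: This message contains a virus or other harmful content (Trojan.Zip.Sample-1)
2010-08-08 09:15:44 H=(mx.example.invalid) [192.0.2.11] F=<alice@example.invalid> rejected after DATA: This message contains a virus or other harmful content (Trojan.Zip.Sample-1)
2010-08-08 10:02:13 H=(relay.example.invalid) [198.51.100.5] F=<carol@example.invalid> rejected after DATA: This message contains a virus or other harmful content (HTML.Phishing.Sample-2)
2010-08-08 10:05:00 H=(other.example.invalid) [198.51.100.6] F=<dave@example.invalid> rejected RCPT <x@example.invalid>: relay not permitted
EOF

if exim_has_malware_acl "$TMP/exim.conf.ok"; then echo "sample config: ClamAV ACL present"; fi
exim_has_malware_acl "$TMP/exim.conf.bad" || echo "sample config (bad): ClamAV ACL missing, reinstall ClamAVconnector"
echo "malware rejects: $(count_malware_rejects "$TMP/exim_rejectlog")"
malware_name_tally "$TMP/exim_rejectlog"
```

A zero count from the reject log combined with a missing ACL is the situation hermit describes: mail is not being handed to ClamAV at all, which no signature update will fix.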
 

hermit

Active Member
Sep 22, 2004
missing from exim.conf

Via root SSH access, please try the following command to help locate relevant entries:
Code:
# zgrep -Hn "This message contains a virus or other harmful content" /var/log/exim_rejectlog*
The search term seen above, that of the relevant reject message, was obtained from the following output while searching the Exim configuration file (at "/etc/exim.conf"):
Code:
# egrep -Hn "demime|malware" /etc/exim.conf
/etc/exim.conf:682:deny message = This message contains a virus or other harmful content ($malware_name)
/etc/exim.conf:683:    malware = */defer_ok
/etc/exim.conf:684:    demime = *
OK. None of this seems to have been added to my exim.conf by clamconnector.
 

cPanelDon

cPanel Quality Assurance Analyst
Staff member
Nov 5, 2008
Houston, Texas, U.S.A.
cPanel Access Level
DataCenter Provider
11.25.0-release_45750
Using the latest cPanel RELEASE build I installed the WHM plug-in, ClamAVconnector, and verified the expected entries are properly set up in the Exim configuration file, at /etc/exim.conf; I then also verified that the entries still exist after resetting the Exim configuration:
Code:
# egrep -Hn "demime|malware" /etc/exim.conf
/etc/exim.conf:533:deny message = This message contains a virus or other harmful content ($malware_name)
/etc/exim.conf:534:    malware = */defer_ok
/etc/exim.conf:535:    demime = *

# grep '' /etc/redhat-release /var/cpanel/envtype /usr/local/cpanel/version
/etc/redhat-release:CentOS release 5.5 (Final)
/var/cpanel/envtype:vmware
/usr/local/cpanel/version:11.25.0-RELEASE_46156
I recommend performing the following steps in an attempt to correct a broken Exim configuration where it is not properly using ClamAV:
  1. Force a cPanel re-install and update to the latest build:
    Code:
    # /scripts/upcp --force
  2. Force a re-install of Exim:
    Code:
    # /scripts/eximup --force
  3. Uninstall ClamAVconnector plug-in via WHM:
  4. Reinstall ClamAVconnector plug-in via WHM:
  5. Reset Exim Configuration via WHM:
 

hermit

Active Member
Sep 22, 2004
Not looking good.

I'll know for sure tomorrow if I get my usual compliments of zip viruses, but:

[email protected] [/home/oooc]# egrep -Hn "demime|malware" /etc/exim.conf
[email protected] [/home/oooc]#


Also, since freshclam was broken last time I tried I figured I'd give that a test. I got:
[email protected] [/home/oooc]# /usr/bin/freshclam
/usr/bin/freshclam: error while loading shared libraries: libclamav.so.6: cannot open shared object file: No such file or directory


[email protected] [/home/oooc]# grep '' /etc/redhat-release /var/cpanel/envtype /usr/local/cpanel/version
/etc/redhat-release:CentOS release 5.5 (Final)
/var/cpanel/envtype:standard
/usr/local/cpanel/version:11.25.0-RELEASE_46156
 

hermit

Active Member
Sep 22, 2004
nope

Still nothing in the /etc/exim.conf file and no viruses stopped last night. There was nothing like what you showed before I reset the exim.conf either.
 

hermit

Active Member
Sep 22, 2004
just did a reinstall

Found this in the logs:

make[1]: Leaving directory `/usr/local/cpanel/modules-install/clamavconnector-Linux-x86_64/clamav-0.96.1/libclamav'
Unable to locate clamd

Anyhow, I just finished installing using the install script on the command line and it seems to have worked. I can grep clamd out of a ps and netstat command. Grep also pulled some of the config you have listed before.
 

cPanelDon

cPanel Quality Assurance Analyst
Staff member
Nov 5, 2008
Houston, Texas, U.S.A.
cPanel Access Level
DataCenter Provider
Found this in the logs:

make[1]: Leaving directory `/usr/local/cpanel/modules-install/clamavconnector-Linux-x86_64/clamav-0.96.1/libclamav'
Unable to locate clamd

Anyhow, I just finished installing using the install script on the command line and it seems to have worked. I can grep clamd out of a ps and netstat command. Grep also pulled some of the config you have listed before.
If persistent difficulty is encountered during a normal uninstall and then fresh install -- strictly using WHM -- please consider submitting a support request so that we may assist with investigating the issue.
 

garconcn

Well-Known Member
Oct 29, 2009
We have the same problem on our mail firewall server (also uses clamav). When you submit the virus sample to clamav (Clam AntiVirus), sometimes it's not even detected. Even if the virus was detected in newer updates, you will find that those viruses had bypassed your server a few days ago. The support said the virus is mutating faster than updates can be made. So, there's nothing we can do. I had reported the problem over 1 week ago, but I haven't got a solution. They said they're actively working on the virus issue. ;)
 

cPanelDon

cPanel Quality Assurance Analyst
Staff member
Nov 5, 2008
Houston, Texas, U.S.A.
cPanel Access Level
DataCenter Provider
We have the same problem on our mail firewall server (also uses clamav). When you submit the virus sample to clamav (Clam AntiVirus), sometimes it's not even detected. Even if the virus was detected in newer updates, you will find that those viruses had bypassed your server a few days ago. The support said the virus is mutating faster than updates can be made. So, there's nothing we can do. I had reported the problem over 1 week ago, but I haven't got a solution. They said they're actively working on the virus issue. ;)
Thank you for providing the additional insight regarding ClamAV and its effectiveness in the described special circumstances. To clarify my understanding, was it ClamAV support that was contacted when reporting the issue?

In comparison with what you have noted, I believe the issue reported by hermit is different in that it appeared to stem from difficulty compiling ClamAV when installing via ClamAVconnector in WHM, subsequently causing the needed Exim configuration entries to not exist, and thereby leading to ClamAV not being used to scan incoming e-mails.
 

hermit

Active Member
Sep 22, 2004
Thank you for providing the additional insight regarding ClamAV and its effectiveness in the described special circumstances. To clarify my understanding, was it ClamAV support that was contacted when reporting the issue?

In comparison with what you have noted, I believe the issue reported by hermit is different in that it appeared to stem from difficulty compiling ClamAV when installing via ClamAVconnector in WHM, subsequently causing the needed Exim configuration entries to not exist, and thereby leading to ClamAV not being used to scan incoming e-mails.
Correct. Now my 'problem' is I'm getting a ton of .html's but mainly forwarded from another account that I might have white listed. I added .html to the /etc/antivirus.exim but I still got them. I'm waiting to see if they stop now ...... My motto for quite a while has been, "Shoot more spammers." ;) These guys are all related.
 

hermit

Active Member
Sep 22, 2004
If persistent difficulty is encountered during a normal uninstall and then fresh install -- strictly using WHM -- please consider submitting a support request so that we may assist with investigating the issue.
Doing a cPanel upgrade yesterday and it barfed at 90% on a 'bad clam'. ;) I uninstalled clam and redid the upgrade followed by a reinstall of clam. This morning I get: /bin/sh: /usr/bin/freshclam: No such file or directory.

I don't remember which script I ran to install clam from the command line. /scripts/? Certainly doesn't seem obvious since ls *clam* doesn't give me a good hint......
 

cPanelDon

cPanel Quality Assurance Analyst
Staff member
Nov 5, 2008
Houston, Texas, U.S.A.
cPanel Access Level
DataCenter Provider
Doing a cPanel upgrade yesterday and it barfed at 90% on a 'bad clam'. ;) I uninstalled clam and redid the upgrade followed by a reinstall of clam. This morning I get: /bin/sh: /usr/bin/freshclam: No such file or directory.

I don't remember which script I ran to install clam from the command line. /scripts/? Certainly doesn't seem obvious since ls *clam* doesn't give me a good hint......
Please submit a support request for this issue so that we may assist with investigation; direct access is needed in order to properly inspect the circumstances to form an accurate diagnosis and subsequent resolution. When available, please let me know your ticket ID number so that we may follow up internally.