clamav lets in massive number of infected files

Discussion in 'E-mail Discussions' started by ebizindia, Aug 6, 2010.

  1. ebizindia

    ebizindia Well-Known Member

    Joined:
    Oct 13, 2005
    Messages:
    72
    Likes Received:
    2
    Trophy Points:
    8
    Location:
    Kolkata, India
    cPanel Access Level:
    Root Administrator
    Hi

    I have been using clamav on my cpanel server for a long time with moderate success.

    However, I am finding that a massive number of emails with Trojan attachments (.zip mostly) are slipping in without getting caught.

    The sender IPs are all different, so we cannot blacklist anyone safely and effectively.

    Any other clues to make Clamav work better?

    Arun
     
  2. Radio_Head

    Radio_Head Well-Known Member

    Joined:
    Feb 15, 2002
    Messages:
    2,051
    Likes Received:
    1
    Trophy Points:
    38
    Are you sure your clamav is running?
    http://forums.cpanel.net/f43/you-sure-your-clamav-installed-correctly-161613.html
     
  3. hermit

    hermit Active Member

    Joined:
    Sep 22, 2004
    Messages:
    35
    Likes Received:
    1
    Trophy Points:
    8
    LOTS of zip file viruses getting through.

    I installed clamconnector. Was a new install and 'forgot' to put it on the new box. Is zlib used for this?

    I get the following:

    zlib version checking was disabled. zlib versions <= 1.2.1 have a known security vulnerability
    See zlib Home Site for more information


    Yet:
    Excluding Packages in global exclude list
    Finished
    Setting up Install Process
    Package zlib-1.2.3-3.x86_64 already installed and latest version
    Package zlib-1.2.3-3.i386 already installed and latest version
    Nothing to do

    Is there some place I can just manually enable the check?

    Thanks.
     
  4. hermit

    hermit Active Member

    Joined:
    Sep 22, 2004
    Messages:
    35
    Likes Received:
    1
    Trophy Points:
    8
    same here

    I asked a question but never got a response back. Clamconnector incorrectly says I have the wrong version of something. Zlib or something.
     
  5. cPanelDon

    cPanelDon cPanel Quality Assurance Analyst
    Staff Member

    Joined:
    Nov 5, 2008
    Messages:
    2,557
    Likes Received:
    7
    Trophy Points:
    38
    Location:
    Houston, Texas, U.S.A.
    cPanel Access Level:
    DataCenter Provider
    I do not see an immediate problem with the output that you have provided.

    For testing and verification, have you attempted to execute "clamscan" manually to scan compressed archives?

    You may refer to the clamscan manual "man" page and help detail for usage information:
    Code:
    # man clamscan
    # clamscan --help
    Is ClamAV installed via RPM (precompiled binary), via ClamAVconnector (source-compiled), or both?

    Via root SSH access, please provide output from the following command:
    Code:
    # rpm -qa --qf "%{name}-%{version}-%{release}.%{arch}\n" | grep -i "clam" | sort
     
  6. hermit

    hermit Active Member

    Joined:
    Sep 22, 2004
    Messages:
    35
    Likes Received:
    1
    Trophy Points:
    8
    It returns nothing. I went to the clam connector install directory and did a make and make install to get freshclam working. The only thing installed for freshclam was a symbolic link that pointed to nowhere.

    The problem remains that I get lots of zip viruses every day.

    Clamscan seems to work:
    ---------- SCAN SUMMARY -----------
    Known viruses: 813690
    Engine version: 0.96.1
    Scanned directories: 0
    Scanned files: 1
    Infected files: 0
    Data scanned: 0.00 MB
    Data read: 0.00 MB (ratio 0.00:1)
    Time: 6.050 sec (0 m 6 s)

    The only indications of clam in my exim logs are:

    root@cp [/home/oooc]# cat /var/log/exim_mainlog |grep clamav
    2010-08-08 17:10:02 cwd=/usr/local/cpanel/modules-install/clamavconnector-Linux-x86_64/clamav-0.96.1 2 args: /usr/sbin/exim -bV
    2010-08-08 17:10:02 cwd=/usr/local/cpanel/modules-install/clamavconnector-Linux-x86_64/clamav-0.96.1 4 args: /usr/sbin/exim -bV -C /etc/exim.conf.buildtest.work.7kqK4pwCP_LkZ3t3

    This seems to correspond to the time I installed/reinstalled.

    Thanks
     
  7. cPanelDon

    cPanelDon cPanel Quality Assurance Analyst
    Staff Member

    Joined:
    Nov 5, 2008
    Messages:
    2,557
    Likes Received:
    7
    Trophy Points:
    38
    Location:
    Houston, Texas, U.S.A.
    cPanel Access Level:
    DataCenter Provider
    Via root SSH access, please try the following command to help locate relevant entries:
    Code:
    # zgrep -Hn "This message contains a virus or other harmful content" /var/log/exim_rejectlog*
    The search term seen above, the relevant reject message, was obtained from the following output while searching the Exim configuration file (at "/etc/exim.conf"):
    Code:
    # egrep -Hn "demime|malware" /etc/exim.conf
    /etc/exim.conf:682:deny message = This message contains a virus or other harmful content ($malware_name)
    /etc/exim.conf:683:    malware = */defer_ok
    /etc/exim.conf:684:    demime = *
     
  8. hermit

    hermit Active Member

    Joined:
    Sep 22, 2004
    Messages:
    35
    Likes Received:
    1
    Trophy Points:
    8
    missing from exim.conf

    OK. None of this seems to have been added to my exim.conf by clamconnector.
     
  9. cPanelDon

    cPanelDon cPanel Quality Assurance Analyst
    Staff Member

    Joined:
    Nov 5, 2008
    Messages:
    2,557
    Likes Received:
    7
    Trophy Points:
    38
    Location:
    Houston, Texas, U.S.A.
    cPanel Access Level:
    DataCenter Provider
    What is the full cPanel version number of the system?
    Code:
    # cat /usr/local/cpanel/version && echo
     
  10. hermit

    hermit Active Member

    Joined:
    Sep 22, 2004
    Messages:
    35
    Likes Received:
    1
    Trophy Points:
    8
    thanks

    11.25.0-release_45750
     
  11. cPanelDon

    cPanelDon cPanel Quality Assurance Analyst
    Staff Member

    Joined:
    Nov 5, 2008
    Messages:
    2,557
    Likes Received:
    7
    Trophy Points:
    38
    Location:
    Houston, Texas, U.S.A.
    cPanel Access Level:
    DataCenter Provider
    Using the latest cPanel RELEASE build I installed the WHM plug-in, ClamAVconnector, and verified the expected entries are properly set up in the Exim configuration file, at /etc/exim.conf; I then also verified that the entries still exist after resetting the Exim configuration:
    Code:
    # egrep -Hn "demime|malware" /etc/exim.conf
    /etc/exim.conf:533:deny message = This message contains a virus or other harmful content ($malware_name)
    /etc/exim.conf:534:    malware = */defer_ok
    /etc/exim.conf:535:    demime = *
    
    # grep '' /etc/redhat-release /var/cpanel/envtype /usr/local/cpanel/version
    /etc/redhat-release:CentOS release 5.5 (Final)
    /var/cpanel/envtype:vmware
    /usr/local/cpanel/version:11.25.0-RELEASE_46156
    I recommend performing the following steps in an attempt to correct a broken Exim configuration where it is not properly using ClamAV:
    1. Force a cPanel re-install and update to the latest build:
      Code:
      # /scripts/upcp --force
    2. Force a re-install of Exim:
      Code:
      # /scripts/eximup --force
    3. Uninstall ClamAVconnector plug-in via WHM:
    4. Reinstall ClamAVconnector plug-in via WHM:
    5. Reset Exim Configuration via WHM:
     
    #11 cPanelDon, Aug 16, 2010
    Last edited: Aug 16, 2010
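    As an added example (not code from the thread, from cPanel or from ClamAVconnector), the two checks cPanelDon gives in posts #7 and #11 combined into one script: it greps an exim.conf for the deny/malware/demime ACL lines that ClamAVconnector is expected to add, and counts the matching rejections in an Exim reject log. The exim.conf fragments and reject-log lines written below are constructed fixtures so the script runs offline; on a real server the functions would be pointed at /etc/exim.conf and /var/log/exim_rejectlog.

```shell
#!/bin/sh
# Added example, not from the thread: a health check for the Exim <-> ClamAV
# hand-off cPanelDon describes. It looks for the deny/malware/demime ACL lines
# in an exim.conf and counts virus rejections in an exim_rejectlog. The
# fixtures written below are constructed, not real server output.

# Return 0 only if all three ACL lines ClamAVconnector adds are present.
exim_has_malware_acl() {
    grep -q 'deny message = This message contains a virus or other harmful content' "$1" &&
    grep -Eq '^[[:space:]]*malware = \*/defer_ok' "$1" &&
    grep -Eq '^[[:space:]]*demime = \*' "$1"
}

# Print how many reject-log lines that ACL produced (0 when none).
count_virus_rejects() {
    grep -c 'This message contains a virus or other harmful content' "$1" || true
}

# Constructed fixtures: a scanning exim.conf, one without the ACL, a reject log.
good_conf=$(mktemp); bad_conf=$(mktemp); rejectlog=$(mktemp)
cat > "$good_conf" <<'EOF'
acl_smtp_data:
  deny message = This message contains a virus or other harmful content ($malware_name)
    malware = */defer_ok
    demime = *
  accept
EOF
printf 'acl_smtp_data:\n  accept\n' > "$bad_conf"
cat > "$rejectlog" <<'EOF'
2010-08-16 09:12:01 H=(mx.example.invalid) [192.0.2.10] rejected after DATA: This message contains a virus or other harmful content (Trojan.Example-1)
2010-08-16 09:13:44 H=(mx.example.invalid) [192.0.2.11] rejected RCPT <c@example.test>: relay not permitted
2010-08-16 09:15:09 H=(mx.example.invalid) [192.0.2.12] rejected after DATA: This message contains a virus or other harmful content (Trojan.Example-2)
EOF

# Report for one server: a missing ACL means Exim never hands mail to clamd,
# which is exactly the state hermit found (egrep returned nothing).
check_server() {
    if exim_has_malware_acl "$1"; then
        echo "ACL present; virus rejections logged: $(count_virus_rejects "$2")"
    else
        echo "ACL MISSING from $1: incoming mail is not being scanned"
    fi
}

check_server "$good_conf" "$rejectlog"   # ACL present; 2 rejections
check_server "$bad_conf" "$rejectlog"    # ACL MISSING
```

    A zero rejection count together with a present ACL is the case garconcn describes later in the thread (signatures lagging the samples), so the two numbers should be read together rather than either one alone.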
  12. hermit

    hermit Active Member

    Joined:
    Sep 22, 2004
    Messages:
    35
    Likes Received:
    1
    Trophy Points:
    8
    Not looking good.

    I'll know for sure tomorrow if I get my usual complement of zip viruses, but:

    root@cp [/home/oooc]# egrep -Hn "demime|malware" /etc/exim.conf
    root@cp [/home/oooc]#

    Also, since freshclam was broken last time I tried, I figured I'd give that a test. I got:
    root@cp [/home/oooc]# /usr/bin/freshclam
    /usr/bin/freshclam: error while loading shared libraries: libclamav.so.6: cannot open shared object file: No such file or directory

    root@cp [/home/oooc]# grep '' /etc/redhat-release /var/cpanel/envtype /usr/local/cpanel/version
    /etc/redhat-release:CentOS release 5.5 (Final)
    /var/cpanel/envtype:standard
    /usr/local/cpanel/version:11.25.0-RELEASE_46156
     
  13. hermit

    hermit Active Member

    Joined:
    Sep 22, 2004
    Messages:
    35
    Likes Received:
    1
    Trophy Points:
    8
    nope

    Still nothing in the /etc/exim.conf file and no viruses stopped last night. There was nothing like what you showed before I reset the exim.conf either.
     
    #13 hermit, Aug 17, 2010
    Last edited: Aug 17, 2010
  14. hermit

    hermit Active Member

    Joined:
    Sep 22, 2004
    Messages:
    35
    Likes Received:
    1
    Trophy Points:
    8
    just did a reinstall

    Found this in the logs:

    make[1]: Leaving directory `/usr/local/cpanel/modules-install/clamavconnector-Linux-x86_64/clamav-0.96.1/libclamav'
    Unable to locate clamd

    Anyhow, I just finished installing using the install script on the command line and it seems to have worked. I can grep clamd out of a ps and netstat command. Grep also pulled some of the config you have listed before.
     
  15. cPanelDon

    cPanelDon cPanel Quality Assurance Analyst
    Staff Member

    Joined:
    Nov 5, 2008
    Messages:
    2,557
    Likes Received:
    7
    Trophy Points:
    38
    Location:
    Houston, Texas, U.S.A.
    cPanel Access Level:
    DataCenter Provider
    If persistent difficulty is encountered during a normal uninstall and then fresh install -- strictly using WHM -- please consider submitting a support request so that we may assist with investigating the issue.
     
  16. garconcn

    garconcn Well-Known Member

    Joined:
    Oct 29, 2009
    Messages:
    98
    Likes Received:
    1
    Trophy Points:
    8
    We have the same problem on our mail firewall server (it also uses clamav). When you submit the virus sample to clamav (Clam AntiVirus), sometimes it's not even detected. Even if the virus is detected in newer updates, you will find that those viruses had bypassed your server a few days ago. The support said the virus is mutating faster than updates can be made. So, there's nothing we can do. I reported the problem over 1 week ago, but I haven't got a solution. They said they're actively working on the virus issue. ;)
     
  17. cPanelDon

    cPanelDon cPanel Quality Assurance Analyst
    Staff Member

    Joined:
    Nov 5, 2008
    Messages:
    2,557
    Likes Received:
    7
    Trophy Points:
    38
    Location:
    Houston, Texas, U.S.A.
    cPanel Access Level:
    DataCenter Provider
    Thank you for providing the additional insight regarding ClamAV and its effectiveness in the described special circumstances. To clarify my understanding, was it ClamAV support that was contacted when reporting the issue?

    In comparison with what you have noted, I believe the issue reported by hermit is different in that it appeared to stem from difficulty compiling ClamAV when installing via ClamAVconnector in WHM, subsequently causing the needed Exim configuration entries to not exist, and thereby leading to ClamAV not being used to scan incoming e-mails.
     
  18. hermit

    hermit Active Member

    Joined:
    Sep 22, 2004
    Messages:
    35
    Likes Received:
    1
    Trophy Points:
    8
    Correct. Now my 'problem' is I'm getting a ton of .html's, but mainly forwarded from another account that I might have whitelisted. I added .html to the /etc/antivirus.exim but I still got them. I'm waiting to see if they stop now... My motto for quite a while has been, "Shoot more spammers." ;) These guys are all related.
     
  19. hermit

    hermit Active Member

    Joined:
    Sep 22, 2004
    Messages:
    35
    Likes Received:
    1
    Trophy Points:
    8
    Doing a cPanel upgrade yesterday and it barfed at 90% on a 'bad clam'. ;) I uninstalled clam and redid the upgrade followed by a reinstall of clam. This morning I get: /bin/sh: /usr/bin/freshclam: No such file or directory.

    I don't remember which script I ran to install clam from the command line. /scripts/? Certainly doesn't seem obvious since ls *clam* doesn't give me a good hint...
     
  20. cPanelDon

    cPanelDon cPanel Quality Assurance Analyst
    Staff Member

    Joined:
    Nov 5, 2008
    Messages:
    2,557
    Likes Received:
    7
    Trophy Points:
    38
    Location:
    Houston, Texas, U.S.A.
    cPanel Access Level:
    DataCenter Provider
    Please submit a support request for this issue so that we may assist with investigation; direct access is needed in order to properly inspect the circumstances to form an accurate diagnosis and subsequent resolution. When available, please let me know your ticket ID number so that we may follow up internally.
     