ClamAV not filtering incoming mail

Fbarajas

Well-Known Member
Jul 15, 2004
57
4
158
Playa del Carmen, Mexico
Hi! Using cPanel 78.0.16 on CloudLinux 7.6, with ClamAV Version: 0.100.2-1.cp1170

How can I scan incoming email for malware?

SpamAssassin is installed, but it's not blocking viruses.

Thanks!
 

rpvw

Well-Known Member
Jul 18, 2013
1,101
465
113
UK
cPanel Access Level
Root Administrator
grep your exim_mainlog for the word 'virus'

You should get multiple lines with content like "Warning: Message has been scanned: no virus or other harmful content was found"

If those entries exist, then your mail is being scanned, and you may see additional entries like "rejected after DATA: This message contains a virus or other harmful content (Win.Trojan.VBGeneric-6880554-0)"

You can test to see if your exim is trapping viruses by creating a txt file containing the EICAR test string (search for it using your favourite search engine) and attaching it to an email that you send through your server - you should see a result like "This message contains a virus or other harmful content (Eicar-Test-Signature)" and the message should be rejected.

Do remember that clam is only as good as its list of virus signatures, and it often takes a few days to get an update that will detect the latest viruses that other software can detect. If you suspect that you have a specific virus or malware file, check it on VirusTotal and see if clamav detects it.

If your mails are not being scanned, you might want to try uninstalling and then reinstalling your clamav, and/or ensuring that you have followed the instructions at Configure ClamAV Scanner - Version 78 Documentation - cPanel Documentation to configure your clamav for exim.

Hope this helps
 

Fbarajas

OK, I'm doing some tests.

Are mails from one mail account to another mail account on the same server scanned for viruses?

I sent the "eicar" signature from one of my accounts on the server to another account (on another domain on the same server) and it seems it was not scanned:

Code:
2019-03-09 11:48:55 1h2g5e-0006QL-Vc <= [email protected] H=(servidor.sistec.com.mx) [127.0.0.1]:37996 P=esmtpa A=dovecot_login:[email protected] S=1608 [email protected] T="Prueba de virus 2" for [email protected]
2019-03-09 11:48:55 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1h2g5e-0006QL-Vc
2019-03-09 11:48:55 1h2g5e-0006QL-Vc => fernando <[email protected]> R=virtual_user T=dovecot_virtual_delivery C="250 2.0.0 <[email protected]> UIJnAof8g1xnXAAAtqzIjg Saved"
2019-03-09 11:48:55 1h2g5e-0006QL-Vc Completed

But other mails are indeed being scanned by ClamAV:


Code:
2019-03-09 12:21:45 1h2gbJ-0005Bj-Np H=p66.mailgun.us [184.173.105.66]:27559 Warning: Message has been scanned: no virus or other harmful content was found
2019-03-09 12:21:46 1h2gb6-0005AY-Tg H=ccm24.constantcontact.com [208.75.123.132]:41302 Warning: Message has been scanned: no virus or other harmful content was found
2019-03-09 12:22:20 1h2gc0-0005N0-60 H=(affirm.ocadawa2s.icu) [110.34.192.53]:35203 Warning: Message has been scanned: no virus or other harmful content was found
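
Added example (not part of any post in this thread, and not cPanel's code): a shell function that extends the grep check suggested above by listing every message Exim accepted (a `<=` line) that has no matching "Message has been scanned" line, together with the authenticator it arrived under. The log lines, addresses and message IDs in `sample_log` are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in exim_mainlog format (not taken from a real server).
sample_log() {
    cat <<'EOF'
2019-03-09 11:48:55 1aaaaa-000001-AA <= alice@example.com H=(mail.example.com) [127.0.0.1]:37996 P=esmtpa A=dovecot_login:alice@example.com S=1608 T="virus test" for bob@example.net
2019-03-09 11:48:55 1aaaaa-000001-AA => bob <bob@example.net> R=virtual_user T=dovecot_virtual_delivery
2019-03-09 11:48:55 1aaaaa-000001-AA Completed
2019-03-09 12:21:45 1bbbbb-000002-BB H=mx.example.org [192.0.2.10]:27559 Warning: Message has been scanned: no virus or other harmful content was found
2019-03-09 12:21:45 1bbbbb-000002-BB <= news@example.org H=mx.example.org [192.0.2.10]:27559 P=esmtps S=5120 T="newsletter" for bob@example.net
2019-03-09 12:30:00 1ccccc-000003-CC <= carol U=carol P=local S=900 T="cron job" for root@example.com
EOF
}

# Print "<message-id> auth=<authenticator|none>" for each accepted message
# that never produced a "Message has been scanned" line.
unscanned_messages() {
    awk '
        # The scan warning is logged by the ACL, before the "<=" line.
        / Warning: Message has been scanned: / { scanned[$3] = 1 }

        # "<=" marks a message accepted into the queue.
        $4 == "<=" {
            auth = "none"
            for (i = 5; i <= NF; i++) {
                if ($i ~ /^T=/) break          # subject text follows; stop
                if ($i ~ /^A=/) {              # A=<authenticator>:<login>
                    auth = substr($i, 3)
                    sub(/:.*/, "", auth)
                }
            }
            order[++n] = $3
            how[$3] = auth
        }

        END {
            for (i = 1; i <= n; i++)
                if (!(order[i] in scanned))
                    print order[i], "auth=" how[order[i]]
        }
    ' "$1"
}
```

Call it as `unscanned_messages <path to exim_mainlog>`; entries with `auth=dovecot_login` are authenticated submissions like the one in the log excerpt above.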
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,904
2,218
463
Are mails from one mail account to another mail account on the same server scanned for viruses?
Hello @Fbarajas,

Try enabling the following option under the Security tab in WHM >> Exim Configuration Manager >> Basic Editor to see if it does what you're looking for:

Scan messages for malware from authenticated senders (exiscan).

Thank you.
 

Fbarajas

Still having problems: I'm still receiving lots of malware. The strange thing is that some viruses are NOT stopped by the antivirus... but when I run clamav on my inbox, it detects them as such:

Code:
/home/nuestrow/mail/nuestroweb.com/fbarajas/cur/1551891862.M490653P31113.servidor.sistec.com.mx,S=547709,W=555244:2,S: Win.Malware.Lptehw-6879858-0 FOUND
/home/nuestrow/mail/nuestroweb.com/fbarajas/cur/1551241130.M673041P30272.servidor.sistec.com.mx,S=575107,W=583020:2,S: Win.Malware.Noon-6887768-0 FOUND
/home/nuestrow/mail/nuestroweb.com/fbarajas/cur/1552153591.M117848P22859.servidor.sistec.com.mx,S=3228,W=3322:2,S: Eicar-Test-Signature FOUND

There's the "eicar-test" I used to test this: It was delivered to my inbox (not stopped by the antivirus), but it is detected if I run clamscan from the command line.

What else can I try?
 

rpvw

You should probably open a support ticket so they can see what might be causing your issue.
 

cPanelMichael

Hello @Fbarajas,

The other option to enable under the Security tab in WHM >> Exim Configuration Manager >> Basic Editor is:

Scan outgoing messages for malware

I tried to send an email from one local email address to another using Roundcube with the Eicar virus test file attached to the email, and the delivery attempt was rejected at SMTP time. Feel free to open a support ticket if you'd like us to take a closer look.

Thank you.