ClamAV not filtering incoming mail

Discussion in 'E-mail Discussion' started by Fbarajas, Mar 9, 2019.

  1. Fbarajas

    Fbarajas Well-Known Member

    Hi! Using cPanel 78.0.16 on CloudLinux 7.6, with ClamAV Version: 0.100.2-1.cp1170

    How can I scan incoming email for malware?

    SpamAssassin is installed, but it's not blocking viruses.

    Thanks!
     
    #1 Fbarajas, Mar 9, 2019
    Last edited by a moderator: Mar 11, 2019
  2. rpvw

    rpvw Well-Known Member

    grep your exim_mainlog for the word 'virus'

    You should get multiple lines with content like "Warning: Message has been scanned: no virus or other harmful content was found"

    If those entries exist, then your mail is being scanned, and you may see additional entries like "rejected after DATA: This message contains a virus or other harmful content (Win.Trojan.VBGeneric-6880554-0)"

    You can test to see if your exim is trapping viruses by creating a txt file containing the EICAR test string (search for it using your favourite search engine) and attaching it to an email that you send through your server - you should see a result like "This message contains a virus or other harmful content (Eicar-Test-Signature)" and the message should be rejected.

    Do remember that clam is only as good as its list of virus signatures, and it often takes a few days to get an update that will detect the latest viruses that other software can detect. If you suspect that you have a specific virus or malware file, check it on VirusTotal and see if clamav detects it.

    If your mails are not being scanned, you might want to try uninstalling and then reinstalling your clamav, and/or ensuring that you have followed the instructions at Configure ClamAV Scanner - Version 78 Documentation - cPanel Documentation to configure your clamav for exim.

    Hope this helps
     
  3. Fbarajas

    Fbarajas Well-Known Member

    OK, I'm doing some tests.

    Are mails from one mail account to another mail account on the same server scanned for viruses?

    I sent the "eicar" signature from one of my accounts on the server to another account (on another domain on the same server) and it seems it was not scanned:

    Code:
    2019-03-09 11:48:55 1h2g5e-0006QL-Vc <= [email protected] H=(servidor.sistec.com.mx) [127.0.0.1]:37996 P=esmtpa A=dovecot_login:[email protected] S=1608 [email protected] T="Prueba de virus 2" for [email protected]
    2019-03-09 11:48:55 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1h2g5e-0006QL-Vc
    2019-03-09 11:48:55 1h2g5e-0006QL-Vc => fernando <[email protected]> R=virtual_user T=dovecot_virtual_delivery C="250 2.0.0 <[email protected]> UIJnAof8g1xnXAAAtqzIjg Saved"
    2019-03-09 11:48:55 1h2g5e-0006QL-Vc Completed
    
    But other mails are indeed being scanned by ClamAV:


    Code:
    2019-03-09 12:21:45 1h2gbJ-0005Bj-Np H=p66.mailgun.us [184.173.105.66]:27559 Warning: Message has been scanned: no virus or other harmful content was found
    2019-03-09 12:21:46 1h2gb6-0005AY-Tg H=ccm24.constantcontact.com [208.75.123.132]:41302 Warning: Message has been scanned: no virus or other harmful content was found
    2019-03-09 12:22:20 1h2gc0-0005N0-60 H=(affirm.ocadawa2s.icu) [110.34.192.53]:35203 Warning: Message has been scanned: no virus or other harmful content was found
    
     
  4. cPanelMichael

    cPanelMichael Technical Support Community Manager Staff Member

    Hello @Fbarajas,

    Try enabling the following option under the Security tab in WHM >> Exim Configuration Manager >> Basic Editor to see if it does what you're looking for:

    Scan messages for malware from authenticated senders (exiscan).

    Thank you.
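
Added example, not part of the original thread and not cPanel code: the grep check from earlier in the thread, extended to pair each accepted message (`<=`) with its "Message has been scanned" entry so that submissions from authenticated senders that bypassed the scanner stand out. The sample log is constructed with placeholder addresses, and `unscanned_accepts` is a hypothetical helper name.

```python
import re

# Constructed sample modelled on the log lines quoted in the thread;
# addresses, hostnames and IPs are example placeholders.
SAMPLE_LOG = """\
2019-03-09 11:48:55 1h2g5e-0006QL-Vc <= alice@example.com H=(mail.example.com) [127.0.0.1]:37996 P=esmtpa A=dovecot_login:alice@example.com S=1608 for bob@example.org
2019-03-09 11:48:55 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1h2g5e-0006QL-Vc
2019-03-09 11:48:55 1h2g5e-0006QL-Vc => bob <bob@example.org> R=virtual_user T=dovecot_virtual_delivery
2019-03-09 11:48:55 1h2g5e-0006QL-Vc Completed
2019-03-09 12:21:45 1h2gbJ-0005Bj-Np H=mx.example.net [192.0.2.66]:27559 Warning: Message has been scanned: no virus or other harmful content was found
2019-03-09 12:21:45 1h2gbJ-0005Bj-Np <= news@example.net H=mx.example.net [192.0.2.66]:27559 P=esmtps S=20411 for bob@example.org
"""

# date, time, Exim message ID (6-6-2 characters), then the rest of the entry
ENTRY = re.compile(r"^\S+ \S+ ([0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2}) (.*)$")
AUTH = re.compile(r" A=([^:\s]+)")      # authenticator name, e.g. dovecot_login
SCAN_MARK = "Message has been scanned"  # wording taken from the thread


def unscanned_accepts(log_text):
    """Return accepted messages that have no scan entry, with their auth method."""
    scanned, accepted = set(), {}
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # e.g. the cwd= lines, which carry no leading message ID
        msgid, rest = m.groups()
        if SCAN_MARK in rest:
            scanned.add(msgid)
        elif rest.startswith("<= "):
            auth = AUTH.search(rest)
            accepted[msgid] = {
                "id": msgid,
                "sender": rest.split()[1],
                "auth": auth.group(1) if auth else None,
            }
    # Entries for one message can appear in either order, so compare at the end.
    return [info for msgid, info in accepted.items() if msgid not in scanned]


if __name__ == "__main__":
    for msg in unscanned_accepts(SAMPLE_LOG):
        print(f"{msg['id']} from {msg['sender']} auth={msg['auth']} was not scanned")
```

Running it over exim_mainlog before and after changing the exiscan options shows whether authenticated submissions start producing scan entries.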
     
  5. Fbarajas

    Fbarajas Well-Known Member

    It was in the "off" (default) option. I changed it to "on", thanks!
     
    cPanelMichael likes this.
  6. Fbarajas

    Fbarajas Well-Known Member

    Still having problems: I'm still receiving lots of malware. The strange thing is that some viruses are NOT stopped by the antivirus... but when I run clamav on my inbox, it detects them as such:

    Code:
    /home/nuestrow/mail/nuestroweb.com/fbarajas/cur/1551891862.M490653P31113.servidor.sistec.com.mx,S=547709,W=555244:2,S: Win.Malware.Lptehw-6879858-0 FOUND
    /home/nuestrow/mail/nuestroweb.com/fbarajas/cur/1551241130.M673041P30272.servidor.sistec.com.mx,S=575107,W=583020:2,S: Win.Malware.Noon-6887768-0 FOUND
    /home/nuestrow/mail/nuestroweb.com/fbarajas/cur/1552153591.M117848P22859.servidor.sistec.com.mx,S=3228,W=3322:2,S: Eicar-Test-Signature FOUND
    
    There's the "eicar-test" I used to test this: It was delivered to my inbox (not stopped by the antivirus), but it is detected if I run clamscan from the command line.

    What else can I try?
     
  7. rpvw

    rpvw Well-Known Member

    You should probably open a support ticket so they can see what might be causing your issue.
     
  8. cPanelMichael

    cPanelMichael Technical Support Community Manager Staff Member

    Hello @Fbarajas,

    The other option to enable under the Security tab in WHM >> Exim Configuration Manager >> Basic Editor is:

    Scan outgoing messages for malware

    I tried to send an email from one local email address to another using Roundcube with the Eicar virus test file attached to the email, and the delivery attempt was rejected at SMTP time. Feel free to open a support ticket if you'd like us to take a closer look.

    Thank you.
     