mtindor

I noticed that since I upgraded my systems from 11.38 to 11.40 this morning, clamd was no longer logging to /var/log/clamd.log as I had previously configured it to do.

As it turns out, clamd is now an RPM distributed by cPanel, and it uses /usr/local/cpanel/3rdparty/etc/clamd.conf for configuration rather than /etc/clamd.conf.

So I had to edit /usr/local/cpanel/3rdparty/etc/clamd.conf to turn on my logging and log clean scans, which is my preference.

If anyone else logs clamd, they might want to read this and configure clamd.conf from the new location. Of course, I don't know if /usr/local/cpanel/3rdparty/etc/clamd.conf will be overwritten upon future cPanel updates or not.

Mike
 

mtindor

Actually, I was wrong about emails being scanned just fine.

On three separate servers, clamav/clamd is not scanning my emails. I've got all the logging turned on and log data is being written to /var/log/clamd.log. I can see all of the entries when CXS pipes files through for scanning. But there is no sign of a single email being scanned by clamav, on three servers, since the time I upgraded them to 11.40.

mike
 

cPanelKenneth

cPanel Development
Staff member
Of course, I don't know if /usr/local/cpanel/3rdparty/etc/clamd.conf will be overwritten upon future cPanel updates or not.

Mike
clamd.conf should be marked as a conf file, meaning new versions of the clamav RPM will not overwrite your changes.

As for your other issue I suggest opening a support ticket.
 

tkg

Actually, I was wrong about emails being scanned just fine.

On three separate servers, clamav/clamd is not scanning my emails. I've got all the logging turned on and log data is being written to /var/log/clamd.log. I can see all of the entries when CXS pipes files through for scanning. But there is no sign of a single email being scanned by clamav, on three servers, since the time I upgraded them to 11.40.

mike
Be sure to check the scanning options in the Exim Configuration Manager. (Basic Editor tab under the Security tab.)

When my WHM updated to 11.40, the options for "Scan messages for malware from authenticated senders (exiscan)" and "Scan outgoing messages for malware" had reverted to the default values (Off). Turning these on solved my problem.
 

mtindor

Be sure to check the scanning options in the Exim Configuration Manager. (Basic Editor tab under the Security tab.)

When my WHM updated to 11.40, the options for "Scan messages for malware from authenticated senders (exiscan)" and "Scan outgoing messages for malware" had reverted to the default values (Off). Turning these on solved my problem.
Thanks. On my servers, most of them had that disabled [always]. Incoming mail from outside sources is supposed to be scanned regardless. On one server that I hadn't already fixed [by resetting the Exim Config], these settings were already on. And disabling/re-enabling them didn't help. But that particular server was the one server that I didn't have ClamAVConnector installed on. When I installed ClamAVConnector and then disabled those settings [didn't even have to re-enable them], it fixed the issue in exim.conf and incoming messages were being scanned again.

I think your suggestion is the right suggestion though, as long as somebody already has ClamAVConnector installed. If they don't, disabling/re-enabling the options you mentioned in Exim Configuration Manager probably won't fix things.

Mike
 

nibb

Did you resolve this?

I thought incoming emails were scanned by default, but I just found a lot of Trojans in users' mail folders. If ClamAV was scanning incoming email, they should instead be in the quarantine folders.

In the basic security settings in Exim they are both OFF and it says that is the default setting, because I assume, like it says there, that is for email senders; this means messages sent by users.

I'm talking here about emails received by users; they have viruses in their inboxes, and with a manual scan it's detected. Shouldn't ClamAV be removing this automatically instead of having to do this manually?

It would be nice to have some testing, how we can actually test if Exim is actually scanning incoming emails. I suspect some customers are actually getting infected because of this.
 

cPanelMichael

Administrator
Staff member
It would be nice to have some testing, how we can actually test if Exim is actually scanning incoming emails. I suspect some customers are actually getting infected because of this.
You can send the EICAR test file to an email address on your server to see if ClamAV detects it as a virus. More information on this test file is available at:

EICAR test file - Wikipedia, the free encyclopedia

Thank you.
 

nibb

You can send the EICAR test file to an email address on your server to see if ClamAV detects it as a virus. More information on this test file is available at:

EICAR test file - Wikipedia, the free encyclopedia

Thank you.
I will. How about these options in the Exim editor that are off by default?

I also read here in the forums some people asking about activating incoming mail scanning. Other replies pointed them to activate the same options mentioned here in this post, but if I read correctly these are for outbound emails, emails that users are sending, not incoming, so the information some users are giving is false?

Just read someone's reply here above my own:

"When my WHM updated to 11.40, the options for "Scan messages for malware from authenticated senders (exiscan)" and "Scan outgoing messages for malware" had reverted to the default values (Off). Turning these on solved my problem."

As far as I see, this terminology means emails sent by users, not incoming emails. It seems users are activating the wrong options because they think incoming emails are not being scanned, or are those options indeed for that?
 

koda

We have a similar issue here.
We installed the clamavconnector.
Clamd process is active and so is the unix socket in /var/clamd
The exim conf has been rebuilt and the av_scanner = clamd:/var/clamd parameter is there.
Apparently incoming mails are not scanned, at least nothing in the headers is added to notify the email has been scanned.
I tried EICAR test with .com .zip (simple zip) and .txt files and all 3 were blocked BUT there is no sign of the scan in the header

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

[email protected]
SMTP error from remote mail server after end of data:
host mail.xxxxxx.net [xx.xx.68.157]: 550-This message contains a virus or other harmful content
550 (Eicar-Test-Signature)

I tried with a .src virus but I received it without issues.

How can we be sure clamav is working with inbound mails? Shouldn't it add headers?

Thanks as always for your kind support
 

cPanelMichael

Administrator
Staff member
As far as I see, this terminology means emails sent by users, not incoming emails. It seems users are activating the wrong options because they think incoming emails are not being scanned, or are those options indeed for that?
The two options you are referring to are under the "Security" tab in "WHM Home » Service Configuration » Exim Configuration Manager":

Scan messages for malware from authenticated senders (exiscan)

Per its description:

If you have the ClamAVconnector plugin installed, messages from authenticated senders are not scanned until you enable this option. It is recommended that you scan mail for authenticated senders when possible to reduce the risk of viruses spreading inside your network.


Scan outgoing messages for malware

Per its description:

If you have the ClamAVconnector plugin installed, enabling this option will reject mail bound for non-local domains that test positive for malware.

Thus, the second option is for outgoing email, and the first option applies to a certain type of incoming email. As you mentioned, all other incoming messages should already be scanned by ClamAV by default without having to enable either of these options. I suggest opening a support ticket using the link in my signature if you are experiencing issues with ClamAV that you want us to investigate.

Thank you.
 

koda

If ClamAVconnector is enabled and working as intended should it add its own header to notify the e-mail has been scanned to incoming email?

Do you think the delivery notification we received when attempting to send EICAR test "host mail.xxxxxx.net [xx.xx.68.157]: 550-This message contains a virus or other harmful content 550 (Eicar-Test-Signature)" was issued by ClamAv? I'm asking because again we don't find added header in "legit" emails and a virus I attempted to send to the server (with .scr extension) was delivered.

About the "Scan messages for malware from authenticated senders (exiscan)" you mentioned above that is for "authenticated senders" could you clarify a bit how this would apply to inbound emails?

Thank you in advance Michael
 

cPanelMichael

Administrator
Staff member
If ClamAVconnector is enabled and working as intended should it add its own header to notify the e-mail has been scanned to incoming email?
This is not the default behavior, but you could likely set up a custom ACL rule to implement something like this if you prefer.

Do you think the delivery notification we received when attempting to send EICAR test "host mail.xxxxxx.net [xx.xx.68.157]: 550-This message contains a virus or other harmful content 550 (Eicar-Test-Signature)" was issued by ClamAv? I'm asking because again we don't find added header in "legit" emails and a virus I attempted to send to the server (with .scr extension) was delivered.
That message does indicate that ClamAV blocked the test virus. It's possible that ClamAV might not detect viruses in all archives or extensions. You may want to consider blocking all SCR extensions if these pose a problem.

About the "Scan messages for malware from authenticated senders (exiscan)" you mentioned above that is for "authenticated senders" could you clarify a bit how this would apply to inbound emails?
Authenticated sender implies the email address has been authenticated on the system (someone successfully connected to your server with its username and password).

Thank you.
 

kdean

clamd.conf should be marked as a conf file, meaning new versions of the clamav RPM will not overwrite your changes.
This doesn't appear to always be true. I just noticed my clamav was no longer logging and the /usr/local/cpanel/3rdparty/etc/clamd.conf had been overwritten after I upgraded from 11.42.1.23 to 11.44.0.30

Maybe this was because some new settings needed to be added on upgrade, but perhaps it would be best to leave that conf there by default and also make use of one in /etc to override any settings for customization so settings aren't lost when updating.
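
An added example, not part of any post above and not cPanel's own code: a shell check for the situation described in the first and last posts, where the logging settings in /usr/local/cpanel/3rdparty/etc/clamd.conf were missing after an update. The function names and the idea of keeping a baseline copy are assumptions of this example; LogFile and LogClean are standard clamd.conf directives.

```shell
#!/bin/sh
# Added example (hypothetical helper names): verify that clamd.conf still
# carries the logging settings an admin configured, e.g. after an update.

# Print the value of the first active (uncommented) occurrence of a directive.
conf_value() {  # usage: conf_value FILE DIRECTIVE
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }        # ignore commented-out lines
        $1 == key { print $2; exit }     # awk strips leading whitespace
    ' "$1"
}

# Return 0 when logging is configured as expected, 1 when a setting is
# missing or different, 2 when the file cannot be read.
check_clamd_logging() {  # usage: check_clamd_logging FILE EXPECTED_LOGFILE
    conf=$1; want_log=$2; rc=0
    [ -r "$conf" ] || { echo "cannot read $conf"; return 2; }

    logfile=$(conf_value "$conf" LogFile)
    if [ "$logfile" != "$want_log" ]; then
        echo "LogFile is '${logfile:-unset}', expected '$want_log'"
        rc=1
    fi

    # clamd booleans may be written yes/no, true/false or 1/0.
    case "$(conf_value "$conf" LogClean)" in
        yes|true|1) ;;
        *) echo "LogClean is not enabled; clean scans will not be logged"
           rc=1 ;;
    esac
    return $rc
}

# Return 0 when FILE is byte-identical to a saved BASELINE copy, 1 otherwise.
# A difference after an update means the file was replaced or edited.
conf_unchanged() {  # usage: conf_unchanged FILE BASELINE
    cmp -s "$1" "$2"
}

# Check the path named in this thread only when invoked with "--run".
if [ "${1:-}" = "--run" ]; then
    check_clamd_logging /usr/local/cpanel/3rdparty/etc/clamd.conf /var/log/clamd.log
fi
```

Run from cron after updates, a non-zero exit status flags that the logging settings need to be reapplied.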