The Community Forums


clamd -- WHM 11.40

Discussion in 'General Discussion' started by mtindor, Dec 4, 2013.

  1. mtindor

    mtindor Well-Known Member

    Joined:
    Sep 14, 2004
    Messages:
    1,281
    Likes Received:
    37
    Trophy Points:
    48
    Location:
    inside a catfish
    cPanel Access Level:
    Root Administrator
    I noticed that since I upgraded my systems from 11.38 to 11.40 this morning, clamd was no longer logging to /var/log/clamd.log as I had previously configured it to do.

    As it turns out, clamd is now an RPM distributed by cPanel, and it uses /usr/local/cpanel/3rdparty/etc/clamd.conf for configuration rather than /etc/clamd.conf.

    So I had to edit /usr/local/cpanel/3rdparty/etc/clamd.conf to turn on my logging and log clean scans, which is my preference.

    If anyone else logs clamd, they might want to read this and configure clamd.conf from the new location. Of course, I don't know if /usr/local/cpanel/3rdparty/etc/clamd.conf will be overwritten upon future cPanel updates or not.

    Mike
     
    #1 mtindor, Dec 4, 2013
    Last edited: Dec 4, 2013
  2. mtindor

    mtindor Well-Known Member

    Actually, I was wrong about emails being scanned just fine.

    On three separate servers, clamav/clamd is not scanning my emails. I've got all the logging turned on and log data is being written to /var/log/clamd.log . I can see all of the entries when CXS pipes files through for scanning. But there is no sign of a single email being scanned by clamav, on three servers, since the time I upgraded them to 11.40.

    mike
     
  3. cPanelKenneth

    cPanelKenneth cPanel Development
    Staff Member

    Joined:
    Apr 7, 2006
    Messages:
    4,461
    Likes Received:
    22
    Trophy Points:
    38
    cPanel Access Level:
    Root Administrator
    clamd.conf should be marked as a conf file, meaning new versions of the clamav RPM will not overwrite your changes.

    As for your other issue I suggest opening a support ticket.
     
  4. mtindor

    mtindor Well-Known Member

    Done -- Ticket 4413109

    Mike
     
    #4 mtindor, Dec 5, 2013
    Last edited: Dec 5, 2013
  5. tkg

    tkg Member

    Joined:
    Jul 17, 2004
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    1
    Be sure to check the scanning options in the Exim Configuration Manager. (Basic Editor tab under the Security tab.)

    When my WHM updated to 11.40, the options for "Scan messages for malware from authenticated senders (exiscan)" and "Scan outgoing messages for malware" had reverted to the default values (Off). Turning these on solved my problem.
     
  6. mtindor

    mtindor Well-Known Member

    Thanks. On my servers, most of them had that disabled [always]. Incoming mail from outside sources is supposed to be scanned regardless. On one server that I hadn't already fixed [by resetting the Exim Config], these settings were already on. And disabling/re-enabling them didn't help. But, that particular server was the one server that I didn't have ClamAVConnector installed on. When I installed ClamAVConnector and then disabled those settings [didn't even have to re-enable them], it fixed the issue in exim.conf and incoming messages were being scanned again.

    I think your suggestion is the right suggestion though, as long as somebody already has ClamAVConnector installed. If they don't, disabling/re-enabling the options you mentioned in Exim Configuration Manager probably won't fix things.

    Mike
     
  7. nibb

    nibb Well-Known Member

    Joined:
    Mar 22, 2008
    Messages:
    301
    Likes Received:
    1
    Trophy Points:
    18
    Did you resolve this?

    I thought incoming emails were scanned by default, but I just found a lot of Trojans in users' mail folders; if ClamAV was scanning incoming email, they should instead be in the quarantine folders.

    In the basic security settings in Exim they are both OFF, and it says that is the default setting; I assume, as it says there, that this is for email senders, meaning messages sent by users.

    I'm talking here about emails received by users; they have viruses in their inboxes, and with a manual scan it's detected. Shouldn't ClamAV be removing this automatically instead of having to do this manually?

    It would be nice to have some testing, so we can actually test if Exim is actually scanning incoming emails. I suspect some customers are actually getting infected because of this.
     
  8. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,854
    Likes Received:
    675
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    You can send the EICAR test file to an email address on your server to see if ClamAV detects it as a virus. More information on this test file is available at:

    EICAR test file - Wikipedia, the free encyclopedia

    Thank you.
     
  9. nibb

    nibb Well-Known Member

    I will. How about these options in the Exim editor that are off by default?

    I also read here in the forums some people asking about activating incoming mail scanning; other replies pointed them to activate the same options mentioned here in this post, but if I read correctly these are for outbound emails, emails that users are sending, not incoming, so is the information some users are giving false?

    Just read someone's reply here above my own:

    "When my WHM updated to 11.40, the options for "Scan messages for malware from authenticated senders (exiscan)" and "Scan outgoing messages for malware" had reverted to the default values (Off). Turning these on solved my problem."

    As far as I see, this terminology means emails sent by users, not incoming emails. It seems users are activating the wrong options because they think incoming emails are not being scanned, or are those options indeed for that?
     
    #9 nibb, Feb 13, 2014
    Last edited: Feb 13, 2014
  10. koda

    koda Well-Known Member

    Joined:
    Jan 10, 2014
    Messages:
    57
    Likes Received:
    1
    Trophy Points:
    8
    cPanel Access Level:
    Root Administrator
    We have a similar issue here.
    We installed the clamavconnector.
    The clamd process is active and so is the unix socket in /var/clamd.
    The exim conf has been rebuilt and the av_scanner = clamd:/var/clamd parameter is there.
    Apparently incoming mails are not scanned, at least nothing in the headers is added to notify the email has been scanned.
    I tried the EICAR test with .com, .zip (simple zip) and .txt files, and all 3 were blocked, BUT there is no sign of the scan in the header:

    A message that you sent could not be delivered to one or more of its
    recipients. This is a permanent error. The following address(es) failed:

    x.xxxxxx@xxxxxx.net
    SMTP error from remote mail server after end of data:
    host mail.xxxxxx.net [xx.xx.68.157]: 550-This message contains a virus or other harmful content
    550 (Eicar-Test-Signature)

    I tried with a .src virus but I received it without issues.

    How can we be sure clamav is working with inbound mails? Shouldn't it add headers?

    Thanks as always for your kind support
     
    #10 koda, Feb 14, 2014
    Last edited: Feb 14, 2014
  11. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    The two options you are referring to are under the "Security" tab in "WHM Home » Service Configuration » Exim Configuration Manager":

    Scan messages for malware from authenticated senders (exiscan)

    Per its description:

    If you have the ClamAVconnector plugin installed, messages from authenticated senders are not scanned until you enable this option. It is recommended that you scan mail for authenticated senders when possible to reduce the risk of viruses spreading inside your network.


    Scan outgoing messages for malware

    Per its description:

    If you have the ClamAVconnector plugin installed, enabling this option will reject mail bound for non-local domains that test positive for malware.

    Thus, the second option is for outgoing email, and the first option applies to a certain type of incoming email. As you mentioned, all other incoming messages should already be scanned by ClamAV by default without having to enable either of these options. I suggest opening a support ticket using the link in my signature if you are experiencing issues with ClamAV that you want us to investigate.

    Thank you.
     
  12. koda

    koda Well-Known Member

    If ClamAVconnector is enabled and working as intended should it add its own header to notify the e-mail has been scanned to incoming email?

    Do you think the delivery notification we received when attempting to send the EICAR test, "host mail.xxxxxx.net [xx.xx.68.157]: 550-This message contains a virus or other harmful content 550 (Eicar-Test-Signature)", was issued by ClamAV? I'm asking because again we don't find an added header in "legit" emails, and a virus I attempted to send to the server (with .scr extension) was delivered.

    About the "Scan messages for malware from authenticated senders (exiscan)" you mentioned above that is for "authenticated senders" could you clarify a bit how this would apply to inbound emails?

    Thank you in advance Michael
     
  13. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    This is not the default behavior, but you could likely set up a custom ACL rule to implement something like this if you prefer.

    That message does indicate that ClamAV blocked the test virus. It's possible that ClamAV might not detect viruses in all archives or extensions. You may want to consider blocking all SCR extensions if these pose a problem.

    Authenticated sender implies the email address has been authenticated on the system (someone successfully connected to your server with its username and password).

    Thank you.
     
  14. kdean

    kdean Well-Known Member

    Joined:
    Oct 19, 2012
    Messages:
    262
    Likes Received:
    12
    Trophy Points:
    18
    Location:
    Orlando, FL
    cPanel Access Level:
    Root Administrator
    This doesn't appear to always be true. I just noticed my clamav was no longer logging and the /usr/local/cpanel/3rdparty/etc/clamd.conf had been overwritten after I upgraded from 11.42.1.23 to 11.44.0.30

    Maybe this was because some new settings needed to be added on upgrade, but perhaps it would be best to leave that conf there by default and also make use of one in /etc to override any settings for customization so settings aren't lost when updating.
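A self-contained check for the two configuration points raised in this thread (the cPanel-distributed clamd.conf losing its LogFile/LogClean settings after an upgrade, and exim.conf pointing at the clamd socket), added here as an example and not part of the forum posts or of cPanel's own tooling; it runs against constructed sample files, and on a real server you would pass the paths named above instead.

```sh
#!/bin/sh
# Audit the clamd/Exim wiring discussed in this thread. Constructed example:
# on a cPanel 11.40+ box pass the real paths (/usr/local/cpanel/3rdparty/etc/clamd.conf,
# /etc/exim.conf); the sample files created below stand in for them here.

# Print which candidate clamd.conf is in use and whether it logs (and logs clean scans).
# Output: "logs+clean:<conf>:<logfile>", "logs:<conf>:<logfile>", "nolog:<conf>" or "noconf".
clamd_log_status() {
    for conf in "$@"; do
        [ -r "$conf" ] || continue
        logfile=$(awk '$1=="LogFile"{print $2}' "$conf")
        logclean=$(awk '$1=="LogClean"{print tolower($2)}' "$conf")
        [ -n "$logfile" ] || { echo "nolog:$conf"; return 1; }
        if [ "$logclean" = "yes" ]; then echo "logs+clean:$conf:$logfile"; else echo "logs:$conf:$logfile"; fi
        return 0
    done
    echo "noconf"; return 1
}

# Extract the clamd socket Exim scans through. Output: "wired:<socket>" or "unwired".
exim_av_status() {
    sock=$(sed -n 's/^av_scanner[[:space:]]*=[[:space:]]*clamd:\([^[:space:]]*\).*/\1/p' "$1")
    [ -n "$sock" ] || { echo "unwired"; return 1; }
    echo "wired:$sock"
}

# --- constructed samples (not real server files) ---
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/clamd.conf" <<'EOF'
LogFile /var/log/clamd.log
LogClean yes
LocalSocket /var/clamd
EOF
cat > "$tmp/clamd-after-upgrade.conf" <<'EOF'
LocalSocket /var/clamd
EOF
cat > "$tmp/exim.conf" <<'EOF'
av_scanner = clamd:/var/clamd
EOF

# The first readable candidate wins, mirroring the 3rdparty path taking precedence over /etc.
echo "clamd (as configured):  $(clamd_log_status "$tmp/clamd.conf" /etc/clamd.conf)"
echo "clamd (after upgrade):  $(clamd_log_status "$tmp/clamd-after-upgrade.conf")"
echo "exim:                   $(exim_av_status "$tmp/exim.conf")"
# On a live server also confirm the socket itself exists: [ -S /var/clamd ]
```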
     