vasanthkumar621

Registered
Dec 6, 2019
1
0
1
Bangalore
cPanel Access Level
Website Owner
We will be getting a lot of emails with virus attachments like invoice.doc, UPS invoice.doc. We installed ClamAV Antivirus and scan the server every week.
Viruses will be detected and destroyed on the server. But I would like to know of any cPanel plugin or any software which can help us in scanning attachments and removing virus URLs/attachments from the email before it reaches the user mailbox.
 


cPanelLauren

Forums Analyst II
Staff member
Nov 14, 2017
9,012
762
263
Houston
cPanel Access Level
DataCenter Provider
Hello,

There is a setting within the exim configuration manager which will Automatically filter messages with dangerous attachments - the specific attachments that are filtered are listed as follows: /usr/local/cpanel/etc/exim/sysfilter/options/attachments

Code:
grep "header_content-type" /usr/local/cpanel/etc/exim/sysfilter/options/attachments
if $header_content-type: matches "(?:file)?name=(\"[^\"]+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc])\")"
if $header_content-type: matches "(?:file)?name=(\\\\S+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc]))([\\\\s;]|\\$)"
If you need a realtime scanner you may want to look at products like ConfigServer's MailScanner, one of the several listed here: cPanel App Catalog :: Security
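
Added example, not part of the original post and not cPanel's code: a Python model of the two `matches` conditions quoted above, run against constructed Content-Type values to show which attachment names the extension list catches. It assumes Exim's filter-file escaping reduces `\\\\.` to the regex `\.` and `\\$` to `$`, and that lower-case `matches` is case-insensitive; `is_filtered`, `SAMPLES` and `report` are hypothetical names.

```python
import re

# Extension alternation copied from the two sysfilter lines quoted in the post.
EXTS = (r"ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|"
        r"md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc]")

# Assumption: after Exim's string unescaping the regexes are as written here,
# and lower-case "matches" in an Exim filter ignores case (hence re.I).
QUOTED = re.compile(r'(?:file)?name=("[^"]+\.(?:' + EXTS + r')")', re.I)
BARE = re.compile(r'(?:file)?name=(\S+\.(?:' + EXTS + r'))([\s;]|$)', re.I)


def is_filtered(content_type: str) -> bool:
    """True if either of the two quoted conditions matches this header value."""
    return bool(QUOTED.search(content_type) or BARE.search(content_type))


# Constructed sample Content-Type values (not taken from real mail).
SAMPLES = [
    'application/msword; name="invoice.doc"',              # name from the question
    'application/octet-stream; name="UPS invoice.doc.js"', # double extension
    'application/octet-stream; name=setup.SCR; charset=x', # unquoted, upper case
    'application/pdf; name="report.pdf"',
    'text/plain; name="notes.com.txt"',                    # listed ext not last
]


def report() -> dict:
    """Map each sample header value to whether the modelled filter matches it."""
    return {ct: is_filtered(ct) for ct in SAMPLES}


if __name__ == "__main__":
    for ct, hit in report().items():
        print(("FILTERED " if hit else "passes   ") + ct)
```

Only the two lines shown in the grep output are modelled. Names ending in `.doc`, such as the `invoice.doc` from the question, are not in the extension list, so those messages still depend on content scanning.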
 

keat63

Well-Known Member
Nov 20, 2014
1,499
128
93
cPanel Access Level
Root Administrator
Mailscanner does a half decent job, but it's not free.

Also, it's only as good as ClamAV's signatures, so it's not infallible.

I have 3 lines of defence, ClamAV on the server, a Watchguard Firewall and Norton AV on the clients, but it still takes common sense and vigilance.
 

rpvw

Well-Known Member
Jul 18, 2013
1,100
453
113
UK
cPanel Access Level
Root Administrator
ClamAV should be able to scan incoming (and outgoing if you have switched it on) messages in real time PROVIDED that you are using the maildir mailbox format.

If you are using the mbox mailbox format, you may need to implement significantly more complex solutions using doveadm tools and commands for real time scanning.

Please see Configure ClamAV Scanner - Version 84 Documentation - cPanel Documentation for full details and instructions as to how to implement the service.
 

cPanelLauren

Forums Analyst II
Staff member
Nov 14, 2017
9,012
762
263
Houston
cPanel Access Level
DataCenter Provider
ClamAV doesn't do real-time scanning out of the box, it takes some configuration - they do give instructions for this in their documentation here:

This is a fairly new feature though, which is why originally products like mailscanner were leveraged to allow for real time scanning using ClamAV. You'll also find that a lot of malware detection tools use ClamAV's virus signatures - LMD does as well.
 

rpvw

Well-Known Member
Jul 18, 2013
1,100
453
113
UK
cPanel Access Level
Root Administrator
ClamAV doesn't do real-time scanning out of the box
So the behavior as described in the cPanel documentation (My additional highlighting)
ClamAV automatically scans inbound messages through Exim.
However, you must perform additional steps if you wish for ClamAV to scan outbound messages through Exim.
is no longer valid? I used to see clam scanning inbound and outbound messages as little as 6 months ago - when did this get stopped?
 

cPanelLauren

Forums Analyst II
Staff member
Nov 14, 2017
9,012
762
263
Houston
cPanel Access Level
DataCenter Provider
You're right - I'm getting standard ClamAV implementation mixed up with ours. We do integrate ClamAV scanning on inbound mail:


clamav.png

If you wanted to set that up manually you'd have to do it the way I suggested but it shouldn't really be any different as the virus database is the same. One thing to check would be to ensure that "Allow mail delivery if malware scanner fails" is off if you want to force mail to be scanned - in the event that ClamAV fails to scan an email you won't be notified when utilizing it through the exim configuration.
 

rpvw

Well-Known Member
Jul 18, 2013
1,100
453
113
UK
cPanel Access Level
Root Administrator
One consideration is that ClamAV has never been particularly swift in publishing rules for zero day exploits.

To that end, given that the scan done on exim receiving a mail may well initially pass the mail as being free from viruses, it is important to implement a scheduled scan (e.g. daily) that will have another look at any mails residing in your maildir folders and will make use of any updated virus definitions.

See Configure ClamAV Scanner - Version 84 Documentation - cPanel Documentation for full details.
 