jmelika
asked on
ClamAV on Postfix having issues scanning .zip attachments (SMTP Filter)
Hello folks,
Our email server is running Exchange 2003 with Symantec AV for Exchange. Exchange is also acting as the SMTP server carrying our MX record. The server, as expected, is spending a lot of CPU and memory on scanning inbound/outbound mail. I decided to dedicate a Gentoo Linux box running Postfix, ClamAV, and Amavis for antivirus and antispam. I am not a Linux guru, so I pretty much followed the instructions here http://www.gentoo.org/doc/en/mailfilter-guide.xml step by step.
After I was finished and made sure everything works, I moved my MX record over to the Gentoo server. This server is doing a great job now in scanning and filtering my inbound and outbound mail. Since I'm still in the trial phase, I kept everything running as it was on Exchange, including Symantec AV, etc. I noticed that virus emails are getting scanned and caught by the Gentoo box except the ones with .zip attachments. Those bad boys go through and Symantec then catches them. I don't really like that because I want to eventually turn that off. I ran freshclam to update my virus definitions and everything is up to date. Not sure what's up here.
Freshclam results:
---------------------
ClamAV update process started at Sat May 7 16:15:17 2005
WARNING: Your ClamAV installation is OUTDATED - please update immediately!
WARNING: Local version: 0.83 Recommended version: 0.84
main.cvd is up to date (version: 31, sigs: 33079, f-level: 4, builder: tkojm)
daily.cvd is up to date (version: 871, sigs: 1178, f-level: 4, builder: ccordes)
** I'm not quite sure why it says outdated, because emerge sync and emerge clamav do not update it for me.
amavisd reload results:
--------------------------
May 7 16:17:02 SRVGPISMTP amavis[18906]: starting. /usr/sbin/amavisd at SRVGPISMTP amavisd-new-2.2.1 (20041222), Unicode aware
May 7 16:17:02 SRVGPISMTP amavis[18906]: Perl version 5.008005
May 7 16:17:03 SRVGPISMTP amavis[18907]: Module Amavis::Conf 2.034
May 7 16:17:03 SRVGPISMTP amavis[18907]: Module Archive::Tar 1.23
May 7 16:17:03 SRVGPISMTP amavis[18907]: Module Archive::Zip 1.14
May 7 16:17:03 SRVGPISMTP amavis[18907]: Module BerkeleyDB 0.26
May 7 16:17:03 SRVGPISMTP amavis[18907]: Module Compress::Zlib 1.33
May 7 16:17:03 SRVGPISMTP amavis[18907]: Module Convert::TNEF 0.17
May 7 16:17:03 SRVGPISMTP amavis[18907]: Module Convert::UUlib 1.051
May 7 16:17:03 SRVGPISMTP amavis[18907]: Module DBI 1.46
May 7 16:17:03 SRVGPISMTP amavis[18907]: Module DB_File 1.809
May 7 16:17:03 SRVGPISMTP amavis[18907]: Module MIME::Entity 5.415
May 7 16:17:03 SRVGPISMTP amavis[18907]: Module MIME::Parser 5.415
May 7 16:17:03 SRVGPISMTP amavis[18907]: Module MIME::Tools 5.415
May 7 16:17:03 SRVGPISMTP amavis[18907]: Module Mail::Header 1.65
May 7 16:17:03 SRVGPISMTP amavis[18907]: Module Mail::Internet 1.65
May 7 16:17:03 SRVGPISMTP amavis[18907]: Module Mail::SpamAssassin 3.000002
May 7 16:17:03 SRVGPISMTP amavis[18907]: Module Net::Cmd 2.26
May 7 16:17:03 SRVGPISMTP amavis[18907]: Module Net::DNS 0.40
May 7 16:17:03 SRVGPISMTP amavis[18907]: Module Net::SMTP 2.29
May 7 16:17:03 SRVGPISMTP amavis[18907]: Module Net::Server 0.85
May 7 16:17:03 SRVGPISMTP amavis[18907]: Module Razor2::Client::Version 2.61
May 7 16:17:03 SRVGPISMTP amavis[18907]: Module Time::HiRes 1.66
May 7 16:17:03 SRVGPISMTP amavis[18907]: Module Unix::Syslog 0.100
May 7 16:17:03 SRVGPISMTP amavis[18907]: Amavis::DB code loaded
May 7 16:17:03 SRVGPISMTP amavis[18907]: Amavis::Cache code loaded
May 7 16:17:03 SRVGPISMTP amavis[18907]: Lookup::SQL code NOT loaded
May 7 16:17:03 SRVGPISMTP amavis[18907]: Lookup::LDAP code NOT loaded
May 7 16:17:03 SRVGPISMTP amavis[18907]: AMCL-in protocol code loaded
May 7 16:17:03 SRVGPISMTP amavis[18907]: SMTP-in protocol code loaded
May 7 16:17:03 SRVGPISMTP amavis[18907]: ANTI-VIRUS code loaded
May 7 16:17:03 SRVGPISMTP amavis[18907]: ANTI-SPAM code loaded
May 7 16:17:03 SRVGPISMTP amavis[18907]: Unpackers code loaded
May 7 16:17:03 SRVGPISMTP amavis[18907]: Found $file at /usr/bin/file
May 7 16:17:03 SRVGPISMTP amavis[18907]: Found $arc at /usr/bin/arc
May 7 16:17:03 SRVGPISMTP amavis[18907]: Found $gzip at /bin/gzip
May 7 16:17:03 SRVGPISMTP amavis[18907]: Found $bzip2 at /bin/bzip2
May 7 16:17:03 SRVGPISMTP amavis[18907]: No $lzop, not using it
May 7 16:17:03 SRVGPISMTP amavis[18907]: Found $lha at /usr/bin/lha
May 7 16:17:03 SRVGPISMTP amavis[18907]: Found $unarj at /usr/bin/unarj
May 7 16:17:03 SRVGPISMTP amavis[18907]: Found $uncompress at /usr/bin/uncompress
May 7 16:17:03 SRVGPISMTP amavis[18907]: Found $unfreeze at /usr/bin/unfreeze
May 7 16:17:03 SRVGPISMTP amavis[18907]: Found $unrar at /usr/bin/unrar
May 7 16:17:03 SRVGPISMTP amavis[18907]: Found $zoo at /usr/bin/zoo
May 7 16:17:03 SRVGPISMTP amavis[18907]: No $pax, not using it
May 7 16:17:03 SRVGPISMTP amavis[18907]: Found $cpio at /bin/cpio
May 7 16:17:03 SRVGPISMTP amavis[18907]: Found $ar at /usr/bin/ar
May 7 16:17:03 SRVGPISMTP amavis[18907]: No $rpm2cpio, not using it
May 7 16:17:03 SRVGPISMTP amavis[18907]: Found $cabextract at /usr/bin/cabextract
May 7 16:17:03 SRVGPISMTP amavis[18907]: No $ripole, not using it
May 7 16:17:03 SRVGPISMTP amavis[18907]: No $dspam, not using it
May 7 16:17:03 SRVGPISMTP amavis[18907]: Using internal av scanner code for (primary) ClamAV-clamd
May 7 16:17:03 SRVGPISMTP amavis[18907]: Found secondary av scanner ClamAV-clamscan at /usr/bin/clamscan
May 7 16:17:03 SRVGPISMTP amavis[18907]: Creating db in /var/amavis/db/; BerkeleyDB 0.26, libdb 4.1
Postfix reload results:
------------------------
May 7 16:18:44 SRVGPISMTP postfix/master[18971]: daemon started -- version 2.1.5
Please advise.
Thanks!
JM
You are in fact running an outdated version of ClamAV (see http://www.clamav.net/). While the latest version may not be in the Gentoo distro/updates you can download the latest from the web site and install it. It will look in Zip files...
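One way to confirm that a given clamd really does look inside zip attachments, as an added example that is not part of this thread: the script below builds an in-memory zip containing the standard EICAR test file and frames it as a clamd INSTREAM request, then reads the verdict back. The transport is injected so the framing and reply parsing can be exercised without a daemon; the UNIX socket path is an assumption and must match the LocalSocket setting in your clamd.conf.

```python
import socket
import struct
import zipfile
from io import BytesIO

# Standard EICAR test pattern (harmless by design); split so the exact literal is not in this file.
EICAR = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$" + "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

def eicar_zip():
    """Constructed sample: an in-memory .zip attachment holding eicar.com."""
    buf = BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("eicar.com", EICAR)
    return buf.getvalue()

def instream_frames(data, chunk=8192):
    """clamd zINSTREAM framing: big-endian u32 length before each chunk, zero-length chunk ends."""
    out = [b"zINSTREAM\0"]
    for i in range(0, len(data), chunk):
        piece = data[i:i + chunk]
        out.append(struct.pack(">I", len(piece)) + piece)
    out.append(struct.pack(">I", 0))
    return b"".join(out)

def parse_reply(reply):
    """b'stream: X FOUND\\0' -> (True, 'X'); b'stream: OK\\0' -> (False, 'OK')."""
    text = reply.rstrip(b"\0\n").decode(errors="replace")
    verdict = text.partition(": ")[2] or text
    if verdict.endswith(" FOUND"):
        return True, verdict[:-len(" FOUND")]
    return False, verdict

def scan_with_clamd(data, transport):
    """transport(request) -> reply; injected so the check runs without a daemon."""
    return parse_reply(transport(instream_frames(data)))

def unix_socket_transport(path="/var/run/clamav/clamd.sock"):
    """Real clamd over a UNIX socket; the path is an assumption, match LocalSocket."""
    def send(request):
        with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
            s.connect(path)
            s.sendall(request)
            reply = b""
            while not reply.endswith(b"\0"):
                part = s.recv(4096)
                if not part:
                    break
                reply += part
            return reply
    return send
```

Against a live daemon, `scan_with_clamd(eicar_zip(), unix_socket_transport())` should return `(True, 'Eicar-Test-Signature')`; a plain `OK` means the archive was not unpacked, so check that ScanArchive is enabled in clamd.conf.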
My suggestion is to use ClamAV along with MailScanner. It is very good freeware, which is available at the following URL.
http://www.sng.ecs.soton.ac.uk/mailscanner/
We are using this MailScanner and it is working very well along with ClamAV.
It has a lot of other features as well.
Best Regards,
Gopu N
HCL Technologies Ltd.
ngopu@hcltech.com
ASKER
Thanks guys.
jlevie - I updated to 8.4 and still it does not scan ZIP files. Any other suggestions?
ngopu - Thanks for the suggestion. Do you have any instructions on how to implement MailScanner with Clam AV on Gentoo?
JM
ClamAV 0.84 on my RedHat systems certainly scans zip files. I don't know why it would fail to do so on Gentoo.
I don't know if you could use the RPM installation of MailScanner on Gentoo (try it, at the worst it'll just fail). But I'm sure you could install it with the manual method documented for non-RPM installations.
I have not tried it on Gentoo Linux.
Go through the given URL; you can find more info there. I am not sure whether the RPM is compatible, but you can use the general Linux installation script (non-RPM).
Gopu N
You can find the details in the following URL:
http://footon.jheslop.com/howto/anti-virus-spam-howto.html
ASKER
OK, I'll admit, my fault. The reason Symantec catches the viruses is because ClamAV is set to forward quarantine to a public folder, and Symantec catches those viruses and quarantines them. That's why I see Symantec reporting all the viruses coming through. I thought ClamAV was letting them through, but it's my configuration :D
Sorry guys!
JM