Clam and Dovecot - suspicious process warnings

Hi,

I hope someone can help with a little issue. I have ConfigServer Security & Firewall installed and it is set up to alert me via email of suspicious processes and excessive resource usage. The problem is that at regular intervals throughout the day I’m getting warnings about Clam and Dovecot/Dovenull. I think I can disable warnings for certain processes but I’d like to check there’s nothing wrong first.

Full details follow but I guess my first question is: is it normal for these processes to be running for so long?

Msg 1:
Excessive resource usage: clam (23497 (Parent PID:23497))

[code]Account: clam
Resource: Process Time Exceeded: 2136578 > 1800 (seconds)
Executable: /usr/sbin/clamd
Command Line: clamd
PID: 23497 (Parent PID:23497)
Killed: No[/code]

Msg 2:
Suspicious process running under user clam

[code]PID: 23497 (Parent PID:23497)
Account: clam
Uptime: 2136578 seconds

Executable:
/usr/sbin/clamd

Command Line (often faked in exploits):
clamd

Network connections by the process (if any):
tcp: 127.0.0.1:3310 -> 0.0.0.0:0

Files open by the process (if any):
/dev/null
/dev/null
/dev/null
/var/log/clamav/clamd.log

Memory maps by the process (if any): (omitted - let me know if they’d be useful)[/code]

Msg 3:
Excessive resource usage: dovecot (3795 (Parent PID:13186))

[code]Account: dovecot
Resource: Process Time Exceeded: 9041 > 1800 (seconds)
Executable: /usr/libexec/dovecot/auth
Command Line: dovecot/auth
PID: 3795 (Parent PID:13186)
Killed: No[/code]

Msg 4:
Suspicious process running under user dovenull

[code]Time: Thu Aug 21 12:36:11 2014 +0100
PID: 12651 (Parent PID:13186)
Account: dovenull
Uptime: 264 seconds

Executable:
/usr/libexec/dovecot/pop3-login

Command Line (often faked in exploits):
dovecot/pop3-login

Network connections by the process (if any):
tcp: 0.0.0.0:110 -> 0.0.0.0:0
tcp6: 0.0.0.0:110 -> 0.0.0.0:0
tcp: 0.0.0.0:995 -> 0.0.0.0:0
tcp6: 0.0.0.0:995 -> 0.0.0.0:0
tcp: {my IP}:995 -> {external IP}:52275

Files open by the process (if any):
/dev/null
/dev/null
/var/run/dovecot/login-master-notifyf48e6579ea58f331 (deleted)
[eventpoll]
/dev/urandom

Memory maps by the process (if any): (omitted - let me know if they’d be useful)[/code]

System:
CentOS 6.5,
Webmin and Virtualmin

Any help would be gratefully received.

Thanks,

Martin.

Both clamd and dovecot are daemons (virus scanner service / POP3/IMAP mail server) and are expected to be running constantly. So the “excessive resource usage” messages are to be expected.

The messages you’re getting from LFD look legit to me.

One exception is that clamd is listening on a TCP port on your system; on mine it is using a local socket in /var/run/clamav/clamd.ctl. My assumption is that the default config is different on your CentOS than on my Ubuntu. You might want to verify that in clamd’s config file under /etc/clamav. Look for “LocalSocket” and “TCPSocket”.

Secondly, your clamav user is named “clam” while mine is named “clamav”. Again, this can be a distro specific thing. Check entries “LocalSocketGroup” and “User” in ClamAV’s config.

Eric might also be able to tell more about this, he’s experienced with CentOS.

If that turns out to be valid, you can safely add the executables of clamd and dovecot to LFD’s process ignore file so you won’t get warnings about them.

Should the executables ever be modified, you’ll still get a warning about that, provided you have “LF_INTEGRITY” active in LFD’s config section “Directory Watching and Integrity”.
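Before telling LFD to ignore a binary it is worth proving that the binary is the one the distribution shipped, because LFD's process checks will no longer cover that path afterwards (the LF_INTEGRITY file watching mentioned above still will). The script below is an added example, not from this thread and not part of csf/LFD: it assumes csf's ignore file lives at /etc/csf/csf.pignore and uses the `exe:/full/path` entry form that csf documents, and it relies on `rpm -Vf` for the package check on CentOS.

```shell
#!/bin/sh
# Added example (not from the thread): validate a daemon binary before
# adding it to csf/LFD's process ignore file.
# Assumed default (not from the thread): csf's ignore file path and the
# "exe:/path" entry format that csf documents.
PIGNORE="${PIGNORE:-/etc/csf/csf.pignore}"

# pignore_add PATH [FILE]
# Appends "exe:PATH" to FILE exactly once. Refuses relative paths and
# anything that is not a regular file, so a typo never ends up ignored.
# Returns 0 if the entry is present afterwards, 1 on a rejected path.
pignore_add() {
    exe="$1"; file="${2:-$PIGNORE}"
    case "$exe" in
        /*) ;;
        *) echo "refusing relative path: $exe" >&2; return 1 ;;
    esac
    if [ ! -f "$exe" ]; then
        echo "not a regular file: $exe" >&2
        return 1
    fi
    touch "$file" || return 1
    if grep -qxF "exe:$exe" "$file"; then
        echo "already ignored: $exe"
        return 0
    fi
    printf 'exe:%s\n' "$exe" >> "$file"
    echo "added exe:$exe to $file"
}

# pignore_verify PATH
# On RPM-based systems, check that PATH belongs to an installed package and
# is unmodified (rpm -Vf prints nothing and exits 0 when the file verifies).
# Returns 0 when clean, 1 when modified or unowned, 2 when rpm is missing.
pignore_verify() {
    exe="$1"
    if ! command -v rpm >/dev/null 2>&1; then
        echo "rpm not available, skipping package check for $exe" >&2
        return 2
    fi
    if ! out=$(rpm -Vf "$exe" 2>&1); then
        echo "rpm could not verify $exe: $out" >&2
        return 1
    fi
    if [ -n "$out" ]; then
        echo "$exe differs from its package: $out" >&2
        return 1
    fi
    return 0
}

# Usage: sh pignore.sh /usr/sbin/clamd /usr/libexec/dovecot/auth
# (needs root to write the real ignore file; set PIGNORE to a scratch
# file to dry-run). Binaries that fail package verification are skipped.
if [ $# -gt 0 ]; then
    for exe in "$@"; do
        pignore_verify "$exe"
        rc=$?
        if [ "$rc" -eq 1 ]; then
            echo "skipping $exe: check it by hand before ignoring it" >&2
        else
            pignore_add "$exe"
        fi
    done
fi
```

The `exe:` form is deliberately used rather than `user:clam` or `user:dovecot`: ignoring by user would also silence alerts for any other process started under those accounts, while ignoring by executable path is as narrow as the alert itself.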

Hi,

That’s great, thanks for this. I’ve checked clamd.conf and it has the following:

[code]LocalSocket /var/run/clamav/clamd.sock
TCPSocket 3310

#LocalSocketGroup virusgroup
User clam[/code]

So the user appears to be correct, though I’m not sure of the significance of LocalSocketGroup being commented out?

Do the Socket lines tell you anything?

Thanks,

Martin.

Those being commented out just means that it’s using the default option for those… that would affect the permissions of the ClamAV socket (as specified in “LocalSocket”).

-Eric

The owner and group for /var/run/clamav/clamd.sock are both ‘clam’ so I guess that’s OK?

As far as I know Clam is working OK but I’m not really sure how to check.

Anyway, if everything looks OK I’ll set LFD to ignore those two.

Thanks,

Martin.

Your configuration explains why your ClamAV is listening on port 3310 and why its user is “clam” as opposed to “clamav” on Ubuntu.

I’m not sure why it needs both the local socket AND the TCP socket on CentOS, but I’m assuming it’s intentional. :) I’d say you can safely add the executables to LFD’s process ignore file.

To check if Clam is working okay, you can for one check if it’s running (ps aux|grep clam should show the process; then again, LFD already informed you that it’s running :) ), and check /var/log/procmail.log when mail has been delivered to an address that has virus scanning active. You should see evidence of ClamAV being called there. If in doubt, send a (harmless) test “virus” to the address, like from here: http://www.eicar.org/86-0-Intended-use.html

Ahh, that fake virus is very handy, thanks! However, I’m not convinced Clam is scanning anything as I sent it to myself and it got through fine. Here’s how that message looked in procmail.log:

[code]From me@domain  Fri Aug 22 11:19:53 2014
 Subject: Test
  Folder: /var/spool/mail/mailbox.name				   1422
Time:1408702795 From:me@email To:me@otherdomain User:mailbox.name Size:1422 Dest:/var/spool/mail/mailbox.name Mode:None[/code]

So no reference to “clam” anywhere. SpamAssassin is working, if that makes any difference? I can’t see many options for virus scanning in Virtualmin but it looks to be enabled. Any ideas?

Regarding the config, I got a server hardening company to set things up for me so that’s either how they set it or how it came by default on CentOS.

Thanks,

Martin.

Hmm, I’m not exactly sure how the EICAR would have to be put in a mail so that ClamAV recognizes it. Did you send it as an attachment, or in the mail text? Try sending it as a .com inside a .zip or something.

You can test whether your ClamAV recognizes it in general by putting it in a file and running clamscan [filename].

Also make sure virus scanning is enabled for the destination email address. You can look through the procmail log and check the “Mode:” entries. Those should say “None”, “Spam” or “Virus”.
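To answer “has any delivery ever been classified as Virus” without reading the log by eye, the script below tallies the Mode: field of procmail.log records. It is an added example, not from this thread and not Virtualmin's own tooling; it assumes the record layout quoted earlier in the thread (a one-line `Time:… User:… Mode:…` record following a three-line human-readable header), and the sample log lines embedded in it are constructed to match that format, not real data.

```shell
#!/bin/sh
# Added example (not from the thread): summarise the "Mode:" field that
# Virtualmin's procmail wrapper writes to /var/log/procmail.log.
# Assumption: records look like the line quoted in the thread, i.e.
# "Time:<epoch> From:… To:… User:<mailbox> Size:… Dest:… Mode:<None|Spam|Virus>".

# procmail_mode_counts FILE
# Prints "<mode> <count>" lines, sorted by mode. Only the "Time:…" records
# are counted; the three-line header before each one has no Mode field.
# A record with no Mode: field at all is reported as MISSING.
procmail_mode_counts() {
    awk '
        /^Time:[0-9]+ / {
            mode = "MISSING"
            for (i = 1; i <= NF; i++)
                if ($i ~ /^Mode:/) mode = substr($i, 6)
            count[mode]++
        }
        END { for (m in count) print m, count[m] }
    ' "$1" | sort
}

# procmail_mode_for_user FILE USER
# Prints the Mode value of every delivery to one Virtualmin mailbox user,
# so you can confirm that mail for that user actually passes the scanners.
procmail_mode_for_user() {
    awk -v want="$2" '
        /^Time:[0-9]+ / {
            user = ""; mode = "MISSING"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^User:/) user = substr($i, 6)
                if ($i ~ /^Mode:/) mode = substr($i, 6)
            }
            if (user == want) print mode
        }
    ' "$1"
}

# Constructed sample of /var/log/procmail.log (not real data): one normal
# delivery, one spam-foldered delivery, one record without a Mode field.
sample_log() {
    cat <<'EOF'
From me@domain  Fri Aug 22 11:19:53 2014
 Subject: Test
  Folder: /var/spool/mail/mailbox.name   1422
Time:1408702795 From:me@email To:me@otherdomain User:mailbox.name Size:1422 Dest:/var/spool/mail/mailbox.name Mode:None
From spammer@example.invalid  Fri Aug 22 11:25:02 2014
 Subject: buy now
  Folder: /home/example/homes/mailbox.name/Maildir/.spam/new/   5120
Time:1408703102 From:spammer@example.invalid To:me@otherdomain User:mailbox.name Size:5120 Dest:/home/example/homes/mailbox.name/Maildir/.spam/ Mode:Spam
Time:1408703200 From:other@example.invalid To:someone@otherdomain User:other.name Size:800 Dest:/var/spool/mail/other.name
EOF
}

# Usage: sh procmail_modes.sh /var/log/procmail.log [mailbox.user]
if [ $# -gt 0 ]; then
    echo "Mode counts in $1:"
    procmail_mode_counts "$1"
    if [ $# -gt 1 ]; then
        echo "Modes seen for user $2:"
        procmail_mode_for_user "$1" "$2"
    fi
fi
```

If the counts show Spam but never Virus while the maillog shows remote servers rejecting forwarded mail as infected, that is the situation described later in this thread, and the per-user listing narrows down whether the scanner simply never ran for that mailbox.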

Hiya,

I copied the text and saved it as a file with a .exe extension then sent it as an attachment.

I can’t seem to save the actual attachment to my server but I created a new file and scanned it with clamscan which correctly identified the virus.

I’ve checked that address and spam and virus scanning are enabled.

Looking at procmail.log there are a load with the Mode “Spam” but none with “Virus”, though that could mean we’ve not received any and the test fake virus is broken (maybe to do with how I saved it or something).

I have some mail forwarders set up and have just checked maillog where there are some failures from the remote server, saying things like “550-This message contains a virus or other harmful content 550 (Sanesecurity.Malware.23485.PdfHeur.UNOFFICIAL) (in reply to end of DATA command))”. This would suggest clam isn’t working, or is forwarded mail not scanned?

Thanks,

Martin.