Clamdscan not classifying email with virus

🛈 SYSTEM INFORMATION
OS type and version: CentOS Linux 7.9.2009
Webmin version: 1.984
Virtualmin version: 6.17
Related packages: Clamav, Postfix, Procmail

Hello everyone.

I’m trying (again) to figure out why clamscan does not delete/detect emails containing a virus.

I had some problems with the clamscan socket, but I managed to sort that out. So now I’m sure the scanner is running and filtering email. How do I know this?

Well, the basic eicar test shows the system doing its job.

Time:1643969629 From:eicar@aleph-tec.com To:address@myserver.tld User:user-atmyserver.tld Size:3522 Dest:/dev/null Mode:Virus
Time:1643969630 From:eicar@aleph-tec.com To:address@myserver.tld User:user-atmyserver.tld Size:5512 Dest:/dev/null Mode:Virus

So, one should assume it is working.

Fact is, it is not!
I got some fake emails with supposed invoices sent to this address, containing a virus in the attachment.

The result from procmail.log:

Time:1643629859 From:carlaoliveira@grupojap.pt To:address@myserver.tld User:user-atmyserver.tld Size:624648 Dest:/home/domain/homes/user/Maildir/new/1643629857.32287_1.myserver.tld Mode:None

This should not be marked as Mode:None

When I run:

clamscan -r -i /home/domain/homes/user/Maildir/cur

Results as:

/home/domain/homes/user/Maildir/cur/1585745941.16826_1.myserver.domain.tld:2,S: Win.Packed.Vebzenpak-7646494-0 FOUND
/home/domain/homes/user/Maildir/cur/1588661445.26354_0.myserver.domain.tld:2,S: Win.Dropper.Nanocore-9184628-0 FOUND
/home/domain/homes/user/Maildir/cur/1585922070.24735_1.myserver.domain.tld:2,S: Win.Downloader.Minix-7667499-0 FOUND
/home/domain/homes/user/Maildir/cur/1592392578.24377_1.myserver.domain.tld:2,S: Win.Trojan.Generic-9843487-0 FOUND
/home/domain/homes/user/Maildir/cur/1584369713.17617_2.myserver.domain.tld:2,S: Win.Trojan.Agent-7655354-0 FOUND
/home/domain/homes/user/Maildir/cur/1585915642.7464_1.myserver.domain.tld:2,S: Win.Downloader.Minix-7667499-0 FOUND
/home/domain/homes/user/Maildir/cur/1591986071.3140_1.myserver.domain.tld:2,S: Win.Trojan.Ponystealer-9890288-0 FOUND
/home/domain/homes/user/Maildir/cur/1585915789.7723_1.myserver.domain.tld:2,S: Win.Downloader.Minix-7667499-0 FOUND
/home/domain/homes/user/Maildir/cur/1587112898.29533_0.myserver.domain.tld:2,S: Win.Dropper.Remcos-7686834-0 FOUND
/home/domain/homes/user/Maildir/cur/1585702389.14555_1.myserver.domain.tld:2,S: Win.Trojan.Ponystealer-7648176-0 FOUND
/home/domain/homes/user/Maildir/cur/1585925307.7417_1.myserver.domain.tld:2,S: Win.Downloader.Minix-7667499-0 FOUND
/home/domain/homes/user/Maildir/cur/1591349091.21868_1.myserver.domain.tld:2,S: Win.Trojan.Vebzenpak-9782050-0 FOUND
/home/domain/homes/user/Maildir/cur/1585655956.25127_2.myserver.domain.tld:2,S: Win.Trojan.Ponystealer-7648176-0 FOUND
/home/domain/homes/user/Maildir/cur/1585741063.27935_2.myserver.domain.tld:2,S: Win.Packed.Vebzenpak-7646494-0 FOUND
/home/domain/homes/user/Maildir/cur/1587042864.10489_1.myserver.domain.tld:2,S: Win.Dropper.Remcos-7686834-0 FOUND
/home/domain/homes/user/Maildir/cur/1586969145.15603_0.myserver.domain.tld:2,S: Win.Trojan.VBGeneric-7670258-0 FOUND
/home/domain/homes/user/Maildir/cur/1587736159.18544_1.myserver.domain.tld:2,S: Win.Trojan.VBGeneric-7689713-0 FOUND
/home/domain/homes/user/Maildir/cur/1584364910.3522_1.myserver.domain.tld:2,S: Win.Trojan.Agent-7655354-0 FOUND
/home/domain/homes/user/Maildir/cur/1588667103.9764_0.myserver.domain.tld:2,S: Win.Dropper.Nanocore-9184628-0 FOUND
/home/domain/homes/user/Maildir/cur/1589348841.12204_0.myserver.domain.tld:2,S: Win.Malware.Autoit-9822233-0 FOUND
/home/domain/homes/user/Maildir/cur/1602168503.321_0.myserver.domain.tld:2,S: Win.Dropper.Lokibot-9775457-0 FOUND
/home/domain/homes/user/Maildir/cur/1602501655.31720_1.myserver.domain.tld:2,S: Win.Malware.Generic-9777076-0 FOUND
/home/domain/homes/user/Maildir/cur/1603720083.1990_0.myserver.domain.tld:2,S: Win.Trojan.Noon-9850822-0 FOUND
/home/domain/homes/user/Maildir/cur/1612259834.22783_1.myserver.domain.tld:2,S: Win.Dropper.LokiBot-9829273-0 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 8605150
Engine version: 0.103.5
Scanned directories: 1
Scanned files: 124
Infected files: 24
Data scanned: 152.12 MB
Data read: 80.48 MB (ratio 1.89:1)
Time: 80.723 sec (1 m 20 s)
Start Date: 2022:02:04 15:47:02
End Date: 2022:02:04 15:48:22

Can someone point out what is wrong?
I went over all the config files, but I end up at the same point: if eicar is detected, why aren’t all the other emails?

Hope someone might know more and can drop help on this matter.

Thanks.

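The post compares two sources of truth by hand: the procmail.log delivery records (Mode:Virus vs Mode:None) and a later clamscan run over the Maildir. The script below automates that comparison. It is an added example, not code from the original post or from Virtualmin/ClamAV; the procmail.log and clamscan line formats are the ones shown in the thread, and the log lines and scan output it contains are constructed sample data with placeholder addresses (hypothetical sender@example.net etc.), not the poster's real messages. One detail worth handling: procmail logs the message under Maildir/new/, but by the time clamscan runs the message has usually been moved to cur/ and has a ":2,S" flag suffix, so the two must be matched on the unique part of the filename. As a practitioner's caveat, the function size_hint reports the largest message procmail did classify as Virus next to the smallest one it missed; a clear gap between the two (as in the post, 5512 bytes caught vs 624648 bytes passed) is a cue to check clamd's size limits (StreamMaxLength, MaxFileSize, MaxScanSize in clamd.conf) rather than signatures, though the thread itself does not establish that this is the cause.

```python
"""Cross-check procmail.log delivery records against a later clamscan run.

Added example (not from the original post). Reports messages that procmail
delivered with Mode:None but that clamscan flags as infected, matching
Maildir filenames on their unique part because new/<name> becomes
cur/<name>:2,S once the message is read.
"""
import re
from pathlib import PurePosixPath
from typing import Dict, List, Optional, Tuple

# Constructed sample data modelled on the lines in the thread (placeholder addresses).
PROCMAIL_LOG = """\
Time:1643969629 From:eicar@example.net To:address@myserver.tld User:user-atmyserver.tld Size:3522 Dest:/dev/null Mode:Virus
Time:1643629859 From:sender@example.net To:address@myserver.tld User:user-atmyserver.tld Size:624648 Dest:/home/domain/homes/user/Maildir/new/1643629857.32287_1.myserver.tld Mode:None
Time:1643629900 From:friend@example.org To:address@myserver.tld User:user-atmyserver.tld Size:2048 Dest:/home/domain/homes/user/Maildir/new/1643629900.11111_0.myserver.tld Mode:None
Time:1643629950 From:other@example.org To:address@myserver.tld User:user-atmyserver.tld Size:70000 Dest:/home/domain/homes/user/Maildir/new/1643629950.22222_0.myserver.tld Mode:None
"""

# Constructed clamscan output (run without -i, so clean files print "OK" too).
CLAMSCAN_OUTPUT = """\
/home/domain/homes/user/Maildir/cur/1643629857.32287_1.myserver.tld:2,S: Win.Trojan.Generic-9843487-0 FOUND
/home/domain/homes/user/Maildir/cur/1643629900.11111_0.myserver.tld:2,S: OK
/home/domain/homes/user/Maildir/new/1643629950.22222_0.myserver.tld: Win.Dropper.Nanocore-9184628-0 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 8605150
Infected files: 2
"""

# One delivery record per line: Time/From/To/User/Size/Dest/Mode, space separated.
LOG_RE = re.compile(
    r"^Time:(?P<time>\d+) From:(?P<sender>\S+) To:(?P<to>\S+) User:(?P<user>\S+) "
    r"Size:(?P<size>\d+) Dest:(?P<dest>\S+) Mode:(?P<mode>\S+)$"
)
# clamscan per-file result: "<path>: <signature> FOUND" or "<path>: OK".
# Summary lines ("Known viruses: ...") end with neither and are ignored.
SCAN_RE = re.compile(r"^(?P<path>.+?): (?:(?P<sig>.+) FOUND|OK)$")


def maildir_key(path: str) -> str:
    """Unique Maildir name: basename with any ':2,<flags>' suffix stripped."""
    return PurePosixPath(path).name.split(":", 1)[0]


def parse_procmail_log(text: str) -> List[dict]:
    """Parse delivery records; lines that are not records are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["time"] = int(e["time"])
        e["size"] = int(e["size"])
        entries.append(e)
    return entries


def parse_clamscan_output(text: str) -> Dict[str, Optional[str]]:
    """Map Maildir unique name -> signature name, or None for a clean (OK) file."""
    results: Dict[str, Optional[str]] = {}
    for line in text.splitlines():
        m = SCAN_RE.match(line.strip())
        if m:
            results[maildir_key(m.group("path"))] = m.group("sig")
    return results


def find_missed(entries: List[dict], scan: Dict[str, Optional[str]]) -> List[dict]:
    """Deliveries that procmail let through (Mode:None, real Dest) but clamscan flags."""
    missed = []
    for e in entries:
        if e["mode"] != "None" or e["dest"] == "/dev/null":
            continue  # already classified as Virus, or discarded
        sig = scan.get(maildir_key(e["dest"]))
        if sig:
            missed.append({**e, "signature": sig})
    return missed


def size_hint(entries: List[dict], missed: List[dict]) -> Tuple[Optional[int], Optional[int]]:
    """(largest size procmail marked Virus, smallest size it missed): a gap hints at size limits."""
    caught = [e["size"] for e in entries if e["mode"] == "Virus"]
    return (max(caught) if caught else None,
            min(m["size"] for m in missed) if missed else None)


if __name__ == "__main__":
    entries = parse_procmail_log(PROCMAIL_LOG)
    scan = parse_clamscan_output(CLAMSCAN_OUTPUT)
    missed = find_missed(entries, scan)
    for m in missed:
        print(f"MISSED at delivery: {maildir_key(m['dest'])} size={m['size']} {m['signature']}")
    print("largest caught / smallest missed:", size_hint(entries, missed))
```

Point it at the real files with `parse_procmail_log(open("/var/log/procmail.log").read())` and the saved output of `clamscan -r /home/domain/homes/user/Maildir` (without `-i`, so clean files are recorded as OK and the absence of a verdict can be told apart from a clean verdict).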

Tried on a new setup with CentOS 8 Stream and same situation.

Viruses are detected on a manual scan, but not detected as mail files.
The best I managed to get was that infected emails on CentOS 8 are being deleted (without logging it in procmail.log, dunno why). But at least, so far, it is working better than on CentOS 7.
