| 🛈 SYSTEM INFORMATION | |
|---|---|
| OS type and version | CentOS Linux 7.9.2009 |
| Webmin version | 1.984 |
| Virtualmin version | 6.17 |
| Related packages | Clamav, Postfix, Procmail |
Hello everyone.
I’m trying (again) to figure out why clamscan does not delete/detect emails containing a virus.
I had some problems with the clamscan socket, but I managed to sort that out. So now I’m sure the scanner is running and filtering email. How do I know this?
Well, the basic eicar test shows the system doing its job.
```
Time:1643969629 From:eicar@aleph-tec.com To:address@myserver.tld User:user-atmyserver.tld Size:3522 Dest:/dev/null Mode:Virus
Time:1643969630 From:eicar@aleph-tec.com To:address@myserver.tld User:user-atmyserver.tld Size:5512 Dest:/dev/null Mode:Virus
```
So, one should assume it is working.
Fact is, it is not!
I got some fake emails with supposed invoices sent to this address, containing a virus in the attachment.
The result from procmail.log:
```
Time:1643629859 From:carlaoliveira@grupojap.pt To:address@myserver.tld User:user-atmyserver.tld Size:624648 Dest:/home/domain/homes/user/Maildir/new/1643629857.32287_1.myserver.tld Mode:None
```
This should not be marked as Mode:None
When I run:
```
clamscan -r -i /home/domain/homes/user/Maildir/cur
```
The results are:
```
/home/domain/homes/user/Maildir/cur/1585745941.16826_1.myserver.domain.tld:2,S: Win.Packed.Vebzenpak-7646494-0 FOUND
/home/domain/homes/user/Maildir/cur/1588661445.26354_0.myserver.domain.tld:2,S: Win.Dropper.Nanocore-9184628-0 FOUND
/home/domain/homes/user/Maildir/cur/1585922070.24735_1.myserver.domain.tld:2,S: Win.Downloader.Minix-7667499-0 FOUND
/home/domain/homes/user/Maildir/cur/1592392578.24377_1.myserver.domain.tld:2,S: Win.Trojan.Generic-9843487-0 FOUND
/home/domain/homes/user/Maildir/cur/1584369713.17617_2.myserver.domain.tld:2,S: Win.Trojan.Agent-7655354-0 FOUND
/home/domain/homes/user/Maildir/cur/1585915642.7464_1.myserver.domain.tld:2,S: Win.Downloader.Minix-7667499-0 FOUND
/home/domain/homes/user/Maildir/cur/1591986071.3140_1.myserver.domain.tld:2,S: Win.Trojan.Ponystealer-9890288-0 FOUND
/home/domain/homes/user/Maildir/cur/1585915789.7723_1.myserver.domain.tld:2,S: Win.Downloader.Minix-7667499-0 FOUND
/home/domain/homes/user/Maildir/cur/1587112898.29533_0.myserver.domain.tld:2,S: Win.Dropper.Remcos-7686834-0 FOUND
/home/domain/homes/user/Maildir/cur/1585702389.14555_1.myserver.domain.tld:2,S: Win.Trojan.Ponystealer-7648176-0 FOUND
/home/domain/homes/user/Maildir/cur/1585925307.7417_1.myserver.domain.tld:2,S: Win.Downloader.Minix-7667499-0 FOUND
/home/domain/homes/user/Maildir/cur/1591349091.21868_1.myserver.domain.tld:2,S: Win.Trojan.Vebzenpak-9782050-0 FOUND
/home/domain/homes/user/Maildir/cur/1585655956.25127_2.myserver.domain.tld:2,S: Win.Trojan.Ponystealer-7648176-0 FOUND
/home/domain/homes/user/Maildir/cur/1585741063.27935_2.myserver.domain.tld:2,S: Win.Packed.Vebzenpak-7646494-0 FOUND
/home/domain/homes/user/Maildir/cur/1587042864.10489_1.myserver.domain.tld:2,S: Win.Dropper.Remcos-7686834-0 FOUND
/home/domain/homes/user/Maildir/cur/1586969145.15603_0.myserver.domain.tld:2,S: Win.Trojan.VBGeneric-7670258-0 FOUND
/home/domain/homes/user/Maildir/cur/1587736159.18544_1.myserver.domain.tld:2,S: Win.Trojan.VBGeneric-7689713-0 FOUND
/home/domain/homes/user/Maildir/cur/1584364910.3522_1.myserver.domain.tld:2,S: Win.Trojan.Agent-7655354-0 FOUND
/home/domain/homes/user/Maildir/cur/1588667103.9764_0.myserver.domain.tld:2,S: Win.Dropper.Nanocore-9184628-0 FOUND
/home/domain/homes/user/Maildir/cur/1589348841.12204_0.myserver.domain.tld:2,S: Win.Malware.Autoit-9822233-0 FOUND
/home/domain/homes/user/Maildir/cur/1602168503.321_0.myserver.domain.tld:2,S: Win.Dropper.Lokibot-9775457-0 FOUND
/home/domain/homes/user/Maildir/cur/1602501655.31720_1.myserver.domain.tld:2,S: Win.Malware.Generic-9777076-0 FOUND
/home/domain/homes/user/Maildir/cur/1603720083.1990_0.myserver.domain.tld:2,S: Win.Trojan.Noon-9850822-0 FOUND
/home/domain/homes/user/Maildir/cur/1612259834.22783_1.myserver.domain.tld:2,S: Win.Dropper.LokiBot-9829273-0 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 8605150
Engine version: 0.103.5
Scanned directories: 1
Scanned files: 124
Infected files: 24
Data scanned: 152.12 MB
Data read: 80.48 MB (ratio 1.89:1)
Time: 80.723 sec (1 m 20 s)
Start Date: 2022:02:04 15:47:02
End Date: 2022:02:04 15:48:22
```
Can someone point out what is wrong?
I went over all the config files, but I end up at the same point: if eicar is detected, why aren’t all the other emails?
Hope someone might know more and can drop help on this matter.
Thanks.
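A reconciliation check, added here as an example and not part of the original post or of Virtualmin: it parses the procmail.log format and the clamscan output quoted above and lists messages that procmail delivered with Mode:None but that clamscan flags as FOUND, matching on the Maildir unique filename so a message logged under new/ is recognised again once it sits in cur/ with its `:2,S` flags. The sample log and scan lines are constructed; the sender addresses are placeholders.

```python
import re

# Constructed sample in the Virtualmin procmail.log format quoted in the post
# (one eicar hit sent to /dev/null, two messages delivered with Mode:None).
PROCMAIL_LOG = """\
Time:1643969629 From:eicar@example.invalid To:address@myserver.tld User:user-atmyserver.tld Size:3522 Dest:/dev/null Mode:Virus
Time:1643629859 From:sender@example.invalid To:address@myserver.tld User:user-atmyserver.tld Size:624648 Dest:/home/domain/homes/user/Maildir/new/1643629857.32287_1.myserver.tld Mode:None
Time:1643629900 From:other@example.invalid To:address@myserver.tld User:user-atmyserver.tld Size:1200 Dest:/home/domain/homes/user/Maildir/new/1643629899.100_1.myserver.tld Mode:None
"""

# Constructed sample of `clamscan -r -i` output over the same Maildir/cur.
CLAMSCAN_OUT = """\
/home/domain/homes/user/Maildir/cur/1643629857.32287_1.myserver.tld:2,S: Win.Trojan.Generic-9843487-0 FOUND
/home/domain/homes/user/Maildir/cur/1585745941.16826_1.myserver.tld:2,S: Win.Packed.Vebzenpak-7646494-0 FOUND

----------- SCAN SUMMARY -----------
Infected files: 2
"""

LOG_RE = re.compile(r"Time:(\d+) From:(\S+) To:(\S+) User:(\S+) Size:(\d+) Dest:(\S+) Mode:(\S+)")
FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$", re.MULTILINE)

def maildir_id(path):
    """Maildir unique name: basename with the ':2,S'-style info suffix removed,
    so a file logged under new/ matches the same message after it moves to cur/."""
    return path.rsplit("/", 1)[-1].split(":", 1)[0]

def parse_procmail_log(text):
    """Return one dict per well-formed procmail.log line; other lines are skipped."""
    fields = ("time", "from", "to", "user", "size", "dest", "mode")
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entries.append(dict(zip(fields, m.groups())))
    return entries

def parse_clamscan(text):
    """Map maildir id -> signature name for every FOUND line; summary lines are ignored."""
    return {maildir_id(m["path"]): m["sig"] for m in FOUND_RE.finditer(text)}

def delivered_but_infected(log_text, scan_text):
    """Messages procmail delivered (anything but Mode:Virus) that clamscan flags:
    these are the ones the delivery-time filter let through."""
    found = parse_clamscan(scan_text)
    return [(e["dest"], e["from"], found[maildir_id(e["dest"])])
            for e in parse_procmail_log(log_text)
            if e["mode"] != "Virus" and maildir_id(e["dest"]) in found]
```

Run it against the real /var/log/procmail.log and the saved clamscan output; every tuple it returns is a message to look at in the Virtualmin/procmail scanning configuration, since eicar alone passing proves only that the hook fires, not that every attachment is scanned.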