Virtualmin GPL - Virus scanner not working?

I changed my VPS from ISPConfig to Virtualmin because of issues with the old installation. But now it looks like the email virus scanner is not working at all.


df -h
Filesystem      Size  Used Avail Use% Mounted on
/dev/sda5        48G   11G   35G  25% /
udev            2.0G  4.0K  2.0G   1% /dev
tmpfs           807M  288K  807M   1% /run
none            5.0M  4.0K  5.0M   1% /run/lock
none            2.0G     0  2.0G   0% /run/shm
/dev/sda1       461M   36M  403M   9% /boot
root@papasmurf:/# 

free -m
             total       used       free     shared    buffers     cached
Mem:          4034       2740       1294          0         91       2032
-/+ buffers/cache:        616       3418
Swap:          952          6        946

I don't see any clamd logging in /var/log/mail.log, and the following in less /var/log/clamav/clamav.log:


Tue Jul 16 21:29:15 2013 -> +++ Started at Tue Jul 16 21:29:15 2013
Tue Jul 16 21:29:15 2013 -> clamd daemon 0.97.8 (OS: linux-gnu, ARCH: i386, CPU: i686)
Tue Jul 16 21:29:15 2013 -> Log file size limited to -1 bytes.
Tue Jul 16 21:29:15 2013 -> Reading databases from /var/lib/clamav
Tue Jul 16 21:29:15 2013 -> Not loading PUA signatures.
Tue Jul 16 21:29:15 2013 -> Bytecode: Security mode set to "TrustSigned".
Tue Jul 16 21:29:20 2013 -> Loaded 2516140 signatures.
Tue Jul 16 21:29:21 2013 -> LOCAL: Unix socket file /var/run/clamav/clamd.ctl
Tue Jul 16 21:29:21 2013 -> LOCAL: Setting connection queue length to 15
Tue Jul 16 21:29:21 2013 -> Limits: Global size limit set to 104857600 bytes.
Tue Jul 16 21:29:21 2013 -> Limits: File size limit set to 26214400 bytes.
Tue Jul 16 21:29:21 2013 -> Limits: Recursion level limit set to 16.
Tue Jul 16 21:29:21 2013 -> Limits: Files limit set to 10000.
Tue Jul 16 21:29:21 2013 -> Archive support enabled.
Tue Jul 16 21:29:21 2013 -> Algorithmic detection enabled.
Tue Jul 16 21:29:21 2013 -> Portable Executable support enabled.
Tue Jul 16 21:29:21 2013 -> ELF support enabled.
Tue Jul 16 21:29:21 2013 -> Mail files support enabled.
Tue Jul 16 21:29:21 2013 -> OLE2 support enabled.
Tue Jul 16 21:29:21 2013 -> PDF support enabled.
Tue Jul 16 21:29:21 2013 -> HTML support enabled.
Tue Jul 16 21:29:21 2013 -> Self checking every 3600 seconds.
(END)

Howdy,

If you click Edit Virtual Server -> Enabled Features for this particular domain, is the “Virus Scanning” feature enabled?

Also, if you go into System Settings -> Re-Check Config, does it detect any problems?

Lastly – what distro/version are you using?

-Eric

Spam and virus filtering are enabled for all domains.


The status of your system is being checked to ensure that all enabled features are available, that the mail server is properly configured, and that quotas are active ..
Your system has 3.94 GB of memory, which is at or above the Virtualmin recommended minimum of 256 MB.
Mail server Postfix is installed and configured.

Postfix can support per-domain outgoing IP addresses, but is not currently configured to do so. This can be setup in the Postfix Mailserver module.

Apache is installed.

The following PHP versions are available : 5.3.10 (/usr/bin/php5-cgi)

Webalizer is installed.

Apache is configured to host SSL websites.

MySQL is installed and running.

ProFTPd is installed.

Logrotate is installed.

SpamAssassin and Procmail are installed and configured for use.

ClamAV is installed and assumed to be running.

Plugin AWstats reporting is installed OK.

Plugin Mailman is installed OK.

Plugin Protected web directories is installed OK.

Using network interface eth0 for virtual IPs.

IPv6 addresses are available, using interface eth0.

Default IP address for virtual servers is xx.xx.xx.205.

Default IP address is set to xx.xx.xx.205, which matches the detected external address.

Both user and group quotas are enabled for home and email directories.

All commands needed to create and restore backups are installed.

The selected package management and update systems are installed OK.

.. your system is ready for use by Virtualmin.

cat /etc/issue
Ubuntu 12.04.2 LTS \n \l

Great!

One other thing you could check, just to make sure it’s not throwing any errors, is to look in /var/log/procmail.log.

If ClamAV is generating errors, it’s possible they may appear in there.

But if it stopped the eicar virus, it sounds like it’s working properly.

-Eric

I think I changed something and now it seems to be working (however, I don't see any proof in the mail header).

I changed vim /etc/clamav/clamd.conf


TCPSocket 3310
TCPAddr 127.0.0.1
#LocalSocket /var/run/clamav/clamd.ctl

And now when I send an EICAR test file, it seems to be blocked:


tail -f /var/log/clamav/clamav.log 
Wed Jul 17 20:42:55 2013 -> Chunks complete
Wed Jul 17 20:42:55 2013 -> Number of file descriptors polled: 1 fds
Wed Jul 17 20:42:55 2013 -> fds_poll_recv: timeout after 3600 seconds
Wed Jul 17 20:42:55 2013 -> THRMGR: queue (single) crossed low threshold -> signaling
Wed Jul 17 20:42:55 2013 -> THRMGR: queue (bulk) crossed low threshold -> signaling
Wed Jul 17 20:42:55 2013 -> instream(127.0.0.1@53359): Eicar-Test-Signature(a275858ea6a5350cd2781c29d0986db4:1840) FOUND
Wed Jul 17 20:42:55 2013 -> Finished scanthread
Wed Jul 17 20:42:55 2013 -> Scanthread: connection shut down (FD 10)
Wed Jul 17 20:42:55 2013 -> THRMGR: queue (single) crossed low threshold -> signaling
Wed Jul 17 20:42:55 2013 -> THRMGR: queue (bulk) crossed low threshold -> signaling
Wed Jul 17 20:44:02 2013 -> Received POLLIN|POLLHUP on fd 5
Wed Jul 17 20:44:02 2013 -> Got new connection, FD 10
Wed Jul 17 20:44:02 2013 -> Received POLLIN|POLLHUP on fd 6
Wed Jul 17 20:44:02 2013 -> fds_poll_recv: timeout after 5 seconds
Wed Jul 17 20:44:02 2013 -> Received POLLIN|POLLHUP on fd 10
Wed Jul 17 20:44:02 2013 -> got command VERSION (8, 8), argument: 
Wed Jul 17 20:44:02 2013 -> Receive thread: closing conn (FD 10), group finished
Wed Jul 17 20:44:02 2013 -> Consumed entire command
Wed Jul 17 20:44:02 2013 -> Number of file descriptors polled: 1 fds
Wed Jul 17 20:44:02 2013 -> fds_poll_recv: timeout after 3600 seconds

When I change it back, it still seems to be working. However, after I had just installed Virtualmin, the viruses seemed to pass the mail server without issue. Why is there no rule about the virus scanner in the mail header (just to see it has scanned the mail without issues)?
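
An added example, not part of any post in this thread: a Python check that sends the EICAR test string to clamd with the INSTREAM command, over either the Unix socket or the TCP listener from the clamd.conf lines above, and reports the verdict, so the daemon can be confirmed independently of mail headers. The function names are assumptions of this sketch; the socket path, address and port are the ones posted above.

```python
import socket
import struct

# Standard 68-byte EICAR test string, split in two so this file is not flagged itself.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-" rb"ANTIVIRUS-TEST-FILE!$H+H*"

def frame_instream(data, chunk_size=4096):
    """Build a clamd INSTREAM request: command, then <4-byte big-endian length><chunk>."""
    out = [b"zINSTREAM\0"]
    for i in range(0, len(data), chunk_size):
        chunk = data[i:i + chunk_size]
        out.append(struct.pack("!I", len(chunk)) + chunk)
    out.append(struct.pack("!I", 0))  # zero-length chunk ends the stream
    return b"".join(out)

def parse_reply(raw):
    """Map a reply such as b'stream: <name> FOUND\\0' to (status, signature_or_detail)."""
    text = raw.rstrip(b"\0\n").decode("ascii", "replace")
    verdict = text.partition(": ")[2]
    if verdict == "OK":
        return ("clean", None)
    if verdict.endswith(" FOUND"):
        return ("infected", verdict[:-len(" FOUND")])
    return ("error", text)  # e.g. size limit exceeded, or an empty reply

def connect(target):
    """target is a (host, port) tuple for TCPSocket or a path string for LocalSocket."""
    if isinstance(target, tuple):
        return socket.create_connection(target, timeout=10)
    s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    s.settimeout(10)
    s.connect(target)
    return s

def scan(target, data):
    """Send data to clamd and read until clamd closes the connection."""
    with connect(target) as s:
        s.sendall(frame_instream(data))
        reply = b""
        while (part := s.recv(4096)):
            reply += part
    return parse_reply(reply)

if __name__ == "__main__":
    for target in ("/var/run/clamav/clamd.ctl", ("127.0.0.1", 3310)):
        try:
            print(target, scan(target, EICAR))
        except OSError as exc:  # socket missing, permission denied, port closed
            print(target, "unreachable:", exc)
```

A result of `('infected', 'Eicar-Test-Signature')` on one target and `unreachable` on the other shows which of the two listeners clamd is actually serving.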