ClamAV antivirus

Discussions on webmail and the Professional version.
mp303
Posts: 81
Joined: Mon Nov 22, 2004 8:47 am
Location: Denmark

Post by mp303 » Mon Jun 20, 2005 8:19 am

Here's my debug output; what does this tell me? There are no errors, except for some MySQL warnings. I don't know what those are, but they couldn't be related to antivirus in any way, could they?

There is no indication that it's running ClamWin: it produces no logfile like it does when I use the "test settings" button. But there is also no indication of errors related to running it, so how do I interpret this debug output?

The EICAR test file still passes straight through...


C:\Program Files\Mail Enable\bin>memta -debug
Debugging MailEnable Mail Transfer Agent.
****************************************************************************
*                                                                          *
* MailEnable Mail Transfer Agent (Version 1.0.02)                          *
* Copyright (C) Andrew Sproul, Peter Fregon 2001-2004.                     *
*                                                                          *
****************************************************************************

[.\MYODBCUtilReadDataSource.c][205][ERROR] Unknown attribute (Trusted_Connection).
[.\MYODBCUtilReadDataSource.c][205][ERROR] Unknown attribute (Trusted_Connection).
[.\MYODBCUtilReadDataSource.c][205][ERROR] Unknown attribute (Trusted_Connection).
Loaded 2 Filters
Bayesian Filter Loading Library..
Bayesian Filter - Loading Dictionary..
Bayesian Filter - Loading Complete.
Loading Dictionary...

Dictionary Load Status:
Time Taken: 270 milliseconds
Dictionary Size: 39655 tokens

Dictionary Loaded.
Antivirus Loading Library..
Reading settings for: LS
Reading settings for: POP
Reading settings for: SF
Reading settings for: SMTP
[.\MYODBCUtilReadDataSource.c][205][ERROR] Unknown attribute (Trusted_Connection).
No Data Available

Allocating 2 Results
Processing Message...
Message Size detected as 1528
Processing Message Content...
From Found:From: Rasmus Schultz <x@xxxxxx.dk>

To Found:To: xxx@xxxxxxx.dk

Mime Encapsulatation detected
Attachment Found:Content-Type: text/plain; name="eicar.com.txt"

Attachment Found:Content-Disposition: attachment; filename="eicar.com.txt"

ProcessFilter:
Releasing 2 Results
(email addresses x'ed out to prevent harvesting)

Appreciate the help, still hoping to find a solution :)

Keith G
Posts: 11
Joined: Tue Apr 05, 2005 7:55 pm

Success!!!

Post by Keith G » Mon Jun 20, 2005 4:33 pm

Thanks Andrew for your help. When I ran MTA in Debug mode and sent attachments with a virus, the MTA console dump said "Skipping Encoded Attachment". I searched the ME Knowledgebase and found my issue.

The keys to enabling this are:
1. Make sure you get the expected return code (1) when running the "TEST" button in Filters->MailEnable Antivirus Message Filter. If you get code 50 instead, it's likely a file path typo in the path to the AV program.

2. You may have to go to Control Panel->Services, find the MTA and set it to "Log on as administrator" with the admin password.

3. Once you get it all set up according to the thread and DO get a "1", then you have to add a filter in the "Messaging Management" section of the ME admin (this is the part I was missing). Here is a quote on how to do this from ME KB Article ME020284 - note the BOLD part:
Configuring an AV Filter
From versions 1.54 and above of MailEnable Professional and 1.03 of Enterprise, the AV structure has been moved to act as a filter, to be more in line with MailEnable concepts.
The first difference is that the AV settings are all in the following location: ME Admin -> Filters -> MailEnable Messaging Filter -> (Right Panel) MailEnable Antivirus Filter Properties.
The next step, which is critical for the AV engine to work, is to enable an action filter for the AV when a virus is detected. This is done as follows:

ME Admin -> Messaging Manager -> Right Click Filters -> New Filter (call it Antivirus)
Once the filter is created, right click on the filter in the right hand display panel of the ME Admin program and select Manage.
In the Criteria section (top panel) select the criteria "Where the message contains a virus"; double click this and enable or place a tick next to the option.
Finally, in the Actions section (bottom panel) select your required actions, selecting one or several of the options; if you simply want the virus email deleted, then select "Delete Message".
Good Luck All and thanks again!

mp303
Posts: 81
Joined: Mon Nov 22, 2004 8:47 am
Location: Denmark

Post by mp303 » Tue Jun 21, 2005 7:45 am

Great! This solved my problem as well - it's working perfectly now! Thank you!! :D

mp303
Posts: 81
Joined: Mon Nov 22, 2004 8:47 am
Location: Denmark

Post by mp303 » Tue Jun 21, 2005 8:26 am

:o

Argh!

No, it STILL doesn't work.

This is freaky... when I run in debug mode, it scans just like it's supposed to, the filter gets executed and the virus gets deleted.

But as soon as the SERVICE is running, nothing happens - no error messages, nothing, it just doesn't run the virus filters. I've restarted the services several times, nothing seems to help...

Any help??

michaelsowa
Posts: 13
Joined: Tue Jun 21, 2005 2:05 pm
Location: Chester, UK

Same Here

Post by michaelsowa » Tue Jun 21, 2005 2:23 pm

I seem to have exactly the same problem. I am getting hundreds of spoofed emails through my server, sent under sometimes real, sometimes fictitious addresses, for instance from <something>@mydomain.com to <something>@mydomain.com.

Each one contains a virus in a zip file.

As far as I can tell I have installed and integrated ClamWin properly, the test works and my filters are all enabled and setup.

In the meantime I have added a filter to delete messages with certain filenames. (I don't want to block .zip attachments totally, so I am having to block the set of filenames that this spammer is sending.)

What I would like is to somehow force authentication even when sending from a local account to another local account. That would stop this from happening at the first entry point.

However I still want ClamWin to work so any ideas would be greatly appreciated.....
The Good Will out - Embrace

paarlberg
Posts: 1071
Joined: Tue Mar 02, 2004 7:33 pm
Location: Atlanta, GA, USA

Post by paarlberg » Tue Jun 21, 2005 5:48 pm

There is an option for the command line to scan archives, and how deep. I can't remember what it is at the moment, but will try to find it..

I run Clam and F-prot on my servers, f-prot will typically catch the ones that slip by Clam.

michaelsowa
Posts: 13
Joined: Tue Jun 21, 2005 2:05 pm
Location: Chester, UK

Archives

Post by michaelsowa » Tue Jun 21, 2005 5:53 pm

Cheers Paarlberg,

Any help would be greatly appreciated....
The Good Will out - Embrace

Keith G
Posts: 11
Joined: Tue Apr 05, 2005 7:55 pm

Post by Keith G » Tue Jun 21, 2005 7:55 pm

MP303 - Make sure you switched the registry settings back to 1s after stopping the MTA debug. You might also want to try reducing the number of MTA threads to 1 to see what happens - see KB article ME020147. Also you might want to make sure the MTA is running as a service that logs on with admin rights.

I had originally created a batch file to run the clamscan and it did not work when I went back to regular MTA. I had to modify the 'program path' for the scanner back to c:\Program Files\ClamWin\Bin\Clamscan.exe to get it to work.

michaelsowa - That almost sounds like you are an open relay. Are the mails coming from someone inside your domain?

I'm still running Pro 1.6 RC2 on a test server and sending emails to it via Outlook Express on the server itself, and thus far that works great.

Good luck both of you.

mp303
Posts: 81
Joined: Mon Nov 22, 2004 8:47 am
Location: Denmark

Post by mp303 » Wed Jun 22, 2005 8:12 am

I tried creating a dedicated local account to run the MTA service under, and making it a member of Administrators - no luck. Finally, I set the service to run under the system default Administrator account, and this works. I'm not sure it's really a good idea in terms of security? But it seems to be the only thing that works, and at least it WORKS :)

It occurs to me that the ME team needs to do some work on that "test" button - it obviously doesn't tell you much at all... it needs to at least execute the virus scanner under the same conditions it would during "live" scanning. If, for example, it actually delivered an EICAR test file to a local postmaster account, this would verify that scanning would actually work when initiated by the service...

Keith G
Posts: 11
Joined: Tue Apr 05, 2005 7:55 pm

Post by Keith G » Wed Jun 22, 2005 2:31 pm

Glad to hear you got it working. I did read something in one of the threads about changing the NT permissions on the ClamWin directory and its subdirs to allow <whatever account you wanted to run MTA with> full control on those dirs, but never tried that. I am using the same config as you (administrator account).

Yeah - I think the TEST button puts an EICAR file in the scratch directory and calls the virus scanner. It does not appear to create a test email with an attachment that needs to be parsed for virus detection. The test passing seems to tell you "I can execute the virus scanner and successfully identify a virus in the scratch directory. If the messaging filter and the MTA agent are set up and enabled correctly now, it should work".

Anyway, Glad you got it working. Can't wait for 1.6 to be official...

michaelsowa
Posts: 13
Joined: Tue Jun 21, 2005 2:05 pm
Location: Chester, UK

Mine works too

Post by michaelsowa » Wed Jun 22, 2005 3:12 pm

Hey, I also had to log on the service under the admin account. All works now. It even scans zip files.

Hooray.

This thread was invaluable!
The Good Will out - Embrace

rvissers
Posts: 34
Joined: Wed Sep 08, 2004 4:23 pm

Post by rvissers » Thu Jun 23, 2005 3:47 pm

I had the same thing happen... no scanning of archive files; changed the service to log on as admin and everything works. Thanks!
Richard G. Vissers
www.vissers.net

devildog
Posts: 45
Joined: Thu Jun 23, 2005 7:33 pm

Still not working...

Post by devildog » Fri Jun 24, 2005 6:02 pm

After reading this thread about 10 times, I still can't get ClamWin to work...

I've got the latest versions of ClamWin and MailEnable and followed all the instructions...

My debug output...

The test file is just passing through...

C:\Program Files\ClamWin\bin>MEMTA -debug
Debugging MailEnable Mail Transfer Agent.
****************************************************************************
*                                                                          *
* MailEnable Mail Transfer Agent (Version 1.0.02)                          *
* Copyright (C) Andrew Sproul, Peter Fregon 2001-2004.                     *
*                                                                          *
****************************************************************************

Loaded 0 Filters
Antivirus Loading Library..
Reading settings for: LS
Reading settings for: POP
Reading settings for: SF
Reading settings for: SMTP
Allocating 0 Results
Processing Message...
Message Size detected as 2115
Processing Message Content...
Mime Encapsulatation detected
To Found:To: <xxxx@mydomain1.com>

From Found:From: <xxxx@mydomain2.com>

Attachment Found:Content-Type: application/zip; name="eicar.zip";

Attachment Found:Content-Disposition: attachment; filename="eicar.zip"

Releasing 0 Results
My filter logs...

Time	Action	MessageID	Connector	Filter	Result	Account	Sender
06/25/05 01:39:46	Start	-	-	-	-	-	-
Time	Action	MessageID	Connector	Filter	Result	Account	Sender
06/25/05 01:51:31	Start	-	-	-	-	-	-
06/25/05 01:59:49	End	-	-	-	-	-	-
Just FYI, I have ASSP installed on my system... so ME is using port 225 for SMTP (just in case it matters).

devildog
Posts: 45
Joined: Thu Jun 23, 2005 7:33 pm

Post by devildog » Fri Jun 24, 2005 6:27 pm

UPDATE:

Just tried as suggested by Keith (thanks a lot)...
ME Admin -> Messaging Manager -> Right Click Filters -> New Filter (call it Antivirus)
Once the filter is created, right click on the filter in the right hand display panel of the ME Admin program and select Manage.
In the Criteria section (top panel) select the criteria "Where the message contains a virus"; double click this and enable or place a tick next to the option.
Finally, in the Actions section (bottom panel) select your required actions, selecting one or several of the options; if you simply want the virus email deleted, then select "Delete Message".

I have new developments in my filter log...

Time	Action	MessageID	Connector	Filter	Result	Account	Sender
06/25/05 01:39:46	Start	-	-	-	-	-	-
Time	Action	MessageID	Connector	Filter	Result	Account	Sender
06/25/05 01:51:31	Start	-	-	-	-	-	-
06/25/05 01:59:49	End	-	-	-	-	-	-
06/25/05 02:05:47	Executed	8415E37BCE54431482E03B958C2131F2.MAI	SF	Antivirus	DELETE	mydomain1.com	xxxx@mydomain1.com	
Seems to be working now...
Just need to configure the notify thing in the filter...

I chose notify recipient... chose the template VIRUSNOTIFY...
Got the virus notification...
I would like to edit the notification with the name of the infected file(s) and the virus they were infected with. What's the variable for that?
Thanks... this forum is really helpful...
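The thread's recurring trap is that the "TEST" button passes while the running service never scans anything. The filter log quoted above is the one artifact that proves the live path works: an "Executed ... Antivirus ... DELETE" record. Below is a small parser for that tab-separated log (an added example, not code from the thread or from MailEnable); the sample lines are constructed from the quoted format, the message id is a placeholder, and treating a repeated "Time" row as a fresh header is an assumption based on the quoted log.

```python
# Parse MailEnable's tab-separated filter log and report whether the
# Antivirus filter actually executed on a live message. Added example;
# sample data is constructed to match the format quoted in the thread.
from collections import Counter

# Constructed sample: two Start rows (header repeated before the second),
# one End row, and one Executed row for the Antivirus filter.
SAMPLE_LOG = "\n".join([
    "Time\tAction\tMessageID\tConnector\tFilter\tResult\tAccount\tSender",
    "06/25/05 01:39:46\tStart\t-\t-\t-\t-\t-\t-",
    "Time\tAction\tMessageID\tConnector\tFilter\tResult\tAccount\tSender",
    "06/25/05 01:51:31\tStart\t-\t-\t-\t-\t-\t-",
    "06/25/05 01:59:49\tEnd\t-\t-\t-\t-\t-\t-",
    "06/25/05 02:05:47\tExecuted\tPLACEHOLDER-ID.MAI\tSF\tAntivirus\tDELETE"
    "\tmydomain1.com\txxxx@mydomain1.com\t",   # trailing tab as in the thread
])


def parse_filter_log(text):
    """Yield one dict per record. Blank lines are skipped and a row whose
    first field is 'Time' is taken as a (possibly repeated) header row;
    the quoted log shows the header again before each Start (assumption)."""
    columns = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        fields = raw.rstrip("\t").split("\t")  # drop the trailing tab
        if fields[0] == "Time":
            columns = fields
            continue
        if columns is None:
            raise ValueError("record before any header row: %r" % raw)
        yield dict(zip(columns, fields))


def antivirus_summary(text, filter_name="Antivirus"):
    """Count MTA Start/End events and the actions taken by filter_name.
    Start/End alone means the MTA ran but nothing was scanned; only an
    Executed record naming the AV filter proves the live path works."""
    starts = ends = 0
    results = Counter()
    for rec in parse_filter_log(text):
        if rec["Action"] == "Start":
            starts += 1
        elif rec["Action"] == "End":
            ends += 1
        elif rec["Action"] == "Executed" and rec["Filter"] == filter_name:
            results[rec["Result"]] += 1
    return {"starts": starts, "ends": ends, "executed": dict(results),
            "av_active": sum(results.values()) > 0}
```

Run it against the real log file (contents read from disk instead of SAMPLE_LOG) after sending a test message; if "av_active" stays False while the service is running, the problem is in the service context (account, path), not in the scanner.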

JasonCMX
Posts: 33
Joined: Fri Apr 09, 2004 12:22 pm
Location: Michigan, USA

ClamWin Config

Post by JasonCMX » Wed Sep 07, 2005 1:36 pm

I have moved to a new server with MailEnable and Clam.
(Our old one's IIS and registry was destroyed by hackers)

I have followed the instructions letter by letter and am still getting "Command line scanner returned: 50" "There appears to be an error with your configuration"

Does this setup work on Windows 2003?
