CLAMAV doesn't seem to be trapping virus

Discussion forum for Enterprise Edition.
mia11691
Posts: 13
Joined: Thu Jun 03, 2010 5:02 pm

CLAMAV doesn't seem to be trapping virus

Post by mia11691 » Tue Mar 29, 2016 8:53 pm

I recently began receiving complaints from customers that they were receiving tons of mail containing viruses. We run ClamAV. Initially when I checked the logs I saw "Error scanning attachment - Command Line Scanner Process ("C:\Program Files (x86)\Mail Enable\Antivirus\ClamAV\clamdscan.exe" "C:\PROGRA~2\MAILEN~1\Scratch\8721E8~1.MAI\1.ATT" --no-summary) took too long and was terminated". So I increased the timeout via the registry. Restarted MTA etc. Ran freshclam etc. I checked the 'scratch' folder and there were like 4 old messages there, so I figured that was the reason there was an issue. I deleted the messages. Since then, it seems as if nothing is going through the filters. I ran the EICAR test and it scanned and sent a responder; however, that's the only message it seems to trap. I've since learned via these forums that the logs are only created when a virus is found and trapped. Well, if that is the case then there's absolutely nothing happening with this CLAMAV installation. No logs, besides the log created when the EICAR email was sent, are being generated. I'm not sure what else to do at this point besides trying another scanner; however, I thought this was supposed to work. The ClamAV log states that the selfcheck of the database is ok.

Thoughts anyone?

MailEnable-Ian
Site Admin
Posts: 9145
Joined: Mon Mar 22, 2004 4:44 am
Location: Melbourne, Victoria, Australia

Re: CLAMAV doesn't seem to be trapping virus

Post by MailEnable-Ian » Thu Mar 31, 2016 2:44 am

Hi,

What version of MailEnable Enterprise are you running?

Regards,

Ian Margarone
MailEnable Support

aahq
Posts: 183
Joined: Sat Aug 07, 2010 11:08 am

Re: CLAMAV doesn't seem to be trapping virus

Post by aahq » Thu Mar 31, 2016 7:12 am

Try also uploading the "virus" to Virustotal.com and see if Clam is picking it up; I have hundreds of messages a day that ClamAV doesn't detect.

If it is not being detected then this is not ME's fault, by the way; it is ClamAV.

In another thread here I have exact instructions on how to deal with these compressed files that have executable code in them. Running a single AV over messages is very unreliable, and AntiSpam protection gets about 98%, but nuking compressed files with exes gives you that extra 1% :)

Hope this helps.

Scott
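As an added illustration of the "compressed files with executable code in them" check Scott refers to (this is example code written for this thread, not Scott's instructions from the other thread and not MailEnable or ClamAV code), the function below opens a zip attachment from bytes, flags members by executable extension or by an "MZ" (PE) header, reports encrypted members it cannot inspect, and descends into nested zips up to a depth limit with a size cap so a crafted archive cannot exhaust memory. The extension list, the size cap, the `build_sample_zip` helper and the member names inside it are all constructed for this example.

```python
from __future__ import annotations

import io
import zipfile

# Extensions treated as executable content in a mail attachment (constructed list for this example).
EXECUTABLE_EXTENSIONS = {
    ".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse", ".vbs", ".vbe",
    ".wsf", ".hta", ".msi", ".ps1", ".jar",
}
# Nested archives larger than this are reported instead of unpacked (assumed limit; guards against zip bombs).
MAX_NESTED_BYTES = 8 * 1024 * 1024


def find_executables_in_zip(data: bytes, max_depth: int = 2) -> list[str]:
    """Return a list of findings ("member (reason)") for members that look executable."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["<not a valid zip archive>"]
    findings: list[str] = []
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
            if ext in EXECUTABLE_EXTENSIONS:
                findings.append(f"{name} (executable extension)")
                continue
            if info.flag_bits & 0x1:  # encrypted entry: content cannot be inspected
                findings.append(f"{name} (encrypted, not inspectable)")
                continue
            with zf.open(info) as member:
                head = member.read(4)
            if head[:2] == b"MZ":  # DOS/PE executable header regardless of extension
                findings.append(f"{name} (MZ header)")
            elif head[:2] == b"PK" and max_depth > 0:  # nested zip: inspect recursively
                if info.file_size > MAX_NESTED_BYTES:
                    findings.append(f"{name} (nested archive too large to inspect)")
                    continue
                with zf.open(info) as member:
                    inner = member.read()
                for hit in find_executables_in_zip(inner, max_depth - 1):
                    findings.append(f"{name}/{hit}")
            elif head[:2] == b"PK":
                findings.append(f"{name} (nested archive beyond depth limit)")
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample attachment: a harmless text file, a double-extension .exe,
    an MZ-headed file with an innocent extension, and a nested zip holding a script."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "hello")
        zf.writestr("invoice.pdf.exe", b"MZ" + b"\x00" * 62)
        zf.writestr("report.bin", b"MZ\x90\x00" + b"\x00" * 10)
        inner = io.BytesIO()
        with zipfile.ZipFile(inner, "w") as izf:
            izf.writestr("script.js", "x=1")
        zf.writestr("nested.zip", inner.getvalue())
    return buf.getvalue()


if __name__ == "__main__":
    for finding in find_executables_in_zip(build_sample_zip()):
        print(finding)
```

A mail filter would call `find_executables_in_zip` on each zip attachment and quarantine or reject the message when the list is non-empty; encrypted members are reported rather than silently passed, because the scanner cannot see their content either.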

aahq
Posts: 183
Joined: Sat Aug 07, 2010 11:08 am

Re: CLAMAV doesn't seem to be trapping virus

Post by aahq » Sat Apr 02, 2016 4:48 am

I have been going on an antispam campaign this week. Tightening rules. Now I am putting in new processes and trying to get ClamAV to "detect more" and get my AV a bit more in order.

I have stumbled onto the below which most will find useful.

This is from a donation-style company called Sane Security. It doesn't mess with your ClamAV core signatures, have any installs etc., but adds more "free lists/signature detection/antispam/antimalware" to ClamAV. The cute thing with this is that it is Mail Enable ready. When you look inside the sigupdate.bat it has REM statements for Mail Enable (cool hey).

This to me just made a big difference. My logs are now about 10x bigger and I need to spend less effort on my Spam Assassin and other methods. Downside is that it is another place to check when mail doesn't "make it", but it looks good so far over the past 24 hours. This is what I did and it was very simple.

1. Downloaded the sigupdate zip from Sanesoftware
2. Made a directory called "Sane" in the ME\ClamAV directory
3. Unzipped the sigupdate zip into this "Sane" directory.
4. Downloaded the RSYNC as the readme says
5. Extracted the contents of this into the RSYNC directory (the sigupdate unzip had created this)
6. Had a quick look at the signames.txt and compared to my choices on "http://sanesecurity.com/usage/signatures/"
7. Added a few more items into the signames.txt
8. Ran the sigupdate.bat manually watched it download a few things, say its completed.
9. Checked the ClamAV\db structure and saw all the extra db in there.

I then started looking at my AV logs and bingo, more stuff is detected. I threw a whole list of extra databases in after that.

I then did step 10, which was to create an hourly task schedule to run sigupdate.bat.

If you find this useful then donate to these guys.

Scott

This is the readme below.
----------------

Sanesecurity downloader v0.8 beta for ClamWin/ClamAV (c) Steve Basford
----------------------------------------------------------------------

Introduction
------------

Sanesecurity signatures are a culmination of hard work and commitment to
provide third-party signatures to the web community that are of professional quality.
Signatures are updated several times a day and our Twitter page reflects that.

########################################################################################
# We are not a company… and producing the signatures and support for the signatures is #
# carried out in our spare time.                                                       #
#                                                                                      #
# If you find these add-on signatures useful, please support us by donating:           #
#                                                                                      #
# http://sanesecurity.com/donate/                                                      #
########################################################################################

Installation
------------

sigupdate.bat is a simple batch file to download the various databases available
from the Sanesecurity mirrors, mainly for ClamWin use or other command line ClamAV versions
that are available.

signames.txt is a list of database names that you wish to use, selected from the various databases available.

sigupdate.log will be produced each time the sigupdate.bat is run and will show the last download only.


1. Rsync
---------

Rsync is needed to download signatures from the Sanesecurity mirrors and
should be located in the winrsync subfolder, within the sigupdate folder.


a. Download Windows Rsync: https://www.itefix.net/content/cwrsync-free-edition

Currently: https://www.itefix.net/dl/cwRsync_5.5.0_x86_Free.zip

b. Open the cwRsync_5.5.0_x86_Free.zip file and then go *inside* the cwRsync_5.5.0_x86_Free folder

c. ##### Click *inside* the bin folder ####

d. Now extract ALL contents to the winrsync folder where your sigupdate.bat is located.


2. ClamAV/ClamWin installation
------------------------------

Download locations...

a. ClamWin command line is available from
http://oss.netfarm.it/clamav/

b. ClamWin FULL is available from:
http://www.clamwin.com/content/view/18/46/

c. *Official* and current versions of command line ClamAV for Windows are here:
http://www.clamav.net/downloads#otherversions

3. Configuration
----------------

a. Signatures

Sanesecurity has a large number of databases to choose from, with various levels of False Positive risk:

http://sanesecurity.com/usage/signatures/

Please put the signature names you want to use in:

signames.txt

NOTE: the first two entries ***MUST*** be:

sanesecurity.ftm
sigwhitelist.ign2

Currently the default list should help protect you against malware, macro malware and some spam but
you can add and remove names as you require.

b. If you are using ClamWin the batch file will try to *automatically* find the correct location of your database.
However, if this fails or you are using a different ClamAV version you can *manually* set this.

c. Set up a Windows task to run sigupdate.bat hourly


Example ClamWin Summary Setup
-----------------------------

* Rsync should have a winrsync folder as a subdirectory in the folder where the sigupdate.bat file is located, i.e.

sigupdate\winrsync\rsync.exe
sigupdate\sigupdate.bat

* C:\Program Files (x86)\ClamWin\ (with Clamwin program and directories)
* C:\Program Files (x86)\ClamWin\sigupdate (with sane sigupdate bat file etc)
* C:\Program Files (x86)\ClamWin\sigupdate\winrsync (with rsync etc)


Thanks
------

Thanks to jimimaseye and Deepak Mhatre for testing and feedback


Trademarks
----------

ClamAV is a registered trademark of Cisco Systems. (C)2015 Cisco
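The readme's configuration rules (the first two entries of signames.txt must be sanesecurity.ftm and sigwhitelist.ign2, databases land in the ClamAV db folder, and sigupdate.bat runs hourly) lend themselves to a small health check that an admin can run after the steps Scott lists above. The script below is an added example written for this thread, not part of the Sanesecurity downloader or of MailEnable: `parse_signames` reads the name list (treating lines starting with "#" as comments is an assumption; the readme does not describe comments), `check_signames` enforces the mandatory first two entries and rejects duplicates, and `check_databases` reports names whose database file is missing from the db folder or older than a staleness threshold (24 hours here, an assumed value chosen because the signatures are updated several times a day). The `demo` function builds a temporary db folder with constructed contents; the sample entries junk.ndb, phish.ndb and scam.ndb are real Sanesecurity database names but are used here only as sample data.

```python
from __future__ import annotations

import os
import tempfile
import time
from pathlib import Path

# The readme requires these two entries, in this order, at the top of signames.txt.
REQUIRED_HEAD = ["sanesecurity.ftm", "sigwhitelist.ign2"]


def parse_signames(text: str) -> list[str]:
    """One database file name per line. Blank lines and '#' comments are skipped
    (comment handling is an assumption of this example, not documented in the readme)."""
    names = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            names.append(line)
    return names


def check_signames(names: list[str]) -> list[str]:
    """Return a list of problems with the name list (empty list means it is well formed)."""
    problems = []
    if names[:2] != REQUIRED_HEAD:
        problems.append(f"first two entries must be {REQUIRED_HEAD}, got {names[:2]}")
    seen: set[str] = set()
    for name in names:
        if name in seen:
            problems.append(f"duplicate entry: {name}")
        seen.add(name)
    return problems


def check_databases(names: list[str], db_dir: Path,
                    max_age_hours: float = 24.0, now: float | None = None) -> dict[str, list[str]]:
    """Report which listed databases are absent from db_dir or older than max_age_hours."""
    now = time.time() if now is None else now
    missing, stale = [], []
    for name in names:
        path = db_dir / name
        if not path.is_file():
            missing.append(name)
        elif now - path.stat().st_mtime > max_age_hours * 3600:
            stale.append(name)
    return {"missing": missing, "stale": stale}


# Constructed signames.txt content for the demo.
SAMPLE_SIGNAMES = """\
sanesecurity.ftm
sigwhitelist.ign2
junk.ndb
phish.ndb
scam.ndb
"""


def demo() -> dict[str, list[str]]:
    """Build a temporary db folder where two databases were never downloaded and one is
    three days old, then run both checks against the sample list."""
    names = parse_signames(SAMPLE_SIGNAMES)
    with tempfile.TemporaryDirectory() as tmp:
        db_dir = Path(tmp)
        now = time.time()
        for name in ("sanesecurity.ftm", "sigwhitelist.ign2", "junk.ndb"):
            (db_dir / name).write_bytes(b"")
        three_days_ago = now - 3 * 86400
        os.utime(db_dir / "junk.ndb", (three_days_ago, three_days_ago))
        status = check_databases(names, db_dir, max_age_hours=24, now=now)
    return {"problems": check_signames(names), **status}


if __name__ == "__main__":
    # On a real host, read signames.txt from the sigupdate folder and point db_dir at the ClamAV db folder.
    print(demo())
```

On a live installation, a non-empty "missing" list after a sigupdate.bat run usually means the name in signames.txt does not match a database the mirrors actually serve, while a "stale" entry suggests the hourly task is not running or rsync is failing; sigupdate.log shows the last download attempt.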

Garre
Posts: 32
Joined: Thu Jun 08, 2006 3:58 pm
Location: Boise, Idaho USA

Re: CLAMAV doesn't seem to be trapping virus

Post by Garre » Mon Apr 04, 2016 7:42 pm

Scott,

Thanks for the information on the SaneSecurity enhancement for ClamAV. I applied the default install and already I am seeing a significant improvement. I will continue to monitor the performance and look at making more database adjustments.

Garre
