Email not being delivered - scanned multiple times

ashweb
Posts: 12
Joined: 05 Feb 2016 12:17

Email not being delivered - scanned multiple times

Post by ashweb » 10 Jan 2017 13:40

We have used EFA for quite some time now with little to no issue; however, over the last few weeks we have experienced an issue where email gets "backed up" in the mail queue and EFA seems to scan mail multiple times, then categorises it as other?

Please see attachment.
Attachments
efa_error.png

ashweb
Posts: 12
Joined: 05 Feb 2016 12:17

Re: Email not being delivered - scanned multiple times

Post by ashweb » 10 Jan 2017 14:00

After a bit more digging it appears that clamd is not running and throwing errors:

[root@mx ~]# clamd
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 497 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 512 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 528 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 544 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 557 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 603 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 614 undefined identifier "pe"
LibClamAV Error: cli_loadyara: failed to parse rules file /var/lib/clamav/antidebug_antivm.yar, error count 7
LibClamAV Error: yyerror(): /var/lib/clamav/winnow_malware.yara line 65 duplicate identifier "CryptoWall_Resume_phish"
LibClamAV Error: yyerror(): /var/lib/clamav/winnow_malware.yara line 83 duplicate identifier "docx_macro"
LibClamAV Error: cli_loadyara: failed to parse rules file /var/lib/clamav/winnow_malware.yara, error count 2
[root@mx ~]# ps -A | grep clam
[root@mx ~]#

I have removed all of the databases from /var/lib/clamav then run freshclam to update - this downloaded 3 database files.

Overnight however the unofficial signatures were downloaded and the problem returned.

As a workaround I have commented out the files listed above in: /etc/clamav-unofficial-sigs/master.conf

MailScanner should stop processing messages when clamd is not running as looking at the logs MailScanner seems to class all emails as viruses and deletes them as per the screenshot above - claiming "Other infection Y and MailScanner: Message attempted to kill MailScanner" :oops:
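
An added example, not part of the original post: a small parser that reads clamd's startup output and lists the YARA rule files that failed to load, with the reason for each, so you can tell which unofficial signature files to disable. The function names `failed_yara_files` and `report` are hypothetical; the sample lines are a subset of the output quoted in the post above.

```python
import re
from collections import defaultdict

# Subset of the clamd output quoted in the post above.
SAMPLE = """\
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 497 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 512 undefined identifier "pe"
LibClamAV Error: cli_loadyara: failed to parse rules file /var/lib/clamav/antidebug_antivm.yar, error count 7
LibClamAV Error: yyerror(): /var/lib/clamav/winnow_malware.yara line 65 duplicate identifier "CryptoWall_Resume_phish"
LibClamAV Error: yyerror(): /var/lib/clamav/winnow_malware.yara line 83 duplicate identifier "docx_macro"
LibClamAV Error: cli_loadyara: failed to parse rules file /var/lib/clamav/winnow_malware.yara, error count 2
"""

# Per-rule parse error: file, line number, reason text, offending identifier.
RULE_ERR = re.compile(r'^LibClamAV Error: yyerror\(\): (\S+) line (\d+) (.+?) "([^"]*)"$')
# Per-file summary: the whole rule file was rejected.
FILE_ERR = re.compile(r'^LibClamAV Error: cli_loadyara: failed to parse rules file (\S+), error count (\d+)$')


def failed_yara_files(output):
    """Return {path: {"count": n, "reasons": {reason: [identifiers]}}} for rejected rule files."""
    details = defaultdict(lambda: defaultdict(list))
    failed = {}
    for line in output.splitlines():
        line = line.strip()
        m = RULE_ERR.match(line)
        if m:
            path, _lineno, reason, ident = m.groups()
            if ident not in details[path][reason]:
                details[path][reason].append(ident)
            continue
        m = FILE_ERR.match(line)
        if m:  # only files with a summary line count as failed
            path, count = m.group(1), int(m.group(2))
            failed[path] = {"count": count, "reasons": dict(details[path])}
    return failed


def report(output):
    """One human-readable line per rejected rule file, sorted by path."""
    lines = []
    for path, info in sorted(failed_yara_files(output).items()):
        why = "; ".join(f"{r}: {', '.join(ids)}" for r, ids in sorted(info["reasons"].items()))
        lines.append(f"{path} ({info['count']} errors) {why}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE)) or "no YARA rule files failed to load")
```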

shawniverson
Posts: 2761
Joined: 13 Jan 2014 23:30
Location: Rushville, Indiana, USA

Re: Email not being delivered - scanned multiple times

Post by shawniverson » 11 Jan 2017 23:19

I agree that MailScanner should be more resilient against that.

Unofficial sigs add to the memory overhead; it's possible you may need to boost the amount of memory in the host (this won't be apparent watching top).
Version eFa 4.0.0 RC3 now available in testing repo. Come join us in advancing eFa!

tjg88
Posts: 41
Joined: 24 Jan 2014 18:37

Re: Email not being delivered - scanned multiple times

Post by tjg88 » 24 Jan 2017 18:44

OP: I'm seeing this too. Was there a fix?

ashweb
Posts: 12
Joined: 05 Feb 2016 12:17

Re: Email not being delivered - scanned multiple times

Post by ashweb » 27 Jan 2017 15:34

I did a lot of work to "fix" the issue however an increase of RAM and removal of the signatures as mentioned fixed it.

cardins2u
Posts: 4
Joined: 05 Apr 2016 15:49

Re: Email not being delivered - scanned multiple times

Post by cardins2u » 28 Nov 2018 08:12

Recently I had this issue.

This post saved my life!!!

Lobout
Posts: 1
Joined: 28 Nov 2018 19:43

Re: Email not being delivered - scanned multiple times

Post by Lobout » 28 Nov 2018 19:53

I know this is from an old thread, but I can confirm that this issue has come back on build 3.0.2.6. As soon as I upgraded to this build I stopped getting email and clamd would not stay running. The process would start and then just stop. Tried cleaning up the databases and running freshclam. Once I reverted back to 3.0.2.5 everything works fine.

henk
Posts: 355
Joined: 14 Dec 2015 22:16
Location: Netherlands

Re: Email not being delivered - scanned multiple times

Post by henk » 28 Nov 2018 23:58

As for the mentioned yar(a) errors in this old post, you did read? viewtopic.php?f=13&t=2928&start=25
