Email not being delivered - scanned multiple times

Posted: 10 Jan 2017 13:40
by ashweb
We have used EFA for quite some time now with little to no issue; however, over the last few weeks we have experienced an issue where email gets "backed up" in the mail queue and EFA seems to scan mail multiple times, then categorises it as other?

Please see attachment.

Re: Email not being delivered - scanned multiple times

Posted: 10 Jan 2017 14:00
by ashweb
After a bit more digging it appears that clamd is not running and throwing errors:

[root@mx ~]# clamd
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 497 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 512 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 528 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 544 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 557 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 603 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 614 undefined identifier "pe"
LibClamAV Error: cli_loadyara: failed to parse rules file /var/lib/clamav/antidebug_antivm.yar, error count 7
LibClamAV Error: yyerror(): /var/lib/clamav/winnow_malware.yara line 65 duplicate identifier "CryptoWall_Resume_phish"
LibClamAV Error: yyerror(): /var/lib/clamav/winnow_malware.yara line 83 duplicate identifier "docx_macro"
LibClamAV Error: cli_loadyara: failed to parse rules file /var/lib/clamav/winnow_malware.yara, error count 2
[root@mx ~]# ps -A | grep clam
[root@mx ~]#

I have removed all of the databases from /var/lib/clamav then run freshclam to update - this downloaded 3 database files.

Overnight however the unofficial signatures were downloaded and the problem returned.

As a workaround I have commented out the files listed above in: /etc/clamav-unofficial-sigs/master.conf

MailScanner should stop processing messages when clamd is not running, as looking at the logs MailScanner seems to class all emails as viruses and deletes them as per the screenshot above - claiming "Other infection Y and MailScanner: Message attempted to kill MailScanner"
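
Added example, not part of the original posts: a small shell filter that reads clamd/LibClamAV startup output like the listing above and reports which signature files were rejected and why, so the files to exclude are identified from the log rather than by eye. The function names (`sample_log`, `failed_rule_files`, `error_reasons`) are hypothetical; the sample input is reproduced from the output quoted in this post.

```shell
#!/bin/sh
# Added example: summarise LibClamAV YARA load failures from clamd output.

# Sample input, reproduced from the clamd output quoted in the post above.
sample_log() {
cat <<'EOF'
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 497 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 512 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 528 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 544 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 557 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 603 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 614 undefined identifier "pe"
LibClamAV Error: cli_loadyara: failed to parse rules file /var/lib/clamav/antidebug_antivm.yar, error count 7
LibClamAV Error: yyerror(): /var/lib/clamav/winnow_malware.yara line 65 duplicate identifier "CryptoWall_Resume_phish"
LibClamAV Error: yyerror(): /var/lib/clamav/winnow_malware.yara line 83 duplicate identifier "docx_macro"
LibClamAV Error: cli_loadyara: failed to parse rules file /var/lib/clamav/winnow_malware.yara, error count 2
EOF
}

# Read LibClamAV output on stdin; print "<path> <error count>" for every
# rules file that cli_loadyara refused to load.
failed_rule_files() {
  sed -n 's/^LibClamAV Error: cli_loadyara: failed to parse rules file \(.*\), error count \([0-9][0-9]*\)$/\1 \2/p' | sort -u
}

# Read LibClamAV output on stdin; print "<count> <path>: <reason>" with the
# quoted identifier stripped, so each file shows one line per kind of error.
error_reasons() {
  sed -n 's/^LibClamAV Error: yyerror(): \(.*\) line [0-9][0-9]* \(.*\)$/\1|\2/p' |
    awk -F'|' '{ split($2, w, " \""); n[$1 ": " w[1]]++ }
               END { for (k in n) print n[k], k }' | sort
}

# Stand-alone run against the sample; on a live host, pipe the daemon's
# startup output or log into the same functions instead.
sample_log | failed_rule_files
sample_log | error_reasons
```
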

Re: Email not being delivered - scanned multiple times

Posted: 11 Jan 2017 23:19
by shawniverson
I agree that MailScanner should be more resilient against that.

Unofficial sigs add to the memory overhead; it's possible you may need to boost the amount of memory in the host (this won't be apparent watching top).

Re: Email not being delivered - scanned multiple times

Posted: 24 Jan 2017 18:44
by tjg88
OP: I'm seeing this too. Was there a fix?

Re: Email not being delivered - scanned multiple times

Posted: 27 Jan 2017 15:34
by ashweb
I did a lot of work to "fix" the issue; however, an increase of RAM and removal of the signatures as mentioned fixed it.

Re: Email not being delivered - scanned multiple times

Posted: 28 Nov 2018 08:12
by cardins2u
Recently I had this issue.

This post saved my life!!!

Re: Email not being delivered - scanned multiple times

Posted: 28 Nov 2018 19:53
by Lobout
I know this is from an old thread, but I can confirm that this issue has come back on build 3.0.2.6. As soon as I upgraded to this build I stopped getting email and clamd would not stay running. The process would start and then just stop. Tried cleaning up the databases and running freshclam. Once I reverted back to 3.0.2.5 everything works fine.

Re: Email not being delivered - scanned multiple times

Posted: 28 Nov 2018 23:58
by henk
As for the mentioned yar(a) errors in this old post, you did read? viewtopic.php?f=13&t=2928&start=25