Virus Scanning: Denial Of Service attack detected!

Bugs in eFa 4
pingu
Posts: 7
Joined: 10 Dec 2020 08:07

Re: Virus Scanning: Denial Of Service attack detected!

Post by pingu » 12 Feb 2021 11:18

Now I'm not sure what the issue really is...

I was observing my Efa-server about 30 minutes ago. I saw that the 'Milter Inbound' queue kept going up but nothing was being processed.
The 'per-minute traffic' graph totally flat lined.

I know that traffic was being sent to the Efa-server from another SMTP GW. So the traffic never stopped going to the Efa-server.

Yesterday I added an extra 10 GB (40 GB total) to the server and increased the child procs on MailScanner. However, it still seems to "hang".

This is what it looked like:
Mail Queues
Milter Inbound: 251
Milter Outbound: 0
Postfix Inbound: 0
Postfix Outbound: 1314

A few logs:

Code:

Feb 12 02:56:08 sc01 php[428463]: #3 /usr/bin/mailwatch/tools/Postfix_relay/mailwatch_postfix_relay.php(97): MtaLogProcessor->doit('cat /var/log/ma...')
Feb 12 02:56:08 sc01 php[428463]: #4 {main}
Feb 12 02:56:08 sc01 php[428463]:  thrown in /var/www/html/mailscanner/functions.php on line 1047
Feb 12 02:56:08 sc01 php[428463]: cat: write error: Broken pipe
Feb 12 02:56:08 sc01 systemd[1]: postfix_relay.service: Main process exited, code=exited, status=255/n/a
Feb 12 02:56:08 sc01 systemd[1]: postfix_relay.service: Failed with result 'exit-code'.
Feb 12 02:56:08 sc01 systemd[1]: postfix_relay.service: Service RestartSec=100ms expired, scheduling restart.
Feb 12 02:56:08 sc01 systemd[1]: postfix_relay.service: Scheduled restart job, restart counter is at 161.
Feb 12 02:56:08 sc01 systemd[1]: Stopped Postfix relay service for MailWatch.
Feb 12 02:56:08 sc01 systemd[1]: Started Postfix relay service for MailWatch.

Mysql stats at the time:

Code:

+--------+-------------+-----------+-------------+---------+------+--------------------------+------------------------------------------------------------------------------------------------------+----------+
| Id     | User        | Host      | db          | Command | Time | State                    | Info                                                                                                 | Progress |
+--------+-------------+-----------+-------------+---------+------+--------------------------+------------------------------------------------------------------------------------------------------+----------+
| 1      | system user |           |             | Daemon  |      | InnoDB purge coordinator |                                                                                                      | 0.000    |
| 2      | system user |           |             | Daemon  |      | InnoDB purge worker      |                                                                                                      | 0.000    |
| 3      | system user |           |             | Daemon  |      | InnoDB purge worker      |                                                                                                      | 0.000    |
| 4      | system user |           |             | Daemon  |      | InnoDB purge worker      |                                                                                                      | 0.000    |
| 5      | system user |           |             | Daemon  |      | InnoDB shutdown handler  |                                                                                                      | 0.000    |
| 17     | mailwatch   | localhost | mailscanner | Sleep   | 1    |                          |                                                                                                      | 0.000    |
| 109524 | mailwatch   | localhost | mailscanner | Query   | 0    | Commit                   | REPLACE INTO mtalog (`timestamp`,`host`,`type`,`msg_id`,`relay`,`dsn`,`status`,`delay`) VALUES (FROM | 0.000    |
| 109845 | root        | localhost |             | Query   | 0    | Init                     | show processlist                                                                                     | 0.000    |
+--------+-------------+-----------+-------------+---------+------+--------------------------+------------------------------------------------------------------------------------------------------+----------+

Maillog:

Code:

Feb 12 03:04:28 sc01 postfix/smtp[2243]: connect to nds.g.fedex.com[204.135.226.228]:25: Connection timed out
Feb 12 03:04:28 sc01 postfix/smtp[2255]: connect to nds.g.fedex.com[204.135.226.228]:25: Connection timed out
Feb 12 03:04:28 sc01 postfix/smtp[2252]: connect to nds.g.fedex.com[204.135.227.123]:25: Connection timed out
Feb 12 03:04:28 sc01 postfix/smtp[2251]: connect to nds.g.fedex.com[204.135.226.227]:25: Connection timed out
Feb 12 03:04:28 sc01 postfix/smtp[2227]: connect to mx04.movistar.com.ar[200.49.206.138]:25: Connection timed out
Feb 12 03:04:28 sc01 postfix/smtp[2230]: connect to mx03.movistar.com.ar[200.49.206.137]:25: Connection timed out
Feb 12 03:04:30 sc01 postfix/smtp[2234]: connect to nds.g.fedex.com[204.135.227.124]:25: Connection timed out
Feb 12 03:04:30 sc01 postfix/smtp[2239]: connect to mx3.mms.optus.com.au[61.88.190.23]:25: Connection timed out
Feb 12 03:04:30 sc01 postfix/smtp[2245]: connect to mx3.mms.optus.com.au[61.88.190.23]:25: Connection timed out
Feb 12 03:04:30 sc01 postfix/smtp[2236]: connect to gmaiil.com[208.73.210.217]:25: Connection timed out
Feb 12 03:04:30 sc01 postfix/smtp[2248]: connect to nds.g.fedex.com[204.135.227.123]:25: Connection timed out

I rebooted the system, waited about 10 minutes, and the email finally left the 'Milter Inbound' queue.

Any ideas on where I can look next, or what might be causing this?

nicola.piazzi
Posts: 372
Joined: 23 Apr 2015 09:45

Re: Virus Scanning: Denial Of Service attack detected!

Post by nicola.piazzi » 15 Feb 2021 08:28

To find the problem we can use
grep "Denial of Service" /var/log/maillog
Now my log is clean of these errors because I used no unofficial databases this weekend.

Now I have started with a limited set of unofficial DBs and am monitoring for errors to find the offending DB using my traffic.

This is my first test package:

[root@EFA42 clamav]# clamscan --debug 2>&1 /dev/null | grep "loaded"
LibClamAV debug: /var/lib/clamav/securiteinfo.ign2 loaded
LibClamAV debug: daily.info loaded
LibClamAV debug: daily.cfg loaded
LibClamAV debug: daily.hsb loaded
LibClamAV debug: daily.msb loaded
LibClamAV debug: daily.ndb loaded
LibClamAV debug: daily.idb loaded
LibClamAV debug: daily.fp loaded
LibClamAV debug: daily.sfp loaded
LibClamAV debug: daily.pdb loaded
LibClamAV debug: daily.wdb loaded
LibClamAV debug: daily.crb loaded
LibClamAV debug: daily.cdb loaded
LibClamAV debug: cli_loadftm: File type signature for PNG not loaded (required f-level: 122)
LibClamAV debug: cli_loadftm: File type signature for GIF not loaded (required f-level: 122)
LibClamAV debug: cli_loadftm: File type signature for JPEG not loaded (required f-level: 122)
LibClamAV debug: cli_loadftm: File type signature for TIFF Little Endian not loaded (required f-level: 122)
LibClamAV debug: cli_loadftm: File type signature for TIFF Big Endian not loaded (required f-level: 122)
LibClamAV debug: daily.ftm loaded
LibClamAV debug: daily.mdb loaded
LibClamAV debug: daily.ign loaded
LibClamAV debug: daily.ign2 loaded
LibClamAV debug: daily.hdb loaded
LibClamAV debug: daily.ldb loaded
LibClamAV debug: /var/lib/clamav/daily.cld loaded
LibClamAV debug: main.info loaded
LibClamAV debug: main.hdb loaded
LibClamAV debug: main.hsb loaded
LibClamAV debug: main.mdb loaded
LibClamAV debug: main.msb loaded
LibClamAV debug: main.ndb loaded
LibClamAV debug: main.fp loaded
LibClamAV debug: main.sfp loaded
LibClamAV debug: main.crb loaded
LibClamAV debug: /var/lib/clamav/main.cvd loaded
LibClamAV debug: bytecode.info loaded
LibClamAV debug: /var/lib/clamav/bytecode.cvd loaded
LibClamAV debug: /var/lib/clamav/securiteinfoascii.hdb loaded
LibClamAV debug: /var/lib/clamav/securiteinfopdf.hdb loaded
LibClamAV debug: /var/lib/clamav/securiteinfo.hdb loaded
LibClamAV debug: /var/lib/clamav/securiteinfoandroid.hdb loaded
LibClamAV debug: /var/lib/clamav/securiteinfohtml.hdb loaded
LibClamAV debug: /var/lib/clamav/securiteinfoold.hdb loaded
LibClamAV debug: /var/lib/clamav/javascript.ndb loaded
LibClamAV debug: /var/lib/clamav/spam_marketing.ndb loaded


Loaded 12827668 signatures.
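
As an added example of the per-database isolation described above (not eFa's, MailScanner's or the poster's own code): the script below scans the same sample once per signature file and ranks the databases by scan time, so a rule set that makes clamscan crawl, and MailScanner time out, stands out. It assumes clamscan is on PATH and a saved copy of a message that previously hit the timeout; all function names are the example's own, and the scan callable is injectable so the ranking logic can be checked without ClamAV installed.

```python
"""Time one clamscan run per signature database to find the slow one."""
import glob
import os
import subprocess
import time

# Signature-bearing file types that clamscan accepts on their own via -d.
DB_EXTENSIONS = (".cvd", ".cld", ".ndb", ".hdb", ".hsb", ".mdb", ".msb",
                 ".ldb", ".cdb", ".db", ".yara", ".yar")


def list_databases(db_dir):
    """All signature files in db_dir, sorted so runs are reproducible."""
    return sorted(p for p in glob.glob(os.path.join(db_dir, "*"))
                  if p.endswith(DB_EXTENSIONS))


def scan_with_db(db_path, sample, timeout=60.0, clamscan="clamscan"):
    """Scan `sample` using only `db_path`; return (seconds, rc, timed_out).
    clamscan exit codes: 0 clean, 1 infected, 2 error; rc is None on timeout."""
    start = time.monotonic()
    try:
        proc = subprocess.run([clamscan, "--no-summary", "-d", db_path, sample],
                              capture_output=True, text=True, timeout=timeout)
        rc, timed_out = proc.returncode, False
    except subprocess.TimeoutExpired:
        rc, timed_out = None, True
    return time.monotonic() - start, rc, timed_out


def rank_databases(db_paths, sample, scan=scan_with_db, **scan_kwargs):
    """Scan once per database; return results with timed-out/slowest first."""
    results = []
    for db in db_paths:
        seconds, rc, timed_out = scan(db, sample, **scan_kwargs)
        results.append({"db": os.path.basename(db), "seconds": round(seconds, 2),
                        "rc": rc, "timed_out": timed_out})
    results.sort(key=lambda r: (not r["timed_out"], -r["seconds"]))
    return results


def suspects(results, max_seconds):
    """Databases that timed out or exceeded the per-scan budget. Keep the budget
    well below MailScanner's scanner timeout: a real batch loads every DB at once."""
    return [r["db"] for r in results if r["timed_out"] or r["seconds"] > max_seconds]


if __name__ == "__main__":
    import sys
    sample = sys.argv[1]  # saved copy of a message that hit the timeout
    db_dir = sys.argv[2] if len(sys.argv) > 2 else "/var/lib/clamav"
    ranked = rank_databases(list_databases(db_dir), sample)
    for r in ranked:
        flag = "TIMEOUT " if r["timed_out"] else ""
        print(f"{r['seconds']:8.2f}s  rc={r['rc']}  {flag}{r['db']}")
    print("suspects:", suspects(ranked, max_seconds=30))
```

Run it as `python3 rank_dbs.py /path/to/slow-message.eml` on the mail gateway; a yara or ldb file that alone takes tens of seconds is the one to drop from the unofficial-sigs set.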

nicola.piazzi

Re: Virus Scanning: Denial Of Service attack detected!

Post by nicola.piazzi » 15 Feb 2021 16:22

I still have NO problem (grep "Denial of Service" /var/log/maillog at 0).
I am using databases from this full default list:

-rw-r--r-- 1 clamupdate clamupdate 98869 Feb 9 08:47 badmacro.ndb
-rw-r--r-- 1 clamupdate clamupdate 476644 Feb 14 21:08 blurl.ndb
-rw-r--r--. 1 clamupdate clamupdate 3448 Feb 2 10:04 bofhland_cracked_URL.ndb
-rw-r--r--. 1 clamupdate clamupdate 106247 Feb 2 10:04 bofhland_malware_attach.hdb
-rw-r--r--. 1 clamupdate clamupdate 610 Feb 2 10:04 bofhland_malware_URL.ndb
-rw-r--r--. 1 clamupdate clamupdate 9676 Feb 2 10:04 bofhland_phishing_URL.ndb

-rw-r--r--. 1 clamupdate clamupdate 296388 Feb 2 10:56 bytecode.cvd
-rw-r--r-- 1 clamupdate clamupdate 329465344 Feb 14 18:33 daily.cld

-rw-r--r--. 1 clamupdate clamupdate 226541 Oct 15 10:11 foxhole_filename.cdb
-rw-r--r--. 1 clamupdate clamupdate 51865 Sep 11 12:09 foxhole_generic.cdb
-rw-r--r--. 1 clamupdate clamupdate 3888 Aug 18 2017 foxhole_js.cdb
-rw-r--r--. 1 clamupdate clamupdate 230 Nov 21 2016 foxhole_js.ndb

-rw-r--r--. 1 clamupdate clamupdate 48176 Aug 5 2015 hackingteam.hsb
-rw-r--r--. 1 clamupdate clamupdate 3336651 Feb 1 19:22 interserver256.hdb
-rw-r--r--. 1 clamupdate clamupdate 121277 Feb 1 19:28 interservertopline.db

-rw-r--r--. 1 clamupdate clamupdate 15697989 Feb 2 15:14 javascript.ndb
-rw-r--r-- 1 clamupdate clamupdate 7512745 Feb 12 10:08 junk.ndb
-rw-r--r-- 1 clamupdate clamupdate 224394 Feb 15 06:09 jurlbla.ndb
-rw-r--r-- 1 clamupdate clamupdate 349119 Feb 15 00:08 jurlbl.ndb

-rw-r--r--. 1 clamupdate clamupdate 245189 Oct 3 2019 lott.ndb
-rw-r--r--. 1 clamupdate clamupdate 117859675 Feb 2 10:56 main.cvd
-rw-r--r--. 1 clamupdate clamupdate 73808 Jun 29 2017 malwarehash.hsb
-rw-r--r-- 1 clamupdate clamupdate 102990 Feb 12 16:29 malwarepatrol.db

-rw-r--r--. 1 clamupdate clamupdate 599208 Feb 2 10:07 MiscreantPunch099-Low.ldb
-rw-r--r-- 1 clamupdate clamupdate 4141430 Feb 9 17:06 phish.ndb
-rw-r--r-- 1 clamupdate clamupdate 1488153 Feb 15 06:00 phishtank.ndb
-rw-r--r-- 1 clamupdate clamupdate 9043 Feb 15 03:00 porcupine.hsb
-rw-r--r-- 1 clamupdate clamupdate 640354 Feb 15 06:00 porcupine.ndb
-rw-r--r--. 1 clamupdate clamupdate 865676 Feb 1 07:13 rfxn.hdb
-rw-r--r--. 1 clamupdate clamupdate 451958 Feb 1 07:11 rfxn.ndb
-rw-r--r--. 1 clamupdate clamupdate 410441 Aug 17 15:11 rfxn.yara
-rw-r--r-- 1 clamupdate clamupdate 61744 Feb 15 01:09 rogue.hdb

-rw-r--r--. 1 clamupdate clamupdate 11098 Oct 18 2016 sanesecurity.ftm
-rw-r--r--. 1 clamupdate clamupdate 1462 Jul 1 2015 Sanesecurity_sigtest.yara
-rw-r--r--. 1 clamupdate clamupdate 1233 Feb 22 2016 Sanesecurity_spam.yara

-rw-r--r--. 1 clamupdate clamupdate 108 Nov 16 10:09 scamnailer.ndb
-rw-r--r--. 1 clamupdate clamupdate 1926133 Jan 19 21:09 scam.ndb
-rw-r--r--. 1 clamupdate clamupdate 7646557 Feb 2 15:14 securiteinfoandroid.hdb
-rw-r--r-- 1 clamupdate clamupdate 7892996 Feb 15 06:34 securiteinfoascii.hdb
-rw-r--r-- 1 clamupdate clamupdate 13343136 Feb 15 08:34 securiteinfo.hdb
-rw-r--r-- 1 clamupdate clamupdate 6229958 Feb 15 06:34 securiteinfohtml.hdb
-rw-r--r--. 1 clamupdate clamupdate 5084 Feb 2 15:13 securiteinfo.ign2
-rw-r--r--. 1 clamupdate clamupdate 313759283 Feb 2 15:14 securiteinfoold.hdb
-rw-r--r--. 1 clamupdate clamupdate 281588 Feb 2 15:15 securiteinfopdf.hdb
-rw-r--r--. 1 clamupdate clamupdate 7331 Dec 31 14:11 shelter.ldb
-rw-r--r--. 1 clamupdate clamupdate 285 Jan 4 14:08 sigwhitelist.ign2
-rw-r--r--. 1 clamupdate clamupdate 1391 Apr 28 2017 spamattach.hdb
-rw-r--r--. 1 clamupdate clamupdate 19212 Nov 6 10:12 spamimg.hdb

-rw-r--r--. 1 clamupdate clamupdate 556 May 5 2017 spam.ldb
-rw-r--r-- 1 clamupdate clamupdate 1982139 Feb 15 08:34 spam_marketing.ndb
-rw-r--r--. 1 clamupdate clamupdate 115 Nov 27 2018 spearl.ndb
-rw-r--r--. 1 clamupdate clamupdate 115 Feb 2 10:07 spear.ndb
-rw-r--r-- 1 clamupdate clamupdate 1004405 Feb 15 07:52 urlhaus.ndb
-rw-r--r--. 1 clamupdate clamupdate 174317 Feb 1 19:29 whitelist.fp
-rw-r--r--. 1 clamupdate clamupdate 14825 Jul 16 2018 winnow.attachments.hdb
-rw-r--r--. 1 clamupdate clamupdate 66 Mar 5 2018 winnow_bad_cw.hdb
-rw-r--r--. 1 clamupdate clamupdate 660 Mar 5 2018 winnow.complex.patterns.ldb
-rw-r--r--. 1 clamupdate clamupdate 16271 Mar 5 2018 winnow_extended_malware.hdb
-rw-r--r--. 1 clamupdate clamupdate 159 Mar 5 2018 winnow_extended_malware_links.ndb
-rw-r--r--. 1 clamupdate clamupdate 18189 Mar 5 2018 winnow_malware.hdb
-rw-r--r--. 1 clamupdate clamupdate 14709 Nov 26 2019 winnow_malware_links.ndb
-rw-r--r--. 1 clamupdate clamupdate 6577 Nov 13 2018 winnow_phish_complete_url.ndb
-rw-r--r--. 1 clamupdate clamupdate 2768 Nov 14 2018 winnow_spam_complete.ndb

nicola.piazzi

Re: Virus Scanning: Denial Of Service attack detected!

Post by nicola.piazzi » 16 Feb 2021 09:37

I got this this morning:
Feb 16 10:04:08 EFA42 MailScanner[470406]: Viruses marked as silent: Denial of Service attack in message!

Now I am trying to disable the yara rules that I suspect, and wait ....
enable_yararules="no"
/usr/sbin/clamav-unofficial-sigs.sh
Removing unused file: /var/lib/clamav-unofficial-sigs/dbs-ss/Sanesecurity_sigtest.yara
Removing unused file: /var/lib/clamav/Sanesecurity_sigtest.yara
Removing unused file: /var/lib/clamav-unofficial-sigs/dbs-ss/Sanesecurity_spam.yara
Removing unused file: /var/lib/clamav/Sanesecurity_spam.yara
Removing unused file: /var/lib/clamav-unofficial-sigs/dbs-lmd/rfxn.yara
Removing unused file: /var/lib/clamav/rfxn.yara

shawniverson
Posts: 3398
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: Virus Scanning: Denial Of Service attack detected!

Post by shawniverson » 16 Feb 2021 14:02

Great work! Keep us posted, eager to make adjustments needed for everyone's sake.

nicola.piazzi

Re: Virus Scanning: Denial Of Service attack detected!

Post by nicola.piazzi » 16 Feb 2021 14:58

I put enable_yararules="no" 6 hours ago and I have no more denials.
6 hours is not enough, but I am confident that it can be a yara problem.

Consider that when it gives the problem, the CPU of clam goes to more than 100%.

nicola.piazzi

Re: Virus Scanning: Denial Of Service attack detected!

Post by nicola.piazzi » 17 Feb 2021 07:33

With enable_yararules="yes" I got a "Viruses marked as silent: Denial of Service attack in message!" yesterday.
With enable_yararules="no" I have had no more messages for 24h.

I think that the problem is yara, but I don't know which yara database is involved.
These are the yaras removed by the flag:
Removing unused file: /var/lib/clamav-unofficial-sigs/dbs-ss/Sanesecurity_sigtest.yara
Removing unused file: /var/lib/clamav/Sanesecurity_sigtest.yara
Removing unused file: /var/lib/clamav-unofficial-sigs/dbs-ss/Sanesecurity_spam.yara
Removing unused file: /var/lib/clamav/Sanesecurity_spam.yara
Removing unused file: /var/lib/clamav-unofficial-sigs/dbs-lmd/rfxn.yara
Removing unused file: /var/lib/clamav/rfxn.yara

In my install I stay with yara removed.

shawniverson

Re: Virus Scanning: Denial Of Service attack detected!

Post by shawniverson » 17 Feb 2021 10:19

I'm going to disable yara in the next update then with that directive.

nicola.piazzi

Re: Virus Scanning: Denial Of Service attack detected!

Post by nicola.piazzi » 18 Feb 2021 07:56

No more problems after disabling YARA .....

[root@EFA42 spamassassin]# grep "Denial of Service" /var/log/maillog
Feb 16 10:04:08 EFA42 MailScanner[470406]: Viruses marked as silent: Denial of Service attack in message!

shawniverson

Re: Virus Scanning: Denial Of Service attack detected!

Post by shawniverson » 20 Feb 2021 00:55

I'm going to disable then in the next update.

Citabria79
Posts: 22
Joined: 02 Mar 2019 17:04

Re: Virus Scanning: Denial Of Service attack detected!

Post by Citabria79 » 12 Mar 2021 16:19

Where did you put enable_yararules="no" exactly? I still appear to have the same issue.

shawniverson

Re: Virus Scanning: Denial Of Service attack detected!

Post by shawniverson » 13 Mar 2021 15:03

/etc/clamav-unofficial-sigs/master.conf

Citabria79

Re: Virus Scanning: Denial Of Service attack detected!

Post by Citabria79 » 13 Mar 2021 21:06

shawniverson wrote (13 Mar 2021 15:03):
    /etc/clamav-unofficial-sigs/master.conf

Thanks!

trident
Posts: 2
Joined: 28 Feb 2020 19:50

Re: Virus Scanning: Denial Of Service attack detected!

Post by trident » 28 Mar 2021 18:27

I did the change to disable yara.
It is a lot better, but I did get two emails that were denial of service.
This time I am not worried about them, but I am still worried if it happens too many times on emails I need.

What do I need to change in mailscanner.conf to save silent viruses in order to quarantine them?
I think if I got that I would be happy then.
Thanks,
Trident

ericcox
Posts: 3
Joined: 01 Apr 2021 20:00

Re: Virus Scanning: Denial Of Service attack detected!

Post by ericcox » 02 Apr 2021 20:01

I ran into this problem about the same time as OP, and I found that ClamAV simply didn't have enough memory to work with. I noticed that sometimes it would have a problem with a test attachment (an empty zip file), but then I would send the same attachment through it an hour later, and it was fine. I think the problem came about because I had barely enough RAM to run ClamAV properly, and when ClamAV updated its virus definitions, suddenly it hit a hard limit which slowed it down dramatically. When MailScanner times out while waiting for ClamAV, it assumes it has crashed, and the most likely and safest assumption is a DoS attack.

Switching to a VM with twice the memory fixed it right away.
