I have some issues with the virus detection, running latest EFA version, EFA-3.0.1.5.
According to /var/log/clamav/clamd.log it detects viruses:
Wed Nov 23 00:51:10 2016 -> /var/spool/MailScanner/incoming/2551/6A1E5120251.A64CF/ntax_sokieffe.zip: Sanesecurity.Malware.26461.JsHeur.UNOFFICIAL FOUND
But the e-mails are still passing through and not marked as having a virus on the web administration:
Seems like ClamAV is not letting MailScanner know that the e-mails have viruses? Anyone know a solution to this issue?
Virus detection
Re: Virus detection
Seems like this was related to the sticky topic above, viewtopic.php?f=13&t=1817
Solution was:
Code:
usermod clam -G mtagroup
usermod clamav -G mtagroup
Not sure if both commands were needed, but it seems like it sorted out the problem.
Re: Virus detection
Seems like it's still not catching all messages.
According to clamd.log it detects the viruses:
Thu Nov 24 00:11:09 2016 -> /var/spool/MailScanner/incoming/17061/A020D123C45.A4433/nreceipt_graduates.zip: Sanesecurity.Foxhole.Zip_JsNum.v2.UNOFFICIAL FOUND
Thu Nov 24 00:15:55 2016 -> /var/spool/MailScanner/incoming/9439/46653123C45.A65DC/nDSCF1028.zip: Sanesecurity.Malware.26485.JsHeur.UNOFFICIAL FOUND
Webinterface says virus "N", as posted in image in first post.
Is there any other known bug that causes this issue? Not sure how to proceed finding the cause of this.
- shawniverson
Re: Virus detection
/etc/MailScanner/MailScanner.conf
Code:
# This defines which virus reports from your virus scanners are really the
# names of "spam-viruses" as described in the "Spam-Virus Header" section
# above. This is a space-separated list of strings which can contain "*"
# wildcards to mean "any string of characters", and which will match the
# whole name of the virus reported by your virus scanner. So for example
# "HTML/*" will match all virus names which start with the string "HTML/".
# The supplied example is suitable for F-Prot6 and the SaneSecurity
# databases for ClamAV. The test is case-sensitive.
# This cannot be a ruleset, it must be a simple value as described.
Virus Names Which Are Spam = Sane*UNOFFICIAL HTML/* *Phish*
Re: Virus detection
Yay!
Thu Nov 24 00:55:29 2016 -> /var/spool/MailScanner/incoming/2880/72DF31238E5.A1A3B/nreceipt_shuaburman.zip: Sanesecurity.Malware.26490.JsHeur.UNOFFICIAL FOUND
Thu Nov 24 00:55:56 2016 -> /var/spool/MailScanner/incoming/2431/B8D131238E5.AE917/nreceipt_kcox.zip: Sanesecurity.Malware.26490.JsHeur.UNOFFICIAL FOUND
Thu Nov 24 00:56:26 2016 -> /var/spool/MailScanner/incoming/2431/E0FCB1238E5.A5F30/nreceipt_gba.zip: Sanesecurity.Malware.26490.JsHeur.UNOFFICIAL FOUND
Those were just detected now, and blocked.
I just removed "Sane*UNOFFICIAL" from that list. But is it recommended that "HTML/*" and "*Phish*" are still included in that option?
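To check which ClamAV detections a given "Virus Names Which Are Spam" value would catch, the following added example (not part of the thread and not MailScanner's own code) parses clamd.log FOUND lines and applies the matching rules described in the config comment above: only "*" is a wildcard, the whole name must match, and the test is case-sensitive. The third log line and the names `classify`, `BEFORE` and `AFTER` are constructed for illustration.

```python
import re

# Sample clamd.log text: the first two lines are from the thread,
# the third is a constructed non-Sanesecurity detection for contrast.
CLAMD_LOG = """\
Thu Nov 24 00:11:09 2016 -> /var/spool/MailScanner/incoming/17061/A020D123C45.A4433/nreceipt_graduates.zip: Sanesecurity.Foxhole.Zip_JsNum.v2.UNOFFICIAL FOUND
Thu Nov 24 00:15:55 2016 -> /var/spool/MailScanner/incoming/9439/46653123C45.A65DC/nDSCF1028.zip: Sanesecurity.Malware.26485.JsHeur.UNOFFICIAL FOUND
Thu Nov 24 00:20:00 2016 -> /var/spool/MailScanner/incoming/1/AAAA.B/sample.zip: Win.Trojan.Example-1 FOUND
"""

# The setting as shipped, and after removing Sane*UNOFFICIAL as done in the thread.
BEFORE = "Virus Names Which Are Spam = Sane*UNOFFICIAL HTML/* *Phish*"
AFTER = "Virus Names Which Are Spam = HTML/* *Phish*"

FOUND_RE = re.compile(r"^.+? -> .+: (?P<sig>\S+) FOUND$")


def parse_patterns(conf_line):
    """Return the space-separated pattern list from a 'key = value' line."""
    return conf_line.split("=", 1)[1].split()


def compile_pattern(pattern):
    """Translate a pattern where only '*' is special into a regex."""
    return re.compile(".*".join(re.escape(part) for part in pattern.split("*")))


def classify(log_text, conf_line):
    """Map each detected signature name to the first pattern it matches, or None."""
    rules = [(p, compile_pattern(p)) for p in parse_patterns(conf_line)]
    result = {}
    for line in log_text.splitlines():
        m = FOUND_RE.match(line)
        if not m:
            continue
        sig = m.group("sig")
        # fullmatch: the pattern must cover the whole virus name, case-sensitively.
        result[sig] = next((p for p, rx in rules if rx.fullmatch(sig)), None)
    return result


if __name__ == "__main__":
    for label, conf in (("before", BEFORE), ("after", AFTER)):
        for sig, pat in classify(CLAMD_LOG, conf).items():
            print(f"{label}: {sig} -> {pat or 'no match'}")
```

A signature that maps to a pattern falls under the "spam-virus" handling the config comment refers to; one that maps to no pattern does not.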