Email not being delivered - scanned multiple times

ashweb
Posts: 13
Joined: 05 Feb 2016 12:17

Email not being delivered - scanned multiple times

Post by ashweb »

We have used EFA for quite some time now with little to no issue; however, over the last few weeks we have experienced an issue where email gets "backed up" in the mail queue and EFA seems to scan mail multiple times, then categorises it as other?

Please see attachment.
Attachments
efa_error.png (130.15 KiB)
ashweb
Posts: 13
Joined: 05 Feb 2016 12:17

Re: Email not being delivered - scanned multiple times

Post by ashweb »

After a bit more digging, it appears that clamd is not running and is throwing errors:

[root@mx ~]# clamd
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 497 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 512 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 528 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 544 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 557 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 603 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 614 undefined identifier "pe"
LibClamAV Error: cli_loadyara: failed to parse rules file /var/lib/clamav/antidebug_antivm.yar, error count 7
LibClamAV Error: yyerror(): /var/lib/clamav/winnow_malware.yara line 65 duplicate identifier "CryptoWall_Resume_phish"
LibClamAV Error: yyerror(): /var/lib/clamav/winnow_malware.yara line 83 duplicate identifier "docx_macro"
LibClamAV Error: cli_loadyara: failed to parse rules file /var/lib/clamav/winnow_malware.yara, error count 2
[root@mx ~]# ps -A | grep clam
[root@mx ~]#

I have removed all of the databases from /var/lib/clamav then run freshclam to update - this downloaded 3 database files.

Overnight however the unofficial signatures were downloaded and the problem returned.

As a workaround I have commented out the files listed above in: /etc/clamav-unofficial-sigs/master.conf

MailScanner should stop processing messages when clamd is not running, as looking at the logs MailScanner seems to class all emails as viruses and delete them as per the screenshot above - claiming "Other infection Y and MailScanner: Message attempted to kill MailScanner" :oops:
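
An added example, not part of the original posts or of EFA's own tooling: a small Python parser that groups the LibClamAV errors quoted in the post above by rules file, so the files clamd rejected can be identified before they are disabled in /etc/clamav-unofficial-sigs/master.conf. The function names are hypothetical and the sample lines are copied from the post.

```python
import re
from collections import defaultdict

# Sample input: the clamd error lines quoted in the post above.
SAMPLE = """\
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 497 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 512 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 528 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 544 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 557 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 603 undefined identifier "pe"
LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 614 undefined identifier "pe"
LibClamAV Error: cli_loadyara: failed to parse rules file /var/lib/clamav/antidebug_antivm.yar, error count 7
LibClamAV Error: yyerror(): /var/lib/clamav/winnow_malware.yara line 65 duplicate identifier "CryptoWall_Resume_phish"
LibClamAV Error: yyerror(): /var/lib/clamav/winnow_malware.yara line 83 duplicate identifier "docx_macro"
LibClamAV Error: cli_loadyara: failed to parse rules file /var/lib/clamav/winnow_malware.yara, error count 2
"""

YYERROR = re.compile(r"^LibClamAV Error: yyerror\(\): (?P<path>\S+) line (?P<line>\d+) (?P<msg>.+)$")
LOADFAIL = re.compile(r"^LibClamAV Error: cli_loadyara: failed to parse rules file (?P<path>\S+), error count (?P<count>\d+)$")

def summarise(output):
    """Group YARA parse errors by rules file and record the loader's error count."""
    files = defaultdict(lambda: {"errors": [], "reported": None})
    for raw in output.splitlines():
        line = raw.strip()
        m = YYERROR.match(line)
        if m:
            files[m["path"]]["errors"].append((int(m["line"]), m["msg"]))
            continue
        m = LOADFAIL.match(line)
        if m:
            files[m["path"]]["reported"] = int(m["count"])
    return dict(files)

def rejected_files(summary):
    """Rules files that cli_loadyara failed to parse (candidates to disable)."""
    return sorted(p for p, info in summary.items() if info["reported"] is not None)

def kinds(info):
    """Distinct error types for one file, with the quoted identifier stripped."""
    return sorted({msg.split(' "')[0] for _, msg in info["errors"]})

if __name__ == "__main__":
    summary = summarise(SAMPLE)
    for path in rejected_files(summary):
        info = summary[path]
        print(path, info["reported"], len(info["errors"]), kinds(info))
```
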
shawniverson
Posts: 3644
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: Email not being delivered - scanned multiple times

Post by shawniverson »

I agree that MailScanner should be more resilient against that.

Unofficial sigs add to the memory overhead; it's possible you may need to boost the amount of memory in the host (this won't be apparent watching top).
tjg88

Re: Email not being delivered - scanned multiple times

Post by tjg88 »

OP: I'm seeing this too. Was there a fix?
ashweb
Posts: 13
Joined: 05 Feb 2016 12:17

Re: Email not being delivered - scanned multiple times

Post by ashweb »

I did a lot of work to "fix" the issue; however, an increase of RAM and removal of the signatures as mentioned fixed it.
cardins2u
Posts: 4
Joined: 05 Apr 2016 15:49

Re: Email not being delivered - scanned multiple times

Post by cardins2u »

Recently I had this issue.

This post saved my life!!!
Lobout
Posts: 3
Joined: 28 Nov 2018 19:43

Re: Email not being delivered - scanned multiple times

Post by Lobout »

I know this is from an old thread, but I can confirm that this issue has come back on build 3.0.2.6. As soon as I upgraded to this build I stopped getting email and clamd would not stay running. The process would start and then just stop. Tried cleaning up the databases and running freshclam. Once I reverted back to 3.0.2.5 everything works fine.
henk
Posts: 517
Joined: 14 Dec 2015 22:16
Location: Netherlands

Re: Email not being delivered - scanned multiple times

Post by henk »

As for the mentioned yar(a) errors in this old post, you did read? viewtopic.php?f=13&t=2928&start=25
“We are stuck with technology when what we really want is just stuff that works.” -Douglas Adams