Virus Scanning rule doesnt work

Bugs in eFa 4
Virus Scanning rule doesnt work

Post by nicola.piazzi » 08 Jan 2021 17:07

Latest eFa

Now I am using it for outbound only, so I have all messages that I don't want to scan.

If I put Virus Scanning = no, I see that there is no clamd activity load with the top command.

If I put Virus Scanning = %rules-dir%/scan.messages.virus.rules, I see the same activity as with Virus Scanning = yes.

I configured scan.messages.virus.rules in several modes:
From: 10.1.1.126 no
FromOrTo: default yes

Re: Virus Scanning rule doesnt work

Post by smyers119 » 08 Jan 2021 17:37

Did you restart MailScanner after making the changes?

What happens if you do the below?

From: 10.1.1.0/24 no
FromOrTo: default yes

Re: Virus Scanning rule doesnt work

Post by nicola.piazzi » 11 Jan 2021 08:09

I tried this, only negating in the rule file:

vi /etc/MailScanner/rules/scan.messages.virus.rules
FromOrTo: default no

But clamd also runs:

PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
2622 clamscan 20 0 2784356 1.7g 6940 S 23.7 14.7 1:20.26 clamd
1500 mysql 20 0 3496500 184128 19692 S 12.7 1.5 0:04.28 mysqld
4015 postfix 20 0 330656 162976 6644 S 5.0 1.3 0:00.15 MailScanner: ch


The only way to have clamd not running is to negate Virus Scanning with Virus Scanning = no.
Using a ruleset is impossible.

Re: Virus Scanning rule doesnt work

Post by nicola.piazzi » 11 Jan 2021 16:19

MailScanner version 5.3.4

In MailScanner.conf I put the directive to use the default rule file:
Virus Scanning = %rules-dir%/scan.messages.virus.rules

This file contains 10., which is the prefix of the mail server that sends mail to MailScanner; no other clients are sending mail to this MailScanner at the moment!
/etc/MailScanner/rules/scan.messages.virus.rules
From: 10. no
FromOrTo: default yes

In this way MailScanner must bypass scanning of email from my server, which is 10.1.1.126
(I also tried “From: 10.1.1.126 no” and I also tried a fixed-path rule file)

I set clamd to log clean files too and tail the log to see messages being processed:
/etc/clamd.d/scan.conf
LogClean yes
[root@EFA42 ~]# tail -f /var/log/clamd.scan
/var/spool/MailScanner/incoming/22415/4DDzJb4tmszlfdyn/nmsg-22415-15.txt: OK
/var/spool/MailScanner/incoming/22415/4DDzJb4tmszlfdyn.header: OK
/var/spool/MailScanner/incoming/22415/4DDzJb4tmszlfdyn/nmsg-22415-16.txt: OK
/var/spool/MailScanner/incoming/22415/4DDzJb4tmszlfdyn/nwinmail.dat: OK
Etc. etc.

As you can see, clamd scans incoming mail from 10.1.1.126, ignoring the rule file directives, the same as putting “Virus Scanning = Yes” directly in MailScanner.conf.
If I put “Virus Scanning = No”, clamd correctly bypasses every message.

Deep test virus scan rule

Post by nicola.piazzi » 12 Jan 2021 08:55

[In MailScanner.conf I put the Virus Scanning directive so it uses a fixed-path file, so I am sure that it is not wrong]
vi /etc/MailScanner/MailScanner.conf
Virus Scanning = /mio/mio.rule

[In the file I put only the negation of scanning by default]
vi /mio/mio.rule
FromOrTo: Default No

[chmod the dir and file to ensure access]
chmod 777 /mio;chmod 777 /mio/mio.rule

[restart MailScanner]
systemctl stop mailscanner;sleep 2;systemctl start mailscanner

[but clamd still scans incoming mail]
# tail -f /var/log/clamd.scan
/var/spool/MailScanner/incoming/9751/4DFPPX5htrzlfcMY/nimage003.png: OK
/var/spool/MailScanner/incoming/9751/4DFPPX5htrzlfcMY/nimage002.png: OK
/var/spool/MailScanner/incoming/9751/4DFPPX5htrzlfcMY/nimage006.jpg: OK
/var/spool/MailScanner/incoming/9751/4DFPPX5htrzlfcMY/nimage004.png: OK
/var/spool/MailScanner/incoming/9751/4DFPPX5htrzlfcMY/nimage005.png: OK
/var/spool/MailScanner/incoming/9751/4DFPPX5htrzlfcMY.header: OK
/var/spool/MailScanner/incoming/9751/4DFPPX5htrzlfcMY/nmsg-9751-4.txt: OK
/var/spool/MailScanner/incoming/9751/4DFPPX5htrzlfcMY/nmsg-9751-6.txt: OK
/var/spool/MailScanner/incoming/9751/4DFPPX5htrzlfcMY/nmsg-9751-5.html: OK
/var/spool/MailScanner/incoming/9751/4DFPPX5htrzlfcMY.message: OK
/var/spool/MailScanner/incoming/9751/4DFPPb6C85zlfdyp/nmsg-9751-7.txt: OK


[The only way to stop clamd scanning email is to put "Virus Scanning = No" in MailScanner.conf. Using a rule is the same as "Virus Scanning = Yes"; it doesn't look at the rule contents]

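Added example, not code from eFa or MailScanner: a small Python evaluator for the sender-IP ruleset lines tried in this thread (trailing-dot prefix, CIDR, exact address and the default line), so the value a given sender IP would receive can be checked before suspecting the ruleset syntax. It models only the first-match pattern matching shown above, not how MailScanner batches messages or drives clamd, so it cannot reproduce the behaviour reported here; the rule texts below are constructed from the posts.

```python
import ipaddress

# Approximation of MailScanner ruleset matching for sender-IP patterns,
# written from the patterns shown in the thread, not the real parser.

def parse_ruleset(text):
    """Return [(direction, pattern, value)] in file order; '#' starts a comment."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        direction, pattern, value = line.split(None, 2)
        rules.append((direction.rstrip(":").lower(), pattern.lower(), value.lower()))
    return rules

def ip_matches(pattern, ip):
    """Match an IP against 'default', a '10.'-style prefix, a CIDR block or an exact address."""
    if pattern == "default":
        return True
    if pattern.endswith("."):
        return ip.startswith(pattern)
    if "/" in pattern:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    return ip == pattern

def evaluate(text, sender_ip):
    """First From:/FromOrTo: rule whose pattern matches the sender IP wins."""
    for direction, pattern, value in parse_ruleset(text):
        if direction in ("from", "fromorto") and ip_matches(pattern, sender_ip):
            return value
    return None  # no rule matched and no default line present

# Constructed rule files mirroring the variants tried in the thread.
PREFIX_RULES = "From: 10. no\nFromOrTo: default yes\n"
CIDR_RULES = "From: 10.1.1.0/24 no\nFromOrTo: default yes\n"
DEFAULT_ONLY = "FromOrTo: Default No\n"

if __name__ == "__main__":
    for name, rules in (("prefix", PREFIX_RULES), ("cidr", CIDR_RULES), ("default-only", DEFAULT_ONLY)):
        print(name, "10.1.1.126 ->", evaluate(rules, "10.1.1.126"),
              "| 192.0.2.7 ->", evaluate(rules, "192.0.2.7"))
```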