Testing ClamAV Email Scan

Posted: Mon Apr 17, 2006 10:17 am
by DuckSmak
Hello! I'm brand new to Linux, and have been using the forums to work my way through the setups. I have the following installed:

Suse Linux 10.0
ClamAV 0.88-0.1

I downloaded the test virus "clam.exe" and sent it through the Scalix email server. There was no denial, and the email went through with no problems.

Based on what I've seen in the forums, this file should be rejected by the server. The scanner seems like it's working, unless I'm missing something. When running clamdscan in the console, the following appears:

srv1:/var/opt/scalix/data/0000001 # clamdscan *
/var/opt/scalix/data/0000001/000010g: OK
/var/opt/scalix/data/0000001/000010i: OK
/var/opt/scalix/data/0000001/000010j: OK
/var/opt/scalix/data/0000001/000010k: OK
/var/opt/scalix/data/0000001/000010l: OK
/var/opt/scalix/data/0000001/000010m: OK
/var/opt/scalix/data/0000001/000010n: OK
/var/opt/scalix/data/0000001/000010o: OK
/var/opt/scalix/data/0000001/000010p: OK
/var/opt/scalix/data/0000001/000010q: OK
/var/opt/scalix/data/0000001/0000120: OK
/var/opt/scalix/data/0000001/0000121: OK
/var/opt/scalix/data/0000001/0000122: OK
/var/opt/scalix/data/0000001/0000123: OK
/var/opt/scalix/data/0000001/0000151: OK
/var/opt/scalix/data/0000001/0000152: OK
/var/opt/scalix/data/0000001/0000153: OK
/var/opt/scalix/data/0000001/0000154: OK
/var/opt/scalix/data/0000001/00001a0: OK
/var/opt/scalix/data/0000001/00001a1: OK
/var/opt/scalix/data/0000001/00001a2: OK
/var/opt/scalix/data/0000001/00001a3: OK
/var/opt/scalix/data/0000001/00001dh: OK
/var/opt/scalix/data/0000001/00001di: OK
/var/opt/scalix/data/0000001/00001dj: OK
/var/opt/scalix/data/0000001/00001dl: OK
/var/opt/scalix/data/0000001/00001dm: OK
/var/opt/scalix/data/0000001/00001dn: OK
/var/opt/scalix/data/0000001/00001dp: OK
/var/opt/scalix/data/0000001/00001dq: OK
/var/opt/scalix/data/0000001/00001dr: OK
/var/opt/scalix/data/0000001/00001ds: OK
/var/opt/scalix/data/0000001/00001dt: ClamAV-Test-File FOUND

----------- SCAN SUMMARY -----------
Infected files: 1
Time: 0.175 sec (0 m 0 s)
srv1:/var/opt/scalix/data/0000001 # clamdscan
/var/opt/scalix/data/0000001/00001dt: ClamAV-Test-File FOUND

----------- SCAN SUMMARY -----------
Infected files: 1
Time: 0.752 sec (0 m 0 s)
srv1:/var/opt/scalix/data/0000001 #

As far as I can see, this is finding the file as a virus, and yet when sent in an email, it passes through with no issues.

Please let me know what my next step should be with regards to making sure the scanner will stop viruses. Also, is there any more software for virus/adware/malware prevention that I should install on this server?

Thanks

Posted: Mon Apr 17, 2006 10:38 am
by ScalixSupport
This is likely to be a false positive because of the way that we store some binary information in the message store. For this reason, we don't advise running this against the message store.

Cheers

Dave

Posted: Mon Apr 17, 2006 10:57 am
by DuckSmak
Thanks Dave...

I am not planning on continually running this against the message store. It was just a test to make sure the virus was found. What further do I have to do in order to make sure that all incoming and outgoing email is scanned? When "clam.exe" is sent through email, it is not rejected by the server. I tested this through 2 of the local email accounts.

Thanks

Posted: Mon Apr 17, 2006 11:00 am
by ScalixSupport
That sounds like virus scanning is not configured to run correctly.

The presence of the file ALL-ROUTES.VIR tells the service router that virus scanning is configured and, at that point, there will be some checks to see that the environment is correct, i.e. clamav can scan a scalix-owned file.

Is it possible that you don't have that file present, or the permissions are incorrect, or that omvscan.map is not executable, etc.?

Cheers

Dave

Posted: Tue Apr 18, 2006 11:19 am
by DuckSmak
OK... I have the AV running, and everything looks good. This is what's happening now...

I can send the "clam.exe" test file with no problems. When I send it, I view the "audit" file and it shows the log:

routing
time 1145372099 Tue Apr 18 10:54:59 2006 -240
type 0 message
priority 0 normal
sensitivity 0 normal
importance 0 normal
created-locally 0

Why is this not catching it as a virus?

Thanks

Posted: Tue Apr 18, 2006 11:24 am
by ScalixSupport
Can you confirm the details that I posted in the previous post?

What are the permissions on the files in /var/opt/scalix/rules?

The audit log you are showing me indicates that the Service Router doesn't think that AV is configured. Did you restart the router after making the config changes?

Cheers

Dave

Posted: Tue Apr 18, 2006 11:52 am
by DuckSmak
The file "all-routes.vir" does exist in the needed directory (/var/opt/scalix/rules/). These are the contents:

(all-routes.vir):
-----------------------------------------------------------------
VIRUS-UNCLEANED=1 ACTION=REJECT NDN-INFO=!ndninfo.txt
VIRUS-UNCLEANED=0 VIRUS-FOUND=1 ACTION=ALLOW NOTIFY="A virus was found in your message. It was
successfully cleaned and sent to the recipient. However we highly recommend that you install or
update your virus protection software and scan your computer for viruses."
------------------------------------------------------------------
The file permissions are:

Owner - Read and Write
Group - Read
Others - Read

All files in /var/opt/scalix/rules have the same permissions except for the "omvscan.map", which only has "read" for all settings.

I followed some instructions in a PDF document from the Scalix Knowledgebase entitled "Configuring ClamAV in a Scalix Environment (126746)" and completed the following steps:
------------------------------------------------------------------
5.2.3. Copy and Modify the omvscan.map File
Copy the omvscan.map file from /opt/scalix/examples/general to /var/opt/scalix/rules and ensure that the file is owned by
root and has the permissions set to 555.
cp /opt/scalix/examples/general/omvscan.map /var/opt/scalix/rules

chown root omvscan.map
chmod 555 omvscan.map

6. Testing
Turn up audit logging for service router:

omconfaud router 13

Turn up debug logging for service router
omconflvl router 15

Stop/restart service router

omoff -d 0 rtr
omon rtr
--------------------------------------------------------------------------------

I then sent the test email, checked the "audit" log, and replied to you once more.

See something I need to change?

Thanks

Posted: Tue Apr 18, 2006 12:48 pm
by ScalixSupport
OK. The problem is case-sensitivity. I put ALL-ROUTES.VIR in caps because that's what it needs to be called.

You seem to have it in lower case.

Cheers

Dave

Posted: Wed Apr 19, 2006 8:42 am
by DuckSmak
I renamed the "all-routes.vir" to "ALL-ROUTES.VIR", restarted the service through the console, and the email was still sent through with no problems. The audit file shows the email transfer (tested multiple times between a user and the Admin login). Since you mentioned it was case sensitive, and the first rename did nothing, I then renamed all files in the "/var/opt/scalix/rules/" dir to CAPS and tested the email transfer again. Same outcome. I don't know if renaming all the "/var/opt/scalix/rules/" files to CAPS is advisable or not, so let me know if I should change them all back (except for ALL-ROUTES.VIR), or if they are ok in CAPS.

Please let me know what further troubleshooting I have to do to get this working. I appreciate all your help.

Thanks

Posted: Wed Apr 19, 2006 10:48 am
by ScalixSupport
Please can you post a directory listing of /var/opt/scalix/rules showing the permissions and ownership of each file.

Also, can you post the contents of ALL-ROUTES.VIR?

Cheers

Dave

Posted: Wed Apr 19, 2006 11:40 am
by DuckSmak
Directory listing of /var/opt/scalix/rules:
------------------------------------------------------------------

"ALL-ROUTES.VIR"

Permissions -
Owner: Read and Write
Group: Read
Others: Read

Ownership -
User: root
Group: root
------------------------------------------------------------------
"ALL-ROUTES.VIR~" (backup)

Permissions -
Owner: Read and Write
Group: Read
Others: Read

Ownership -
User: root
Group: root
------------------------------------------------------------------
"NDNINFO.TXT"

Permissions -
Owner: Read and Write
Group: Read
Others: Read

Ownership -
User: root
Group: root
------------------------------------------------------------------
"NDNINFO.TXT~" (backup)

Permissions -
Owner: Read and Write
Group: Read
Others: Read

Ownership -
User: root
Group: root
------------------------------------------------------------------
"OMVSCAN.MAP" (checked as "is executable")

Permissions -
Owner: Read + Execute
Group: Read + Execute
Others: Read + Execute

Ownership -
User: root
Group: root
------------------------------------------------------------------

CONTENTS OF "ALL-ROUTES.VIR" FILE:

VIRUS-UNCLEANED=1 ACTION=REJECT NDN-INFO=!ndninfo.txt
VIRUS-UNCLEANED=0 VIRUS-FOUND=1 ACTION=ALLOW NOTIFY="A virus was found in your message. It was
successfully cleaned and sent to the recipient. However we highly recommend that you install or
update your virus protection software and scan your computer for viruses."

Posted: Wed Apr 19, 2006 11:57 am
by ScalixSupport
A simple "ls -l" would have done :-)

You need to rename all the files back to their original cases, i.e. everything except ALL-ROUTES.VIR needs to be lower case.

The problem is that the last 2 lines of the ALL-ROUTES.VIR file need to be on the same line as the VIRUS-UNCLEANED line. If you run the command

omshowlog -s router

you should see some errors explaining that the file contains a syntax error.

However, the settings you have are not recommended. A very large percentage of spam messages come from spoofed and/or non-existent addresses so we do not advise sending any reply back. The settings you want to put into ALL-ROUTES.VIR should be:

VIRUS-UNCLEANED=1 ACTION=DISCARD
VIRUS-UNCLEANED=0 VIRUS-FOUND=1 ACTION=ALLOW

Cheers

Dave
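Dave's checks from this post and the earlier ones (exact upper-case name for ALL-ROUTES.VIR, lower case for the other rule files, an executable omvscan.map, each rule on one line, an NDN-INFO target that exists, and no replies to the sender) pulled together as an added pre-flight lint. This is example code written for this page, not Scalix tooling; the KEY=VALUE rule grammar, the function names and the finding texts are assumptions drawn from the rule lines and log output quoted in the thread, not from Scalix documentation.

```python
# Pre-flight lint for a Scalix service-router rules directory. Added example written for
# this thread, not Scalix tooling; the KEY=VALUE grammar is inferred from the quoted rules.
import os
import re

RULE_TOKEN = re.compile(r'\s*([A-Z][A-Z-]*)=("[^"]*"|\S+)\s*')


def parse_rule_line(line: str) -> dict:
    """Split one rule into KEY=VALUE pairs; raise ValueError on a syntax error."""
    if line.count('"') % 2:
        raise ValueError("quoted value does not close on this line (rule wrapped onto the next line?)")
    pairs, pos = {}, 0
    while pos < len(line):
        m = RULE_TOKEN.match(line, pos)
        if not m:
            raise ValueError(f"unknown token or syntax error at column {pos + 1}")
        pairs[m.group(1)] = m.group(2).strip('"')
        pos = m.end()
    return pairs


def lint_rules(names: set, all_routes: str, omvscan_executable: bool) -> list:
    """Run Dave's checks against a directory snapshot; an empty list means all passed."""
    if "ALL-ROUTES.VIR" not in names:  # exact upper case: its presence is what enables AV
        return ["ALL-ROUTES.VIR missing: the router will route mail without scanning it"]
    findings = [f"{n}: files other than ALL-ROUTES.VIR are expected in lower case"
                for n in sorted(names) if n != "ALL-ROUTES.VIR" and n != n.lower()]
    if not omvscan_executable:
        findings.append("omvscan.map missing or not executable (expected mode 555)")
    for no, line in enumerate(all_routes.splitlines(), 1):
        try:
            rule = parse_rule_line(line.strip())  # blank lines parse to {}
        except ValueError as exc:
            findings.append(f"ALL-ROUTES.VIR line {no}: {exc}")
            continue
        ndn = rule.get("NDN-INFO", "")
        if ndn.startswith("!") and ndn[1:] not in names:  # looked up under the exact name
            findings.append(f"ALL-ROUTES.VIR line {no}: NDN-INFO file {ndn[1:]} not found")
        if rule.get("ACTION") == "REJECT" or "NOTIFY" in rule:  # replies feed backscatter
            findings.append(f"ALL-ROUTES.VIR line {no}: replying to the sender is not advised; use ACTION=DISCARD")
    return findings


def lint_rules_dir(rules_dir: str) -> list:
    """Snapshot a real directory such as /var/opt/scalix/rules and lint it."""
    names = set(os.listdir(rules_dir))
    text = open(os.path.join(rules_dir, "ALL-ROUTES.VIR")).read() if "ALL-ROUTES.VIR" in names else ""
    return lint_rules(names, text, os.access(os.path.join(rules_dir, "omvscan.map"), os.X_OK))
```

Run `lint_rules_dir("/var/opt/scalix/rules")` after editing the rule files and before restarting the router; it reproduces the three failure modes this thread hit (wrong case, wrapped NOTIFY line, missing NDN-INFO file) without waiting for omshowlog.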

Posted: Wed Apr 19, 2006 12:25 pm
by DuckSmak
Dave,
I have edited the files per your suggestions. When I run your command in the console, this is the output:

----------------------------------------------------------------
srv1:/var/opt/scalix/rules # omshowlog -s router

WARNING Service Router(Service Router) 04.19.06 07:58:33
[OM 5150] WARNING - Error encountered processing rule file:
/var/opt/scalix/rules/ALL-ROUTES.VIR


WARNING Service Router(Service Router) 04.19.06 07:58:33
[OM 5152] Error on line 3: Unknown token or syntax error


WARNING Service Router(Service Router) 04.19.06 08:05:14
[SYS 2] No such file or directory
File Name: /var/opt/scalix/rules/ndninfo.txt
<- sdl_MapStdCharInt
<- sdl_MapSysChar
-> sdl_MapSysChar
-> sdl_InitData
-> sdl_MapStdCharInt
-> sdl_InitData
<- sdl_MapStdCharInt
<- sdl_MapSysChar
<- cvc_CmpCS
-> cvc_GetOutString
<- cvc_GetOutString
<- cvc_ConvertString2
-> rsl_ParseNdnInfo
-> rsl_FormFullRulePath
<- rsl_FormFullRulePath
<- /build/10.0.1.3/src/lib/ombase/os/os_fopen.c:71[1,2]


WARNING Service Router(Service Router) 04.19.06 08:05:14
[OM 5150] WARNING - Error encountered processing rule file:
/var/opt/scalix/rules/ALL-ROUTES.VIR
File Name: /var/opt/scalix/rules/ndninfo.txt


WARNING Service Router(Service Router) 04.19.06 08:05:14
[OM 5152] Error on line 1: Error in NDN-INFO specification
File Name: /var/opt/scalix/rules/ndninfo.txt

srv1:/var/opt/scalix/rules #

----------------------------------------------------------------

I am not sure what that means, but it's referencing the "ndninfo.txt" file, so I figured you'd want that as well....

These are the contents of the "ndninfo.txt" file:


----------------------------------------------------------------

A virus was found in your message. The virus could not be cleaned and thus the message was not
sent to the recipient. We highly recommend that you install or update your virus protection
software and scan your computer for viruses. If another message is received with a virus, that
may force us to blacklist your email address and/or domain. Please contact admin@nscmtrading.com
for more information.

----------------------------------------------------------------

Please let me know if I need to adjust something in this as well.

Thanks

Posted: Wed Apr 19, 2006 12:29 pm
by ScalixSupport
Please can you post the raw information without interpretation, as it makes it easier to debug.

I need to see:

1) The output of ls -l /var/opt/scalix/rules
2) The output of cat -vet /var/opt/scalix/rules/ALL-ROUTES.VIR

Cheers

Dave

Posted: Fri Apr 21, 2006 9:16 am
by DuckSmak
Here is the information you requested:

srv1:/var/opt/scalix/rules # ls -l /var/opt/scalix/rules
total 57
drwxrwx--- 2 scalix scalix 248 Apr 19 12:19 .
drwxrwxr-x 50 scalix scalix 1288 Apr 6 10:44 ..
-rw-rw-rw- 1 root root 77 Apr 19 12:16 ALL-ROUTES.VIR
-rw-rw-rw- 1 root root 325 Apr 7 12:22 ALL-ROUTES.VIR~
-rw-r--r-- 1 root root 325 Apr 7 12:22 all-routes COPY.vir
-rw-r--r-- 1 root root 408 Apr 7 12:24 ndninfo.txt
-rw-r--r-- 1 root root 2 Apr 7 12:23 ndninfo.txt~
-r-xr-xr-x 1 root root 35644 Mar 27 12:17 omvscan.map


srv1:/var/opt/scalix/rules # cat -vet /var/opt/scalix/rules/ALL-ROUTES.VIR
VIRUS-UNCLEANED=1 ACTION=DISCARD$


Thanks!