Koozali.org: home of the SME Server

Standard Clamav and mail antivirus

miroj
Standard Clamav and mail antivirus
« on: December 09, 2016, 08:28:39 PM »
I do have a question on the behavior of the mail antivirus solution in SME 9.x.

My SME 9.x is set with the following settings:

IMAP server access:    Allow private and public (secure IMAPS)

Virus scanning    Enabled
Spam filtering    Enabled
Executable content blocking    Enabled

E-mail retrieval mode    Standard (SMTP)
SMTP authentication    Allow SSMTP (secure)

The antivirus is scheduled on a daily basis, and in the daily report I get many lines like:

/Maildir/.junkmail/cur/1474358381.5337.leopard:2,: Js.Ransomware.Locky-30743 FOUND

Now, my understanding is that an identified virus should be deleted/rejected on arrival, not end up in the junk-mail folder. Since the virus was identified and deleted by the regular daily clamav scans, it means that the virus is known to clamav. The only logical explanation I have is that all communication between the mail servers is secure SMTP, which makes the content of the mail encrypted and inaccessible to clamav during the mail scan process. It is found and deleted later on, after delivery, by the regular daily scans.

Is this the case, or am I missing something in my understanding? How can I delete/reject mails during mail delivery instead of scanning the server on a daily basis?

Miro
---
"Open Source will appear on your machines anyway"
Paolo Malinverno
Vice President, Gartner Research

brianr
Re: Standard Clamav and mail antivirus
« Reply #1 on: December 09, 2016, 09:17:04 PM »
It is to do with the fact that virus signatures are updated every 2 hours, but viruses can steal in before they are known to Clamav.
Brian j Read
(retired, for a second time, still got 2 installations though)
The instrument I am playing is my favourite Melodeon.
.........

miroj
Re: Standard Clamav and mail antivirus
« Reply #2 on: December 09, 2016, 09:27:06 PM »
> It is to do with the fact that virus signatures are updated every 2 hours, but viruses can steal in before they are known to Clamav.

Hi Brian,

Thanks for the fast reply. Unfortunately I don't believe that is the case, since the same virus appears as deleted in the clamav report from the previous day as well. That indicates that the virus has been known to clamav for at least a day or more, but new mails which arrive and contain the same virus are still not deleted/rejected. It must be something else.

brianr
Re: Standard Clamav and mail antivirus
« Reply #3 on: December 10, 2016, 09:40:37 AM »
> Hi Brian,
>
> Thanks for the fast reply. Unfortunately I don't believe that is the case, since the same virus appears as deleted in the clamav report from the previous day as well. That indicates that the virus has been known to clamav for at least a day or more, but new mails which arrive and contain the same virus are still not deleted/rejected. It must be something else.

OK, in that case this could be a bug (and maybe quite an important one); please could you open one in Bugzilla here:

https://bugs.contribs.org/

I only run the scan once a week (as it takes too much time), so have not noticed such a thing.


Jean-Philippe Pialasse (aka Unnilennium, http://smeserver.pialasse.com)
Re: Standard Clamav and mail antivirus
« Reply #4 on: December 10, 2016, 06:44:57 PM »
There are a few alternatives:
- if IMAP is enabled, it could have been copied from another account outside of the server using any email client software
- as suggested by Brian, it could have been received a few hours before the signature was added to your local database
- a tweak of the configuration makes qpsmtpd tag it as spam (quarantine) instead of deleting it

In any case it could be worth investigating your logs and configuration. As you mentioned, another email could have been received before this one and tagged with this same signature; you should parse your qpsmtpd logs to find these two emails (using the From, To and at least Received time headers, and I believe you might also find the queue id number in the headers).

As said, please post this in Bugzilla, and please prefer to post it as security and avoid obfuscating the content of the log, to make it easier to understand what happened. The security tag means that only trusted members of the team will have access to the content.
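As an added example (not code from the thread or from SME Server), here is the correlation step the reply above describes: take one FOUND line from the daily clamscan report, recover the local delivery time from the Maildir filename, and pull the From, To, Date and Received headers out of the quarantined message so they can be grepped for in the qpsmtpd log. The message below is constructed for the demo; the report line is the one quoted in the thread.

```python
import re
from datetime import datetime, timezone
from email import message_from_bytes
from email.utils import parsedate_to_datetime

# One line of the daily clamscan report, as quoted in the thread:
#   /Maildir/.junkmail/cur/1474358381.5337.leopard:2,: Js.Ransomware.Locky-30743 FOUND
REPORT_RE = re.compile(r"^(?P<path>\S+?): (?P<sig>\S+) FOUND$")
# A Maildir filename begins with the Unix time at which the message was written to disk.
MAILDIR_RE = re.compile(r"/(?P<secs>\d+)\.[^/]*$")

def parse_report_line(line):
    """Return (path, signature, local delivery time as a UTC datetime), or None."""
    m = REPORT_RE.match(line.strip())
    if not m:
        return None
    t = MAILDIR_RE.search(m["path"])
    delivered = datetime.fromtimestamp(int(t["secs"]), tz=timezone.utc) if t else None
    return m["path"], m["sig"], delivered

def header_clues(raw):
    """Headers worth grepping the qpsmtpd log with: sender, recipient, Date, Received hops."""
    msg = message_from_bytes(raw)
    date = msg.get("Date")
    return {
        "from": msg.get("From"),
        "to": msg.get("To"),
        "date": parsedate_to_datetime(date) if date else None,
        # The first Received header is the hop stamped by the local MTA, so its
        # timestamp is the one that should line up with the qpsmtpd log entry.
        "received": msg.get_all("Received") or [],
        "spam_tagged": msg.get("X-Spam-Status", "").lower().startswith("yes"),
    }

def triage(report_line, raw):
    """Merge the report line and the message headers into one record for log correlation."""
    parsed = parse_report_line(report_line)
    if parsed is None:
        return None
    path, sig, delivered = parsed
    clues = header_clues(raw)
    # A hit under .junkmail means the message was quarantined as spam, not rejected.
    clues.update(path=path, signature=sig, delivered=delivered,
                 quarantined="/.junkmail/" in path)
    # Seconds between the sender's Date header and local delivery; hours or days here
    # suggest the message did not arrive fresh over SMTP (e.g. it was copied in over IMAP).
    clues["lag_seconds"] = (delivered - clues["date"]).total_seconds() \
        if delivered and clues["date"] else None
    return clues

# Constructed sample message (hypothetical hosts), not taken from the thread.
SAMPLE_RAW = (b"Received: from mx.example.invalid ([192.0.2.10])\n"
              b"\tby sme.example.invalid with ESMTP; Tue, 20 Sep 2016 09:59:40 +0200\n"
              b"From: sender@example.invalid\nTo: user@example.invalid\n"
              b"Date: Tue, 20 Sep 2016 09:59:10 +0200\nSubject: Invoice\n"
              b"X-Spam-Status: Yes, score=12.3\n\nbody\n")
SAMPLE_LINE = "/Maildir/.junkmail/cur/1474358381.5337.leopard:2,: Js.Ransomware.Locky-30743 FOUND"

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LINE, SAMPLE_RAW).items():
        print(f"{key}: {value}")
```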