having a bit of trouble getting clamav (nico's version) to work with hMailServer on Windows Server 2008 R2.
Using eicar test virus it says the test email is ok. If I run clamdscan against the virus directly it picks it up.
I'm using the external virus tab with the scanner executable setting:
"c:\clamav\clamdscan.exe" "%FILE%"

My clamd logs show it passing.
Fri Oct 22 19:59:41 2010 -> Received POLLIN|POLLHUP on fd 1192
Fri Oct 22 19:59:41 2010 -> Got new connection, FD 1476
Fri Oct 22 19:59:41 2010 -> fds_poll_recv: timeout after 5 seconds
Fri Oct 22 19:59:41 2010 -> Received POLLIN|POLLHUP on fd 1476
Fri Oct 22 19:59:41 2010 -> got command CONTSCAN \\?\C:\Program Files (x86)\hMailServer\Data\{AF5BDCE9-37A3-4811-AEA3-68F6A3789CEE}.eml (96, 7), argument: \\?\C:\Program Files (x86)\hMailServer\Data\{AF5BDCE9-37A3-4811-AEA3-68F6A3789CEE}.eml
Fri Oct 22 19:59:41 2010 -> mode -> MODE_WAITREPLY
Fri Oct 22 19:59:41 2010 -> Breaking command loop, mode is no longer MODE_COMMAND
Fri Oct 22 19:59:41 2010 -> Consumed entire command
Fri Oct 22 19:59:41 2010 -> Number of file descriptors polled: 0 fds
Fri Oct 22 19:59:41 2010 -> fds_poll_recv: timeout after 600 seconds
Fri Oct 22 19:59:41 2010 -> THRMGR: queue (single) crossed low threshold -> signaling
Fri Oct 22 19:59:41 2010 -> THRMGR: queue (bulk) crossed low threshold -> signaling
Fri Oct 22 19:59:41 2010 -> C:\Program Files (x86)\hMailServer\Data\{AF5BDCE9-37A3-4811-AEA3-68F6A3789CEE}.eml: OK
Fri Oct 22 19:59:41 2010 -> Finished scanthread
Fri Oct 22 19:59:41 2010 -> Scanthread: connection shut down (FD 1476)
Fri Oct 22 19:59:41 2010 -> THRMGR: queue (single) crossed low threshold -> signaling
Fri Oct 22 19:59:41 2010 -> THRMGR: queue (bulk) crossed low threshold -> signaling

My hMailServer logs show it it not getting picked up either.

"DEBUG" 1772 "2010-10-22 19:59:41.618" "Creating session 2"
"DEBUG" 3804 "2010-10-22 19:59:41.650" "Total spam score: 0"
"DEBUG" 3328 "2010-10-22 19:59:41.712" "Total spam score: 0"
"DEBUG" 3328 "2010-10-22 19:59:41.712" "Saving message: C:\Program Files (x86)\hMailServer\Data\{AF5BDCE9-37A3-4811-AEA3-68F6A3789CEE}.eml"
"DEBUG" 3328 "2010-10-22 19:59:41.712" "Requesting SMTPDeliveryManager to start message delivery"
"DEBUG" 3152 "2010-10-22 19:59:41.712" "Delivering message..."
"APPLICATION" 3152 "2010-10-22 19:59:41.712" "SMTPDeliverer - Message 105: Delivering message from eicar@aleph-tec.com to pat@patmac.gotdns.com. File: C:\Program Files (x86)\hMailServer\Data\{AF5BDCE9-37A3-4811-AEA3-68F6A3789CEE}.eml"
"DEBUG" 3152 "2010-10-22 19:59:41.712" "CustomVirusScanner::Scan()"
"DEBUG" 2616 "2010-10-22 19:59:41.728" "Closing TCP/IP socket"
"DEBUG" 2616 "2010-10-22 19:59:41.728" "Ending session 2"
"DEBUG" 3152 "2010-10-22 19:59:41.775" "CustomVirusScanner::Scan() - "c:\clamav\clamdscan.exe" "C:\Program Files (x86)\hMailServer\Data\{AF5BDCE9-37A3-4811-AEA3-68F6A3789CEE}.eml" - Returned 0"
"DEBUG" 3152 "2010-10-22 19:59:41.775" "CustomVirusScanner::~Scan()"
"DEBUG" 3152 "2010-10-22 19:59:41.775" "Applying rules"
"DEBUG" 3152 "2010-10-22 19:59:41.775" "Performing local delivery"
"DEBUG" 3152 "2010-10-22 19:59:41.775" "Applying rules"
"DEBUG" 3152 "2010-10-22 19:59:41.775" "Saving message: C:\Program Files (x86)\hMailServer\Data\patmac.gotdns.com\pat\AF\{AF5BDCE9-37A3-4811-AEA3-68F6A3789CEE}.eml"
"DEBUG" 3152 "2010-10-22 19:59:41.775" "AWStats::LogDeliverySuccess"
"DEBUG" 3152 "2010-10-22 19:59:41.790" "Local delivery completed"
"APPLICATION" 3152 "2010-10-22 19:59:41.790" "SMTPDeliverer - Message 105: Message delivery thread completed."
"DEBUG" 2820 "2010-10-22 20:00:40.946" "Creating session 3"
"DEBUG" 1112 "2010-10-22 20:00:40.962" "Reading message from database"
"DEBUG" 1112 "2010-10-22 20:00:41.196" "Closing TCP/IP socket"
"DEBUG" 1112 "2010-10-22 20:00:41.196" "Ending session 3"
"DEBUG" 2820 "2010-10-22 20:02:46.196" "Creating session 4"
"DEBUG" 1032 "2010-10-22 20:02:46.431" "Closing TCP/IP socket"

Anyone have any suggestions?
- thanks for aany help.
-pat

Hey pat,
Logs show it returned 0. I assume that was a test virus. What does it show for return on clean file? Possible you need to adjust return codes in hmail? Shouldn't the clam log show it found a virus? Soz I've not looked so not sure what they look like honestly.

btw 5.4 which should be out any day has native clamd client built in (still needs clamd server to connect to) which so far seems to work well so hopefully assuming the alpha is stable should help ease a lot of AV pains. It is certainly easier to setup in hmail for sure.
Bill

Thanks for the quick response. A clean file also posts a 0 return code. So it seems that the viruses are not being detected when I go through hMS. They are being detected if I run clamdscan manually with the eicar test file.

All I can think of is somehow the command that is coming through to clamdscan from hmailserver is some how broken... but I can't see how unless it's the pathname where hMS has the .eml file.

Is clamAv working properly?

Have you enabled logging in it to see what is going on?
Is the clamD service running?

yes... my logs from clamd and hMS are the first part of my post

The ClamD log looks fine. Assuming that you didn't configure hMS to delete .com attachments, what EICAR variant were you using (plain, zipped, disguised)? Are you using any third party signatures (sanesecurity.ftm in particular)?

Best regards,

Nico

You know.... I did some further testing and when I try to SEND a virus email it is picked up by clamd. It's only when I receive (send myself something from eicar) that its not picked up. Looking at the emails received (the .eml files that are in the temporary directory) I don't see any of the viruses.

Somehow that leads me to believe clamd is working just fine as is hMS. Could it be possible that the viruses are being stripped on the way to my server? So that the emails are clean when they reach clamd?

-pat

Easy to check: If the EICAR attachment is still there when you look at the mail in your mail client then it wasn't stripped

Best regards,

Nico

Thanks. It seems it's just the test emails from Eicar that come through ok.

I've sent myself an 'infected' email from another website which got detected by clamd.

So it seems to be working. Not sure why the Eicar test emails don't come through. I checked further and the attachments are coming thru but not detected as containing a virus.

If anyone can shed light on this I'd be more than interested.

Thanks, Pat

Well, I'd really like to but then you should answer my questions first:


If you had let some page sent the EICAR file to you, please also tell me which one.

Best regards,

Nico

no third party signatures.

Here are the variants I was sending
1.Sending clean... 1 OK!
2.Sending eicar.com... 1 OK!
3.Sending eicar.com.txt... 1 OK!
4.Sending eicar_com.zip... 1 OK!
5.Sending eicarcom2.zip... 1 OK!
6.Sending eicarpasswd.zip... 1 OK!
7.Sending eicarpasswdocr.zip... 1 OK!

To send the virus that was detected I logged into another webmail account I have, copied the eicar virus text into the body of the email and sent it.

Thanks, pat

As you didn't mention what page had sent you the testfiles I can only guess that it was aleph-tec. If it was, please try another page like http://www.gfi.com/emailsecuritytest/ because aleph-tec is quite unreliable, at least over here.

Also, to have types 6. and 7. detected you would need to enable the detection of password protected archives in clamd.conf (not recommended because then every password protected archive will be flagged as infected).

Best regards,

Nico

Thanks. I had sent those from alpha-tec. Guess they are unreliable over here in the us too.

I tried the link from gfi.com and clamd picked up allthe viruses without any problems. Looks like everything is working just fine.

Great product and thanks for the help!

-pat