 Post subject: hMailServer, clamav on Windows Server 2008 R2
PostPosted: 2010-10-23 02:11 
New user

Joined: 2010-10-20 01:39
Posts: 7
Having a bit of trouble getting clamav (nico's version) to work with hMailServer on Windows Server 2008 R2.
Using eicar test virus it says the test email is ok. If I run clamdscan against the virus directly it picks it up.
I'm using the external virus tab with the scanner executable setting:
"c:\clamav\clamdscan.exe" "%FILE%"

My clamd logs show it passing.
Fri Oct 22 19:59:41 2010 -> Received POLLIN|POLLHUP on fd 1192
Fri Oct 22 19:59:41 2010 -> Got new connection, FD 1476
Fri Oct 22 19:59:41 2010 -> fds_poll_recv: timeout after 5 seconds
Fri Oct 22 19:59:41 2010 -> Received POLLIN|POLLHUP on fd 1476
Fri Oct 22 19:59:41 2010 -> got command CONTSCAN \\?\C:\Program Files (x86)\hMailServer\Data\{AF5BDCE9-37A3-4811-AEA3-68F6A3789CEE}.eml (96, 7), argument: \\?\C:\Program Files (x86)\hMailServer\Data\{AF5BDCE9-37A3-4811-AEA3-68F6A3789CEE}.eml
Fri Oct 22 19:59:41 2010 -> mode -> MODE_WAITREPLY
Fri Oct 22 19:59:41 2010 -> Breaking command loop, mode is no longer MODE_COMMAND
Fri Oct 22 19:59:41 2010 -> Consumed entire command
Fri Oct 22 19:59:41 2010 -> Number of file descriptors polled: 0 fds
Fri Oct 22 19:59:41 2010 -> fds_poll_recv: timeout after 600 seconds
Fri Oct 22 19:59:41 2010 -> THRMGR: queue (single) crossed low threshold -> signaling
Fri Oct 22 19:59:41 2010 -> THRMGR: queue (bulk) crossed low threshold -> signaling
Fri Oct 22 19:59:41 2010 -> C:\Program Files (x86)\hMailServer\Data\{AF5BDCE9-37A3-4811-AEA3-68F6A3789CEE}.eml: OK
Fri Oct 22 19:59:41 2010 -> Finished scanthread
Fri Oct 22 19:59:41 2010 -> Scanthread: connection shut down (FD 1476)
Fri Oct 22 19:59:41 2010 -> THRMGR: queue (single) crossed low threshold -> signaling
Fri Oct 22 19:59:41 2010 -> THRMGR: queue (bulk) crossed low threshold -> signaling

My hMailServer logs show it is not getting picked up either.

"DEBUG" 1772 "2010-10-22 19:59:41.618" "Creating session 2"
"DEBUG" 3804 "2010-10-22 19:59:41.650" "Total spam score: 0"
"DEBUG" 3328 "2010-10-22 19:59:41.712" "Total spam score: 0"
"DEBUG" 3328 "2010-10-22 19:59:41.712" "Saving message: C:\Program Files (x86)\hMailServer\Data\{AF5BDCE9-37A3-4811-AEA3-68F6A3789CEE}.eml"
"DEBUG" 3328 "2010-10-22 19:59:41.712" "Requesting SMTPDeliveryManager to start message delivery"
"DEBUG" 3152 "2010-10-22 19:59:41.712" "Delivering message..."
"APPLICATION" 3152 "2010-10-22 19:59:41.712" "SMTPDeliverer - Message 105: Delivering message from [email protected] to [email protected]. File: C:\Program Files (x86)\hMailServer\Data\{AF5BDCE9-37A3-4811-AEA3-68F6A3789CEE}.eml"
"DEBUG" 3152 "2010-10-22 19:59:41.712" "CustomVirusScanner::Scan()"
"DEBUG" 2616 "2010-10-22 19:59:41.728" "Closing TCP/IP socket"
"DEBUG" 2616 "2010-10-22 19:59:41.728" "Ending session 2"
"DEBUG" 3152 "2010-10-22 19:59:41.775" "CustomVirusScanner::Scan() - "c:\clamav\clamdscan.exe" "C:\Program Files (x86)\hMailServer\Data\{AF5BDCE9-37A3-4811-AEA3-68F6A3789CEE}.eml" - Returned 0"
"DEBUG" 3152 "2010-10-22 19:59:41.775" "CustomVirusScanner::~Scan()"
"DEBUG" 3152 "2010-10-22 19:59:41.775" "Applying rules"
"DEBUG" 3152 "2010-10-22 19:59:41.775" "Performing local delivery"
"DEBUG" 3152 "2010-10-22 19:59:41.775" "Applying rules"
"DEBUG" 3152 "2010-10-22 19:59:41.775" "Saving message: C:\Program Files (x86)\hMailServer\Data\patmac.gotdns.com\pat\AF\{AF5BDCE9-37A3-4811-AEA3-68F6A3789CEE}.eml"
"DEBUG" 3152 "2010-10-22 19:59:41.775" "AWStats::LogDeliverySuccess"
"DEBUG" 3152 "2010-10-22 19:59:41.790" "Local delivery completed"
"APPLICATION" 3152 "2010-10-22 19:59:41.790" "SMTPDeliverer - Message 105: Message delivery thread completed."
"DEBUG" 2820 "2010-10-22 20:00:40.946" "Creating session 3"
"DEBUG" 1112 "2010-10-22 20:00:40.962" "Reading message from database"
"DEBUG" 1112 "2010-10-22 20:00:41.196" "Closing TCP/IP socket"
"DEBUG" 1112 "2010-10-22 20:00:41.196" "Ending session 3"
"DEBUG" 2820 "2010-10-22 20:02:46.196" "Creating session 4"
"DEBUG" 1032 "2010-10-22 20:02:46.431" "Closing TCP/IP socket"

Anyone have any suggestions?
- thanks for any help.
-pat


 
 Post subject: Re: hMailServer, clamav on Windows Server 2008 R2
PostPosted: 2010-10-23 03:30 
Developer

Joined: 2010-04-24 23:16
Posts: 6165
Location: Michigan, USA
Hey pat,
Logs show it returned 0. I assume that was a test virus. What does it show for return on clean file? Possible you need to adjust return codes in hmail? Shouldn't the clam log show it found a virus? Soz I've not looked so not sure what they look like honestly.

btw 5.4 which should be out any day has native clamd client built in (still needs clamd server to connect to) which so far seems to work well so hopefully assuming the alpha is stable should help ease a lot of AV pains. It is certainly easier to set up in hmail for sure.
Bill

 
 Post subject: Re: hMailServer, clamav on Windows Server 2008 R2
PostPosted: 2010-10-23 03:58 
New user

Joined: 2010-10-20 01:39
Posts: 7
Thanks for the quick response. A clean file also posts a 0 return code. So it seems that the viruses are not being detected when I go through hMS. They are being detected if I run clamdscan manually with the eicar test file.

All I can think of is somehow the command that is coming through to clamdscan from hmailserver is some how broken... but I can't see how unless it's the pathname where hMS has the .eml file.


 
 Post subject: Re: hMailServer, clamav on Windows Server 2008 R2
PostPosted: 2010-10-23 04:27 
Moderator

Joined: 2007-06-14 05:12
Posts: 11916
Location: 'The Outback' Australia
Is clamAv working properly?

Have you enabled logging in it to see what is going on?
Is the clamD service running?

 
 Post subject: Re: hMailServer, clamav on Windows Server 2008 R2
PostPosted: 2010-10-23 13:58 
New user

Joined: 2010-10-20 01:39
Posts: 7
yes... my logs from clamd and hMS are the first part of my post


 
 Post subject: Re: hMailServer, clamav on Windows Server 2008 R2
PostPosted: 2010-10-23 15:00 
Senior user

Joined: 2009-04-17 18:10
Posts: 268
Location: The land of Beer and Sauerkraut!
The ClamD log looks fine. Assuming that you didn't configure hMS to delete .com attachments, what EICAR variant were you using (plain, zipped, disguised)? Are you using any third party signatures (sanesecurity.ftm in particular)?

Best regards,

Nico


 
 Post subject: Re: hMailServer, clamav on Windows Server 2008 R2
PostPosted: 2010-10-23 15:52 
New user

Joined: 2010-10-20 01:39
Posts: 7
You know.... I did some further testing and when I try to SEND a virus email it is picked up by clamd. It's only when I receive (send myself something from eicar) that it's not picked up. Looking at the emails received (the .eml files that are in the temporary directory) I don't see any of the viruses.

Somehow that leads me to believe clamd is working just fine as is hMS. Could it be possible that the viruses are being stripped on the way to my server? So that the emails are clean when they reach clamd?

-pat


 
 Post subject: Re: hMailServer, clamav on Windows Server 2008 R2
PostPosted: 2010-10-23 19:50 
Senior user

Joined: 2009-04-17 18:10
Posts: 268
Location: The land of Beer and Sauerkraut!
windchaserb wrote:
Somehow that leads me to believe clamd is working just fine as is hMS. Could it be possible that the viruses are being stripped on the way to my server? So that the emails are clean when they reach clamd?

-pat

Easy to check: If the EICAR attachment is still there when you look at the mail in your mail client then it wasn't stripped :)

Best regards,

Nico


 
 Post subject: Re: hMailServer, clamav on Windows Server 2008 R2
PostPosted: 2010-10-23 22:14 
New user

Joined: 2010-10-20 01:39
Posts: 7
Thanks. It seems it's just the test emails from Eicar that come through ok.

I've sent myself an 'infected' email from another website which got detected by clamd.

So it seems to be working. Not sure why the Eicar test emails don't come through. I checked further and the attachments are coming thru but not detected as containing a virus.

If anyone can shed light on this I'd be more than interested.

Thanks, Pat


 
 Post subject: Re: hMailServer, clamav on Windows Server 2008 R2
PostPosted: 2010-10-23 22:26 
Senior user

Joined: 2009-04-17 18:10
Posts: 268
Location: The land of Beer and Sauerkraut!
windchaserb wrote:
If anyone can shed light on this I'd be more than interested.

Well, I'd really like to but then you should answer my questions first:

tBB wrote:
what EICAR variant were you using (plain, zipped, disguised)? Are you using any third party signatures (sanesecurity.ftm in particular)?

If you had let some page send the EICAR file to you, please also tell me which one.

Best regards,

Nico


 
 Post subject: Re: hMailServer, clamav on Windows Server 2008 R2
PostPosted: 2010-10-23 23:05 
New user

Joined: 2010-10-20 01:39
Posts: 7
no third party signatures.

Here are the variants I was sending
1.Sending clean... 1 OK!
2.Sending eicar.com... 1 OK!
3.Sending eicar.com.txt... 1 OK!
4.Sending eicar_com.zip... 1 OK!
5.Sending eicarcom2.zip... 1 OK!
6.Sending eicarpasswd.zip... 1 OK!
7.Sending eicarpasswdocr.zip... 1 OK!

To send the virus that was detected I logged into another webmail account I have, copied the eicar virus text into the body of the email and sent it.

Thanks, pat


 
 Post subject: Re: hMailServer, clamav on Windows Server 2008 R2
PostPosted: 2010-10-24 10:58 
Senior user

Joined: 2009-04-17 18:10
Posts: 268
Location: The land of Beer and Sauerkraut!
windchaserb wrote:
Here are the variants I was sending
1.Sending clean... 1 OK!
2.Sending eicar.com... 1 OK!
3.Sending eicar.com.txt... 1 OK!
4.Sending eicar_com.zip... 1 OK!
5.Sending eicarcom2.zip... 1 OK!
6.Sending eicarpasswd.zip... 1 OK!
7.Sending eicarpasswdocr.zip... 1 OK!

To send the virus that was detected I logged into another webmail account I have, copied the eicar virus text into the body of the email and sent it.

As you didn't mention what page had sent you the testfiles I can only guess that it was aleph-tec. If it was, please try another page like http://www.gfi.com/emailsecuritytest/ because aleph-tec is quite unreliable, at least over here.

Also, to have types 6. and 7. detected you would need to enable the detection of password protected archives in clamd.conf (not recommended because then every password protected archive will be flagged as infected).

Best regards,

Nico
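
A local version of the test discussed in this thread, as an added example that is not part of any post: it builds one clean message and one carrying the standard EICAR string as a base64 attachment, hands each to clamdscan the way the external scanner setting does, and judges the exit code (0 clean, 1 infected, 2 error, per the clamdscan man page). The addresses, file names and function names are constructed for illustration; the scanner path is the one from the first post, and clamd must be able to read the temporary directory.

```python
import subprocess
import tempfile
from email.message import EmailMessage
from pathlib import Path

# Standard 68-byte EICAR test string (harmless; scanners flag it by design).
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# clamdscan exit codes as documented in its man page.
VERDICTS = {0: "clean", 1: "infected", 2: "scanner error"}


def build_eml(payload: bytes = EICAR, filename: str = "eicar.com") -> bytes:
    """Build an .eml with `payload` as a base64 attachment, like inbound mail."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"      # constructed addresses
    msg["To"] = "postmaster@example.test"
    msg["Subject"] = "scanner self-test"
    msg.set_content("Scanner self-test message.")
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


def interpret(returncode: int, expect_infected: bool) -> str:
    """Map a scanner exit code to PASS/FAIL for the self-test."""
    verdict = VERDICTS.get(returncode, f"unknown ({returncode})")
    if returncode not in (0, 1):
        # An error code that differs from the configured "virus" value
        # may be treated as clean by the calling mail server.
        return f"FAIL: {verdict}; a mail server may treat this as clean"
    ok = (returncode == 1) == expect_infected
    return f"{'PASS' if ok else 'FAIL'}: scanner said {verdict}"


def self_test(scanner: str = r"c:\clamav\clamdscan.exe") -> list[str]:
    """Scan a clean and an EICAR message the way the external scanner hook does."""
    results = []
    with tempfile.TemporaryDirectory() as tmp:
        for name, payload, infected in (("clean.eml", b"hello", False),
                                        ("eicar.eml", EICAR, True)):
            path = Path(tmp) / name
            path.write_bytes(build_eml(payload))
            rc = subprocess.run([scanner, str(path)]).returncode
            results.append(f"{name}: {interpret(rc, infected)}")
    return results


if __name__ == "__main__":
    print("\n".join(self_test()))
```

A FAIL on `eicar.eml` with the scanner reporting clean points at the scanner or its signatures, while a PASS here combined with undetected mail from a test site points at the test site, which is where this thread ended up.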


 
 Post subject: Re: hMailServer, clamav on Windows Server 2008 R2
PostPosted: 2010-10-24 15:29 
New user

Joined: 2010-10-20 01:39
Posts: 7
Thanks. I had sent those from alpha-tec. Guess they are unreliable over here in the US too.

I tried the link from gfi.com and clamd picked up all the viruses without any problems. Looks like everything is working just fine.

Great product and thanks for the help!

-pat

