ClamAV Problem

Jason Weir
Normal user
Posts: 58
Joined: 2004-02-02 23:41
Location: Chichester, NH

Post by Jason Weir » 2004-06-30 04:14

Anxious to get mail virus scanning, I upgraded hMailServer from 2.0.5 to 3.2 Beta build 25, using the built-in MySQL. I then installed ClamWin. Configuring hMailServer was a snap; the autodetect worked great. Now I'm testing it. During testing I found my Symantec product was deleting the file as soon as it made it to the data directory. I excluded both the data and temp directories. Now the problem is, ClamAV lets the virus through. If I use ClamWin to manually scan the file (Eicar), a virus is detected. But when I attach the file and mail it, it is delivered fine. I enabled debug logging, but didn't notice any mention of virus scanning when the message was either accepted for delivery or when it was actually delivered. Anybody have any ideas where I should look now?

Thanks,
Jason Weir

polarunion
Normal user
Posts: 245
Joined: 2004-04-05 20:21
Location: Ottawa, Canada

Post by polarunion » 2004-06-30 05:02

yep, this is what we've been discussing here ....


http://www.hmailserver.com/forum/viewtopic.php?t=435

Jason Weir
Normal user
Posts: 58
Joined: 2004-02-02 23:41
Location: Chichester, NH

Post by Jason Weir » 2004-06-30 05:06

Well not really, all of that thread deals with ClamAV not scanning archives. I'm not zipping the file. I'm attaching it as a text file.

Thanks
Jason

martin
Developer
Posts: 6834
Joined: 2003-11-21 01:09
Location: Sweden

Post by martin » 2004-06-30 12:36

I just tested this in build 25 and it worked fine for me. When you say "I'm attaching it as a text file.", I guess you mean that you downloaded the eicar.com.txt file from eicar.org and attached this to the email.

1) Could you try to attach the eicar.com file to an email and send it (instead of eicar.com.txt)?
2) What version of ClamWin are you using?
3) Are you running the hMailServer service under the local system account?
4) If you enable Norton Antivirus scanning in the Temp directory, is the file seen by Norton then? (hMailServer extracts all attachments to the Temp directory and asks ClamScan to scan them there.) Testing this will show whether hMailServer tries to scan the files at all.

I may have found the error but I'm not sure yet.

Jason Weir
Normal user
Posts: 58
Joined: 2004-02-02 23:41
Location: Chichester, NH

Post by Jason Weir » 2004-06-30 19:07

1) I tried emailing both eicar.com and eicar.com.txt and they both were delivered fine. Both Symantec and ClamWin detected them fine if I do a manual scan.
2) 0.35
3) Yup - local system account
4) Yes, if I let Norton scan the temp dir, it detects a virus and deletes the file when the message is sent.

I also tried both options in hMailServer, first just to delete the attachment and then to delete the message; both acted the same, the virus was delivered.

Thanks Martin,
Jason

martin
Developer
Posts: 6834
Joined: 2003-11-21 01:09
Location: Sweden

Post by martin » 2004-07-01 13:02

New version up (Build 26).

This version includes some more logging. After installing it, you should see some lines that look like this (turn on debug and application logging):
(search for "virus" in the log)

"APPLICATION"	2648	"2004-07-01 12:56:44.989"	"SMTPDeliverer - Message 3716: Delivering message from test@test.com to test@test.com."

"DEBUG"	2648	"2004-07-01 12:56:45.050"	"VirusScanner::Scan()"
"DEBUG"	2648	"2004-07-01 12:56:45.050"	"ClamWinVirusScanner::Scan()"
"DEBUG"	2648	"2004-07-01 12:56:45.831"	"ClamWinVirusScanner::Scan() - C:\Program Files\ClamWin\bin\clamscan.exe --database='C:\Documents and Settings\All Users\.clamwin\db' --include='{5CC4EDFE-092A-4EB6-9066-314F921FC90C}.hma' - Returned 0"
"DEBUG"	2648	"2004-07-01 12:56:45.841"	"ClamWinVirusScanner::~Scan()"
"DEBUG"	2648	"2004-07-01 12:56:45.861"	"VirusScanner::~Scan() - E4"
The interesting line is this:

ClamWinVirusScanner::Scan() - C:\Program Files\ClamWin\bin\clamscan.exe --database='C:\Documents and Settings\All Users\.clamwin\db' --include='{5CC4EDFE-092A-4EB6-9066-314F921FC90C}.hma' - Returned 0

It tells you exactly what hMailServer has executed and what ClamScan returned (it should return 1 for viruses and 0 for non-infected files).
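The log lines above are the only evidence of whether an attachment was really scanned, so it is worth parsing them rather than eyeballing them. The script below is an added example (not hMailServer's own code): it reads the tab-separated debug log layout shown in the thread, pulls out every ClamWinVirusScanner::Scan() record with the database path, scanned file and exit code, and flags any record whose code is neither 0 (clean) nor 1 (virus found), because such a message was delivered without a working scan. The exit-code meanings (0, 1 and the 50 "database initialization error" reported later in this thread) are taken from the posts; the sample log is constructed, and the third scan record uses a placeholder file name.

```python
"""Classify ClamWin scan outcomes from hMailServer debug log lines.

Added example, not hMailServer's own code. It assumes the tab-separated log
layout posted in this thread ("LEVEL", thread id, "timestamp", "message") and
the exit-code meanings stated there: 0 = clean, 1 = virus found, 50 =
database initialization error. Anything other than 0 or 1 means clamscan did
not actually examine the attachment, so the message passed through unscanned.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# One log record: "LEVEL"<TAB>thread<TAB>"timestamp"<TAB>"message"
LINE_RE = re.compile(r'^"(?P<level>[^"]*)"\t(?P<thread>\d+)\t"(?P<ts>[^"]*)"\t"(?P<msg>.*)"$')
# The scanner record that carries the executed command and its exit code.
SCAN_RE = re.compile(r"ClamWinVirusScanner::Scan\(\) - (?P<cmd>.+) - Returned (?P<code>\d+)$")
DB_RE = re.compile(r"--database='([^']*)'")
INCLUDE_RE = re.compile(r"--include='([^']*)'")

# Exit codes as described in the thread; any other value is a scanner error.
SCANNER_EXIT_CODES = {0: "clean", 1: "virus found", 50: "database initialization error"}


def _record(level: str, thread: int, ts: str, msg: str) -> str:
    """Build one log record in hMailServer's tab-separated layout."""
    return f'"{level}"\t{thread}\t"{ts}"\t"{msg}"'


# Constructed sample log copying the layout of the lines posted in the thread
# (the "Returned 1" record uses a made-up placeholder file name).
SAMPLE_LOG = "\n".join([
    _record("APPLICATION", 2648, "2004-07-01 12:56:44.989",
            "SMTPDeliverer - Message 3716: Delivering message from test@test.com to test@test.com."),
    _record("DEBUG", 2648, "2004-07-01 12:56:45.050", "VirusScanner::Scan()"),
    _record("DEBUG", 2648, "2004-07-01 12:56:45.831",
            r"ClamWinVirusScanner::Scan() - C:\Program Files\ClamWin\bin\clamscan.exe "
            r"--database='C:\Program Files\ClamWin\db' "
            r"--include='{5CC4EDFE-092A-4EB6-9066-314F921FC90C}.hma' - Returned 0"),
    _record("DEBUG", 2648, "2004-07-01 12:56:45.841", "ClamWinVirusScanner::~Scan()"),
    _record("DEBUG", 2908, "2004-07-01 08:35:24.296",
            r"ClamWinVirusScanner::Scan() - C:\Program Files\ClamWin\bin\clamscan.exe "
            r"--database='C:\Documents and Settings\All Users\.clamwin\db' "
            r"--include='{744D7CAF-9003-42EF-AAB9-6F75F1B86B90}.hma' - Returned 50"),
    _record("DEBUG", 3100, "2004-07-02 11:20:01.000",
            r"ClamWinVirusScanner::Scan() - C:\Program Files\ClamWin\bin\clamscan.exe "
            r"--database='C:\Program Files\ClamWin\db' "
            r"--include='{PLACEHOLDER-GUID}.hma' - Returned 1"),
])


@dataclass
class ScanResult:
    timestamp: str
    thread: str
    database: Optional[str]
    include: Optional[str]
    code: int

    @property
    def verdict(self) -> str:
        return SCANNER_EXIT_CODES.get(self.code, f"scanner error (unknown code {self.code})")

    @property
    def scanned(self) -> bool:
        """True only when clamscan actually examined the file (exit 0 or 1)."""
        return self.code in (0, 1)


def parse_scan_results(log_text: str) -> List[ScanResult]:
    """Extract every ClamWinVirusScanner::Scan() result from a debug log."""
    results = []
    for line in log_text.splitlines():
        rec = LINE_RE.match(line)
        if not rec:
            continue
        scan = SCAN_RE.search(rec.group("msg"))
        if not scan:
            continue
        cmd = scan.group("cmd")
        db = DB_RE.search(cmd)
        inc = INCLUDE_RE.search(cmd)
        results.append(ScanResult(
            timestamp=rec.group("ts"),
            thread=rec.group("thread"),
            database=db.group(1) if db else None,
            include=inc.group(1) if inc else None,
            code=int(scan.group("code")),
        ))
    return results


def unscanned(results: List[ScanResult]) -> List[ScanResult]:
    """Results where the scanner failed: the mail went out without a real scan."""
    return [r for r in results if not r.scanned]


if __name__ == "__main__":
    for r in parse_scan_results(SAMPLE_LOG):
        flag = "" if r.scanned else "  <-- NOT SCANNED"
        print(f"{r.timestamp} thread {r.thread}: {r.include} -> {r.verdict}{flag}")
```

Feed it the real hmailserver log instead of SAMPLE_LOG and anything listed by unscanned() is a message that reached a mailbox while the scanner was broken, which is the condition the original poster hit without noticing.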

Jason Weir
Normal user
Posts: 58
Joined: 2004-02-02 23:41
Location: Chichester, NH

Post by Jason Weir » 2004-07-01 15:29

Ahhh, you have to love logging. I think I see a problem.

"DEBUG" 2908 "2004-07-01 08:35:24.296" "ClamWinVirusScanner::Scan() - C:\Program Files\ClamWin\bin\clamscan.exe --database='C:\Documents and Settings\All Users\.clamwin\db' --include='{744D7CAF-9003-42EF-AAB9-6F75F1B86B90}.hma' - Returned 50"

From clamav.net, a return of 50 means "50: Database initialization error."

Again, if I scan manually from ClamWin it detects the virus just fine.

any ideas?

Thanks
Jason

martin
Developer
Posts: 6834
Joined: 2003-11-21 01:09
Location: Sweden

Post by martin » 2004-07-01 15:59

Strange... This means that ClamScan can't find the database or that it has an invalid format. Can you double-check that the path C:\Documents and Settings\All Users\.clamwin\db really points at the clamscan database on your computer?

Compare it to the virus database folder in ClamWin's configuration. Also check the permissions on the folder so that it's accessible by everyone.

Perhaps you could try to copy the database to another location and change the path in hMailAdmin?

Bram
Senior user
Posts: 417
Joined: 2004-05-24 22:57
Location: The Netherlands

same problem here

Post by Bram » 2004-07-02 11:22

Enabled AV. Standard settings (autodetect), all files exist.

Sent a mail with a Word document.

I also got error 50 (strange, the service is running under local admin).

Moved the ClamAV database to c:\program files\clamwin\db and changed the path in hMailServer to it.
(Also changed the path in the ClamWin application so the automatic update also updates in this location.)

Sent a mail with a Word document.

Returned 0 (which was OK)

Downloaded eicar.zip.

Sent a mail with eicar.zip.

Returned 0 :(

Unpacked the zip.

Sent a mail with eicar.com.

Returned 1 :P

hMailServer removed the attachment and edited the body.

Next question : Is it possible to change the message you add when a virus is found?

---- Using -----
clamwin 0.35
Windows server 2003
hm 3.2 build 26
MSSQL

martin
Developer
Posts: 6834
Joined: 2003-11-21 01:09
Location: Sweden

Post by martin » 2004-07-02 12:15

Conclusion:
When running hMailServer as a service in Windows 2003, it's not allowed to read from the C:\Documents And Settings\All Users\.clamwin\db folder. So if you want to use ClamWin on Win2003, you must copy the files to another directory and read it from there.
The reason it works with ClamWin is that ClamWin isn't running as a service.

Jason Weir
Normal user
Posts: 58
Joined: 2004-02-02 23:41
Location: Chichester, NH

Post by Jason Weir » 2004-07-02 14:49

I'm not quite sure we have the problem fixed.

I moved the database to 'c:\Program Files\ClamWin\db' and changed the path in hMailServer.

I still get a 50 return code:

"ClamWinVirusScanner::Scan() - C:\Program Files\ClamWin\bin\clamscan.exe --database='c:\Program Files\ClamWin\db' --include='{461F74D2-1D64-4DC6-9452-CD4A0C1AC54F}.hma' - Returned 50"


But if I run clamscan from the command line like this, it works fine:

"C:\Program Files\ClamWin\bin\clamscan.exe" --database='c:\Program Files\ClamWin\db' --include='eicar.com' --tempdir='c:\temp'
/cygdrive/c/temp/eicar.com: Eicar-Test-Signature FOUND


I also tried enabling "interact with desktop" and running the service under the administrator account, both had the same results - return 50.

I deleted and updated my database - still same thing!

The only difference I noticed is that when I run clamscan via the command line, I have to specify a --tempdir or it pukes. Are you specifying this when you scan from hMailServer?

Jason

martin
Developer
Posts: 6834
Joined: 2003-11-21 01:09
Location: Sweden

Post by martin » 2004-07-02 15:06

What OS are you using?

Jason Weir
Normal user
Posts: 58
Joined: 2004-02-02 23:41
Location: Chichester, NH

Post by Jason Weir » 2004-07-02 15:09

I've tried it on 2 machines; the first was Win2k Server and the other is Win2k Pro.

Same results on both.

Jason

martin
Developer
Posts: 6834
Joined: 2003-11-21 01:09
Location: Sweden

Post by martin » 2004-07-02 15:52

If you open a command prompt, go to the data directory and execute the exact same command line as hMailServer, what does ClamAV say?

Jason Weir
Normal user
Posts: 58
Joined: 2004-02-02 23:41
Location: Chichester, NH

Post by Jason Weir » 2004-07-02 17:06

When I ran the command at the command prompt it gave me a "can't create temp directory" error.

So I uninstalled ClamWin and reinstalled it, moved the paths out of the "All Users" directory, and now it's working fine.

Sorry for taking everyone on a wild goose chase. :)

Thanks for the help..

Jason

martin
Developer
Posts: 6834
Joined: 2003-11-21 01:09
Location: Sweden

Post by martin » 2004-07-02 18:22

It's strange that it works just fine on my computer, even though I have the files in the All Users directory... :\

BigJim
New user
Posts: 2
Joined: 2004-03-22 15:55

I think I found the true reason

Post by BigJim » 2004-07-07 11:10

I have upgraded my server to 3.2 Build 28 and encountered the same problem.
Perhaps it is caused by 'Unable to create temporary directory'; see this link also: http://sourceforge.net/docman/display_d ... _id=105508

I have changed the registry
HKEY_LOCAL_MACHINE\SOFTWARE\Cygnus Solutions\Cygwin\mounts v2\/tmp\native
to value "C:\Windows\Temp"

So all is fine now :)
The original value is "C:\Documents and Settings\Administrator\Local Settings\Temp\1" for me; when I log out from termservice, it doesn't exist!

I think hMailServer could specify a --tempdir to solve this problem.

I'm sorry my English is so bad.

large
Normal user
Posts: 33
Joined: 2004-12-31 12:47

Post by large » 2004-12-31 12:56

martin wrote:
It's strange that it works just fine on my computer, even though I have the files in the All Users directory... :\

To shed some light on the problem, I can tell my story ;)

When you install hMailServer it will run as SYSTEM (a "user"); this is a background service. When a service runs a program, the execution gets the same rights as the program that started it. When a path has rights for "Everybody", that does not include services. So by adding the SYSTEM user specifically to the path it might work (haven't tested), but I followed BigJim's solution and made the temp folder available.
Then I tested with just the Everybody group; did not work.
Added the SYSTEM user to the tmp-file; worked like a charm :)

I'm not a Windows rights expert, but it seems like the concept of the "Everybody" group is a little misleading.
Lars Werner
http://lars.werner.no
Check out my tools:
http://lars.werner.no/unpacker/ - 100% automated extraction tool
http://lars.werner.no/sizeme/ - Maximize the output on a given media (like CD/DVD ect)

Daikoku
Normal user
Posts: 65
Joined: 2005-03-13 22:12

Post by Daikoku » 2005-03-14 00:55

I also get the "Returned 50" problem, and I tried moving the db to another location as well.

"DEBUG"	3448	"2005-03-13 16:45:29.937"	"ClamWinVirusScanner::Scan()"
"DEBUG"	3448	"2005-03-13 16:45:30.015"	"ClamWinVirusScanner::Scan() - C:\Program Files\ClamWin\bin\clamscan.exe --database='C:\Program Files\ClamWin\db' --include='{7D2D3E17-81DB-4053-A550-0366C8396F6B}.eml' - Returned 50"
"DEBUG"	3448	"2005-03-13 16:45:30.015"	"ClamWinVirusScanner::~Scan()"
Scanning from the command line works just fine. No temp folder error or anything. I'm running W2K3 and v4b89.

Bram
Senior user
Posts: 417
Joined: 2004-05-24 22:57
Location: The Netherlands

Post by Bram » 2005-03-14 08:06

I had this problem several times under ClamWin and Windows 2003. Since I changed to the SOSDG version of Clam I have had no more problems, and SOSDG also checks inside archive attachments (not all of them).

Search the forum for more information.
hmailserver 4.3 (242 Live)
hmailserver 5.0 (605 Test)
Windows 2003
MSSQL
ASSP 1.3.2
ClamAV (SOSDG)
http://www.realdesign.nl

Daikoku
Normal user
Posts: 65
Joined: 2005-03-13 22:12

Post by Daikoku » 2005-03-14 16:16

For some reason it started to work after I removed ASSP. Not sure what that could have to do with ClamWin but maybe it helps somebody ;)

jackaljackal
New user
Posts: 3
Joined: 2005-03-17 21:26

How I got AV working on my 2003 Server box

Post by jackaljackal » 2005-03-17 21:55

I installed version 0.83-7c of the SOSDG port of ClamAV for Windows using all of the defaults except that I didn't install the virus test files:

http://www.sosdg.org/clamav-win32/index.php

On the hMailServer AntiVirus pane's ClamWin tab:

[x] Use ClamWin
ClamScan executable
C:\clamav-devel\bin\clamdscan.exe
Path to ClamScan database
C:\clamav-devel\share\clamav\

This uses the clamdscan.exe executable which requires having the clamd Daemon running, so I added a shortcut to the Windows "Startup" group to kick off the C:\clamav-devel\start-clamd.bat batch file to load the Daemon.

Then, I set up a couple of tasks in the Windows task scheduler to run the C:\clamav-devel\bin\freshclam.exe update program at a couple of different times during the day.

At least for my particular installation, changing over to use the clamdscan Daemon-specific version got it all working happily on this particular 2003 Server.

project2003
New user
Posts: 1
Joined: 2005-03-30 00:14

Post by project2003 » 2005-04-05 01:08

After downloading and installing ClamWin from http://www.clamwin.com/ I had to use the following lines to resolve the "Returned 50" in the debug logs.

In hMailServer Administrator, expand Settings - SMTP - Antivirus. Select the ClamWin tab and enter the following lines.

Clamscan Executable = "C:\Program Files\ClamWin\bin\clamscan.exe" "--tempdir=c:\temp"

Path to ClamWin DB = C:\Documents and Settings\All Users\.clamwin\db
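The thread's diagnosis comes down to two conditions the scan runs under but the interactive ClamWin test does not: the service account (SYSTEM by default, as martin's conclusion and large's post describe) must be able to read the signature database directory, and clamscan must be able to create its temporary directory (BigJim's registry fix and the explicit --tempdir above). The script below is an added example, not hMailServer's or ClamWin's own code; it checks both conditions from the point of view of whatever account runs it, so it is meant to be run as the service account (for example from a scheduled task that runs as SYSTEM), and it composes the command line in the form the thread's log shows with the --tempdir switch added. The signature file names (*.cvd, *.cld) and the Windows paths in the main block are assumptions taken from the thread and from ClamAV's usual layout.

```python
"""Pre-flight checks for the ClamWin integration, to be run as the service account.

Added example, not hMailServer's or ClamWin's own code. It checks the two
things this thread traced "Returned 50" back to: the signature database
directory not being readable by the account the hMailServer service runs as
(SYSTEM by default), and clamscan being unable to create its temporary
directory. Run it under that service account so os.access reports what the
service actually sees. Assumptions: signature files are named *.cvd or *.cld,
and the command line follows the form in the thread's log plus an explicit
--tempdir as project2003's post sets it.
"""
import os
import tempfile
from typing import List

SIGNATURE_SUFFIXES = (".cvd", ".cld")  # assumed ClamAV database file names


def check_database_dir(db_dir: str) -> List[str]:
    """Return the problems that would make clamscan fail database initialization."""
    problems: List[str] = []
    if not os.path.isdir(db_dir):
        return [f"database directory does not exist: {db_dir}"]
    if not os.access(db_dir, os.R_OK | os.X_OK):
        problems.append(f"database directory is not readable by this account: {db_dir}")
    try:
        names = os.listdir(db_dir)
    except OSError as exc:
        return problems + [f"cannot list database directory: {exc}"]
    signatures = [n for n in names if n.lower().endswith(SIGNATURE_SUFFIXES)]
    if not signatures:
        problems.append("no signature files (*.cvd/*.cld) found")
    for name in signatures:
        if not os.access(os.path.join(db_dir, name), os.R_OK):
            problems.append(f"signature file is not readable by this account: {name}")
    return problems


def check_temp_dir(temp_dir: str) -> List[str]:
    """Return the problems that would trigger 'Unable to create temporary directory'."""
    if not os.path.isdir(temp_dir):
        return [f"temp directory does not exist: {temp_dir}"]
    if not os.access(temp_dir, os.W_OK):
        return [f"temp directory is not writable by this account: {temp_dir}"]
    try:
        # clamscan creates a per-run subdirectory, so probe that, not just a file.
        probe = tempfile.mkdtemp(prefix="clamscan-preflight-", dir=temp_dir)
        os.rmdir(probe)
    except OSError as exc:
        return [f"cannot create a subdirectory in {temp_dir}: {exc}"]
    return []


def build_clamscan_command(exe: str, db_dir: str, include_name: str, temp_dir: str) -> str:
    """Compose the clamscan command line in the form the thread's log shows,
    with an explicit --tempdir so the scan does not depend on a per-user temp
    path that does not exist when the service account has no logged-on profile."""
    return f"\"{exe}\" --database='{db_dir}' --include='{include_name}' --tempdir='{temp_dir}'"


def preflight(exe: str, db_dir: str, temp_dir: str) -> List[str]:
    """Run all checks; an empty list means this account should be able to scan."""
    problems: List[str] = []
    if not os.path.isfile(exe):
        problems.append(f"executable not found: {exe}")
    problems += [f"database: {p}" for p in check_database_dir(db_dir)]
    problems += [f"tempdir: {p}" for p in check_temp_dir(temp_dir)]
    return problems


if __name__ == "__main__":
    # Paths as posted in the thread (assumed); adjust to your installation.
    exe = r"C:\Program Files\ClamWin\bin\clamscan.exe"
    db = r"C:\Program Files\ClamWin\db"
    tmp = r"C:\Windows\Temp"
    for problem in preflight(exe, db, tmp) or ["no problems found"]:
        print(problem)
    print(build_clamscan_command(exe, db, "{message-id}.hma", tmp))
```

If the same script reports no problems when run from an interactive administrator prompt but reports unreadable paths when run as SYSTEM, that reproduces exactly the split seen in this thread between a working manual ClamWin scan and a failing service-side scan.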

alk
Normal user
Posts: 40
Joined: 2005-02-22 18:23

Post by alk » 2005-04-07 08:23

Clamscan Executable = "C:\Program Files\ClamWin\bin\clamscan.exe" "--tempdir=c:\temp"
I implemented this on my hMailServer 4.0d97 and only after that did it start to find viruses in mail via ClamWin. I used tempdir=c:\windows\temp. I sent two messages with eicar.zip; both were detected, and hMail sent mail with a notification but didn't delete the messages as I set in the hMail admin antivirus configuration. I noticed two clamscan processes hanging in memory and eating up to 50% of CPU resources each. Two non-removable subdirectories appeared in windows\temp, each of them owned by System, so the only way to remove them even after a reboot is to change the owner to administrator. The directories had names associated with clamscan and hMail message numbers and were empty.
Besides that, two lines appeared in hMail admin Live/Undelivered Messages and it's unclear what should be done with them at this point. hMailAdmin doesn't offer to delete them, just shows their contents. It should be mentioned that I use ASSP as an SMTP proxy (ASSP native virus detection disabled) and Windows XP SP2. What's wrong with ClamWin and hMailServer?

martin
Developer
Posts: 6834
Joined: 2003-11-21 01:09
Location: Sweden

Post by martin » 2005-04-12 12:22

alk:
Please discuss beta versions in the beta discussions section of this forum.

Second, have you tried the latest 4.0 build? If you're using an alpha version, you should at least upgrade to the latest before reporting any problems with it.