hMailServer, clamav on Windows Server 2008 R2

windchaserb
New user
Posts: 7
Joined: 2010-10-20 01:39

hMailServer, clamav on Windows Server 2008 R2

Postby windchaserb » 2010-10-23 02:11

Having a bit of trouble getting clamav (nico's version) to work with hMailServer on Windows Server 2008 R2.
Using eicar test virus it says the test email is ok. If I run clamdscan against the virus directly it picks it up.
I'm using the external virus tab with the scanner executable setting:
"c:\clamav\clamdscan.exe" "%FILE%"

My clamd logs show it passing.
Fri Oct 22 19:59:41 2010 -> Received POLLIN|POLLHUP on fd 1192
Fri Oct 22 19:59:41 2010 -> Got new connection, FD 1476
Fri Oct 22 19:59:41 2010 -> fds_poll_recv: timeout after 5 seconds
Fri Oct 22 19:59:41 2010 -> Received POLLIN|POLLHUP on fd 1476
Fri Oct 22 19:59:41 2010 -> got command CONTSCAN \\?\C:\Program Files (x86)\hMailServer\Data\{AF5BDCE9-37A3-4811-AEA3-68F6A3789CEE}.eml (96, 7), argument: \\?\C:\Program Files (x86)\hMailServer\Data\{AF5BDCE9-37A3-4811-AEA3-68F6A3789CEE}.eml
Fri Oct 22 19:59:41 2010 -> mode -> MODE_WAITREPLY
Fri Oct 22 19:59:41 2010 -> Breaking command loop, mode is no longer MODE_COMMAND
Fri Oct 22 19:59:41 2010 -> Consumed entire command
Fri Oct 22 19:59:41 2010 -> Number of file descriptors polled: 0 fds
Fri Oct 22 19:59:41 2010 -> fds_poll_recv: timeout after 600 seconds
Fri Oct 22 19:59:41 2010 -> THRMGR: queue (single) crossed low threshold -> signaling
Fri Oct 22 19:59:41 2010 -> THRMGR: queue (bulk) crossed low threshold -> signaling
Fri Oct 22 19:59:41 2010 -> C:\Program Files (x86)\hMailServer\Data\{AF5BDCE9-37A3-4811-AEA3-68F6A3789CEE}.eml: OK
Fri Oct 22 19:59:41 2010 -> Finished scanthread
Fri Oct 22 19:59:41 2010 -> Scanthread: connection shut down (FD 1476)
Fri Oct 22 19:59:41 2010 -> THRMGR: queue (single) crossed low threshold -> signaling
Fri Oct 22 19:59:41 2010 -> THRMGR: queue (bulk) crossed low threshold -> signaling

My hMailServer logs show it not getting picked up either.

"DEBUG" 1772 "2010-10-22 19:59:41.618" "Creating session 2"
"DEBUG" 3804 "2010-10-22 19:59:41.650" "Total spam score: 0"
"DEBUG" 3328 "2010-10-22 19:59:41.712" "Total spam score: 0"
"DEBUG" 3328 "2010-10-22 19:59:41.712" "Saving message: C:\Program Files (x86)\hMailServer\Data\{AF5BDCE9-37A3-4811-AEA3-68F6A3789CEE}.eml"
"DEBUG" 3328 "2010-10-22 19:59:41.712" "Requesting SMTPDeliveryManager to start message delivery"
"DEBUG" 3152 "2010-10-22 19:59:41.712" "Delivering message..."
"APPLICATION" 3152 "2010-10-22 19:59:41.712" "SMTPDeliverer - Message 105: Delivering message from eicar@aleph-tec.com to pat@patmac.gotdns.com. File: C:\Program Files (x86)\hMailServer\Data\{AF5BDCE9-37A3-4811-AEA3-68F6A3789CEE}.eml"
"DEBUG" 3152 "2010-10-22 19:59:41.712" "CustomVirusScanner::Scan()"
"DEBUG" 2616 "2010-10-22 19:59:41.728" "Closing TCP/IP socket"
"DEBUG" 2616 "2010-10-22 19:59:41.728" "Ending session 2"
"DEBUG" 3152 "2010-10-22 19:59:41.775" "CustomVirusScanner::Scan() - "c:\clamav\clamdscan.exe" "C:\Program Files (x86)\hMailServer\Data\{AF5BDCE9-37A3-4811-AEA3-68F6A3789CEE}.eml" - Returned 0"
"DEBUG" 3152 "2010-10-22 19:59:41.775" "CustomVirusScanner::~Scan()"
"DEBUG" 3152 "2010-10-22 19:59:41.775" "Applying rules"
"DEBUG" 3152 "2010-10-22 19:59:41.775" "Performing local delivery"
"DEBUG" 3152 "2010-10-22 19:59:41.775" "Applying rules"
"DEBUG" 3152 "2010-10-22 19:59:41.775" "Saving message: C:\Program Files (x86)\hMailServer\Data\patmac.gotdns.com\pat\AF\{AF5BDCE9-37A3-4811-AEA3-68F6A3789CEE}.eml"
"DEBUG" 3152 "2010-10-22 19:59:41.775" "AWStats::LogDeliverySuccess"
"DEBUG" 3152 "2010-10-22 19:59:41.790" "Local delivery completed"
"APPLICATION" 3152 "2010-10-22 19:59:41.790" "SMTPDeliverer - Message 105: Message delivery thread completed."
"DEBUG" 2820 "2010-10-22 20:00:40.946" "Creating session 3"
"DEBUG" 1112 "2010-10-22 20:00:40.962" "Reading message from database"
"DEBUG" 1112 "2010-10-22 20:00:41.196" "Closing TCP/IP socket"
"DEBUG" 1112 "2010-10-22 20:00:41.196" "Ending session 3"
"DEBUG" 2820 "2010-10-22 20:02:46.196" "Creating session 4"
"DEBUG" 1032 "2010-10-22 20:02:46.431" "Closing TCP/IP socket"

Anyone have any suggestions?
- thanks for any help.
-pat

Bill48105
Developer
Posts: 6171
Joined: 2010-04-24 23:16
Location: Michigan, USA

Re: hMailServer, clamav on Windows Server 2008 R2

Postby Bill48105 » 2010-10-23 03:30

Hey pat,
Logs show it returned 0. I assume that was a test virus. What does it show for return on clean file? Possible you need to adjust return codes in hmail? Shouldn't the clam log show it found a virus? Soz I've not looked so not sure what they look like honestly.

btw 5.4 which should be out any day has native clamd client built in (still needs clamd server to connect to) which so far seems to work well so hopefully assuming the alpha is stable should help ease a lot of AV pains. It is certainly easier to setup in hmail for sure.
Bill
*** ABSENT FROM hMail! Those in IRC know how to find me if urgent. ***
hMailServer build LIVE on my servers: 5.4-B2014050402
Latest test builds: http://www.hmailserver.com/forum/viewtopic.php?f=10&t=21420
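Bill's point about return codes is the crux: hMailServer never sees clamd's verdict, only the exit code of the external command (clamdscan exits 0 for clean, 1 when a signature matches, 2 on error), so the quickest check is to line up each "Returned N" entry in the hMailServer log with the matching "<path>: OK" or "<path>: ... FOUND" line in the clamd log. The script below is an added example, not part of the thread or of either project; the log lines in it are constructed to mimic the excerpts above, and the shortened GUIDs in the file names are placeholders.

```python
import re

# Constructed sample log lines modelled on the thread's excerpts (not the poster's real logs).
# hMailServer records the external scanner command line and its exit code ("Returned N").
HMS_LOG = r"""
"DEBUG" 3152 "2010-10-22 19:59:41.775" "CustomVirusScanner::Scan() - "c:\clamav\clamdscan.exe" "C:\Program Files (x86)\hMailServer\Data\{AF5B}.eml" - Returned 0"
"DEBUG" 3152 "2010-10-22 20:05:12.100" "CustomVirusScanner::Scan() - "c:\clamav\clamdscan.exe" "C:\Program Files (x86)\hMailServer\Data\{B7C1}.eml" - Returned 1"
"DEBUG" 3152 "2010-10-22 20:07:30.200" "CustomVirusScanner::Scan() - "c:\clamav\clamdscan.exe" "C:\Program Files (x86)\hMailServer\Data\{C9D2}.eml" - Returned 0"
"""
# clamd logs one "<path>: OK" or "<path>: <signature> FOUND" line per scanned file.
CLAMD_LOG = r"""
Fri Oct 22 19:59:41 2010 -> C:\Program Files (x86)\hMailServer\Data\{AF5B}.eml: OK
Fri Oct 22 20:05:12 2010 -> C:\Program Files (x86)\hMailServer\Data\{B7C1}.eml: Eicar-Test-Signature FOUND
Fri Oct 22 20:07:30 2010 -> \\?\C:\Program Files (x86)\hMailServer\Data\{C9D2}.eml: Eicar-Test-Signature FOUND
"""

HMS_RE = re.compile(r'Scan\(\) - "[^"]+" "(?P<path>[^"]+)" - Returned (?P<rc>\d+)')
CLAMD_RE = re.compile(r'-> (?P<path>.+): (?P<verdict>OK|\S+ FOUND)$')


def normalize(path):
    # clamd may echo the extended-length "\\?\" prefix seen in its CONTSCAN line; drop it, ignore case.
    if path.startswith('\\\\?\\'):
        path = path[4:]
    return path.lower()


def check_scan_results(hms_log, clamd_log):
    """Pair each hMailServer scan with clamd's verdict; return (path, verdict, rc, status) tuples."""
    verdicts = {}
    for line in clamd_log.splitlines():
        m = CLAMD_RE.search(line)
        if m:
            verdicts[normalize(m['path'])] = m['verdict']
    findings = []
    for line in hms_log.splitlines():
        m = HMS_RE.search(line)
        if not m:
            continue
        path, rc = normalize(m['path']), int(m['rc'])
        verdict = verdicts.get(path)
        if verdict is None:
            status = 'NO_CLAMD_RESULT'   # the scan never reached clamd (e.g. service not running)
        elif (verdict == 'OK') == (rc == 0):
            status = 'CONSISTENT'        # clamd's verdict and the exit code hMailServer saw agree
        else:
            status = 'MISMATCH'          # e.g. clamd found EICAR but hMailServer got exit code 0
        findings.append((path, verdict, rc, status))
    return findings


if __name__ == '__main__':
    for path, verdict, rc, status in check_scan_results(HMS_LOG, CLAMD_LOG):
        print(f'{status:16} rc={rc} clamd={verdict} {path}')
```

A MISMATCH row means the verdict is being lost between clamdscan and hMailServer (wrong return-code mapping in the External virus scanner settings, or a wrapper swallowing the exit code); NO_CLAMD_RESULT means clamdscan never reached the daemon, which on the thread's setup is the first thing to rule out.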

windchaserb
New user
Posts: 7
Joined: 2010-10-20 01:39

Re: hMailServer, clamav on Windows Server 2008 R2

Postby windchaserb » 2010-10-23 03:58

Thanks for the quick response. A clean file also posts a 0 return code. So it seems that the viruses are not being detected when I go through hMS. They are being detected if I run clamdscan manually with the eicar test file.

All I can think of is that somehow the command that is coming through to clamdscan from hmailserver is somehow broken... but I can't see how unless it's the pathname where hMS has the .eml file.

mattg
Moderator
Posts: 13389
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: hMailServer, clamav on Windows Server 2008 R2

Postby mattg » 2010-10-23 04:27

Is clamAv working properly?

Have you enabled logging in it to see what is going on?
Is the clamD service running?
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

windchaserb
New user
Posts: 7
Joined: 2010-10-20 01:39

Re: hMailServer, clamav on Windows Server 2008 R2

Postby windchaserb » 2010-10-23 13:58

Yes... my logs from clamd and hMS are the first part of my post.

tBB
Senior user
Posts: 268
Joined: 2009-04-17 18:10
Location: The land of Beer and Sauerkraut!

Re: hMailServer, clamav on Windows Server 2008 R2

Postby tBB » 2010-10-23 15:00

The ClamD log looks fine. Assuming that you didn't configure hMS to delete .com attachments, what EICAR variant were you using (plain, zipped, disguised)? Are you using any third party signatures (sanesecurity.ftm in particular)?

Best regards,

Nico

windchaserb
New user
Posts: 7
Joined: 2010-10-20 01:39

Re: hMailServer, clamav on Windows Server 2008 R2

Postby windchaserb » 2010-10-23 15:52

You know.... I did some further testing and when I try to SEND a virus email it is picked up by clamd. It's only when I receive (send myself something from eicar) that it's not picked up. Looking at the emails received (the .eml files that are in the temporary directory) I don't see any of the viruses.

Somehow that leads me to believe clamd is working just fine as is hMS. Could it be possible that the viruses are being stripped on the way to my server? So that the emails are clean when they reach clamd?

-pat

tBB
Senior user
Posts: 268
Joined: 2009-04-17 18:10
Location: The land of Beer and Sauerkraut!

Re: hMailServer, clamav on Windows Server 2008 R2

Postby tBB » 2010-10-23 19:50

windchaserb wrote:Somehow that leads me to believe clamd is working just fine as is hMS. Could it be possible that the viruses are being stripped on the way to my server? So that the emails are clean when they reach clamd?

-pat

Easy to check: If the EICAR attachment is still there when you look at the mail in your mail client then it wasn't stripped :)

Best regards,

Nico

windchaserb
New user
Posts: 7
Joined: 2010-10-20 01:39

Re: hMailServer, clamav on Windows Server 2008 R2

Postby windchaserb » 2010-10-23 22:14

Thanks. It seems it's just the test emails from Eicar that come through ok.

I've sent myself an 'infected' email from another website which got detected by clamd.

So it seems to be working. Not sure why the Eicar test emails don't come through. I checked further and the attachments are coming through but not detected as containing a virus.

If anyone can shed light on this I'd be more than interested.

Thanks, Pat

tBB
Senior user
Posts: 268
Joined: 2009-04-17 18:10
Location: The land of Beer and Sauerkraut!

Re: hMailServer, clamav on Windows Server 2008 R2

Postby tBB » 2010-10-23 22:26

windchaserb wrote:If anyone can shed light on this I'd be more than interested.

Well, I'd really like to but then you should answer my questions first:

tBB wrote:what EICAR variant were you using (plain, zipped, disguised)? Are you using any third party signatures (sanesecurity.ftm in particular)?

If you had let some page send the EICAR file to you, please also tell me which one.

Best regards,

Nico

windchaserb
New user
Posts: 7
Joined: 2010-10-20 01:39

Re: hMailServer, clamav on Windows Server 2008 R2

Postby windchaserb » 2010-10-23 23:05

No third-party signatures.

Here are the variants I was sending
1.Sending clean... 1 OK!
2.Sending eicar.com... 1 OK!
3.Sending eicar.com.txt... 1 OK!
4.Sending eicar_com.zip... 1 OK!
5.Sending eicarcom2.zip... 1 OK!
6.Sending eicarpasswd.zip... 1 OK!
7.Sending eicarpasswdocr.zip... 1 OK!

To send the virus that was detected I logged into another webmail account I have, copied the eicar virus text into the body of the email and sent it.

Thanks, pat

tBB
Senior user
Posts: 268
Joined: 2009-04-17 18:10
Location: The land of Beer and Sauerkraut!

Re: hMailServer, clamav on Windows Server 2008 R2

Postby tBB » 2010-10-24 10:58

windchaserb wrote:Here are the variants I was sending
1.Sending clean... 1 OK!
2.Sending eicar.com... 1 OK!
3.Sending eicar.com.txt... 1 OK!
4.Sending eicar_com.zip... 1 OK!
5.Sending eicarcom2.zip... 1 OK!
6.Sending eicarpasswd.zip... 1 OK!
7.Sending eicarpasswdocr.zip... 1 OK!

To send the virus that was detected I logged into another webmail account I have, copied the eicar virus text into the body of the email and sent it.

As you didn't mention what page had sent you the testfiles I can only guess that it was aleph-tec. If it was, please try another page like http://www.gfi.com/emailsecuritytest/ because aleph-tec is quite unreliable, at least over here.

Also, to have types 6. and 7. detected you would need to enable the detection of password protected archives in clamd.conf (not recommended because then every password protected archive will be flagged as infected).

Best regards,

Nico

windchaserb
New user
Posts: 7
Joined: 2010-10-20 01:39

Re: hMailServer, clamav on Windows Server 2008 R2

Postby windchaserb » 2010-10-24 15:29

Thanks. I had sent those from alpha-tec. Guess they are unreliable over here in the US too.

I tried the link from gfi.com and clamd picked up all the viruses without any problems. Looks like everything is working just fine.

Great product and thanks for the help!

-pat
