[clamav-users] ClamAV+exim: scanner finds not a single malware

Michael Heseltine heseltine.michael at googlemail.com
Mon May 23 07:43:55 EDT 2016


Hello all,
I have recently modified my exim (4.82) configuration so that all 
messages pass through clamav (0.99.2) first. Anything labeled as malware 
should be rejected while the incoming SMTP connection is still open 
(using an *acl_smtp_data* in exim).

But so far, this setup has not detected a single malware. All messages 
pass through without any notices:

> Mon May 23 13:26:09 2016 -> /var/spool/exim4/scan/1b4nzo-0001Nu-CQ/1b4nzo-0001Nu-CQ.eml: OK
> Mon May 23 13:26:23 2016 -> /var/spool/exim4/scan/1b4o07-0001O3-B2/1b4o07-0001O3-B2.eml: OK
> Mon May 23 13:27:51 2016 -> /var/spool/exim4/scan/1b4o1W-0001Ot-Ve/1b4o1W-0001Ot-Ve.eml: OK
> Mon May 23 13:28:08 2016 -> /var/spool/exim4/scan/1b4o1o-0001PF-BL/1b4o1o-0001PF-BL.eml: OK
> Mon May 23 13:29:01 2016 -> /var/spool/exim4/scan/1b4o2f-0001PT-AL/1b4o2f-0001PT-AL.eml: OK
> Mon May 23 13:29:10 2016 -> /var/spool/exim4/scan/1b4o2n-0001Pb-0B/1b4o2n-0001Pb-0B.eml: OK
> Mon May 23 13:29:15 2016 -> /var/spool/exim4/scan/1b4o2s-0001Pp-SZ/1b4o2s-0001Pp-SZ.eml: OK
> Mon May 23 13:29:25 2016 -> /var/spool/exim4/scan/1b4o33-0001Px-03/1b4o33-0001Px-03.eml: OK
> Mon May 23 13:29:44 2016 -> /var/spool/exim4/scan/1b4o33-0001Pw-BG/1b4o33-0001Pw-BG.eml: OK
> Mon May 23 13:30:03 2016 -> /var/spool/exim4/scan/1b4o3e-0001QL-IC/1b4o3e-0001QL-IC.eml: OK
> Mon May 23 13:30:41 2016 -> /var/spool/exim4/scan/1b4o4G-0001Sd-V5/1b4o4G-0001Sd-V5.eml: OK

The last six of those were E-Mails containing the Locky trojan 
(according to Avast antivirus on Windows 10), though. Can't ClamAV 
detect that?

These are the log lines my clamav installation writes on startup:

> Sun May 22 12:47:50 2016 -> clamd daemon 0.99.2 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
> Sun May 22 12:47:50 2016 -> Log file size limited to 4294967295 bytes.
> Sun May 22 12:47:50 2016 -> Reading databases from /var/lib/clamav
> Sun May 22 12:47:50 2016 -> Not loading PUA signatures.
> Sun May 22 12:47:50 2016 -> Bytecode: Security mode set to "TrustSigned".
> Sun May 22 12:47:55 2016 -> Loaded 4381396 signatures.
> Sun May 22 12:47:55 2016 -> LOCAL: Unix socket file /var/run/clamav/clamd.ctl
> Sun May 22 12:47:55 2016 -> LOCAL: Setting connection queue length to 15
> Sun May 22 12:47:55 2016 -> Limits: Global size limit set to 104857600 bytes.
> Sun May 22 12:47:55 2016 -> Limits: File size limit set to 26214400 bytes.
> Sun May 22 12:47:55 2016 -> Limits: Recursion level limit set to 10.
> Sun May 22 12:47:55 2016 -> Limits: Files limit set to 10000.
> Sun May 22 12:47:55 2016 -> Limits: Core-dump limit is 0.
> Sun May 22 12:47:55 2016 -> Limits: MaxEmbeddedPE limit set to 10485760 bytes.
> Sun May 22 12:47:55 2016 -> Limits: MaxHTMLNormalize limit set to 10485760 bytes.
> Sun May 22 12:47:55 2016 -> Limits: MaxHTMLNoTags limit set to 2097152 bytes.
> Sun May 22 12:47:55 2016 -> Limits: MaxScriptNormalize limit set to 5242880 bytes.
> Sun May 22 12:47:55 2016 -> Limits: MaxZipTypeRcg limit set to 1048576 bytes.
> Sun May 22 12:47:55 2016 -> Limits: MaxPartitions limit set to 50.
> Sun May 22 12:47:55 2016 -> Limits: MaxIconsPE limit set to 100.
> Sun May 22 12:47:55 2016 -> Limits: MaxRecHWP3 limit set to 16.
> Sun May 22 12:47:55 2016 -> Limits: PCREMatchLimit limit set to 10000.
> Sun May 22 12:47:55 2016 -> Limits: PCRERecMatchLimit limit set to 5000.
> Sun May 22 12:47:55 2016 -> Limits: PCREMaxFileSize limit set to 26214400.
> Sun May 22 12:47:55 2016 -> Archive support enabled.
> Sun May 22 12:47:55 2016 -> Algorithmic detection enabled.
> Sun May 22 12:47:55 2016 -> Portable Executable support enabled.
> Sun May 22 12:47:55 2016 -> ELF support enabled.
> Sun May 22 12:47:55 2016 -> Mail files support enabled.
> Sun May 22 12:47:55 2016 -> OLE2 support enabled.
> Sun May 22 12:47:55 2016 -> PDF support enabled.
> Sun May 22 12:47:55 2016 -> SWF support enabled.
> Sun May 22 12:47:55 2016 -> HTML support enabled.
> Sun May 22 12:47:55 2016 -> XMLDOCS support enabled.
> Sun May 22 12:47:55 2016 -> HWP3 support enabled.
> Sun May 22 12:47:55 2016 -> Self checking every 3600 seconds.
> Sun May 22 12:47:55 2016 -> Listening daemon: PID: 535
> Sun May 22 12:47:55 2016 -> MaxQueue set to: 100
I gather from those that I'm running the most recent version of clamav 
with the most recent signatures. So what is the problem? The only thing 
that clamav has ever rejected on my system was a test e-mail containing 
the EICAR test string in the message body.

Could this be a problem with the message format? Do I have to set up 
anything special in order for this to work?

What additional data can I provide? Any help is appreciated.

Best regards, Michael
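The one observation in the post that a practitioner would want to test before blaming signatures is that the only detection so far was EICAR placed in the message *body*, while the missed samples arrived as attachments. The script below is an added example, not part of Michael's post and not code from the ClamAV or Exim projects: it builds a message with the EICAR test string as a base64-encoded attachment (the way a mail client would send a file) and scans the resulting `.eml` the same way Exim hands the spool file to clamd. If the scanner returns `OK` for this file, the mail/MIME parsing path is what is broken, not signature coverage; if it is flagged, the parsing path works and the question moves back to signature age. Assumptions: `clamdscan` (or `clamscan`) is in `PATH`, otherwise the scan step is skipped; the sender/recipient addresses and the message headers are constructed; the file is written to a temporary directory rather than the Exim spool.

```shell
#!/bin/sh
# Added example (not from the original post): build a test message that carries
# the EICAR test string as a base64 attachment and scan it with clamdscan/clamscan.
set -eu

# The standard EICAR test string (68 bytes), assembled from two halves so that
# this script file itself is not flagged by an on-access scanner.
eicar_string() {
    printf '%s%s' 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-' 'FILE!$H+H*'
}

# Write a multipart/mixed message to $1 with the test string as an attachment.
# Addresses and subject are constructed placeholders.
build_eicar_eml() {
    out=$1
    boundary="eicar-test-boundary"
    b64=$(eicar_string | base64 | tr -d '\n')
    {
        printf 'From: sender@example.invalid\n'
        printf 'To: recipient@example.invalid\n'
        printf 'Subject: EICAR attachment scan test (constructed)\n'
        printf 'MIME-Version: 1.0\n'
        printf 'Content-Type: multipart/mixed; boundary="%s"\n' "$boundary"
        printf '\n'
        printf '%s\n' "--$boundary"
        printf 'Content-Type: text/plain; charset=us-ascii\n\n'
        printf 'Test message: the EICAR file is attached, not in the body.\n\n'
        printf '%s\n' "--$boundary"
        printf 'Content-Type: application/octet-stream; name="eicar.com"\n'
        printf 'Content-Transfer-Encoding: base64\n'
        printf 'Content-Disposition: attachment; filename="eicar.com"\n\n'
        printf '%s\n' "$b64"
        printf '%s\n' "--$boundary--"
    } > "$out"
}

# Print the base64 body of the attachment part of $1 (used to verify the file
# really contains what we think it does before trusting the scan result).
attachment_b64() {
    awk '/^Content-Disposition: attachment/ { inpart = 1; next }
         inpart && /^$/ { ready = 1; next }
         ready && NF { print; exit }' "$1"
}

# Scan $1 with whichever ClamAV client is available. clamdscan talks to the
# running clamd (the same engine Exim uses); clamscan loads the databases itself.
# ClamAV exit codes: 0 = nothing found, 1 = virus found, 2 = error.
scan_eml() {
    f=$1
    if command -v clamdscan >/dev/null 2>&1; then
        clamdscan --no-summary "$f"
    elif command -v clamscan >/dev/null 2>&1; then
        clamscan --no-summary "$f"
    else
        echo "no clamdscan/clamscan in PATH; skipping scan" >&2
        return 2
    fi
}

main() {
    dir=$(mktemp -d)
    eml="$dir/eicar-attachment.eml"
    build_eicar_eml "$eml"
    echo "wrote $eml"
    rc=0
    scan_eml "$eml" || rc=$?
    case $rc in
        0) echo "RESULT: OK returned for an EICAR attachment: the mail/MIME parsing path is not detecting" ;;
        1) echo "RESULT: attachment flagged: parsing and signatures work for attachments" ;;
        *) echo "RESULT: scanner unavailable or errored (exit $rc)" ;;
    esac
}

# Run the end-to-end check only when invoked with --run, so the functions can
# also be sourced and called individually.
if [ "${1:-}" = "--run" ]; then
    main
fi
```

Run it as `sh eicar-attachment-test.sh --run` on the mail host, as the same user clamd or Exim uses, so file permissions on the spool directory do not differ from the real path. For the Exim side, the post's log gives the socket as `/var/run/clamav/clamd.ctl`, so the corresponding settings would be `av_scanner = clamd:/var/run/clamav/clamd.ctl` in the main configuration and a `deny` with `malware = *` in the DATA ACL; `exim -bP av_scanner` prints the value Exim actually loaded, which is worth comparing against the socket path in the clamd log.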
