Mailing List Archive

adding AV scanning to working Postfix/SA system
SOHO system, on virtual machines. Fairly recent versions. Running openSUSE Leap 15.1.

Due to some recent malware (obvious stuff) wanted to add AV scanning. I gather "Amavis-new" is the hot ticket these days.

I deal with Sophos products and would like to use their Linux product to do the scanning. Seems to be precious little on how to do that.

Any experiences?



---------------------------------
j4computers, llc
Stone Ridge, NY 12484
845-687-3734
www.j4computers.com
---------------------------------
Re: adding AV scanning to working Postfix/SA system [ In reply to ]
So, beyond "experiences", any leads on generic "how to" guides that actually work in
practice? I've found a few; rather than chase geese, I'm sure some here have done
similar things, even if with other AV scanners.

> SOHO system, on virtual machines. Fairly recent versions. Running openSUSE
> Leap 15.1.
>
> Due to some recent malware (obvious stuff) wanted to add AV scanning. I
> gather "Amavis-new" is the hot ticket these days,
>
> I deal with Sophos products and would like to use their linux product to do
> the scanning. Seems to be precious little on how to do that.
>
> Any experiences?
>
>


---------------------------------
j4computers, llc
Stone Ridge, NY 12484
845-687-3734
www.j4computers.com
---------------------------------
Re: adding AV scanning to working Postfix/SA system [ In reply to ]
On 23 Nov 2020, at 11:37, Joe Acquisto-j4 wrote:

> So, beyond "experiences" any leads on generic "how to" guides that
> actually work in
> practice? I've found a few, rather than chase geese, I'm sure some
> here have done
> similar things, even if with other AV scanners.

Well, I've used MIMEDefang with ClamAV on both Sendmail and Postfix, but
that's a bit afield from Amavis & Sophos. With both MD and Amavis, it
seems like turning on Sophos scanning is just a config switch and for
MD, picking where in the filter() block to call out to Sophos. I would
hope that buying a license from Sophos would come with some sort of
integration documentation and/or tooling from them.


>> SOHO system, on virtual machines. Fairly recent versions. Running
>> openSUSE
>> Leap 15.1.
>>
>> Due to some recent malware (obvious stuff) wanted to add AV scanning.
>> I
>> gather "Amavis-new" is the hot ticket these days,
>>
>> I deal with Sophos products and would like to use their linux product
>> to do
>> the scanning. Seems to be precious little on how to do that.
>>
>> Any experiences?
>>
>>
>
>
> ---------------------------------
> j4computers, llc
> Stone Ridge, NY 12484
> 845-687-3734
> www.j4computers.com
> ---------------------------------


--
Bill Cole
bill@scconsult.com or billcole@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
Re: adding AV scanning to working Postfix/SA system [ In reply to ]
Fuglu supports Sophos AV
See fuglu.org

On 11/23/20 5:37 PM, Joe Acquisto-j4 wrote:
> So, beyond "experiences" any leads on generic "how to" guides that actually work in
> practice? I've found a few, rather than chase geese, I'm sure some here have done
> similar things, even if with other AV scanners.
>
>> SOHO system, on virtual machines. Fairly recent versions. Running openSUSE
>> Leap 15.1.
>>
>> Due to some recent malware (obvious stuff) wanted to add AV scanning. I
>> gather "Amavis-new" is the hot ticket these days,
>>
>> I deal with Sophos products and would like to use their linux product to do
>> the scanning. Seems to be precious little on how to do that.
>>
>> Any experiences?
>>
>>
>
>
> ---------------------------------
> j4computers, llc
> Stone Ridge, NY 12484
> 845-687-3734
> www.j4computers.com
> ---------------------------------
>
Re: adding AV scanning to working Postfix/SA system [ In reply to ]
On 11/24/20 12:40 PM, Axb wrote:
> Fuglu supports Sophos AV
> See fuglu.org

Sophos recently discontinued their support for SAVI on Linux. They now
only support "Server Central Intercept X Advanced" which is an entirely
different product.

I would also be interested in newer/supported AV alternatives.

Regards,
Dave

>
> On 11/23/20 5:37 PM, Joe Acquisto-j4 wrote:
>> So, beyond "experiences" any leads on generic "how to" guides that
>> actually work in
>> practice?   I've found a few, rather than chase geese, I'm sure some
>> here have done
>> similar things, even if with other AV scanners.
>>
>>> SOHO system, on virtual machines.   Fairly recent versions. Running
>>> openSUSE
>>> Leap 15.1.
>>>
>>> Due to some recent malware (obvious stuff) wanted to add AV
>>> scanning.   I
>>> gather "Amavis-new" is the hot ticket these days,
>>>
>>> I deal with Sophos products and would like to use their linux product
>>> to do
>>> the scanning.   Seems to be precious little on how to do that.
>>>
>>> Any experiences?
>>>
>>>
>>
>>
>> ---------------------------------
>>         j4computers, llc
>>     Stone Ridge, NY 12484
>>          845-687-3734
>>     www.j4computers.com
>> ---------------------------------
>>
Re: adding AV scanning to working Postfix/SA system [ In reply to ]
>>
> On 11/24/20 12:40 PM, Axb wrote:
>> Fuglu supports Sophos AV
>> See fuglu.org
>
> Sophos recently discontinued their support for SAVI on Linux. They now
> only support "Server Central Intercept X Advanced" which is an entirely
> different product.
>
> I would also be interested in newer/supported AV alternatives.
>
> Regards,
> Dave
>

Well, that's a fine how do ya do. Eh, this was more an "exercise" project anyway. I suppose almost any scanner with
reasonable updating capability will do fine.



---------------------------------
j4computers, llc
Stone Ridge, NY 12484
845-687-3734
www.j4computers.com
---------------------------------
Re: adding AV scanning to working Postfix/SA system [ In reply to ]
>
> On 11/24/20 12:40 PM, Axb wrote:
>> Fuglu supports Sophos AV
>> See fuglu.org
>
> Sophos recently discontinued their support for SAVI on Linux. They now
> only support "Server Central Intercept X Advanced" which is an entirely
> different product.
>
> I would also be interested in newer/supported AV alternatives.
>
> Regards,
> Dave
>

Where did you hear this? I was just informed it will continue until 2023 at least.

The "Free" version is no longer available, apparently, but the "endpoint" product is still there
for paying customers.

joe a.

---------------------------------
j4computers, llc
Stone Ridge, NY 12484
845-687-3734
www.j4computers.com
---------------------------------
Re: adding AV scanning to working Postfix/SA system [ In reply to ]
On 11/30/20 7:00 PM, Joe Acquisto-j4 wrote:
>>
>> On 11/24/20 12:40 PM, Axb wrote:
>>> Fuglu supports Sophos AV
>>> See fuglu.org
>>
>> Sophos recently discontinued their support for SAVI on Linux. They now
>> only support "Server Central Intercept X Advanced" which is an entirely
>> different product.
>>
>> I would also be interested in newer/supported AV alternatives.
>>
>> Regards,
>> Dave
>>
>
> Where did you hear this? I was just informed it will continue until 2023 at least.
>
> The "Free" version is no longer available, apparently, but the "endpoint" product is still there
> for paying customers.

Directly from my contact there - it was labeled end-of-sale this past
July. It has an end-of-life date of July 2023. Support will continue
for that solution until then, but they will no longer offer new
subscriptions to customers.

Regards,
Dave

>
> joe a.
>
> ---------------------------------
> j4computers, llc
> Stone Ridge, NY 12484
> 845-687-3734
> www.j4computers.com
> ---------------------------------
>
Re: adding AV scanning to working Postfix/SA system [ In reply to ]
On 19/11/20 00:43, Joe Acquisto-j4 wrote:
> SOHO system, on virtual machines. Fairly recent versions. Running openSUSE Leap 15.1.
>
> Due to some recent malware (obvious stuff) wanted to add AV scanning. I gather "Amavis-new" is the hot ticket these days,
>
> I deal with Sophos products and would like to use their linux product to do the scanning. Seems to be precious little on how to do that.
>
> Any experiences?

You can try with MessageSniffer:

https://www.armresearch.com/

It is an antispam/antivirus engine that runs on Linux and has a plugin
for SpamAssassin.

I'm using it, works quite well at the right price.

--
Alessio Cecchi
Postmaster @ http://www.qboxmail.it
https://www.linkedin.com/in/alessice
Re: adding AV scanning to working Postfix/SA system [ In reply to ]
> On 23.11.20 at 17:37, Joe Acquisto-j4 wrote:
>> So, beyond "experiences" any leads on generic "how to" guides that actually
> work in
>> practice? I've found a few, rather than chase geese, I'm sure some here
> have done
>> similar things, even if with other AV scanners
>
> http://www.postfix.org/MILTER_README.html
> https://sanesecurity.com/
>
. . .

I decided to pursue ClamAV as it seems to be well maintained and lots of "links for dummies" turned up.

After installing ClamAV as supplied in the openSUSE distribution and updating virus sigs, I attempted to begin
configuring per some of the how-tos.

Most are years old, have links that lead nowhere, call out config files that do not exist (as installed above),
or refer to "clamd sockets" that cannot be found.

I feel sure this is old hat to more experienced souls, but, for me, this has been far more frustrating than I
anticipated.

At this point, not even sure what I actually need as, as noted, there seem to be myriad ways to approach a
solution. Obviously prefer the simplest method.

Subscribed just now to CLAMAV users list and should probably pursue this over there. But any tutoring and
or "there there" pats on the head would not be snarled at.
Re: adding AV scanning to working Postfix/SA system [ In reply to ]
>> On 23.11.20 at 17:37, Joe Acquisto-j4 wrote:
>>> So, beyond "experiences" any leads on generic "how to" guides that actually
>> work in
>>> practice? I've found a few, rather than chase geese, I'm sure some here
>> have done
>>> similar things, even if with other AV scanners
>>
>> http://www.postfix.org/MILTER_README.html
>> https://sanesecurity.com/
>>
> . . .
>
> I decided to pursue CLAMAV as it seems to be well maintained and lots of
> "links for dummies" turned up.
>
> After installing CLAMAV, as supplied in the openSuse distribution, updating
> virus sigs I attempted to begin
> configuring per some of the how to's.
>
> Most are years old, have links that lead nowhere, call out config files that
> do not exist (as installed above),
> or refer to "clamd sockets" that cannot be found.
>
> I feel sure this is old hat to more experienced souls, but, for me, this has
> been far more frustrating than I
> anticipated.
>
> At this point, not even sure what I actually need as, as noted, there seem
> to be myriad ways to approach a
> solution. Obviously prefer the simplest method.
>
> Subscribed just now to CLAMAV users list and should probably pursue this
> over there. But any tutoring and
> or "there there" pats on the head would not be snarled at.

Hacking away, seem to have it working? Using ClamAVPlugin. At least mail
does not appear "broken".

But EICAR is not detected. I "think" it is being scanned as I see this:

*********************************
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on auxilary
X-Spam-Level: *
X-Spam-Status: No, score=1.0 required=5.0 tests=BAYES_00,FREEMAIL_FROM,
HTML_MESSAGE,SPOOFED_FREEMAIL_NO_RDNS,TVD_SPACE_RATIO autolearn=no
autolearn_force=no version=3.4.2
X-Spam-Virus: _CLAMAVRESULT
X-Spam-Report:
* -1.5 BAYES_00 BODY: Bayes spam probability is 0 to 1%
* [score: 0.0000]
* 1.0 FREEMAIL_FROM Sender email is commonly abused enduser mail
* provider (joe.acquisto[at]gmail.com)
* 0.0 HTML_MESSAGE BODY: HTML included in message
* 0.0 TVD_SPACE_RATIO No description available.
* 1.5 SPOOFED_FREEMAIL_NO_RDNS From SPOOFED_FREEMAIL and no rDNS
*************************

Is that proof it is being scanned and the non detection issue lies elsewhere?

joe a.
Re: adding AV scanning to working Postfix/SA system [ In reply to ]
On 02-12-2020 16:18, Joe Acquisto-j4 wrote:
> X-Spam-Virus: _CLAMAVRESULT

I never integrated Clam using this plugin, but this seems to be a config
typo: there should be a Yes/No in there, and optionally a virus name.

Kind regards,

Tom
Re: adding AV scanning to working Postfix/SA system [ In reply to ]
On Wed, 2 Dec 2020, Tom Hendrikx wrote:

>
>
> On 02-12-2020 16:18, Joe Acquisto-j4 wrote:
>> X-Spam-Virus: _CLAMAVRESULT
>
> I never integrated Clam using this plugin, but this seems a config typo to
> be: there should be a Yes/No in there, and optionally a virus name.
>

Yes, it looks like he's got a typo in there. The config line should be:
"add_header spam Clamav _CLAMAVRESULT_"
in a .cf someplace.
Then the plugin will add that 'X-Spam-Virus:' header with the text "Yes"
followed by the name of the virus detected.

You can then use the value of that header in other rules to add points for
various kinds of things detected or "meta"ed with other rules.




--
Dave Funk University of Iowa
<dbfunk (at) engineering.uiowa.edu> College of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center, 103 S Capitol St.
Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
Re: adding AV scanning to working Postfix/SA system [ In reply to ]
On Wed, 2 Dec 2020, Joe Acquisto-j4 wrote:

> Hacking away, seem to have it working?, Using CLAMAVPlugin. At least mail
> does not appear "broken".
>
> But EICAR is not detected. I "think" it is being scanned as I see this:
>
> *********************************
> X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on auxilary
> X-Spam-Level: *
> X-Spam-Status: No, score=1.0 required=5.0 tests=BAYES_00,FREEMAIL_FROM,
> HTML_MESSAGE,SPOOFED_FREEMAIL_NO_RDNS,TVD_SPACE_RATIO autolearn=no
> autolearn_force=no version=3.4.2
> X-Spam-Virus: _CLAMAVRESULT
> X-Spam-Report:
> * -1.5 BAYES_00 BODY: Bayes spam probability is 0 to 1%
> * [score: 0.0000]
> * 1.0 FREEMAIL_FROM Sender email is commonly abused enduser mail
> * provider (joe.acquisto[at]gmail.com)
> * 0.0 HTML_MESSAGE BODY: HTML included in message
> * 0.0 TVD_SPACE_RATIO No description available.
> * 1.5 SPOOFED_FREEMAIL_NO_RDNS From SPOOFED_FREEMAIL and no rDNS
> *************************
>
> Is that proof it is being scanned and the non detection issue lies elsewhere?
>
> joe a.

What, specifically, is the config you're using to invoke CLAMAVPlugin?

You need to have at least two things set up in your spamassassin config files:
1) load the plugin in a "v*.pre"
2) invoke the check_clamav() procedure

EG:
in v320.pre

# AntiVirus - some simple anti-virus checks, this is not a replacement
# for an anti-virus filter like Clam AntiVirus
#
#loadplugin Mail::SpamAssassin::Plugin::AntiVirus
#
loadplugin ClamAV /usr/local/etc/mail/spamassassin/plugins/clamav.pm

Note that line depends on the path to where you've installed the plugin

In a ".cf" rules file (I call mine clamav.cf ):

#
# config file for using the ClamAV plugin "clamav.pm"
#
full L_CLAMAV eval:check_clamav()
describe L_CLAMAV Clam AntiVirus detected a virus
score L_CLAMAV 5
#
header T__MY_CLAMAV X-Spam-Virus =~ /Yes/i
header T__MY_CLAMAV_SANE X-Spam-Virus =~ /Yes.{1,50}Sanesecurity/i
#



--
Dave Funk University of Iowa
<dbfunk (at) engineering.uiowa.edu> College of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center, 103 S Capitol St.
Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
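Dave's two replies above describe the chain that turns a clamd verdict into something SpamAssassin can score: the plugin fills a CLAMAVRESULT tag, an add_header line expands that tag into an X-Spam-Virus header, and header rules match on the header's value. The Python below is an added example, not the clamav.pm code from the SpamAssassin wiki and not anything posted in the thread; it models that chain and reproduces the failure mode under discussion, a tag written without its trailing underscore. The "No" and "Yes (name)" values are the ones the thread's headers show; the tag-name regex and the "Error (...)" wording are assumptions.

```python
"""Model of how the ClamAV plugin's verdict reaches an X-Spam-Virus header.

Added example: not the plugin's code. It models three steps from the thread:
1) the plugin stores a CLAMAVRESULT tag,
2) add_header expands _TAG_ tokens into a header,
3) header rules match on the header value.
"""
import re

# Assumption: a SpamAssassin template tag is an upper-case identifier wrapped
# in underscores on BOTH sides. "_CLAMAVRESULT" (no trailing underscore) is
# therefore not a tag and is left in the header as literal text.
TAG_RE = re.compile(r"_([A-Z][A-Z0-9]*)_")


def clamav_result_tag(code, virus_name=None, error=None):
    """Value stored in the CLAMAVRESULT tag for a clamd outcome.

    'No' and 'Yes (name)' match the headers shown in the thread; the
    'Error (...)' form for a failed scan is an assumption.
    """
    if code == "FOUND":
        return "Yes (%s)" % virus_name
    if code == "OK":
        return "No"
    return "Error (%s)" % (error or "unknown")


def expand_template(template, tags):
    """Replace every _TAG_ token with its value; unknown tags stay literal."""
    return TAG_RE.sub(lambda m: tags.get(m.group(1), m.group(0)), template)


def render_add_header(directive, tags):
    """Render 'add_header <scope> <Name> <template>' as the header SA would add.

    SpamAssassin prefixes the name with 'X-Spam-', so 'Virus' -> 'X-Spam-Virus'.
    """
    parts = directive.split(None, 3)
    if len(parts) != 4 or parts[0] != "add_header":
        raise ValueError("not an add_header directive: %r" % directive)
    _, scope, name, template = parts
    if scope not in ("spam", "ham", "all"):
        raise ValueError("bad add_header scope %r" % scope)
    return "X-Spam-%s: %s" % (name, expand_template(template, tags))


# The header rules from Dave's clamav.cf, as regexes over the header value.
HEADER_RULES = {
    "T__MY_CLAMAV": re.compile(r"Yes", re.I),
    "T__MY_CLAMAV_SANE": re.compile(r"Yes.{1,50}Sanesecurity", re.I),
}


def matching_rules(header_line):
    """Return the names of the header rules that fire on an X-Spam-Virus line."""
    name, _, value = header_line.partition(":")
    if name.strip() != "X-Spam-Virus":
        return []
    return [rule for rule, rx in HEADER_RULES.items() if rx.search(value.strip())]


if __name__ == "__main__":
    # Constructed verdicts: EICAR found, and a clean message.
    found = {"CLAMAVRESULT": clamav_result_tag("FOUND", "Win.Test.EICAR_HDB-1")}
    clean = {"CLAMAVRESULT": clamav_result_tag("OK")}
    for directive in ("add_header all Virus _CLAMAVRESULT_",   # correct
                      "add_header all Virus _CLAMAVRESULT"):   # the thread's typo
        for tags in (found, clean):
            line = render_add_header(directive, tags)
            print("%-60s -> %s" % (line, matching_rules(line)))
```

With the typo, both an infected and a clean message produce the literal `X-Spam-Virus: _CLAMAVRESULT`, so neither the Yes/No distinction nor the virus name ever reaches the header rules; that is why the thread's first header looked like a scan that had not happened.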
Re: adding AV scanning to working Postfix/SA system [ In reply to ]
>>>
> On Wed, 2 Dec 2020, Joe Acquisto-j4 wrote:
>
>> Hacking away, seem to have it working?, Using CLAMAVPlugin. At least mail
>> does not appear "broken".
>>
>> But EICAR is not detected. I "think" it is being scanned as I see this:
>>
>> *********************************
>> X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on auxilary
>> X-Spam-Level: *
>> X-Spam-Status: No, score=1.0 required=5.0 tests=BAYES_00,FREEMAIL_FROM,
>> HTML_MESSAGE,SPOOFED_FREEMAIL_NO_RDNS,TVD_SPACE_RATIO autolearn=no
>> autolearn_force=no version=3.4.2
>> X-Spam-Virus: _CLAMAVRESULT
>> X-Spam-Report:
>> * -1.5 BAYES_00 BODY: Bayes spam probability is 0 to 1%
>> * [score: 0.0000]
>> * 1.0 FREEMAIL_FROM Sender email is commonly abused enduser mail
>> * provider (joe.acquisto[at]gmail.com)
>> * 0.0 HTML_MESSAGE BODY: HTML included in message
>> * 0.0 TVD_SPACE_RATIO No description available.
>> * 1.5 SPOOFED_FREEMAIL_NO_RDNS From SPOOFED_FREEMAIL and no rDNS
>> *************************
>>
>> Is that proof it is being scanned and the non detection issue lies
> elsewhere?
>>
>> joe a.
>
> What, specifically, is the config you're using to invoke CLAMAVPlugin?

I followed, using some guesswork, the blurb I found on the SpamAssassin site
where I found ClamAVPlugin. Not really clear for a slowing noob.

I had to look up how to compile the required perl package, which went without
fuss, copied and pasted the "config" files noted, only adding read rights (for root)
as something complained about no access and edited the "socket" path to what
CLAMD claims it uses.

And restarted spamd and clamd. That's it.

> You need to have at least two things set up in your spamassassin config
> files:
> 1) load the plugin in a "v*.pre"
> 2) invoke the check_clamav() procedure
>
> EG:
> in v320.pre
>
> # AntiVirus - some simple anti-virus checks, this is not a replacement
> # for an anti-virus filter like Clam AntiVirus
> #
> #loadplugin Mail::SpamAssassin::Plugin::AntiVirus
> #
> loadplugin ClamAV /usr/local/etc/mail/spamassassin/plugins/clamav.pm
>
> Note that line depends on the path to where you've installed the plugin
>
> In a ".cf" rules file (I call mine clamav.cf ):
>
> #
> # config file for using the ClamAV plugin "clamav.pm"
> #
> full L_CLAMAV eval:check_clamav()
> describe L_CLAMAV Clam AntiVirus detected a virus
> score L_CLAMAV 5
> #
> header T__MY_CLAMAV X-Spam-Virus =~ /Yes/i
> header T__MY_CLAMAV_SANE X-Spam-Virus =~ /Yes.{1,50}Sanesecurity/i
> #
>
>

I was wondering at how the "magic" happened. Found this in v310.pre,
no other references to clam found in the pre files or local.cf:

# AntiVirus - some simple anti-virus checks, this is not a replacement
# for an anti-virus filter like Clam AntiVirus
#
#loadplugin Mail::SpamAssassin::Plugin::AntiVirus

# AWL - do auto-whitelist checks
#
#loadplugin Mail::SpamAssassin::Plugin::AWL
Re: adding AV scanning to working Postfix/SA system [ In reply to ]
>On Wed, 2 Dec 2020, Tom Hendrikx wrote:
>
>>
>>
>> On 02-12-2020 16:18, Joe Acquisto-j4 wrote:
>>> X-Spam-Virus: _CLAMAVRESULT
>>
>> I never integrated Clam using this plugin, but this seems a config typo to
>> be: there should be a Yes/No in there, and optionally a virus name.
>>
>
> Yes, it looks like he's got a type-o in there. The config line should be:
> "add_header spam Clamav _CLAMAVRESULT_"
> in a .cf someplace.
> Then the plugin will add that 'X-Spam-Virus:' header with the text "Yes"
> followed by the name of the virus detected.
>
> You can then use the value of that header in other rules to add points for
> various kinds of things detected or "meta"ed with other rules.
>
>
>

This is clamd.cf:
------
loadplugin ClamAV clamav.pm
full CLAMAV eval:check_clamav()
describe CLAMAV Clam AntiVirus detected a virus
score CLAMAV 10
add_header all Virus _CLAMAVRESULT
-------
Re: adding AV scanning to working Postfix/SA system [ In reply to ]
> On Wed, 2 Dec 2020, Tom Hendrikx wrote:
>
>>
>>
>> On 02-12-2020 16:18, Joe Acquisto-j4 wrote:
>>> X-Spam-Virus: _CLAMAVRESULT
>>
>> I never integrated Clam using this plugin, but this seems a config
typo to
>> be: there should be a Yes/No in there, and optionally a virus name.
>>
>
> Yes, it looks like he's got a type-o in there. The config line should
be:
> "add_header spam Clamav _CLAMAVRESULT_"
> in a .cf someplace.
> Then the plugin will add that 'X-Spam-Virus:' header with the text
"Yes"
> followed by the name of the virus detected.
>
> You can then use the value of that header in other rules to add
points for
> various kinds of things detected or "meta"ed with other rules.
>
>

Is this normal, to show disabled like that?

:~ # systemctl status clamd.service
clamd.service - Clamav antivirus Deamon
   Loaded: loaded (/usr/lib/systemd/system/clamd.service; disabled; vendor preset: disabled)
   Active: active (running) since Wed 2020-12-02 10:57:33 EST; 3h 33min ago
  Process: 8000 ExecStart=/usr/sbin/clamd (code=exited, status=0/SUCCESS)
 Main PID: 8002 (clamd)
    Tasks: 2 (limit: 4915)
   CGroup: /system.slice/clamd.service
           └─8002 /usr/sbin/clamd

I did systemctl enable clamd.service, it created a symlink, restarted
services and . . . none of that did it.

Then I looked over the clamv.cf again and noticed the missing trailing
underscore: "add_header all Virus _CLAMAVRESULT_"

At least it now says "No" for supposedly non-infected messages.

Thanks for the assistance.

joe a
Re: adding AV scanning to working Postfix/SA system [ In reply to ]
Malware is not being detected in the test form

------------------------------
Return-path: <eicar@aleph-tec.com>
Received: from aux.a.com ([192.168.0.xx1])
by mail with ESMTP; Wed, 02 Dec 2020 19:30:16 -0500
Received: by aux.a.com (Postfix, from userid 1004)
id 1D0F729D74; Wed, 2 Dec 2020 19:30:16 -0500 (EST)
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on auxilary
X-Spam-Level:
X-Spam-Status: No, score=-1.5 required=5.0 tests=BAYES_00 autolearn=ham
autolearn_force=no version=3.4.2
X-Spam-Virus: No
X-Spam-Report:
* -1.5 BAYES_00 BODY: Bayes spam probability is 0 to 1%
* [score: 0.0000]
Received: from auxilary (localhost [127.0.0.1])
by aux.a.com (Postfix) with ESMTP id 853C029D72
----------------------------

Might verbose or debug level logging be of any help? Not seeing anything different when I tail /var/log/mail.


joe a.
Re: adding AV scanning to working Postfix/SA system [ In reply to ]
On Wed, 02 Dec 2020 19:38:22 -0500
Joe Acquisto-j4 wrote:

> Malware is not being detected in the test form

Just to be clear, do you have EICAR as an attached .com file?
Re: adding AV scanning to working Postfix/SA system [ In reply to ]
> On Wed, 02 Dec 2020 19:38:22 -0500
> Joe Acquisto-j4 wrote:
>
>> Malware is not being detected in the test form
>
> Just to be clear, do you have EICAR as an attached .com file?

I thought so, but it appears not. <eicar@aleph-tec.com> has a form
that has both "clean" and an eicar.com attachment selected and I assumed
both would be sent. And perhaps they were and one got stripped off
at the provider.

Right now am having a difficult time getting my provider
to allow even the EICAR file through their system. They want to help
but seem stymied by some issue.

Telnet from a local machine may be my next effort.

joe a.
Re: adding AV scanning to working Postfix/SA system [ In reply to ]
> On 03.12.20 at 03:00, Joe Acquisto-j4 wrote:
>>> On Wed, 02 Dec 2020 19:38:22 -0500
>>> Joe Acquisto-j4 wrote:
>>>
>>>> Malware is not being detected in the test form
>>>
>>> Just to be clear, do you have EICAR as an attached .com file?
>>
>> I thought so, but it appears not. <eicar@aleph-tec.com> has a form
>> that has both "clean" a eicar.com attachment selected and I assumed
>> both would be sent. And perhaps they were and one got stripped off
>> at the provider.
>>
>> Right now am having a difficult time getting my provider
>> to allow even the EICAR file through their system. They want to help
>> but seem stymied by some issue.
>>
>> Telnet from a local machine may be my next effort
>
> seriously?
>
> just save the mail from the drafts folder, move the eml file to the
> server and run spamassassin as the correct user
>
> spamassassin -t < sample.eml

Dude!

From what it output to the screen, it appears to have worked.

A snippet for your amusement:

----------------------------------
Spam detection software, running on the system "auxilary",
has identified this incoming email as possible spam. The original
message has been attached to this so you can view it or label
similar future email. If you have any questions, see
admin@j4computers.com for details.

Content preview: heller

Content analysis details: (8.1 points, 5.0 required)

pts rule name description
---- ---------------------- --------------------------------------------------
-1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%
[score: 0.0000]
-0.0 NO_RELAYS Informational: message was not relayed via SMTP
10 CLAMAV Clam AntiVirus detected a virus
[Win.Test.EICAR_HDB-1]
-0.0 NO_RECEIVED Informational: message has no Received headers
0.0 BODY_SINGLE_WORD Message body is only one word (no spaces)
-------------------------

Did not deliver the message anywhere that I could see, but I guess that is expected.
I know I can find documents somewhere . . .


Thanks.
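The suggestion quoted above, `spamassassin -t < sample.eml`, exercises the whole chain (plugin, socket, clamd, signatures) in one go, which is exactly why it settled the question. When that test fails, the next step is to take SpamAssassin out of the picture and ask clamd directly: is the socket where clamd.conf says it is, and does clamd flag EICAR at all? The Python below is an added example, written for this page rather than taken from the thread or from the ClamAV project; it speaks clamd's INSTREAM protocol over the UNIX socket. The socket path `/run/clamav/clamd.sock` and the clamd.conf snippet in the test are assumptions; read the real path from the `LocalSocket` line of your own clamd.conf.

```python
"""Talk to clamd directly over its INSTREAM protocol.

Added example, not from the thread or from ClamAV. It checks clamd on its
own, independent of the SpamAssassin plugin. The socket path default and
the clamd.conf text handled here are assumptions; adjust to your install.
"""
import re
import socket
import struct


def eicar_test_bytes():
    """The standard 68-byte EICAR test file, assembled from two halves so this
    source file is not itself flagged by a scanner."""
    return (b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$"
            b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*")


def local_socket_from_conf(conf_text):
    """Return the LocalSocket path from clamd.conf text, or None when clamd is
    configured for TCP only (then you need TCPAddr/TCPSocket instead)."""
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] == "LocalSocket":
            return parts[1].strip()
    return None


def build_instream_request(data, chunk_size=2048):
    """Frame data the way clamd's INSTREAM command expects:
    'zINSTREAM\\0', then repeated [4-byte big-endian length][chunk],
    terminated by a zero-length chunk. The 'z' prefix asks for a
    NUL-terminated reply."""
    out = bytearray(b"zINSTREAM\0")
    for i in range(0, len(data), chunk_size):
        chunk = data[i:i + chunk_size]
        out += struct.pack(">I", len(chunk)) + chunk
    out += struct.pack(">I", 0)
    return bytes(out)


# clamd answers 'stream: <name> FOUND', 'stream: OK' or 'stream: <text> ERROR'.
REPLY_RE = re.compile(rb"^stream: (?:(?P<name>.+) FOUND|(?P<ok>OK)|(?P<err>.+) ERROR)$")


def parse_clamd_reply(reply):
    """Map a raw clamd reply to ('FOUND', name), ('OK', None) or ('ERROR', text)."""
    m = REPLY_RE.match(reply.rstrip(b"\0\n"))
    if not m:
        raise ValueError("unrecognised clamd reply: %r" % reply)
    if m.group("name") is not None:
        return "FOUND", m.group("name").decode()
    if m.group("ok") is not None:
        return "OK", None
    return "ERROR", m.group("err").decode()


def scan_bytes(sock_path, data):
    """Scan data through a running clamd on a UNIX socket (not run by the test)."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(30)
        s.connect(sock_path)
        s.sendall(build_instream_request(data))
        reply = b""
        while not reply.endswith(b"\0"):
            part = s.recv(4096)
            if not part:
                break
            reply += part
    return parse_clamd_reply(reply)


if __name__ == "__main__":
    import sys
    # Assumed default path; pass the LocalSocket value from your clamd.conf.
    path = sys.argv[1] if len(sys.argv) > 1 else "/run/clamav/clamd.sock"
    print(scan_bytes(path, eicar_test_bytes()))
```

Run it as the user spamd runs as, so a permission problem on the socket shows up here the same way it would for the plugin; a `FOUND` for EICAR from this script together with `X-Spam-Virus: No` from SpamAssassin points at the plugin configuration, while an `OK` here points at clamd or its signatures.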
Re: adding AV scanning to working Postfix/SA system [ In reply to ]
> What, specifically, is the config you're using to invoke CLAMAVPlugin?
>
> You need to have at least two things set up in your spamassassin config
> files:
> 1) load the plugin in a "v*.pre"
> 2) invoke the check_clamav() procedure
>
> EG:
> in v320.pre
>
> # AntiVirus - some simple anti-virus checks, this is not a replacement
> # for an anti-virus filter like Clam AntiVirus
> #
> #loadplugin Mail::SpamAssassin::Plugin::AntiVirus
> #
> loadplugin ClamAV /usr/local/etc/mail/spamassassin/plugins/clamav.pm
>
> Note that line depends on the path to where you've installed the plugin
>
> In a ".cf" rules file (I call mine clamav.cf ):
>

As a check, I commented out the loadplugin line for ClamAV, did
systemctl restart spamd.service and systemctl restart clamd.service (which takes a good
40 seconds to complete, while spamd restarts almost instantly).

Using spamassassin -t < testfile.eml, it still reports ClamAV found a virus and names it (EICAR).

Soooo, I have no idea how the plugin is loading. I have not found any other .pre files loading it.

Dunno if this may help -

SpamAssassin version 3.4.2
running on Perl version 5.26.1

joea