[Rspamd-Users] Clamav Rspamd not reject virus

Emanuel Gonzalez emanuel_gonzalez at live.com.ar
Fri Jan 11 14:11:44 UTC 2019


Hello! Thanks for the reply, but it does not work!

X-Spam-Score: 0.9
X-Spam-Score-Int: 9
X-Spam-Bar: /
X-Spam-Report: Action: reject
 Symbol: RCVD_VIA_SMTP_AUTH(0.00)
 Symbol: R_SPF_ALLOW(-0.20)
 Symbol: HAS_ATTACHMENT(0.00)
 Symbol: TO_DN_NONE(0.00)
 Symbol: MX_GOOD(0.00)
 Symbol: HAS_X_ANTIABUSE(0.00)
 Symbol: FROM_EQ_ENVFROM(0.00)
 Symbol: R_DKIM_NA(0.00)
 Symbol: MIME_TRACE(0.00)
 Symbol: ASN(0.00)
 Symbol: MID_RHS_MATCH_FROM(0.00)
 Symbol: MIME_UNKNOWN(0.10)
 Symbol: ARC_NA(0.00)
 Symbol: FROM_HAS_DN(0.00)
 Symbol: TO_MATCH_ENVRCPT_ALL(0.00)
 Symbol: MIME_GOOD(-0.10)
 Symbol: DMARC_NA(0.00)
 Symbol: MIME_BAD_ATTACHMENT(1.60)
 Symbol: RCPT_COUNT_ONE(0.00)
 Symbol: HTML_SHORT_LINK_IMG_2(1.00)
 Symbol: IP_SCORE(-3.46)
 Symbol: RCVD_IN_DNSWL_NONE(0.00)
 Symbol: MIME_BAD_EXTENSION(2.00)
 Symbol: RCVD_COUNT_TWO(0.00)
 Symbol: JUST_EICAR(0.00)
 Symbol: RCVD_TLS_ALL(0.00)
 Message: (SPF): spf allow
 Message: clamav: virus found: "Eicar-Test-Signature"

p: 200.58.109.74, from: <emanuel.gonzalez at x.com>, (default: T (reject): [0.92/nan] [IP_SCORE(-3.48){ip: (-9.20), ipnet: 200.58.109.0/24(-4.57), asn: 27823(-3.56), country: AR(-0.05);},MIME_BAD_EXTENSION(2.00){exe;},MIME_BAD_ATTACHMENT(1.60){exe;},HTML_SHORT_LINK_IMG_2(1.00){},R_SPF_ALLOW(-0.20){+ip4:200.58.96.0/20;},MIME_GOOD(-0.10){multipart/mixed;multipart/alternative;text/plain;},MIME_UNKNOWN(0.10){application/x-msdos-program;},ARC_NA(0.00){},ASN(0.00){asn:27823, ipnet:200.58.109.0/24, country:AR;},DMARC_NA(0.00){x.com;},FROM_EQ_ENVFROM(0.00){},FROM_HAS_DN(0.00){},HAS_ATTACHMENT(0.00){},HAS_X_ANTIABUSE(0.00){},JUST_EICAR(0.00){Eicar-Test-Signature;},MID_RHS_MATCH_FROM(0.00){},MIME_TRACE(0.00){0:+;1:+;2:+;4:-;4:~;},MX_GOOD(0.00){cached: mx1.x.com;},RCPT_COUNT_ONE(0.00){1;},RCVD_COUNT_TWO(0.00){2;},RCVD_IN_DNSWL_NONE(0.00){74.109.58.200.list.dnswl.org : 127.0.5.0;},RCVD_TLS_ALL(0.00){},RCVD_VIA_SMTP_AUTH(0.00){},R_DKIM_NA(0.00){},TO_DN_NONE(0.00){},TO_MATCH_ENVRCPT_ALL(0.00){}]), len: 9676, time: 2665.687ms real, 16.254ms virtual, dns req: 43, digest: <8c2e51dff3b1514a438e25895fa3fbbd>, rcpts: <bid.bid at x.tk>, mime_rcpts: <bid.bid at x.tk>, forced: reject "clamav: virus found: "Eicar-Test-Signature""; score=nan (set by antivirus)


Any ideas?
________________________________
From: Carsten Rosenberg <cr at ncxs.de>
Sent: Friday, January 11, 2019 11:01
To: Emanuel Gonzalez
Subject: Re: [Rspamd-Users] Clamav Rspamd not reject virus

Hey, the symbol for the Eicar is rewritten by pattern to another symbol.

 >      patterns {
 >          JUST_EICAR = "^Eicar-Test-Signature$";
 >      }

The normal symbol CLAM_VIRUS would trigger the reject.

Just comment out the patterns section and try again.

--

Carsten

On 11.01.19 14:51, Emanuel Gonzalez wrote:
> Good morning to everybody, I use exim with rspamd and clamav.
>
> When sending an email with a virus, it is not automatically discarded by rspamd.
>
> 2019-01-11 10:45:51 #5552(normal) <020f61>; task; rspamd_task_write_log: id: <3ebd3b84-c6d7-8af1-a8ba-b217796cb9e3 at x.com>, qid: <1ghx88-0000e7-Nd>, ip: 200.58.109.74, from: <emanuel.gonzalez at x.com>, (default: T (reject): [0.87/nan] [IP_SCORE(-3.53){ip: (-9.39), ipnet: 200.58.109.0/24(-4.66), asn: 27823(-3.56), country: AR(-0.05);},MIME_BAD_EXTENSION(2.00){exe;},MIME_BAD_ATTACHMENT(1.60){exe;},HTML_SHORT_LINK_IMG_2(1.00){},R_SPF_ALLOW(-0.20){+ip4:200.58.96.0/20;},MIME_GOOD(-0.10){multipart/mixed;multipart/alternative;text/plain;},MIME_UNKNOWN(0.10){application/x-msdos-program;},ARC_NA(0.00){},ASN(0.00){asn:27823, ipnet:200.58.109.0/24, country:AR;},DMARC_NA(0.00){x.com;},FROM_EQ_ENVFROM(0.00){},FROM_HAS_DN(0.00){},HAS_ATTACHMENT(0.00){},HAS_X_ANTIABUSE(0.00){},JUST_EICAR(0.00){Eicar-Test-Signature;},MID_RHS_MATCH_FROM(0.00){},MIME_TRACE(0.00){0:+;1:+;2:+;4:-;4:~;},MX_GOOD(0.00){cached: mx1.x.com;},RCPT_COUNT_ONE(0.00){1;},RCVD_COUNT_TWO(0.00){2;},RCVD_IN_DNSWL_NONE(0.00){74.109.58.200.list.dnswl.org : 127.0.5.0;},RCVD_TLS_ALL(0.00){},RCVD_VIA_SMTP_AUTH(0.00){},R_DKIM_NA(0.00){},TO_DN_NONE(0.00){},TO_MATCH_ENVRCPT_ALL(0.00){}]), len: 9670, time: 831.345ms real, 10.011ms virtual, dns req: 43, digest: <88311d5681415f7345c8ecbdad01759b>, rcpts: <bid.bid at x.tk>, mime_rcpts: <bid.bid at x.tk>, forced: reject "clamav: virus found: "Eicar-Test-Signature""; score=nan (set by antivirus)
>
> clamav log:
>
> ELF support enabled.
> Mail files support enabled.
> OLE2 support enabled.
> PDF support enabled.
> SWF support enabled.
> HTML support enabled.
> XMLDOCS support enabled.
> HWP3 support enabled.
> Self checking every 600 seconds.
> instream(127.0.0.1 at 57908): Eicar-Test-Signature FOUND
>
> ####
>
> antivirus.conf
>
> clamav {
>      attachments_only = true;
>      symbol = "CLAM_VIRUS";
>      message = "${SCANNER}: virus found: \"${VIRUS}\"";
>      log_clean = true;
>      patterns {
>          JUST_EICAR = "^Eicar-Test-Signature$";
>      }
>      max_size = 20000000;
>      type = "clamav";
>      whitelist = "/etc/rspamd/antivirus.wl";
>      servers = "127.0.0.1:3310";
>      action = "reject";
> }
>
> The virus is detected in the attachment but I receive it in my inbox.
>
> Any ideas?
>
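
Added example, not part of the original thread: a small parser for the `rspamd_task_write_log` line format quoted above, which pulls out the logged action, the score, the antivirus symbol and the `forced:` pre-result so they can be compared with what the MTA actually delivered. The sample line is constructed (shortened, with placeholder addresses), and the regular expressions are assumptions derived from the lines in this post, not an official rspamd log grammar.

```python
import re

# Constructed sample in the shape of the log lines quoted in this thread
# (symbol list shortened, addresses replaced with placeholders).
SAMPLE = ('2019-01-11 10:45:51 #5552(normal) <020f61>; task; rspamd_task_write_log: '
          'id: <abc@example.com>, ip: 192.0.2.10, from: <user@example.com>, '
          '(default: T (reject): [0.87/nan] [IP_SCORE(-3.53){ip: (-9.39);},'
          'MIME_BAD_EXTENSION(2.00){exe;},JUST_EICAR(0.00){Eicar-Test-Signature;},'
          'ARC_NA(0.00){}]), len: 9670, time: 831.345ms real, '
          'forced: reject "clamav: virus found: "Eicar-Test-Signature""; '
          'score=nan (set by antivirus)')

# Assumed patterns, derived from the quoted lines only.
VERDICT = re.compile(r'\(default: (?P<flag>\w) \((?P<action>[^)]+)\): '
                     r'\[(?P<score>[^/\]]+)/(?P<required>[^\]]+)\] \[(?P<symbols>.*)\]\)')
SYMBOL = re.compile(r'([A-Z][A-Z0-9_]*)\((-?\d+(?:\.\d+)?)\)\{([^}]*)\}')
FORCED = re.compile(r'forced: (?P<action>[\w ]+?) "(?P<message>.*)"; '
                    r'score=(?P<score>\S+) \(set by (?P<module>[^)]+)\)')


def parse_task_log(line):
    """Return the verdict rspamd logged for one task, or None if the line has none."""
    m = VERDICT.search(line)
    if not m:
        return None
    # Map symbol name -> (weight, [options]); options carry e.g. the signature name.
    symbols = {name: (float(score), [o.strip() for o in opts.split(';') if o.strip()])
               for name, score, opts in SYMBOL.findall(m['symbols'])}
    forced = FORCED.search(line)
    return {
        'action': m['action'],
        'score': float(m['score']),
        'required': float(m['required']),  # logged as "nan" in the quoted lines
        'symbols': symbols,
        'forced': forced.groupdict() if forced else None,
    }


def virus_hits(result, av_symbols=('CLAM_VIRUS', 'JUST_EICAR')):
    """Antivirus symbols present in the result, with the signature names they carry."""
    return {s: result['symbols'][s][1] for s in av_symbols if s in result['symbols']}


if __name__ == '__main__':
    r = parse_task_log(SAMPLE)
    print(r['action'], r['score'], r['forced'])
    print(virus_hits(r))
```
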

