[Rspamd-Users] Antivirus problem

Thomas Plant thomas at plant.systems
Wed Apr 22 08:37:48 UTC 2020


Hello all,

I'm facing a problem with our Clamav/Rspamd. I configured the antivirus
module to set a symbol if an OLE2 macro is detected by the clamav engine.
Works fine so far, but I have seen that when it detects a macro it also
sets the CLAM_VIRUS_FAIL symbol, which I have configured in a
force_action rule to temporarily reject the mail if there is a problem
with the antivirus. So mails are rejected every time it finds an OLE2
macro. I don't know how long this has been going on....
No errors in the clamav log.

Here is my antivirus.conf:
clamav {
  scan_mime_parts = true;
  scan_text_mime = true;
  scan_image_mime = true;
  #action = "reject";
  score = 18;
  symbol = "CLAM_VIRUS";
  type = "clamav";
  log_clean = true;
  servers = "/var/run/clamd.scan/clamd.sock";
  #servers = "10.10.100.28:3310";
  whitelist = "/etc/rspamd/maps/antivirus.wl";
  max_size = 20000000;

  patterns {
    CLAM_OLE2MACRO = '^Heuristics\.OLE2\.ContainsMacros$';
  }
}


and the force_action rule:

    CLAMAV_FEHLER {
        # Soft Reject when Clamav is not working.
        action = "soft reject";
        expression = "CLAM_VIRUS_FAIL";
        message = "Antivirus temporarily not available.";
    }

and here is a log entry from Rspamd:

2020-04-22 10:27:34 #18013(main) <xxxz3e>; lua; force_actions.lua:167:
Registered symbol FORCE_ACTION_CLAMAV_FEHLER <CLAM_VIRUS_FAIL> with
dependencies [CLAM_VIRUS_FAIL]
2020-04-22 10:28:21 #26096(rspamd_proxy) <dce58b>; proxy;
rspamd_task_write_log: id:
<2C60CE16539B5F49A17C6E98767C06A40153F6C8228A at MASTER.projektservice.local>,
qid: <496YTg2sl7z4wLm>, ip: 217.199.7.120, from: <11 at sender.com>,
(default: F (soft reject): [8.20/15.00]
[CLAM_OLE2MACRO(7.00){Heuristics.OLE2.ContainsMacros;},HFILTER_HELO_IP_A(1.00){remote.hoeller-klotzner.com;},MX_GOOD(-0.50){cached:
relay2.bkom.it;},SUBJECT_ENDS_SPACES(0.50){},HFILTER_HELO_NORES_A_OR_MX(0.30){remote.hoeller-klotzner.com;},MIME_GOOD(-0.10){multipart/mixed;multipart/alternative;text/plain;},ARC_NA(0.00){},ASN(0.00){asn:20811,
ipnet:217.199.0.0/19, country:IT;},CLAM_VIRUS_FAIL(0.00){failed to scan
and retransmits
exceed;},DMARC_NA(0.00){hoeller-klotzner.com;},FORCE_ACTION_CLAMAV_FEHLER(0.00){soft
reject;},FROM_EQ_ENVFROM(0.00){},FROM_HAS_DN(0.00){},GENERIC_REPUTATION(0.00){-0.72763996231947;},HAS_ATTACHMENT(0.00){},IP_REPUTATION_HAM(0.00){asn:
20811(-0.21), country: IT(-0.00), ip:
217.199.7.120(-0.73);},MIME_TRACE(0.00){0:+;1:+;2:+;3:~;4:~;5:~;6:~;7:~;...;},MSOFFICE_EXTENSION(0.00){xls;xlsx;},RCPT_COUNT_ONE(0.00){1;},RCVD_COUNT_TWO(0.00){2;},RCVD_TLS_LAST(0.00){},R_DKIM_NA(0.00){},R_SPF_NA(0.00){no
SPF record;},TO_DN_ALL(0.00){},TO_MATCH_ENVRCPT_ALL(0.00){}]), len:
5493537, time: 15186.710ms, dns req: 25, digest:
<5a69155ddf87a0a234ebb90d4ecfb989>, rcpts: <abcde at customer.eu>,
mime_rcpts: <abcde at customer.eu>, forced: soft reject "Antivirus
temporarily not available."; score=nan (set by force_actions)



Any help to debug this would be very appreciated.

Thanks,
Thomas
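An added stand-alone model, not Rspamd's or ClamAV's own code, of the decision this post is about: it parses the reply shapes clamd returns for an INSTREAM scan, maps a hit through the post's `patterns` table and feeds the outcome to the post's single-symbol force_action rule. It assumes a missing reply stands for the "failed to scan and retransmits exceed" reason seen in the log; under this model one reply yields either CLAM_OLE2MACRO or CLAM_VIRUS_FAIL, never both.

```python
import re

# Pattern map from the post's antivirus.conf: regex on clamd's detection name -> symbol
PATTERNS = {
    "CLAM_OLE2MACRO": re.compile(r"^Heuristics\.OLE2\.ContainsMacros$"),
}
BASE_SYMBOL = "CLAM_VIRUS"
FAIL_SYMBOL = BASE_SYMBOL + "_FAIL"
# clamd answers an INSTREAM scan with one line: "stream: OK", "stream: <name> FOUND"
# or "stream: <text> ERROR". A None reply models a transport failure (assumption).
_FOUND = re.compile(r"^stream: (?P<name>.+) FOUND$")
_ERROR = re.compile(r"^stream: (?P<text>.+) ERROR$")

def classify(response):
    """Map one clamd reply to (symbol, detail): clean -> (None, None); a hit ->
    the matching pattern symbol or CLAM_VIRUS; error/no reply -> CLAM_VIRUS_FAIL."""
    if response is None:
        return FAIL_SYMBOL, "failed to scan and retransmits exceed"
    line = response.rstrip("\x00").strip()  # clamd NUL-terminates its replies
    if line == "stream: OK":
        return None, None
    m = _FOUND.match(line)
    if m:
        name = m.group("name")
        for symbol, rx in PATTERNS.items():
            if rx.search(name):
                return symbol, name
        return BASE_SYMBOL, name
    m = _ERROR.match(line)
    if m:
        return FAIL_SYMBOL, m.group("text")
    return FAIL_SYMBOL, "unparseable reply: " + line

def force_action(symbols, expression="CLAM_VIRUS_FAIL", action="soft reject"):
    """The post's rule: a one-symbol expression fires iff that symbol is set."""
    return action if expression in symbols else None

# Constructed replies, not captured from the poster's clamd.
SAMPLES = {
    "macro": "stream: Heuristics.OLE2.ContainsMacros FOUND\x00",
    "clean": "stream: OK\x00",
    "eicar": "stream: Eicar-Test-Signature FOUND\x00",
    "oversize": "stream: INSTREAM size limit exceeded. ERROR\x00",
    "timeout": None,
}

def scan_all():
    """{label: (symbol, detail, forced action)} for every sample reply."""
    out = {}
    for label, reply in SAMPLES.items():
        symbol, detail = classify(reply)
        out[label] = (symbol, detail, force_action({symbol} - {None}))
    return out
```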

