[Rspamd-Users] Antivirus problem

Thomas Plant thomas at plant.systems
Wed Apr 22 08:37:48 UTC 2020

Hello all,

I'm facing a problem with our Clamav/Rspamd. I configured the antivirus
module to set a symbol if an OLE2 macro is detected by the clamav engine.
Works fine so far, but I have seen that when it detects a macro it also
sets the CLAM_VIRUS_FAIL symbol, which I have configured in a
force_action rule to temporarily reject the mail if there is a problem
with the antivirus. So mails are rejected every time it finds an OLE2
macro. I don't know how long this has been going on...
No errors in the clamav log.

Here is my antivirus.conf:
clamav {
  scan_mime_parts = true;
  scan_text_mime = true;
  scan_image_mime = true;
  #action = "reject";
  score = 18;
  symbol = "CLAM_VIRUS";
  type = "clamav";
  log_clean = true;
  servers = "/var/run/clamd.scan/clamd.sock";
  #servers = "";
  whitelist = "/etc/rspamd/maps/antivirus.wl";
  max_size = 20000000;

  patterns {
    CLAM_OLE2MACRO = '^Heuristics\.OLE2\.ContainsMacros$';
  }
}

and the force_action rule:

        # Soft Reject when Clamav is not working.
        action = "soft reject";
        expression = "CLAM_VIRUS_FAIL";
        message = "Antivirus temporarily not available.";

and here is a log entry from Rspamd:

2020-04-22 10:27:34 #18013(main) <xxxz3e>; lua; force_actions.lua:167:
dependencies [CLAM_VIRUS_FAIL]
2020-04-22 10:28:21 #26096(rspamd_proxy) <dce58b>; proxy;
rspamd_task_write_log: id:
<2C60CE16539B5F49A17C6E98767C06A40153F6C8228A at MASTER.projektservice.local>,
qid: <496YTg2sl7z4wLm>, ip:, from: <11 at sender.com>,
(default: F (soft reject): [8.20/15.00]
ipnet:, country:IT;},CLAM_VIRUS_FAIL(0.00){failed to scan
and retransmits
20811(-0.21), country: IT(-0.00), ip:;},MIME_TRACE(0.00){0:+;1:+;2:+;3:~;4:~;5:~;6:~;7:~;...;},MSOFFICE_EXTENSION(0.00){xls;xlsx;},RCPT_COUNT_ONE(0.00){1;},RCVD_COUNT_TWO(0.00){2;},RCVD_TLS_LAST(0.00){},R_DKIM_NA(0.00){},R_SPF_NA(0.00){no
SPF record;},TO_DN_ALL(0.00){},TO_MATCH_ENVRCPT_ALL(0.00){}]), len:
5493537, time: 15186.710ms, dns req: 25, digest:
<5a69155ddf87a0a234ebb90d4ecfb989>, rcpts: <abcde at customer.eu>,
mime_rcpts: <abcde at customer.eu>, forced: soft reject "Antivirus
temporarily not available."; score=nan (set by force_actions)

Any help debugging this would be very much appreciated.
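As an added example (not the poster's configuration and not rspamd's own code): a small Python model of how a clamd reply is meant to map onto the symbols in the config above (pattern symbol, generic CLAM_VIRUS, or CLAM_VIRUS_FAIL only for scanner errors), plus a parser for the NAME(score){...} tokens in an rspamd log line that flags messages where CLAM_VIRUS_FAIL appears alongside a detection. The clamd replies and the log fragment are constructed samples.

```python
import re

# Model of the poster's antivirus.conf (constructed, not rspamd's own code):
# clamav signature names are tested against these anchored regexes; a match
# yields that symbol, any other FOUND yields the generic CLAM_VIRUS symbol.
PATTERNS = {
    "CLAM_OLE2MACRO": re.compile(r"^Heuristics\.OLE2\.ContainsMacros$"),
}
DEFAULT_SYMBOL = "CLAM_VIRUS"
FAIL_SYMBOL = DEFAULT_SYMBOL + "_FAIL"   # rspamd appends _FAIL for scan errors

def classify_clamd_reply(reply):
    """Map one raw clamd reply line to (symbol, detail) as the config intends.
    clamd answers 'stream: OK', 'stream: <signature> FOUND' or an error such as
    'INSTREAM size limit exceeded. ERROR'; only the error should yield _FAIL."""
    reply = reply.strip()
    if reply.endswith(" OK"):
        return None, None
    if reply.endswith(" FOUND"):
        signature = reply[:-len(" FOUND")].split(": ", 1)[-1]
        for symbol, rx in PATTERNS.items():
            if rx.search(signature):
                return symbol, signature
        return DEFAULT_SYMBOL, signature
    # empty reply, timeout or an ERROR line: the scanner failed, not a detection
    return FAIL_SYMBOL, reply or "empty reply"

# NAME(score){options} tokens as rspamd_task_write_log writes them
_SYMBOL_RX = re.compile(r"([A-Z][A-Z0-9_]*)\((-?[0-9.]+)\)\{([^}]*)\}")

def symbols_from_log(line):
    """Extract {symbol: (score, options)} from one rspamd proxy log line."""
    return {name: (float(score), opts)
            for name, score, opts in _SYMBOL_RX.findall(line)}

def conflicting_scan(symbols):
    """True when the scan-failure symbol coexists with a detection symbol,
    i.e. the contradictory state described in the post."""
    detections = set(PATTERNS) | {DEFAULT_SYMBOL}
    return FAIL_SYMBOL in symbols and bool(detections & set(symbols))

# Constructed log fragment in the same shape as the one in the post.
SAMPLE_LOG = ("rspamd_task_write_log: id: <constructed-id@example.invalid>, "
              "(default: F (soft reject): [8.20/15.00] "
              "CLAM_OLE2MACRO(0.00){Heuristics.OLE2.ContainsMacros;},"
              "CLAM_VIRUS_FAIL(0.00){failed to scan and retransmits: 20811;},"
              "MSOFFICE_EXTENSION(0.00){xls;xlsx;}) forced: soft reject")
```

Running symbols_from_log over the proxy log and filtering with conflicting_scan gives a quick count of how many messages were soft-rejected because of this overlap rather than because clamd was actually down.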
