[Rspamd-Users] Antivirus problem

Thomas Plant thomas at plant.systems
Wed Apr 22 09:25:21 UTC 2020


On 22.04.2020 at 10:37, Thomas Plant via Users wrote:
> Hello all,
>
> I'm facing a problem with our Clamav/Rspamd. I configured the antivirus
> module to set a symbol if an OLE2 macro is detected by the clamav engine.
> Works fine so far, but I have seen that when it detects a macro it also
> sets the CLAM_VIRUS_FAIL symbol, which I have configured in a
> force_action rule to temporarily reject the mail if there is a problem
> with the antivirus. So mails are rejected every time it finds an OLE2
> macro. I do not know how long this has been going on...
> No errors in the clamav log.
>
> Here is my antivirus.conf:
> clamav {
>   scan_mime_parts = true;
>   scan_text_mime = true;
>   scan_image_mime = true;
>   #action = "reject";
>   score = 18;
>   symbol = "CLAM_VIRUS";
>   type = "clamav";
>   log_clean = true;
>   servers = "/var/run/clamd.scan/clamd.sock";
>   #servers = "10.10.100.28:3310";
>   whitelist = "/etc/rspamd/maps/antivirus.wl";
>   max_size = 20000000;
>
>   patterns {
>     CLAM_OLE2MACRO = '^Heuristics\.OLE2\.ContainsMacros$';
>   }
> }
>
>
> and the force_action rule:
>
>     CLAMAV_FEHLER {
>         # Soft Reject when Clamav is not working.
>         action = "soft reject";
>         expression = "CLAM_VIRUS_FAIL";
>         message = "Antivirus temporarily not available.";
>     }
>
> and here is a log entry from Rspamd:
>
> 2020-04-22 10:27:34 #18013(main) <xxxz3e>; lua; force_actions.lua:167:
> Registered symbol FORCE_ACTION_CLAMAV_FEHLER <CLAM_VIRUS_FAIL> with
> dependencies [CLAM_VIRUS_FAIL]
> 2020-04-22 10:28:21 #26096(rspamd_proxy) <dce58b>; proxy;
> rspamd_task_write_log: id:
> <2C60CE16539B5F49A17C6E98767C06A40153F6C8228A at MASTER.projektservice.local>,
> qid: <496YTg2sl7z4wLm>, ip: 217.199.7.120, from: <11 at sender.com>,
> (default: F (soft reject): [8.20/15.00]
> [CLAM_OLE2MACRO(7.00){Heuristics.OLE2.ContainsMacros;},HFILTER_HELO_IP_A(1.00){remote.hoeller-klotzner.com;},MX_GOOD(-0.50){cached:
> relay2.bkom.it;},SUBJECT_ENDS_SPACES(0.50){},HFILTER_HELO_NORES_A_OR_MX(0.30){remote.hoeller-klotzner.com;},MIME_GOOD(-0.10){multipart/mixed;multipart/alternative;text/plain;},ARC_NA(0.00){},ASN(0.00){asn:20811,
> ipnet:217.199.0.0/19, country:IT;},CLAM_VIRUS_FAIL(0.00){failed to scan
> and retransmits
> exceed;},DMARC_NA(0.00){hoeller-klotzner.com;},FORCE_ACTION_CLAMAV_FEHLER(0.00){soft
> reject;},FROM_EQ_ENVFROM(0.00){},FROM_HAS_DN(0.00){},GENERIC_REPUTATION(0.00){-0.72763996231947;},HAS_ATTACHMENT(0.00){},IP_REPUTATION_HAM(0.00){asn:
> 20811(-0.21), country: IT(-0.00), ip:
> 217.199.7.120(-0.73);},MIME_TRACE(0.00){0:+;1:+;2:+;3:~;4:~;5:~;6:~;7:~;...;},MSOFFICE_EXTENSION(0.00){xls;xlsx;},RCPT_COUNT_ONE(0.00){1;},RCVD_COUNT_TWO(0.00){2;},RCVD_TLS_LAST(0.00){},R_DKIM_NA(0.00){},R_SPF_NA(0.00){no
> SPF record;},TO_DN_ALL(0.00){},TO_MATCH_ENVRCPT_ALL(0.00){}]), len:
> 5493537, time: 15186.710ms, dns req: 25, digest:
> <5a69155ddf87a0a234ebb90d4ecfb989>, rcpts: <abcde at customer.eu>,
> mime_rcpts: <abcde at customer.eu>, forced: soft reject "Antivirus
> temporarily not available."; score=nan (set by force_actions)
>
>
>
> any help to debug this would be very appreciated.
>
> Thanks,
> Thomas

Here are the missing lines from the rspamd log; they are from the same
message as above, but from a later retry:

2020-04-22 11:15:32 #31706(rspamd_proxy) <ef4d8f>; lua; clamav.lua:132:
clamav: message or mime_part is clean
2020-04-22 11:15:32 #31706(rspamd_proxy) <ef4d8f>; lua; clamav.lua:132:
clamav: message or mime_part is clean
2020-04-22 11:15:32 #31706(rspamd_proxy) <ef4d8f>; lua; clamav.lua:144:
clamav: ClamAV Found an OLE2 Office Macro
2020-04-22 11:15:32 #31706(rspamd_proxy) <ef4d8f>; lua; common.lua:107:
clamav: result - Scan has returned that input contains macros:
"Heuristics.OLE2.ContainsMacros - score: 1"
2020-04-22 11:15:35 #31706(rspamd_proxy) <ef4d8f>; proxy;
rspamd_symcache_finalize_item: slow rule: DCC_CHECK(233): 3107.59 ms;
enable slow timer delay
2020-04-22 11:15:47 #31706(rspamd_proxy) <ef4d8f>; lua; clamav.lua:119:
clamav: failed to scan, maximum retransmits exceed
2020-04-22 11:15:47 #31706(rspamd_proxy) <ef4d8f>; lua; common.lua:107:
clamav: result - FAILED with error: "failed to scan and retransmits
exceed - score: 0"
2020-04-22 11:15:47 #31706(rspamd_proxy) <ef4d8f>; lua; clamav.lua:119:
clamav: failed to scan, maximum retransmits exceed
2020-04-22 11:15:47 #31706(rspamd_proxy) <ef4d8f>; lua; common.lua:107:
clamav: result - FAILED with error: "failed to scan and retransmits
exceed - score: 0"
2020-04-22 11:15:47 #31706(rspamd_proxy) <ef4d8f>; proxy;
rspamd_symcache_finalize_item: slow rule: CLAM_VIRUS(229): 15053.12 ms;
enable slow timer delay
2020-04-22 11:16:32 #31706(rspamd_proxy) <ef4d8f>; lua;
oletools.lua:126: oletools: failed to scan, maximum retransmits exceed -
err: IO timeout
2020-04-22 11:16:32 #31706(rspamd_proxy) <ef4d8f>; lua; common.lua:107:
oletools: result - FAILED with error: "failed to scan, maximum
retransmits exceed - err: IO timeout - score: 0"
2020-04-22 11:16:32 #31706(rspamd_proxy) <ef4d8f>; proxy;
rspamd_symcache_finalize_item: slow rule: OLETOOLS(236): 45006.98 ms;
enable slow timer delay
2020-04-22 11:16:32 #31706(rspamd_proxy) <ef4d8f>; lua;
greylist.lua:416: greylisted until "Wed, 22 Apr 2020 09:21:32 GMT", new
record
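The two logs above carry the whole story: with scan_mime_parts = true every part is sent to clamd separately, two parts came back clean, one part produced the Heuristics.OLE2.ContainsMacros verdict, and two further parts ran into the retransmit limit, so the task ends up with both CLAM_OLE2MACRO and CLAM_VIRUS_FAIL and the force_action fires. The following Python script is an added example, not code from the post or from the rspamd project: it parses the symbol list of a rspamd_task_write_log line and the per-part clamav.lua result lines, and separates "scanner down" from "scanner gave a verdict on one part and timed out on another". The log excerpts embedded in it are constructed, modelled on the lines in the post with hostnames and ids replaced; the function names, the outcome labels and the CLAM_ prefix convention are my own assumptions.

```python
import re
from collections import Counter

# Constructed excerpt modelled on the rspamd_task_write_log line in the post;
# only the symbol list matters here, other fields are shortened or dropped.
SAMPLE_TASK_LOG = (
    "rspamd_task_write_log: id: <x@example.invalid>, "
    "(default: F (soft reject): [8.20/15.00] "
    "[CLAM_OLE2MACRO(7.00){Heuristics.OLE2.ContainsMacros;},"
    "HFILTER_HELO_IP_A(1.00){remote.example.invalid;},"
    "CLAM_VIRUS_FAIL(0.00){failed to scan and retransmits exceed;},"
    "FORCE_ACTION_CLAMAV_FEHLER(0.00){soft reject;},"
    "MSOFFICE_EXTENSION(0.00){xls;xlsx;},"
    "HAS_ATTACHMENT(0.00){}]), len: 5493537, time: 15186.710ms"
)

# Constructed per-part result lines modelled on the clamav.lua lines in the post.
SAMPLE_SCAN_LOG = """\
2020-04-22 11:15:32 #31706(rspamd_proxy) <ef4d8f>; lua; clamav.lua:132: clamav: message or mime_part is clean
2020-04-22 11:15:32 #31706(rspamd_proxy) <ef4d8f>; lua; clamav.lua:132: clamav: message or mime_part is clean
2020-04-22 11:15:32 #31706(rspamd_proxy) <ef4d8f>; lua; clamav.lua:144: clamav: ClamAV Found an OLE2 Office Macro
2020-04-22 11:15:47 #31706(rspamd_proxy) <ef4d8f>; lua; clamav.lua:119: clamav: failed to scan, maximum retransmits exceed
2020-04-22 11:15:47 #31706(rspamd_proxy) <ef4d8f>; lua; clamav.lua:119: clamav: failed to scan, maximum retransmits exceed
"""

# One symbol in the task log looks like NAME(score){opt;opt;...}
SYMBOL_RE = re.compile(r'([A-Z][A-Z0-9_]*)\(([-\d.]+)\)\{([^}]*)\}')
# Message text after the clamav.lua:<line>: prefix of a per-part result line
PART_RESULT_RE = re.compile(r'clamav\.lua:\d+: clamav: (.*)$')


def parse_symbols(task_log_line):
    """Map symbol name -> (score, [options]) for every symbol in the log line."""
    symbols = {}
    for name, score, opts in SYMBOL_RE.findall(task_log_line):
        symbols[name] = (float(score), [o for o in opts.split(';') if o])
    return symbols


def classify_av_outcome(symbols, fail_symbol='CLAM_VIRUS_FAIL', prefix='CLAM_'):
    """Classify the scanner result of one task (labels are this example's own):
    'clean'       no scanner symbol at all
    'detected'    a verdict symbol (here CLAM_VIRUS or a pattern child) and no failure
    'partial'     a verdict on some part AND a failure on another (the post's case)
    'unavailable' only the failure symbol: the scanner really is down or timing out
    """
    failed = fail_symbol in symbols
    verdicts = [n for n in symbols if n.startswith(prefix) and n != fail_symbol]
    if failed and verdicts:
        return 'partial'
    if failed:
        return 'unavailable'
    return 'detected' if verdicts else 'clean'


def failure_reason(symbols, fail_symbol='CLAM_VIRUS_FAIL'):
    """'timeout' when the failure option says retransmits were exhausted,
    otherwise the raw option text (None if the failure symbol is absent)."""
    _, opts = symbols.get(fail_symbol, (0.0, []))
    text = ' '.join(opts)
    if not text:
        return None
    return 'timeout' if 'retransmits' in text else text


def count_part_results(scan_log):
    """Tally per-part clamav outcomes; with scan_mime_parts = true there is
    one result line per scanned MIME part."""
    counts = Counter()
    for line in scan_log.splitlines():
        m = PART_RESULT_RE.search(line)
        if not m:
            continue
        msg = m.group(1)
        if 'is clean' in msg:
            counts['clean'] += 1
        elif 'failed to scan' in msg:
            counts['failed'] += 1
        else:
            counts['detected'] += 1
    return counts


if __name__ == '__main__':
    syms = parse_symbols(SAMPLE_TASK_LOG)
    print('outcome:', classify_av_outcome(syms), '| reason:', failure_reason(syms))
    print('per-part results:', dict(count_part_results(SAMPLE_SCAN_LOG)))
```

For the constructed input this reports outcome "partial" with reason "timeout" and per-part counts of two clean, one detected, two failed, which is the pattern in the post: the failure is not clamd being unreachable but individual parts of a 5.4 MB message exhausting the retransmit budget. Two places to look from there are the antivirus module's timeout and retransmits settings for the clamav backend, and the force_action expression itself, which as written triggers on CLAM_VIRUS_FAIL alone regardless of whether another part already produced a verdict.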
