[Rspamd-Users] Trouble with Antivirus in RspamD

christian usenet at schani.com
Mon Jul 1 08:57:10 UTC 2024


Good morning, it's me again ;-)

At the weekend I noticed that there was something wrong with my ClamAV 
connection. I don't know if it has anything to do with the Debian update 
from 12.5 to 12.6 and whether it's related in time.

The following:
I can no longer connect from RspamD to the ClamAV socket. There was an 
update of ClamAV from 1.0.4 to 1.0.5 from Debian.

I checked whether the clamav-daemon socket is active:

lsof /run/clamav/clamd.ctl
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
systemd 1 root 46u unix 0x000000009dedbc6e 0t0 19184743 /run/clamav/clamd.ctl type=STREAM (LISTEN)
clamd 1057788 clamav 3u unix 0x000000009dedbc6e 0t0 19184743 /run/clamav/clamd.ctl type=STREAM (LISTEN)

So it looks like it's working.
What surprises me is that "sockstat | grep clam" doesn't find a socket.
"netstat -tlpn | grep clam" doesn't work either.


/etc/rspamd/local.d/antivirus.conf
clamav {
	symbol = "CLAM_VIRUS";
	type = "clamav";
	action = "rewrite subject";
	message = "VIRUS: '${VIRUS}'";
	subject = "*** VIRUS '${VIRUS}' *** ";
	#servers = "127.0.0.1:3310";
	#servers = "127.0.0.1";
	servers = "/run/clamav/clamd.ctl";
	max_size = 10000000;
	scan_mime_parts = true;
	scan_text_mime = true;
	scan_image_mime = true;
	log_clean = true;
	timeout = 30;
	retransmits = 2;

	patterns {
		JUST_EICAR = "^Eicar-Test-Signature$";
		CLAMAV_HEUR_ENCRYPTED = "^(.*Heuristics\.Encrypted\..*|File is encrypted)";
		# and many more ....
	}
}

After restarting rspamd and clamav-daemon, nothing is displayed in the 
rspamd and clamav log files.

It looks like Rspamd is not forwarding any emails to the socket. So 
"tail -f /var/log/rspamd/rspamd.log | grep clam" doesn't output anything 
(debug is on). Normally rspamd should pass all emails to ClamAV, 
even the ham ones, right?

But there is no entry in the clamav.log file either.

I tried Eicar, also with GTUBE, but nothing.
A notice should appear in the email client when sending an Eicar email.
Also no symbol (CLAM_**) is added to the emails.

rspamadm configtest
syntax OK

What could be the reason for this? Many thanks for any tips.
Christian
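
Added example, not part of the original post and not Rspamd or ClamAV project code: a small client that speaks the clamd protocol (PING, then INSTREAM) directly to the socket named in the posted antivirus.conf, so the socket can be tested separately from rspamd. The function names and the harmless sample payload are constructed for illustration; run it under the account rspamd runs as, so that socket permission errors show up.

```python
import socket
import struct
import sys

CLAMD_SOCKET = "/run/clamav/clamd.ctl"  # path from the post's antivirus.conf

def frame_instream(data, chunk_size=8192):
    """Build an INSTREAM request: command, length-prefixed chunks, zero-length end."""
    chunks = [data[i:i + chunk_size] for i in range(0, len(data), chunk_size)]
    body = b"".join(struct.pack("!I", len(c)) + c for c in chunks)
    return b"zINSTREAM\0" + body + struct.pack("!I", 0)

def exchange(sock, payload):
    """Send one request on a connected socket and read the NUL-terminated reply."""
    sock.sendall(payload)
    reply = b""
    while not reply.endswith(b"\0"):
        part = sock.recv(4096)
        if not part:  # peer closed before terminating the reply
            break
        reply += part
    return reply.rstrip(b"\0").decode("utf-8", "replace")

def parse_verdict(reply):
    """Map 'stream: OK', 'stream: <name> FOUND' or '... ERROR' to (status, detail)."""
    body = reply.split(": ", 1)[-1]
    if body == "OK":
        return ("clean", None)
    if body.endswith(" FOUND"):
        return ("infected", body[:-len(" FOUND")])
    return ("error", body)

def probe(path=CLAMD_SOCKET, sample=b"constructed harmless sample\n"):
    """Return (ping_reply, verdict); raises OSError if the socket cannot be used."""
    results = []
    for payload in (b"zPING\0", frame_instream(sample)):
        with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
            s.settimeout(30)  # same value as timeout in the posted config
            s.connect(path)
            results.append(exchange(s, payload))
    return results[0], parse_verdict(results[1])

if __name__ == "__main__":
    try:
        print(probe(sys.argv[1] if len(sys.argv) > 1 else CLAMD_SOCKET))
    except OSError as exc:  # e.g. PermissionError, ConnectionRefusedError
        sys.exit(f"clamd socket check failed: {exc!r}")
```

A healthy daemon answers with ('PONG', ('clean', None)) and the INSTREAM request shows up in clamav.log; an OSError here points at the socket or its permissions rather than at the rspamd configuration.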



