[Rspamd-Users] Trouble with Antivirus in RspamD

christian usenet at schani.com
Wed Jul 3 15:59:52 UTC 2024


Hello G.W.

I discovered the error. When Debian was updated, clamav was also 
upgraded. The socket rights were not set correctly. Then it stopped working.

What I noticed is that there is only one note ***VIRUS*** in the rewrite 
subject for all the different viruses.

Since I have also subscribed to virus definitions via Fangfrisch, ClamAV 
not only looks for viruses but also for spam, phishing, and much more.

In the pattern I still have various symbols that are not taken into account.

patterns {
		JUST_EICAR = "^Eicar-Test-Signature$";
		CLAMAV_HEUR_ENCRYPTED = "^(.*Heuristics\.Encrypted\..*|File is encrypted)";
		CLAMAV_ARCHIVE_BAD_D_EXT = '/^Archive\.Filetype\.(DualExtJS)/i';
		CLAMAV_ARCHIVE_BOMB = '/^Heuristics\.Zip\.OverlappingFiles/i';
		CLAMAV_DOC_EMOTET = '/^Doc\.Downloader\.Emotet/i';
		CLAMAV_DOC_MALWARE = '/^Doc\.(Malware|Dropper|Exploit|Trojan|Virus|Downloader|Macro|Ransomware)\./i';
		CLAMAV_EMAIL_PHISHING = '/^Email\.Phishing/i';
		CLAMAV_EMAIL_TROJAN = '/^Email\.Trojan\.Toa-/i';
		CLAMAV_HEUR_OLE2_VBA_MACRO = '/^(Heuristics\.OLE2\.ContainsMacros.*|File contains macros)/i';
		CLAMAV_HEUR_BROKEN_EXEC = '/^Heuristics\.Broken\.Executable/i';
		CLAMAV_HEUR_BROKEN_MEDIA = '/^Heuristics\.(Broken\.Media|PNG\.CVE-2010-1205)/i';
		CLAMAV_HEUR_PNG_CVE = '/^Heuristics\.PNG/i';
		CLAMAV_HEUR_SPOOF_DN = '/^Heuristics\.Phishing\.Email\.SpoofedDomain/i';
		CLAMAV_HEUR_SPOOF_SSL = '/^Heuristics\.Phishing\.Email\.SSL-Spoof/i';
		CLAMAV_HEUR_STRUCT = '/^Heuristics\.Structured\./i';
		CLAMAV_HTML_EXPLOIT = '/^Html\.Exploit\./i';
		CLAMAV_HTML_PHISH = '/^Html\.Phishing\./i';

and many more ...

It would be good if I could also display this in the subject:
*** PHISHING ***
*** BAD ATTACHMENT ***
*** BAD SCRIPT ***
*** SPOOFING ***
How do you solve this?


What surprises me is that now that ClamAV is running again, 15,000 
emails have been received, but only one email was recognized by ClamAV 
as a virus.

FILENAME_BLACKLISTED(20.00)[html];
CLAM_VIRUS(20.00)[Sanesecurity.Malware.3085.UNOFFICIAL];

Of the 15,000 incoming mails 5,000 were recognized as "add header" and 
"rewrite subject". Shouldn't more of these be recognized by ClamAV?

This one virus email also has an attachment, which makes me suspect that 
only emails with attachments are scanned by the virus scanner. Do I need 
to somehow activate the scanning of emails without attachments?

Thanks

Christian


On 01.07.2024 at 12:53, G.W. Haywood wrote:
> Hi there,
> 
> On Mon, 1 Jul 2024, christian via Users wrote:
> 
>> Good morning, it's me again ;-)
> 
> :)
> 
>> At the weekend I noticed that there was something wrong with my ClamAV 
>> ...
> 
> I can't remember the last time that a clamd daemon crashed here except
> when I was experimenting with Yara rules - so I gave up with ClamAV's
> Yara implementation and since then it's never crashed.
> 
>> ... I don't know if it has anything to do with the Debian update from 
>> 12.5 to 12.6 and whether it's related in time. ...
>> There was an update of ClamAV from 1.0.4 to 1.0.5 from Debian.
> 
> IMHO an update is always a prime suspect.  Especially a Debian update.
> If it just hasn't started properly, maybe you need to tweak something
> in the configuration?  Is there anything in the Debian upgrade notes?
> 
> I don't know what Debian is doing with ClamAV but the latest version
> in Long Term Support (LTS) seems to be 1.0.6:
> 
> https://www.clamav.net/downloads
> 
> It might be worth checking that the version you're using is getting
> the updates it needs for signatures.  I think the ClamAV team intended
> at some time to prevent older versions from getting updates as a way
> of encouraging people to upgrade.  It would be a bit pushy to block
> updates for a release only one point older, but stranger things have
> happened.
> 
>> [...]
>> I checked whether the Clamav-deamon socket is active:
>>
>> lsof /run/clamav/clamd.ctl
>> COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
>> systemd 1 root 46u unix 0x000000009dedbc6e 0t0 19184743 
>> /run/clamav/clamd.ctl type=STREAM (LISTEN)
>> clamd 1057788 clamav 3u unix 0x000000009dedbc6e 0t0 19184743 
>> /run/clamav/clamd.ctl type=STREAM (LISTEN)
>>
>> So it looks like it's working.
> 
> If you say so.  I've no idea what systemd is doing with the socket,
> but it does like to get its fingers into every possible pie. :(  I'd
> suggest that you look into that at your leisure, but, for now, try to
> connect to clamd manually.  It's useful to be able to do that for a
> quick test any time.  Our clamd server is on the LAN, so below is an
> example using telnet.  Using a shell on my local mail server I connect
> to the remote clamd and send the 'PING' command.  The reply (if any)
> will be 'PONG', and the clamd server should then close the connection.
> If you don't get a connection, or you don't get a PONG, then the
> problem is probably with clamd.  If you do get the expected response
> the problem is very likely elsewhere.
> 
> 8<----------------------------------------------------------------------
> $ telnet 192.0.2.1 3310
> Trying 192.0.2.1...
> Connected to 192.0.2.1.
> Escape character is '^]'.
> PING
> PONG
> Connection closed by foreign host.
> $ 8<----------------------------------------------------------------------
> 
> Note that I've edited the IP address and port for this example.  We
> don't actually use those values here.
> 
> Since you're using a local Unix socket you'll need to do something
> slightly different to make the connection, for example Netcat:
> 
> 8<----------------------------------------------------------------------
> $ nc -U /run/clamav/clamd.ctl
> PING
> PONG
> $
> 8<----------------------------------------------------------------------
> 
> Full disclosure:-  The above is what I'd expect.  I haven't actually
> tested it on a server because ours isn't listening on a Unix socket. :/
> If all else fails you could reconfigure clamd for a network connection
> to test it, but that really shouldn't be necessary.
> 
>> What surprises me is that "sockstat | grep clam" doesn't find a socket.
> 
> You should definitely see something.  Here's our clamd server:
> 
> 8<----------------------------------------------------------------------
> # sockstat | grep clam | tr -s " "
> clamav clamd 19954 tcp4 192.0.2.1:3310 *:* LISTEN
> # 8<----------------------------------------------------------------------
> 
> Again I've edited the IP/port.  Not that it really matters, as they're
> all RFC1918 private IPs.
> 
>> It looks like Rspamd is not forwarding any emails to the socket. So 
>> "tail -f /var/log/rspamd/rspamd.log | grep clam" doesn't output 
>> anything (debug is on). Normally rspamd should pass all emails to the 
>> ClamAV, even the ham ones, right?
> 
> This is beside the point at the moment but I like to scan mail which
> is considered ham, because you never know when some normally trusted
> supplier or customer will suddenly start sending malware.  It doesn't
> happen often here but it does occasionally happen.
> 
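The patterns table in the post maps a ClamAV signature name to an rspamd symbol; the following is an added example (not rspamd's own code or configuration) that applies a subset of those patterns to signature names the way the poster expects, and shows why "Sanesecurity.Malware.3085.UNOFFICIAL" falls through to the generic CLAM_VIRUS symbol. The SUBJECT_TAGS table is a hypothetical illustration of the per-category subject tags asked for; rspamd does not ship it.

```python
import re

# Constructed subset of the antivirus "patterns" table from the post:
# symbol name -> regex in rspamd notation ('/re/flags' or a bare regex).
PATTERNS = {
    "JUST_EICAR": r"^Eicar-Test-Signature$",
    "CLAMAV_HEUR_ENCRYPTED": r"^(.*Heuristics\.Encrypted\..*|File is encrypted)",
    "CLAMAV_DOC_EMOTET": r"/^Doc\.Downloader\.Emotet/i",
    "CLAMAV_EMAIL_PHISHING": r"/^Email\.Phishing/i",
    "CLAMAV_HEUR_OLE2_VBA_MACRO": r"/^(Heuristics\.OLE2\.ContainsMacros.*|File contains macros)/i",
    "CLAMAV_HEUR_SPOOF_DN": r"/^Heuristics\.Phishing\.Email\.SpoofedDomain/i",
    "CLAMAV_HTML_PHISH": r"/^Html\.Phishing\./i",
}

# Hypothetical symbol -> subject tag mapping (not an rspamd feature).
SUBJECT_TAGS = {
    "CLAMAV_EMAIL_PHISHING": "*** PHISHING ***",
    "CLAMAV_HTML_PHISH": "*** PHISHING ***",
    "CLAMAV_HEUR_SPOOF_DN": "*** SPOOFING ***",
    "CLAMAV_HEUR_OLE2_VBA_MACRO": "*** BAD ATTACHMENT ***",
    "CLAMAV_DOC_EMOTET": "*** BAD ATTACHMENT ***",
}

_FLAGS = {"i": re.IGNORECASE, "s": re.DOTALL, "m": re.MULTILINE, "x": re.VERBOSE}

def compile_pattern(spec):
    """Compile an rspamd-style regex: '/body/flags' or a bare (case-sensitive) regex."""
    end = spec.rfind("/")
    if spec.startswith("/") and end > 0:
        flags = 0
        for ch in spec[end + 1:]:
            flags |= _FLAGS[ch]
        return re.compile(spec[1:end], flags)
    return re.compile(spec)

COMPILED = {sym: compile_pattern(p) for sym, p in PATTERNS.items()}

def classify(signature, default="CLAM_VIRUS"):
    """First symbol whose pattern matches the signature name, else the generic symbol.
    (First-match order is an assumption of this example.)"""
    for sym, rx in COMPILED.items():
        if rx.search(signature):
            return sym
    return default

def subject_tag(signature):
    """Subject tag for a signature; anything unmapped keeps the generic tag."""
    return SUBJECT_TAGS.get(classify(signature), "*** VIRUS ***")
```

Note that bare patterns such as JUST_EICAR are case-sensitive, while the '/.../i' forms are not, so "eicar-test-signature" would not match the first entry.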

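The PING/PONG test quoted above, plus the socket-permission problem the poster found, as an added example (not code from either poster or from ClamAV): it checks that the clamd Unix socket exists and is accessible to the calling user, then sends PING and expects PONG. The clamd stand-in and the temporary socket path are constructed so the example runs without a real clamd.

```python
import os
import socket
import stat
import tempfile
import threading

def socket_usable(path):
    """Check the control socket as a non-root client (e.g. rspamd) sees it:
    it must exist, be a socket, and be readable and writable by this user."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return False, "missing"
    if not stat.S_ISSOCK(st.st_mode):
        return False, "not a socket"
    if not os.access(path, os.R_OK | os.W_OK):
        return False, "mode %04o, owner uid %d: no access" % (stat.S_IMODE(st.st_mode), st.st_uid)
    return True, "ok"

def clamd_ping(path, timeout=5.0):
    """Send PING over the Unix socket; True only if clamd answers PONG."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect(path)
        s.sendall(b"PING\n")
        return s.recv(64).strip() == b"PONG"

def _fake_clamd(srv):
    """Constructed stand-in for clamd: answers one PING with PONG, then closes."""
    conn, _ = srv.accept()
    with conn:
        if conn.recv(64).strip() == b"PING":
            conn.sendall(b"PONG\n")
    srv.close()

def demo():
    """Run both checks against the stand-in listening on a temporary path."""
    tmp = tempfile.mkdtemp()
    path = os.path.join(tmp, "clamd.ctl")
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    srv.listen(1)
    threading.Thread(target=_fake_clamd, args=(srv,), daemon=True).start()
    ok, why = socket_usable(path)
    pong = clamd_ping(path) if ok else False
    os.unlink(path)
    os.rmdir(tmp)
    return ok, why, pong
```

Against a real installation, call socket_usable("/run/clamav/clamd.ctl") as the rspamd user; a "no access" result is the permission problem described in the post.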
