[Rspamd-Users] Trouble with Antivirus in RspamD

G.W. Haywood rspamd at jubileegroup.co.uk
Wed Jul 3 22:33:06 UTC 2024


Hi there,

On Wed, 3 Jul 2024, christian via Users wrote:

> i discovered the error. When Debian was updated, clamav was also upgraded. 
> The socket rights were not set correctly. ...

Glad you got it fixed.

> ... there is only one note ***VIRUS*** in the rewrite subject for
> all the different viruses.
> ...
> It would be good if I could also display this in the subject:
> *** PHISHING ***
> *** BAD ATTACHMENT ***
> *** BAD SCRIPT ***
> *** SPOOFING ***
> How do you solve this?

I don't rewrite subjects, but maybe these will help:

https://rspamd.com/doc/modules/force_actions.html
https://github.com/rspamd/rspamd/discussions/4579

> What surprises me is that now that ClamAV is running again, 15,000 emails 
> have been received, but only one email was recognized by ClamAV as a virus.
> ...
> Of the 15,000 incoming Mails 5,000 were recognized as "add header" and 
> "rewrite subject". Shouldn't more of these be recognized by ClamAV?

Perhaps.  My recent post about ClamAV's detection performance:

https://lists.rspamd.com/pipermail/users/2024-March/003184.html

As you know ClamAV signatures are available from a number of third
parties.  The post above is my experience of ClamAV's performance
scanning known viruses by means of Jotti's Malware Scan.  The Jotti
site uses ClamAV I believe as supplied by Cisco/Talos/Sourcefire with
no third party signatures, and AFAICT with this configuration ClamAV's
detection performance is worse than anything else available.  I can
recommend the Sanesecurity signatures, but I don't have measurements
of the virus detection performance to hand (I don't use Sanesecurity
signatures for virus scanning - I use my own milter, and Yara rules).

> This one virus email also has an attachment, which makes me suspect that only 
> emails with attachments are scanned by the virus scanner. Do I need to 
> somehow activate the scanning of emails without attachments?

There's more than one configuration involved, but the rspamd
documentation says that its default is to scan entire messages:

https://rspamd.com/doc/modules/antivirus.html

I suppose you'll need to check your configuration to be sure.

If you run clamd and pass entire messages to it via its socket, then
it will scan as configured by a configuration file which is possibly
'clamd.conf' on your system.  You can probably see the configuration
options available to you by running 'man clamd.conf' or checking the
ClamAV documentation.  You really should be doing that anyway as it's
possible to DOS yourself if you use badly chosen configuration values.
Most of the clamd configuration is nuts and bolts stuff, things like
limits on data sizes to prevent a scan from overloading the system,
and will have no effect on which parts of an email are scanned unless
the message is very large or for example contains a malicious archive
file and so manages to hit one of the resource limits.  Be clear that
the configuration of resource limits etc. really needs to be set up
for your specific system, especially if it's working hard.  You might
find that your scanner isn't doing what you think it should be doing,
or indeed it might be doing nothing useful at all.  Probably best to
set verbose logging and scour the logs for a while; get to know it.

-- 

73,
Ged.
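The two checks discussed in this thread (are the clamd socket rights usable, and does clamd see the whole message rather than only attachments) can be done directly against clamd's socket protocol, independent of rspamd. The following is an added example of mine, not code from the post, from rspamd or from ClamAV. It assumes Debian's default socket path (`LocalSocket` in clamd.conf, here `/var/run/clamav/clamd.ctl`) and uses the EICAR test string placed in the message body, with no attachment; if clamd answers `FOUND` for that message, whole messages are being scanned. The function names and the sample replies in the comments are mine; the signature name clamd reports for EICAR depends on the signature set loaded. A reply ending in `ERROR` (for example the `INSTREAM size limit exceeded.` text from `StreamMaxLength`) is the resource-limit case mentioned above.

```python
"""Check clamd socket rights and whole-message scanning over the INSTREAM protocol.
Added example; not code from the mailing-list post, rspamd or ClamAV."""
import os
import socket
import stat
import struct
from email.message import EmailMessage

# Assumption: Debian's default clamd socket; match LocalSocket in your clamd.conf.
CLAMD_SOCKET = "/var/run/clamav/clamd.ctl"

# The standard 68-byte EICAR test string, split in two so the source file itself
# is not flagged on disk.  Every ClamAV signature set detects it.
EICAR = "X5O!P%@AP[4\\PZX54(P^)7CC)7}$" + "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def check_socket_perms(path: str) -> list:
    """Return a list of problems with the socket path (empty list means usable).
    This is the 'socket rights' failure from the thread: after a package upgrade
    the socket can exist but be unwritable for the user rspamd runs as."""
    if not os.path.exists(path):
        return [f"missing: {path}"]
    problems = []
    if not stat.S_ISSOCK(os.stat(path).st_mode):
        problems.append(f"not a socket: {path}")
    if not os.access(path, os.W_OK):
        problems.append(f"no write permission for uid {os.getuid()}: {path}")
    return problems


def frame_instream(data: bytes, chunk_size: int = 8192) -> bytes:
    """Encode data as one clamd INSTREAM session: the command, length-prefixed
    chunks (4-byte big-endian length), then a zero-length terminator chunk."""
    out = [b"zINSTREAM\0"]
    for i in range(0, len(data), chunk_size):
        chunk = data[i:i + chunk_size]
        out.append(struct.pack(">I", len(chunk)) + chunk)
    out.append(struct.pack(">I", 0))
    return b"".join(out)


def parse_reply(raw: bytes) -> tuple:
    """Turn a clamd reply such as b'stream: Some.Signature FOUND\\0' into
    (status, detail): status is 'OK', 'FOUND' or 'ERROR'; detail is the
    signature name for FOUND, the error text for ERROR, '' for OK."""
    text = raw.rstrip(b"\0\n").decode("utf-8", "replace")
    body, _, status = text.rpartition(" ")
    if body.startswith("stream: "):
        body = body[len("stream: "):]
    if status == "OK":
        return "OK", ""
    if status == "FOUND":
        return "FOUND", body
    if status == "ERROR":
        return "ERROR", body
    return "ERROR", text  # anything unrecognised is reported verbatim


def build_test_message() -> bytes:
    """Constructed sample: a plain-text mail with EICAR in the BODY and no
    attachment.  A FOUND verdict on this proves whole messages are scanned."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "postmaster@example.invalid"
    msg["Subject"] = "clamd whole-message scan check"
    msg.set_content("Test body follows.\n" + EICAR + "\n")
    return msg.as_bytes()


def scan_bytes(data: bytes, sock_path: str = CLAMD_SOCKET, timeout: float = 30.0) -> tuple:
    """Stream data to a live clamd over its UNIX socket; return parse_reply()'s result."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect(sock_path)
        s.sendall(frame_instream(data))
        reply = b""
        while not reply.endswith(b"\0"):
            part = s.recv(4096)
            if not part:
                break
            reply += part
    return parse_reply(reply)


if __name__ == "__main__":
    for problem in check_socket_perms(CLAMD_SOCKET):
        print("socket check:", problem)
    status, detail = scan_bytes(build_test_message())
    print(status, detail)  # FOUND plus a signature name means the body was scanned
```

Run it as the same user rspamd runs under, so the permission check reflects what the antivirus module actually sees; an `OK` verdict on the test message means either the signature database is not loaded or the scan never reached the body, and that is the point to start reading clamd's verbose log.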