Mailing List Archive: ClamAV: users

Howto: Allow logwatch reports through clamav?


byrnejb at harte-lyne

Apr 13, 2012, 1:30 PM

Post #1 of 4 (536 views)
Howto: Allow logwatch reports through clamav?

I have several MX servers running ClamAV in conjunction
with MailScanner and Sendmail or Amavisd-new and Postfix.

These machines forward logwatch reports to a central email
address on a daily basis. The delivery hub also has clamd
running.

What is happening on the hub is that certain reports are
being categorized as phishing messages by clamd and thus
the report never arrives. I have looked at the
MailScanner rules and removed the report delivery address
from virus_scanning. However, all that managed to do was
to move the clamd virus report from the maillog to the
messages file. The report email is still identified as a
phishing suspect inside /var/spool/MailScanner/incoming.

Is there a way to avoid this for either one delivery
address or one senders address? I have no desire to
change things on a system-wide basis. Is clamd actually
scanning the same files twice, once when passed by
MailScanner and then again simply because the file is on
disk?

--
*** E-Mail is NOT a SECURE channel ***
James B. Byrne mailto:ByrneJB [at] Harte-Lyne
Harte & Lyne Limited http://www.harte-lyne.ca
9 Brockley Drive vox: +1 905 561 1241
Hamilton, Ontario fax: +1 905 561 0757
Canada L8E 3C3

_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml


ged at jubileegroup

Apr 15, 2012, 8:08 AM

Post #2 of 4 (504 views)
Re: Howto: Allow logwatch reports through clamav? [In reply to]

Hi there,

On Sat, 14 Apr 2012, James B. Byrne wrote:

> I have several MX servers running ClamAV in conjunction
> with MailScanner and Sendmail or Amavisd-new and Postfix.
>
> These machines forward logwatch reports to a central email
> address on a daily basis. The delivery hub also has clamd
> running.
>
> ... certain reports are being categorized as phishing messages by
> clamd and thus the report never arrives.

Could you disable the phishing checks on the hub?

> I have looked at the
> MailScanner rules and removed the report delivery address
> from virus_scanning.

It sounds reasonable, although I'd have said that in principle it
would be better to whitelist a sender address, one which you only use
internally and so will probably never be forged. That way you can
change where you send the reports without changing your mail server's
other configuration. However I've never used MailScanner and I can't
claim to know.

> Is there a way to avoid this for either one delivery
> address or one senders address?

To do this you need to work on the mail server configuration, not on
clamd's configuration.

> I have no desire to change things on a system-wide basis. Is clamd
> actually scanning the same files twice

Well it does sound like you're scanning both on the mail exchangers
and on the mail hub, which seems like a waste, but I don't think
that's your question.

> ... once when passed by MailScanner and then again simply because
> the file is on disk?

No, clamd only scans what it's told to scan by other software. By
itself it does absolutely nothing except consume resources, by loading
a database and sitting around as a process waiting for connections.

--

73,
Ged.


byrnejb at harte-lyne

Apr 15, 2012, 10:11 AM

Post #3 of 4 (506 views)
Re: Howto: Allow logwatch reports through clamav? [In reply to]

On Sun, April 15, 2012 11:08, G.W. Haywood wrote:
> Hi there,
>
> On Sat, 14 Apr 2012, James B. Byrne wrote:
>
>> I have several MX servers running ClamAV in conjunction
>> with MailScanner and Sendmail or Amavisd-new and
>> Postfix.
>>
>> These machines forward logwatch reports to a central
>> email address on a daily basis. The delivery hub
>> also has clamd running.
>>
>> ... certain reports are being categorized as phishing
>> messages by clamd and thus the report never arrives.
>
> Could you disable the phishing checks on the hub?

That is what I ended up having to do, but only for the URL
checks. PhishingScanURLs no. The problem appears to be
that the logwatch report module for mailscanner sends the
actual phishing urls trapped at the gateway as part of the
report, with the results witnessed at the hub.

>
>> I have looked at the MailScanner rules and removed the
>> report delivery address from virus_scanning.
>
> It sounds reasonable, although I'd have said that in
> principle it would be better to whitelist a sender
> address, one which you only use internally and so will
> probably never be forged. That way you can
> change where you send the reports without changing your
> mail server's other configuration. However I've never
> used MailScanner and I can't claim to know.

The originating address was already whitelisted. In the
event exempting the delivery address also had little
effect.

>
>> Is there a way to avoid this for either one delivery
>> address or one senders address?
>
> To do this you need to work on the mail server
> configuration, not on clamd's configuration.

As it turns out, when I successfully removed the delivery
address from mailscanner's attention clamd caught the same
file on disk in any case. The only change was that the
clamd log entry moved from /var/log/maillog to
/var/log/messages.


>
>> I have no desire to change things on a system-wide
>> basis. Is clamd actually scanning the same files twice?
>
> Well it does sound like you're scanning both on the mail
> exchangers and on the mail hub, which seems like a waste,
> but I don't think that's your question.

We have internal mail which does not pass through our
external MX hosts. Some of these are Microsoft systems
and it is considered best to assume that these are a
potential source of compromise and thus everything needs
to be checked, incoming and outgoing, at the hub.

>
>> ... once when passed by MailScanner and then again
>> simply because the file is on disk?
>
> No, clamd only scans what it's told to scan by other
> software. By itself it does absolutely nothing except
> consume resources, by loading a database and sitting
> around as a process waiting for connections.
>

Well, I cannot seem to find a way to prevent clamd from
scanning those messages so in the end I had to partially
turn off the phishing checks in clamd itself. I cannot
identify any resident filesystem scanner that uses clamd
but I find it odd that the clamd messages moved from
maillog to messages after I stopped scanning email to the
delivery address.


--
*** E-Mail is NOT a SECURE channel ***
James B. Byrne mailto:ByrneJB [at] Harte-Lyne
Harte & Lyne Limited http://www.harte-lyne.ca
9 Brockley Drive vox: +1 905 561 1241
Hamilton, Ontario fax: +1 905 561 0757
Canada L8E 3C3



ged at jubileegroup

Apr 16, 2012, 3:37 AM

Post #4 of 4 (512 views)
Re: Howto: Allow logwatch reports through clamav? [In reply to]

Hello again,

On Mon, 16 Apr 2012, James B. Byrne wrote:

> ... I cannot identify any resident filesystem scanner that uses clamd ...

It might not be using clamd directly. There are utilities supplied
with ClamAV, one which uses clamd and one which doesn't.

'clamscan' will load the virus database(s) and scan what you tell it
to scan. Command line options affect the behaviour of the scanning
engine but because clamscan uses the ClamAV libraries, not the clamd
daemon (which uses the same libraries), clamd.conf doesn't affect it.
Loading the database takes a while so you wouldn't want, for example,
to call clamscan repeatedly in a shell script.

'clamdscan' will use clamd, which has already loaded the database(s),
to scan what you tell it to scan. The clamd daemon does what it has
been configured to do by clamd.conf and command line options have no
effect on that. Because clamd has already loaded the database, it is
much faster for example to scan the odd file from the command line,
although if you gave a command line which told it to scan the entire
disc the time to load the database would probably be less important.
A shell script which makes many calls to the scanner should probably
call clamdscan.

It's possible that you have a cron job which is set up to call one of
these scanning utilities.

--

73,
Ged.
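Ged's closing suggestion, finding a scheduled job that calls one of the two scanning utilities, as an added shell helper that is not part of the thread. It assumes the usual Linux cron locations; other files or directories can be passed as arguments instead.

```shell
#!/bin/sh
# Added example, not from the thread: locate scheduled jobs that run clamscan or
# clamdscan, which would explain scan results that clamd did not initiate itself.
# Assumes the usual Linux cron layout; other locations can be given as arguments.

# Print "file:line:text" for every cron entry that mentions clamscan or clamdscan.
# Always returns 0 so it can be used inside $(...) under 'set -e'.
find_scanner_jobs() {
    if [ $# -eq 0 ]; then
        set -- /etc/crontab /etc/anacrontab /etc/cron.d /etc/cron.hourly \
               /etc/cron.daily /etc/cron.weekly /etc/cron.monthly /var/spool/cron
    fi
    for loc in "$@"; do
        [ -e "$loc" ] || continue
        # -r descends into directories, -n adds the line number. The pattern
        # matches either utility name anywhere on the line, so review hits by hand.
        grep -rnE 'clam(d)?scan' "$loc" 2>/dev/null || true
    done
    return 0
}

# Number of matching entries, for a wrapper that only reports when there are any.
count_scanner_jobs() {
    find_scanner_jobs "$@" | wc -l | tr -d ' '
}

# Stand-alone run: report hits in the default locations (or those given as arguments).
find_scanner_jobs "$@"
```

A hit that names clamscan inside a loop is worth changing to clamdscan for the reason Ged gives: clamscan reloads the database on every call.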
