[SOLVED] ClamAV not working

brywhi

New Member
Nov 17, 2020
Hi everyone-
New proxmox user here. I'm liking it a lot so far. :)

It seems that clamav is not scanning email attachments for me. When I use eicar at http://www.aleph-tec.com/eicar/index.php to send a message to myself, it gets through proxmox without issue. How can I troubleshoot this?

Here is syslog of the eicar email. I don't see any mention of Clam.
Code:
Nov 16 18:25:30 mail01 postfix/postscreen[6836]: CONNECT from [205.233.73.32]:56620 to [{My IP}]:25
Nov 16 18:25:32 mail01 postfix/anvil[6402]: statistics: max connection rate 1/60s for (smtpd:8.12.53.104) at Nov 16 18:19:33
Nov 16 18:25:32 mail01 postfix/anvil[6402]: statistics: max connection count 1 for (smtpd:8.12.53.104) at Nov 16 18:19:33
Nov 16 18:25:32 mail01 postfix/anvil[6402]: statistics: max cache size 3 at Nov 16 18:20:04
Nov 16 18:25:36 mail01 postfix/postscreen[6836]: PASS NEW [205.233.73.32]:56620
Nov 16 18:25:36 mail01 postfix/smtpd[6847]: connect from batch.outbound.your-site.com[205.233.73.32]
Nov 16 18:25:36 mail01 postfix/smtpd[6847]: Anonymous TLS connection established from batch.outbound.your-site.com[205.233.73.32]: TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)
Nov 16 18:25:36 mail01 pmgpolicy[5092]: SPF says pass
Nov 16 18:25:36 mail01 postfix/smtpd[6847]: 82302C1079: client=batch.outbound.your-site.com[205.233.73.32]
Nov 16 18:25:36 mail01 postfix/cleanup[6853]: 82302C1079: message-id=<202011170125.0AH1P0Cd3126297@29c639b58d65.web.vm.your-site.com>
Nov 16 18:25:36 mail01 postfix/qmgr[20643]: 82302C1079: from=<eicar@aleph-tec.com>, size=2616, nrcpt=1 (queue active)
Nov 16 18:25:36 mail01 postfix/smtpd[6847]: disconnect from batch.outbound.your-site.com[205.233.73.32] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Nov 16 18:25:36 mail01 pmg-smtp-filter[6040]: 2020/11/16-18:25:36 CONNECT TCP Peer: "[127.0.0.1]:40642" Local: "[127.0.0.1]:10024"
Nov 16 18:25:36 mail01 pmg-smtp-filter[6040]: C127D5FB326908A97B: new mail message-id=<202011170125.0AH1P0Cd3126297@29c639b58d65.web.vm.your-site.com>
Nov 16 18:25:39 mail01 pmg-smtp-filter[6040]: C127D5FB326908A97B: SA score=0/5 time=2.514 bayes=undefined autolearn=ham autolearn_force=no hits=AWL(0.032),KAM_DMARC_STATUS(0.01),RCVD_IN_DNSWL_LOW(-0.7),SPF_HELO_PASS(-0.001),SPF_PASS(-0.001)
Nov 16 18:25:39 mail01 postfix/smtpd[6860]: connect from localhost.localdomain[127.0.0.1]
Nov 16 18:25:39 mail01 postfix/smtpd[6860]: 1DE56C1291: client=localhost.localdomain[127.0.0.1], orig_client=batch.outbound.your-site.com[205.233.73.32]
Nov 16 18:25:39 mail01 postfix/cleanup[6853]: 1DE56C1291: message-id=<202011170125.0AH1P0Cd3126297@29c639b58d65.web.vm.your-site.com>
Nov 16 18:25:39 mail01 postfix/qmgr[20643]: 1DE56C1291: from=<eicar@aleph-tec.com>, size=3236, nrcpt=1 (queue active)
Nov 16 18:25:39 mail01 pmg-smtp-filter[6040]: C127D5FB326908A97B: accept mail to <bryan@milestonefe.com> (1DE56C1291) (rule: default-accept)
Nov 16 18:25:39 mail01 postfix/smtpd[6860]: disconnect from localhost.localdomain[127.0.0.1] ehlo=1 xforward=1 mail=1 rcpt=1 data=1 commands=5
Nov 16 18:25:39 mail01 pmg-smtp-filter[6040]: C127D5FB326908A97B: processing time: 2.557 seconds (2.514, 0.022, 0)
Nov 16 18:25:39 mail01 postfix/lmtp[6854]: 82302C1079: to=<bryan@milestonefe.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=2.7, delays=0.17/0.01/0/2.6, dsn=2.5.0, status=sent (250 2.5.0 OK (C127D5FB326908A97B))
Nov 16 18:25:39 mail01 postfix/qmgr[20643]: 82302C1079: removed
Nov 16 18:25:39 mail01 postfix/smtp[6861]: Trusted TLS connection established to milestonefe-com.mail.protection.outlook.com[104.47.58.110]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Nov 16 18:25:40 mail01 postfix/smtp[6861]: 1DE56C1291: to=<bryan@milestonefe.com>, relay=milestonefe-com.mail.protection.outlook.com[104.47.58.110]:25, delay=1.8, delays=0/0.01/0.75/0.99, dsn=2.6.0, status=sent (250 2.6.0 <202011170125.0AH1P0Cd3126297@29c639b58d65.web.vm.your-site.com> [InternalId=39324720568099, Hostname=MWHPR20MB1278.namprd20.prod.outlook.com] 11671 bytes in 0.235, 48.338 KB/sec Queued mail for delivery)
Nov 16 18:25:40 mail01 postfix/qmgr[20643]: 1DE56C1291: removed
Nov 16 18:25:45 mail01 pmgpolicy[20415]: starting policy database maintainance (greylist, rbl)
Nov 16 18:25:45 mail01 pmgpolicy[20415]: end policy database maintainance (8 ms, 1 ms)

Virus detector settings: [three screenshots attached]

Thanks for your help!
 
Did you disable the default virus check in the rule system or change it somehow?
 
Of note, when I try to use clamdscan to scan an arbitrary text file, I get an lstat() failed permission denied error:

Code:
root@mail01:~# clamdscan test.txt
/root/test.txt: lstat() failed: Permission denied. ERROR

----------- SCAN SUMMARY -----------
Infected files: 0
Total errors: 1
Time: 0.000 sec (0 m 0 s)
root@mail01:~#

This is a new install from the iso image with the following modifications:
-Installed nginx to redirect the quarantine for users to access it at port 443
-Installed fail2ban
 
* Does the clamdscan work if you put the file in /tmp?
* anything in dmesg / journal - why clamdscan fails?
(check if apparmor got installed somehow)
 
Clamdscan does work in /tmp:
Code:
root@mail01:/tmp# clamdscan test.txt
/tmp/test.txt: OK

----------- SCAN SUMMARY -----------
Infected files: 0
Time: 0.003 sec (0 m 0 s)

I don't see anything in dmesg with "dmesg | grep clam", any other strings you think I should search for?

with journalctl -t clamd, the only failures I see are the lstat() permission denied errors from my tests.

I don't think apparmor is running, as aa-status, etc are not found. Likewise, there is no service apparmor to stop with systemctl.
 
Clamdscan does work in /tmp:
ok - then clamav works - the error of it not being able to scan a file in /root is expected (clamav-daemon is not running as root, and only root has access in /root)

sending eicar.txt locally here - works and clamav catches it:
Code:
Nov 19 17:35:41 pmg6 pmg-smtp-filter[7135]: 2020/11/19-17:35:41 CONNECT TCP Peer: "[127.0.0.1]:37622" Local: "[127.0.0.1]:10024"
Nov 19 17:35:41 pmg6 pmg-smtp-filter[7135]: 611F05FB69EDD054DE: new mail message-id=<20201119163540.GA5709@pmgsender.rosa.proxmox.com>
Nov 19 17:35:41 pmg6 clamd[988]: /var/spool/pmg/active/611F05FB69EDD054DE: Eicar-Signature FOUND
Nov 19 17:35:41 pmg6 clamd[988]: /var/spool/pmg/active/611F05FB69EDD054DE: Eicar-Signature FOUND
Nov 19 17:35:41 pmg6 pmg-smtp-filter[7135]: 611F05FB69EDD054DE: virus detected: Eicar-Signature (clamav)
Nov 19 17:35:41 pmg6 pmg-smtp-filter[7135]: 611F05FB69EDD054DE: SA score=0/5 time=0.334 bayes=undefined autolearn=disabled hits=ALL_TRUSTED(-1),KAM_DMARC_STATUS(0.01),TVD_SPACE_RATIO(0.001)
Nov 19 17:35:41 pmg6 pmg-smtp-filter[7135]: 611F05FB69EDD054DE: moved mail for <xxx@xxx> to virus quarantine - 639045FB69EDD59B84 (rule: quarall)

did you get the logs from the system's journal/syslog - or from mail.log? (clamav does not log to mail.log)
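To make the difference between the two syslog excerpts in this thread explicit, here is an added example (not from the thread or from Proxmox) that joins pmg-smtp-filter and clamd lines on the filter's queue id and says what each message's log actually shows. The sample lines are constructed to mirror the ones posted above; hosts, ids and addresses are made up.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the two excerpts in this thread: a clean
# message that pmg-smtp-filter accepted (no clamd line at all), and an EICAR
# message that clamd flagged and the rule system moved to the virus quarantine.
SAMPLE_SYSLOG = """\
Nov 16 18:25:36 mail01 pmg-smtp-filter[6040]: C127D5FB326908A97B: new mail message-id=<clean@example.test>
Nov 16 18:25:39 mail01 pmg-smtp-filter[6040]: C127D5FB326908A97B: SA score=0/5 time=2.514 bayes=undefined hits=AWL(0.032)
Nov 16 18:25:39 mail01 pmg-smtp-filter[6040]: C127D5FB326908A97B: accept mail to <user@example.test> (1DE56C1291) (rule: default-accept)
Nov 19 17:35:41 pmg6 pmg-smtp-filter[7135]: 611F05FB69EDD054DE: new mail message-id=<eicar@example.test>
Nov 19 17:35:41 pmg6 clamd[988]: /var/spool/pmg/active/611F05FB69EDD054DE: Eicar-Signature FOUND
Nov 19 17:35:41 pmg6 pmg-smtp-filter[7135]: 611F05FB69EDD054DE: virus detected: Eicar-Signature (clamav)
Nov 19 17:35:41 pmg6 pmg-smtp-filter[7135]: 611F05FB69EDD054DE: moved mail for <user@example.test> to virus quarantine - 639045FB69EDD59B84 (rule: quarall)
"""

# pmg-smtp-filter prefixes its lines with a queue id; clamd logs the spool
# path whose basename is that same id, so the two sources join on it.
FILTER_RE = re.compile(r" pmg-smtp-filter\[\d+\]: (?P<qid>[0-9A-F]+): (?P<msg>.*)$")
CLAMD_RE = re.compile(r" clamd\[\d+\]: /var/spool/pmg/active/(?P<qid>[0-9A-F]+): (?P<sig>\S+) FOUND$")
DETECTED_RE = re.compile(r"^virus detected: (?P<sig>\S+) \((?P<engine>\w+)\)$")
ACTION_RE = re.compile(r"^(?P<verb>\w+) mail (?:to|for) <[^>]*>"
                       r"(?: to (?P<dest>.+?) - \w+)?.*\(rule: (?P<rule>[^)]+)\)$")

def correlate(syslog_text):
    """Group clamd verdicts and pmg-smtp-filter actions by filter queue id."""
    records = defaultdict(lambda: {"clamd_found": [], "detected": None,
                                   "verb": None, "dest": None, "rule": None})
    for line in syslog_text.splitlines():
        if m := CLAMD_RE.search(line):
            records[m["qid"]]["clamd_found"].append(m["sig"])
            continue
        if not (m := FILTER_RE.search(line)):
            continue
        rec, msg = records[m["qid"]], m["msg"]
        if d := DETECTED_RE.match(msg):
            rec["detected"] = d["sig"]
        elif a := ACTION_RE.match(msg):
            rec.update(verb=a["verb"], dest=a["dest"], rule=a["rule"])
    return dict(records)

def classify(rec):
    """What the log says about one message; a missing clamd line is not a failure."""
    if rec["clamd_found"] and rec["dest"] == "virus quarantine":
        return "caught"
    if rec["clamd_found"] and rec["verb"] == "accept":
        return "detected-but-accepted"   # clamd hit, but the rule system let it through
    if not rec["clamd_found"] and rec["verb"] == "accept":
        return "clean"   # clamd only logs FOUND, so silence plus accept means no detection
    return "incomplete"

if __name__ == "__main__":
    for qid, rec in correlate(SAMPLE_SYSLOG).items():
        print(qid, classify(rec), rec["clamd_found"], rec["rule"])
```

Run against `journalctl -o short` output rather than mail.log, since clamd does not log there; a "detected-but-accepted" result is the case that would point at the rule system rather than at ClamAV.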
 
Hi Stoiko-
I do have the logs- which portion(s) should I share? I do not see any errors from Clam.
 
Hi Stoiko,
Thanks for your reply. I just tried the link you sent but it made it through PMG. Here are the lines from syslog:

Code:
Nov 23 11:25:31 mail01 postfix/smtpd[8807]: connect from web.heise.de[193.99.144.71]
Nov 23 11:25:32 mail01 postfix/smtpd[8807]: Anonymous TLS connection established from web.heise.de[193.99.144.71]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (4096 bits) server-digest SHA256
Nov 23 11:25:33 mail01 pmgpolicy[8521]: SPF says pass
Nov 23 11:25:33 mail01 postfix/smtpd[8807]: 11A9DC129C: client=web.heise.de[193.99.144.71]
Nov 23 11:25:33 mail01 postfix/cleanup[8809]: 11A9DC129C: message-id=<E1khGWh-0001Lx-Ay.octo05@web.heise.de>
Nov 23 11:25:33 mail01 postfix/qmgr[20643]: 11A9DC129C: from=<emailcheck-robot@ct.de>, size=2014, nrcpt=1 (queue active)
Nov 23 11:25:33 mail01 pmg-smtp-filter[8803]: 2020/11/23-11:25:33 CONNECT TCP Peer: "[127.0.0.1]:55470" Local: "[127.0.0.1]:10024"
Nov 23 11:25:33 mail01 pmg-smtp-filter[8803]: C13035FBBFE9D124B7: new mail message-id=<E1khGWh-0001Lx-Ay.octo05@web.heise.de>
Nov 23 11:25:33 mail01 postfix/smtpd[8807]: disconnect from web.heise.de[193.99.144.71] ehlo=2 starttls=1 mail=1 rcpt=1 bdat=1 quit=1 commands=7
Nov 23 11:25:34 mail01 pmg-smtp-filter[8803]: C13035FBBFE9D124B7: SA score=0/5 time=1.205 bayes=undefined autolearn=ham autolearn_force=no hits=JMQ_SPF_NEUTRAL(0.5),KAM_DMARC_STATUS(0.01),RCVD_IN_DNSWL_HI(-5),RCVD_IN_MSPIKE_H3(0.001),RCVD_IN_MSPIKE_WL(0.001),SPF_HELO_NONE(0.001),SPF_PASS(-0.001)
Nov 23 11:25:34 mail01 postfix/smtpd[8795]: connect from localhost.localdomain[127.0.0.1]
Nov 23 11:25:34 mail01 postfix/smtpd[8795]: 4B34AC130F: client=localhost.localdomain[127.0.0.1], orig_client=web.heise.de[193.99.144.71]
Nov 23 11:25:34 mail01 postfix/cleanup[8387]: 4B34AC130F: message-id=<E1khGWh-0001Lx-Ay.octo05@web.heise.de>
Nov 23 11:25:34 mail01 postfix/qmgr[20643]: 4B34AC130F: from=<emailcheck-robot@ct.de>, size=2719, nrcpt=1 (queue active)
Nov 23 11:25:34 mail01 postfix/smtpd[8795]: disconnect from localhost.localdomain[127.0.0.1] ehlo=1 xforward=1 mail=1 rcpt=1 data=1 commands=5
Nov 23 11:25:34 mail01 pmg-smtp-filter[8803]: C13035FBBFE9D124B7: accept mail to <bryan@milestonefe.com> (4B34AC130F) (rule: default-accept)
Nov 23 11:25:34 mail01 pmg-smtp-filter[8803]: C13035FBBFE9D124B7: processing time: 1.235 seconds (1.205, 0.021, 0)
Nov 23 11:25:34 mail01 postfix/lmtp[8802]: 11A9DC129C: to=<bryan@milestonefe.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=1.7, delays=0.49/0/0/1.2, dsn=2.5.0, status=sent (250 2.5.0 OK (C13035FBBFE9D124B7))
Nov 23 11:25:34 mail01 postfix/qmgr[20643]: 11A9DC129C: removed
Nov 23 11:25:34 mail01 postfix/smtp[8545]: Trusted TLS connection established to milestonefe-com.mail.protection.outlook.com[104.47.58.110]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Nov 23 11:25:37 mail01 postfix/smtp[8545]: 4B34AC130F: to=<bryan@milestonefe.com>, relay=milestonefe-com.mail.protection.outlook.com[104.47.58.110]:25, delay=2.8, delays=0/0/0.7/2.1, dsn=2.6.0, status=sent (250 2.6.0 <E1khGWh-0001Lx-Ay.octo05@web.heise.de> [InternalId=70171175691609, Hostname=BN6PR2001MB0978.namprd20.prod.outlook.com] 10897 bytes in 0.178, 59.582 KB/sec Queued mail for delivery)
Nov 23 11:25:37 mail01 postfix/qmgr[20643]: 4B34AC130F: removed
 
Is this maybe the first confirmation mail where you need to click to actually get the EICAR virus?
Does the mail you received indeed contain EICAR?
 
Oh, yes it was. Sorry, I don't speak German so I was a bit confused about the process.

It looks like it worked as expected, so this wasn't ever an issue to begin with.

Thank you so much for your help! We will be purchasing a subscription now that this is resolved.
 
Glad that worked :)

If possible please mark threads by you that have a solution as SOLVED (clicking on the 3 dots '...' above your first post->Edit Thread->Select 'SOLVED' as prefix) - for the next time - I already marked this one.

Thanks!
 