Clamd

eistek

Member
Dec 24, 2020
Turkey
I am new to Proxmox Mail Gateway.
I have just installed Proxmox from the ISO into a virtual machine. Everything looks OK.

When I send EICAR test files to my email address, the attached files pass through the gateway.

The /var/log/clamav/clamav.log file is empty.

ps aux shows clamd is running:
root@pmx:~# ps aux |grep clamd
clamav 920 0.1 35.5 1790488 1433784 ? Ssl Dec23 0:40 /usr/sbin/clamd.
Proxmox filters are at their defaults.

There is nothing in mail.log about clam:
root@pmx:~# cat /var/log/mail.log |grep clam
root@pmx:~#

What do I need to check? Do I need to enable something?
 
This is what I see in the tracking center. There is nothing about clam:


Dec 23 23:19:02 pmx postfix/smtpd[8847]: connect from batch.outbound.your-site.com[205.233.73.32]
Dec 23 23:19:03 pmx postfix/smtpd[8847]: D52F3341E4D: client=batch.outbound.your-site.com[205.233.73.32]
Dec 23 23:19:04 pmx postfix/cleanup[8852]: D52F3341E4D: message-id=<202012232018.0BNKItSi157415@9cdd9cea763b.web.vm.your-site.com>
Dec 23 23:19:04 pmx postfix/qmgr[5868]: D52F3341E4D: from=<eicar@aleph-tec.com>, size=2704, nrcpt=1 (queue active)
Dec 23 23:19:04 pmx postfix/smtpd[8847]: disconnect from batch.outbound.your-site.com[205.233.73.32] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Dec 23 23:19:04 pmx pmg-smtp-filter[7242]: 341EE85FE3A63810F97: new mail message-id=<202012232018.0BNKItSi157415@9cdd9cea763b.web.vm.your-site.com>#012
Dec 23 23:19:09 pmx pmg-smtp-filter[7242]: 341EE85FE3A63810F97: SA score=0/5 time=5.781 bayes=undefined autolearn=ham autolearn_force=no hits=AWL(0.222),KAM_DMARC_STATUS(0.01),RCVD_IN_DNSWL_BLOCKED(0.001),SPF_HELO_PASS(-0.001),SPF_PASS(-0.001),URIBL_BLOCKED(0.001)
Dec 23 23:19:09 pmx pmg-smtp-filter[7242]: 341EE85FE3A63810F97: adding disclaimer failed (rule: Balkan_Disclaimer)
Dec 23 23:19:09 pmx postfix/smtpd[8883]: connect from localhost.localdomain[127.0.0.1]
Dec 23 23:19:09 pmx postfix/smtpd[8883]: E8D43341EEA: client=localhost.localdomain[127.0.0.1], orig_client=batch.outbound.your-site.com[205.233.73.32]
Dec 23 23:19:09 pmx postfix/cleanup[8852]: E8D43341EEA: message-id=<202012232018.0BNKItSi157415@9cdd9cea763b.web.vm.your-site.com>
Dec 23 23:19:09 pmx postfix/qmgr[5868]: E8D43341EEA: from=<eicar@aleph-tec.com>, size=3616, nrcpt=1 (queue active)
Dec 23 23:19:09 pmx postfix/smtpd[8883]: disconnect from localhost.localdomain[127.0.0.1] ehlo=1 xforward=1 mail=1 rcpt=1 data=1 commands=5
Dec 23 23:19:09 pmx pmg-smtp-filter[7242]: 341EE85FE3A63810F97: accept mail to <test@blabla.com.tr> (E8D43341EEA) (rule: default-accept)
Dec 23 23:19:09 pmx pmg-smtp-filter[7242]: 341EE85FE3A63810F97: processing time: 5.898 seconds (5.781, 0.053, 0)
Dec 23 23:19:09 pmx postfix/lmtp[8853]: D52F3341E4D: to=<test@blabla.com.tr>, relay=127.0.0.1[127.0.0.1]:10024, delay=6.7, delays=0.8/0/0.01/5.9, dsn=2.5.0, status=sent (250 2.5.0 OK (341EE85FE3A63810F97))
Dec 23 23:19:09 pmx postfix/qmgr[5868]: D52F3341E4D: removed
Dec 23 23:19:10 pmx postfix/smtp[8884]: E8D43341EEA: to=<test@blabla.com.tr>, relay=188.132.217.107[188.132.217.107]:25, delay=0.12, delays=0.01/0/0/0.1, dsn=2.0.0, status=sent (250 Requested mail action okay, completed)
Dec 23 23:19:10 pmx postfix/qmgr[5868]: E8D43341EEA: removed
 
What kind of EICAR mail is that? Does it contain:

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

Or is it some kind of split/multipart EICAR?
 
> What kind of EICAR mail is that? Does it contain:
>
> X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
>
> Or is it some kind of split/multipart EICAR?
I am sending from here:
http://www.aleph-tec.com/eicar/

It is sending the following files in separate emails. The mails pass through my gateway. Kaspersky is deleting all of them on my client side:
eicar.com
eicar.com.txt
eicar_com.zip
eicarcom2.zip (double zip compressed eicar.com)
eicarpasswd.zip (new! - zip compressed eicar.com with password)
eicarpasswdocr.zip (new! - zip compressed eicar.com with password in image file)
 
I have also used the following web page to send infected test emails:

https://docs.libraesva.com/email-security-tester/

It is sending 15 separate infected emails. 14 passed through my gateway :(
and 1 of them is quarantined by the gateway:

root@pmx:~# cat /var/log/mail.log |grep clam
Dec 24 12:01:52 pmx pmg-smtp-filter[10666]: 341F075FE45900020E3: virus detected: Eicar-Signature (clamav)
root@pmx:~#


Kaspersky found all of them on the client side.
 