Emails are not being scanned by the ClamAV antivirus.

cahbe

Hello guys. I have an issue, and I couldn't find a solution on the forum. ClamAV is not scanning emails, and there is no ClamAV check in the Tracking Center logs. I sent test emails to myself to check the antivirus, but PMG doesn't scan them and lets them pass - https://www.aleph-tec.com/eicar/index.php:
Code:
2023-10-10T15:32:16.398622+03:00 pmg postfix/smtpd[984418]: connect from batch.outbound.your-site.com[205.233.73.32]
2023-10-10T15:32:18.039123+03:00 pmg postfix/smtpd[984418]: 097AD123029: client=batch.outbound.your-site.com[205.233.73.32]
2023-10-10T15:32:18.193684+03:00 pmg postfix/cleanup[984444]: 097AD123029: message-id=<202310101231.39ACVbfp224576@1098a9d7e562.web.vm.your-site.com>
2023-10-10T15:32:18.195485+03:00 pmg postfix/qmgr[781]: 097AD123029: from=<eicar@aleph-tec.com>, size=3152, nrcpt=1 (queue active)
2023-10-10T15:32:18.195582+03:00 pmg postfix/smtpd[984418]: disconnect from batch.outbound.your-site.com[205.233.73.32] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
2023-10-10T15:32:18.257901+03:00 pmg pmg-smtp-filter[981077]: 12302B652544523DB0F: new mail message-id=<202310101231.39ACVbfp224576@1098a9d7e562.web.vm.your-site.com>#012
2023-10-10T15:32:19.674809+03:00 pmg pmg-smtp-filter[981077]: 12302B652544523DB0F: SA score=0/5 time=1.382 bayes=undefined autolearn=disabled hits=DKIM_INVALID(0.1),DKIM_SIGNED(0.1),DMARC_MISSING(0.1),KAM_DMARC_STATUS(0.01),RCVD_IN_DNSWL_HI(-5),SPF_HELO_PASS(-0.001),SPF_PASS(-0.001)
2023-10-10T15:32:19.694231+03:00 pmg postfix/smtpd[984475]: connect from localhost.localdomain[127.0.0.1]
2023-10-10T15:32:19.695725+03:00 pmg postfix/smtpd[984475]: A9D3512302E: client=localhost.localdomain[127.0.0.1], orig_client=batch.outbound.your-site.com[205.233.73.32]
2023-10-10T15:32:19.740374+03:00 pmg postfix/cleanup[984444]: A9D3512302E: message-id=<202310101231.39ACVbfp224576@1098a9d7e562.web.vm.your-site.com>
2023-10-10T15:32:19.747903+03:00 pmg postfix/qmgr[781]: A9D3512302E: from=<eicar@aleph-tec.com>, size=3913, nrcpt=1 (queue active)
2023-10-10T15:32:19.748101+03:00 pmg postfix/smtpd[984475]: disconnect from localhost.localdomain[127.0.0.1] ehlo=1 xforward=1 mail=1 rcpt=1 data=1 commands=5
2023-10-10T15:32:19.748537+03:00 pmg pmg-smtp-filter[981077]: 12302B652544523DB0F: accept mail to <aleksandr.polivaniy@metrans.com.ua> (A9D3512302E) (rule: default-accept)
2023-10-10T15:32:19.750944+03:00 pmg pmg-smtp-filter[981077]: 12302B652544523DB0F: processing time: 1.495 seconds (1.382, 0.031, 0)
2023-10-10T15:32:19.751319+03:00 pmg postfix/lmtp[984446]: 097AD123029: to=<aleksandr.polivaniy@metrans.com.ua>, relay=127.0.0.1[127.0.0.1]:10024, delay=3, delays=1.5/0.01/0.05/1.5, dsn=2.5.0, status=sent (250 2.5.0 OK (12302B652544523DB0F))
2023-10-10T15:32:19.751479+03:00 pmg postfix/qmgr[781]: 097AD123029: removed
2023-10-10T15:32:20.865826+03:00 pmg postfix/smtp[984478]: A9D3512302E: to=<aleksandr.polivaniy@metrans.com.ua>, relay=192.168.31.120[192.168.31.120]:25, delay=1.2, delays=0.05/0.01/0/1.1, dsn=2.0.0, status=sent (250 11452242 message accepted for delivery)
2023-10-10T15:32:20.865929+03:00 pmg postfix/qmgr[781]: A9D3512302E: removed
I haven't changed PMG settings; everything is set to default. In the server console, ClamAV scans folders without errors. The log file /var/log/clamav/clamav.log is empty.

Package versions:
Code:
proxmox-mailgateway: 8.0.1
pmg-api: 8.0.7
pmg-gui: 4.0.2
pve-kernel-6.2: 8.0.5
proxmox-kernel-helper: 8.0.3
proxmox-kernel-6.2.16-15-pve: 6.2.16-15
proxmox-kernel-6.2: 6.2.16-15
pve-kernel-6.2.16-3-pve: 6.2.16-3
clamav-daemon: 1.0.3+dfsg-1~deb12u1
ifupdown2: 3.2.0-1+pmx5
libarchive-perl: 3.6.2
libjs-extjs: 7.0.0-4
libjs-framework7: 4.4.7-2
libproxmox-acme-perl: 1.4.6
libproxmox-acme-plugins: 1.4.6
libpve-apiclient-perl: 3.3.0
libpve-common-perl: 8.0.9
libpve-http-server-perl: 5.0.4
libxdgmime-perl: 1.1.0
lvm2: 2.03.16-2
pmg-docs: 8.0.1
pmg-i18n: 3.0.7
pmg-log-tracker: 2.4.1
proxmox-mini-journalreader: 1.4.0
proxmox-offline-mirror-helper: 0.6.2
proxmox-spamassassin: 4.0.0-4
proxmox-widget-toolkit: 4.0.9
pve-firmware: 3.8-2
pve-xtermjs: 4.16.0-3
zfsutils-linux: 2.1.13-pve1
 
Any chance the logs you're sending are for the initial - test/confirmation mail?
I just tried the aleph-tec site - and only received this mail (which did not contain eicar...) - I would guess that something in the path before PMG already blocks the eicar testfile ...
try downloading the eicar signature (or simply copy it - it's a short text) and send it through PMG - this should work quite reliably
 
The problem is that incoming emails are not being checked by the antivirus. PMG is configured only for receiving mail. The issue is specifically that no emails are being scanned by the antivirus, there are no entries in the antivirus logs, and there are no mentions of ClamAV in the server logs at all.
 
check the journal to get a complete picture (mail.log never had anything to do with clamav ..., if you want to use syslogs - syslog is the file)
 
Do you mean the file /var/log/syslog?
Code:
2023-10-11T12:13:48.374255+03:00 pmg pmg-smtp-filter[431442]: 1227E36526674C59531: new mail message-id=<202310110913.39B9DGlp333444@1098a9d7e562.web.vm.your-site.com>#012
2023-10-11T12:13:49.324482+03:00 pmg pmg-smtp-filter[431471]: WARNING: check: dns_block_rule URIBL_BLOCKED hit, creating /root/.spamassassin/dnsblock_multi.uribl.com (This means DNSBL blocked you due to too many queries. Set all affected rules score to 0, or use "dns_query_restriction deny multi.uribl.com" to disable queries)
2023-10-11T12:13:49.334466+03:00 pmg pmg-smtp-filter[431471]: 1227DC6526674BD070F: SA score=0/5 time=1.446 bayes=undefined autolearn=disabled hits=DKIM_INVALID(0.1),DKIM_SIGNED(0.1),DMARC_MISSING(0.1),KAM_DMARC_STATUS(0.01),SPF_HELO_PASS(-0.001),SPF_PASS(-0.001),URIBL_BLOCKED(0.001),URIBL_DBL_BLOCKED_OPENDNS(0.001)
2023-10-11T12:13:49.337556+03:00 pmg postfix/smtpd[431412]: connect from localhost.localdomain[127.0.0.1]
2023-10-11T12:13:49.338881+03:00 pmg postfix/smtpd[431412]: 52B2B1227E4: client=localhost.localdomain[127.0.0.1], orig_client=batch.outbound.your-site.com[205.233.73.32]
2023-10-11T12:13:49.381789+03:00 pmg postfix/cleanup[431386]: 52B2B1227E4: message-id=<202310110913.39B9DG34333432@1098a9d7e562.web.vm.your-site.com>
2023-10-11T12:13:49.388456+03:00 pmg postfix/qmgr[694]: 52B2B1227E4: from=<eicar@aleph-tec.com>, size=4226, nrcpt=1 (queue active)
2023-10-11T12:13:49.388600+03:00 pmg postfix/smtpd[431412]: disconnect from localhost.localdomain[127.0.0.1] ehlo=1 xforward=1 mail=1 rcpt=1 data=1 commands=5
2023-10-11T12:13:49.388714+03:00 pmg pmg-smtp-filter[431471]: 1227DC6526674BD070F: accept mail to <aleksandr.polivaniy@metrans.com.ua> (52B2B1227E4) (rule: default-accept)
2023-10-11T12:13:49.391649+03:00 pmg pmg-smtp-filter[431471]: 1227DC6526674BD070F: processing time: 1.534 seconds (1.446, 0.027, 0)
2023-10-11T12:13:49.391966+03:00 pmg postfix/lmtp[431456]: A03F41203DE: to=<aleksandr.polivaniy@metrans.com.ua>, relay=127.0.0.1[127.0.0.1]:10024, delay=1.9, delays=0.34/0/0.04/1.5, dsn=2.5.0, status=sent (250 2.5.0 OK (1227DC6526674BD070F))
2023-10-11T12:13:49.392072+03:00 pmg postfix/qmgr[694]: A03F41203DE: removed
2023-10-11T12:13:49.443405+03:00 pmg postfix/smtp[431478]: 52B2B1227E4: to=<aleksandr.polivaniy@metrans.com.ua>, relay=192.168.31.120[192.168.31.120]:25, delay=0.1, delays=0.05/0/0/0.05, dsn=2.0.0, status=sent (250 11454286 message accepted for delivery)
2023-10-11T12:13:49.443542+03:00 pmg postfix/qmgr[694]: 52B2B1227E4: removed
2023-10-11T12:13:49.765417+03:00 pmg pmg-smtp-filter[431442]: 1227E36526674C59531: SA score=0/5 time=1.347 bayes=undefined autolearn=disabled hits=DKIM_INVALID(0.1),DKIM_SIGNED(0.1),DMARC_MISSING(0.1),HTML_IMAGE_ONLY_04(0.342),HTML_MESSAGE(0.001),KAM_DMARC_STATUS(0.01),MIME_HTML_ONLY(0.1),SPF_HELO_PASS(-0.001),SPF_PASS(-0.001),URIBL_BLOCKED(0.001),URIBL_DBL_BLOCKED_OPENDNS(0.001)
2023-10-11T12:13:49.768274+03:00 pmg postfix/smtpd[431067]: connect from localhost.localdomain[127.0.0.1]
2023-10-11T12:13:49.769399+03:00 pmg postfix/smtpd[431067]: BBCFC1203DE: client=localhost.localdomain[127.0.0.1], orig_client=batch.outbound.your-site.com[205.233.73.32]
2023-10-11T12:13:49.813777+03:00 pmg postfix/cleanup[431444]: BBCFC1203DE: message-id=<202310110913.39B9DGlp333444@1098a9d7e562.web.vm.your-site.com>
2023-10-11T12:13:49.816430+03:00 pmg postfix/qmgr[694]: BBCFC1203DE: from=<eicar@aleph-tec.com>, size=6682, nrcpt=1 (queue active)
2023-10-11T12:13:49.816606+03:00 pmg postfix/smtpd[431067]: disconnect from localhost.localdomain[127.0.0.1] ehlo=1 xforward=1 mail=1 rcpt=1 data=1 commands=5
2023-10-11T12:13:49.816734+03:00 pmg pmg-smtp-filter[431442]: 1227E36526674C59531: accept mail to <aleksandr.polivaniy@metrans.com.ua> (BBCFC1203DE) (rule: default-accept)
2023-10-11T12:13:49.819261+03:00 pmg pmg-smtp-filter[431442]: 1227E36526674C59531: processing time: 1.45 seconds (1.347, 0.04, 0)
2023-10-11T12:13:49.819589+03:00 pmg postfix/lmtp[431380]: 03D1D1227E2: to=<aleksandr.polivaniy@metrans.com.ua>, relay=127.0.0.1[127.0.0.1]:10024, delay=2, delays=0.49/0/0.04/1.5, dsn=2.5.0, status=sent (250 2.5.0 OK (1227E36526674C59531))
2023-10-11T12:13:49.819758+03:00 pmg postfix/qmgr[694]: 03D1D1227E2: removed
2023-10-11T12:13:49.870210+03:00 pmg postfix/smtp[431387]: BBCFC1203DE: to=<aleksandr.polivaniy@metrans.com.ua>, relay=192.168.31.120[192.168.31.120]:25, delay=0.1, delays=0.05/0/0/0.05, dsn=2.0.0, status=sent (250 11454287 message accepted for delivery)
2023-10-11T12:13:49.870344+03:00 pmg postfix/qmgr[694]: BBCFC1203DE: removed
2023-10-11T12:14:07.177865+03:00 pmg postfix/scache[431399]: statistics: start interval Oct 11 12:11:53
2023-10-11T12:14:07.178138+03:00 pmg postfix/scache[431399]: statistics: domain lookup hits=0 miss=3 success=0%
2023-10-11T12:14:07.178191+03:00 pmg postfix/scache[431399]: statistics: address lookup hits=0 miss=3 success=0%
2023-10-11T12:14:07.178238+03:00 pmg postfix/scache[431399]: statistics: max simultaneous domains=1 addresses=1 connection=1
2023-10-11T12:14:19.847486+03:00 pmg pmg-smtp-filter[698]: Killing "1" children
2023-10-11T12:15:03.372345+03:00 pmg pmgpolicy[697]: starting policy database maintenance (greylist, rbl)
2023-10-11T12:15:03.394303+03:00 pmg pmgpolicy[697]: end policy database maintenance (14 ms, 2 ms)
2023-10-11T12:15:10.005249+03:00 pmg pmg-smtp-filter[698]: starting database maintenance
2023-10-11T12:15:10.020717+03:00 pmg pmg-smtp-filter[698]: end database maintenance (15 ms)

The only mention of 'claim' in this file is as follows:

Code:
2023-10-10T16:34:52.633742+03:00 pmg kernel: [    1.024790] pci 0000:00:07.1: legacy IDE quirk: reg 0x18: [io  0x0170-0x0177]
2023-10-10T16:34:52.633742+03:00 pmg kernel: [    1.024792] pci 0000:00:07.1: legacy IDE quirk: reg 0x1c: [io  0x0376]
2023-10-10T16:34:52.633747+03:00 pmg kernel: [    1.036784] * Found PM-Timer Bug on the chipset. Due to workarounds for a bug,
2023-10-10T16:34:52.633748+03:00 pmg kernel: [    1.036784] * this clock source is slow. Consider trying other clock sources
2023-10-10T16:34:52.633765+03:00 pmg kernel: [    1.036786] pci 0000:00:07.3: [8086:7113] type 00 class 0x068000
2023-10-10T16:34:52.633766+03:00 pmg kernel: [    1.096862] pci 0000:00:07.3: quirk: [io  0x0400-0x043f] claimed by PIIX4 ACPI
2023-10-10T16:34:52.633767+03:00 pmg kernel: [    1.112784] pci 0000:00:08.0: [1414:5353] type 00 class 0x030000
2023-10-10T16:34:52.633771+03:00 pmg kernel: [    1.124785] pci 0000:00:08.0: reg 0x10: [mem 0xf8000000-0xfbffffff]
2023-10-10T16:34:52.633772+03:00 pmg kernel: [    1.236854] pci 0000:00:08.0: Video device with shadowed ROM at [mem 0x000c0000-0x000dffff]

Shouldn't there be mentions of the antivirus in the tracking center?
 
The only mention of 'claim' in this file is as follows:
the service would match clam (without the 'i')

what's the output of:
* `systemctl status clamav-daemon`
* `systemctl status clamav-freshclam`
* `journalctl -u clamav-daemon`
* `journalctl -u clamav-freshclam`

(please post the output as text instead of screenshots)

on an unrelated note - it seems your PMG (or rather the DNS server it uses) runs into the ratelimit at certain important DNSBL services:
URIBL_BLOCKED(0.001),URIBL_DBL_BLOCKED_OPENDNS

check the Getting Started Page in the PMG wiki for some hints and valuable tips (also all linked pages):
https://pmg.proxmox.com/wiki/index.php/Getting_started_with_Proxmox_Mail_Gateway

I hope this helps!
 
the service would match clam (without the 'i')
Yes, thank you, I didn't notice. Searching for 'clam' in syslog only shows self-check and database update entries, everything is OK.

Code:
root@pmg:~# systemctl status clamav-daemon
● clamav-daemon.service - Clam AntiVirus userspace daemon
     Loaded: loaded (/lib/systemd/system/clamav-daemon.service; enabled; preset: enabled)
    Drop-In: /etc/systemd/system/clamav-daemon.service.d
             └─extend.conf
     Active: active (running) since Tue 2023-10-10 16:52:01 EEST; 20h ago
TriggeredBy: ● clamav-daemon.socket
       Docs: man:clamd(8)
             man:clamd.conf(5)
             https://docs.clamav.net/
    Process: 4448 ExecStartPre=/bin/mkdir -p /run/clamav (code=exited, status=0/SUCCESS)
    Process: 4450 ExecStartPre=/bin/chown clamav /run/clamav (code=exited, status=0/SUCCESS)
   Main PID: 4451 (clamd)
      Tasks: 6 (limit: 2138)
     Memory: 1.3G
        CPU: 1min 33.850s
     CGroup: /system.slice/clamav-daemon.service
             └─4451 /usr/sbin/clamd --foreground=true

Oct 11 11:35:12 pmg clamd[4451]: Reading databases from /var/lib/clamav/
Oct 11 11:35:12 pmg clamd[4451]: Reading databases from /var/lib/clamav/
Oct 11 11:35:30 pmg clamd[4451]: Database correctly reloaded (8674775 signatures)
Oct 11 11:35:30 pmg clamd[4451]: Activating the newly loaded database...
Oct 11 11:35:30 pmg clamd[4451]: Database correctly reloaded (8674775 signatures)
Oct 11 11:35:30 pmg clamd[4451]: Activating the newly loaded database...
Oct 11 11:58:16 pmg clamd[4451]: SelfCheck: Database status OK.
Oct 11 11:58:16 pmg clamd[4451]: SelfCheck: Database status OK.
Oct 11 12:58:29 pmg clamd[4451]: SelfCheck: Database status OK.
Oct 11 12:58:29 pmg clamd[4451]: SelfCheck: Database status OK.
Code:
root@pmg:~# systemctl status clamav-freshclam
● clamav-freshclam.service - ClamAV virus database updater
     Loaded: loaded (/lib/systemd/system/clamav-freshclam.service; enabled; preset: enabled)
     Active: active (running) since Tue 2023-10-10 16:34:59 EEST; 20h ago
       Docs: man:freshclam(1)
             man:freshclam.conf(5)
             https://docs.clamav.net/
   Main PID: 590 (freshclam)
      Tasks: 1 (limit: 2138)
     Memory: 104.0M
        CPU: 7.158s
     CGroup: /system.slice/clamav-freshclam.service
             └─590 /usr/bin/freshclam -d --foreground=true

Oct 11 12:35:12 pmg freshclam[590]: ClamAV update process started at Wed Oct 11 12:35:12 2023
Oct 11 12:35:12 pmg freshclam[590]: Received signal: wake up
Oct 11 12:35:12 pmg freshclam[590]: ClamAV update process started at Wed Oct 11 12:35:12 2023
Oct 11 12:35:12 pmg freshclam[590]: daily.cld database is up-to-date (version: 27058, sigs: 2042890, f-level: 90, builder: raynman)
Oct 11 12:35:12 pmg freshclam[590]: main.cvd database is up-to-date (version: 62, sigs: 6647427, f-level: 90, builder: sigmgr)
Oct 11 12:35:12 pmg freshclam[590]: daily.cld database is up-to-date (version: 27058, sigs: 2042890, f-level: 90, builder: raynman)
Oct 11 12:35:12 pmg freshclam[590]: bytecode.cvd database is up-to-date (version: 334, sigs: 91, f-level: 90, builder: anvilleg)
Oct 11 12:35:12 pmg freshclam[590]: main.cvd database is up-to-date (version: 62, sigs: 6647427, f-level: 90, builder: sigmgr)
Oct 11 12:35:12 pmg freshclam[590]: bytecode.cvd database is up-to-date (version: 334, sigs: 91, f-level: 90, builder: anvilleg)
Oct 11 12:35:12 pmg freshclam[590]: --------------------------------------
Code:
root@pmg:~# journalctl -u clamav-daemon
Jul 10 15:04:04 pmg systemd[1]: Starting clamav-daemon.service - Clam AntiVirus userspace daemon...
Jul 10 15:04:04 pmg systemd[1]: Started clamav-daemon.service - Clam AntiVirus userspace daemon.
Jul 10 15:04:04 pmg clamd[615]: Received 1 file descriptor(s) from systemd.
Jul 10 15:04:04 pmg clamd[615]: clamd daemon 1.0.1 (OS: Linux, ARCH: x86_64, CPU: x86_64)
Jul 10 15:04:04 pmg clamd[615]: Log file size limited to 4294967295 bytes.
Jul 10 15:04:04 pmg clamd[615]: Reading databases from /var/lib/clamav/
Jul 10 15:04:04 pmg clamd[615]: Not loading PUA signatures.
Jul 10 15:04:04 pmg clamd[615]: Bytecode: Security mode set to "TrustSigned".
Jul 10 15:04:04 pmg clamd[615]: LibClamAV Warning: **************************************************
Jul 10 15:04:04 pmg clamd[615]: LibClamAV Warning: ***  The virus database is older than 7 days!  ***
Jul 10 15:04:04 pmg clamd[615]: LibClamAV Warning: ***   Please update it as soon as possible.    ***
Jul 10 15:04:04 pmg clamd[615]: LibClamAV Warning: **************************************************
Jul 10 15:04:47 pmg clamd[615]: Loaded 8669609 signatures.
Jul 10 15:04:54 pmg clamd[615]: TCP: No tcp AF_INET/AF_INET6 SOCK_STREAM socket received from systemd.
Jul 10 15:04:54 pmg clamd[615]: LOCAL: Received AF_UNIX SOCK_STREAM socket from systemd.
Jul 10 15:04:54 pmg clamd[615]: Limits: Global time limit set to 120000 milliseconds.
Jul 10 15:04:54 pmg clamd[615]: Limits: Global size limit set to 100000000 bytes.
Jul 10 15:04:54 pmg clamd[615]: Limits: File size limit set to 25000000 bytes.
Jul 10 15:04:54 pmg clamd[615]: Limits: Recursion level limit set to 5.
Jul 10 15:04:54 pmg clamd[615]: Limits: Files limit set to 1000.
Jul 10 15:04:54 pmg clamd[615]: Limits: MaxEmbeddedPE limit set to 41943040 bytes.
Jul 10 15:04:54 pmg clamd[615]: Limits: MaxHTMLNormalize limit set to 41943040 bytes.
Jul 10 15:04:54 pmg clamd[615]: Limits: MaxHTMLNoTags limit set to 8388608 bytes.
Jul 10 15:04:54 pmg clamd[615]: Limits: MaxScriptNormalize limit set to 20971520 bytes.
Jul 10 15:04:54 pmg clamd[615]: Limits: MaxZipTypeRcg limit set to 1048576 bytes.
Jul 10 15:04:54 pmg clamd[615]: Limits: MaxPartitions limit set to 50.
Jul 10 15:04:54 pmg clamd[615]: Limits: MaxIconsPE limit set to 100.
Jul 10 15:04:54 pmg clamd[615]: Limits: MaxRecHWP3 limit set to 16.
Jul 10 15:04:54 pmg clamd[615]: Limits: PCREMatchLimit limit set to 100000.
Jul 10 15:04:54 pmg clamd[615]: Limits: PCRERecMatchLimit limit set to 2000.
Jul 10 15:04:54 pmg clamd[615]: Limits: PCREMaxFileSize limit set to 104857600.
Jul 10 15:04:54 pmg clamd[615]: Archive support enabled.
Jul 10 15:04:54 pmg clamd[615]: AlertExceedsMax heuristic detection disabled.
Jul 10 15:04:54 pmg clamd[615]: Heuristic alerts enabled.
Jul 10 15:04:54 pmg clamd[615]: Portable Executable support enabled.
Jul 10 15:04:54 pmg clamd[615]: ELF support enabled.
Jul 10 15:04:54 pmg clamd[615]: Alerting on broken executables enabled.
Jul 10 15:04:54 pmg clamd[615]: Mail files support enabled.
Jul 10 15:04:54 pmg clamd[615]: OLE2 support enabled.
Jul 10 15:04:54 pmg clamd[615]: PDF support enabled.
Jul 10 15:04:54 pmg clamd[615]: SWF support enabled.
Jul 10 15:04:54 pmg clamd[615]: HTML support enabled.
Jul 10 15:04:54 pmg clamd[615]: XMLDOCS support enabled.
Jul 10 15:04:54 pmg clamd[615]: HWP3 support enabled.
Jul 10 15:04:54 pmg clamd[615]: Self checking every 3600 seconds.
Jul 10 15:04:54 pmg clamd[615]: Limits: Global time limit set to 120000 milliseconds.
Jul 10 15:04:54 pmg clamd[615]: Reading databases from /var/lib/clamav/
Jul 10 15:04:54 pmg clamd[615]: Limits: Global size limit set to 100000000 bytes.
Jul 10 15:04:54 pmg clamd[615]: Limits: File size limit set to 25000000 bytes.
Jul 10 15:04:54 pmg clamd[615]: Limits: Recursion level limit set to 5.
Jul 10 15:04:54 pmg clamd[615]: Limits: Files limit set to 1000.
Jul 10 15:04:54 pmg clamd[615]: Limits: MaxEmbeddedPE limit set to 41943040 bytes.
Jul 10 15:04:54 pmg clamd[615]: Limits: MaxHTMLNormalize limit set to 41943040 bytes.
Jul 10 15:04:54 pmg clamd[615]: Limits: MaxHTMLNoTags limit set to 8388608 bytes.
Jul 10 15:04:54 pmg clamd[615]: Limits: MaxScriptNormalize limit set to 20971520 bytes.
Jul 10 15:04:54 pmg clamd[615]: Limits: MaxZipTypeRcg limit set to 1048576 bytes.
Code:
root@pmg:~# journalctl -u clamav-freshclam
Jul 10 15:04:04 pmg systemd[1]: Started clamav-freshclam.service - ClamAV virus database updater.
Jul 10 15:04:04 pmg freshclam[606]: freshclam daemon 1.0.1 (OS: Linux, ARCH: x86_64, CPU: x86_64)
Jul 10 15:04:04 pmg freshclam[606]: ClamAV update process started at Mon Jul 10 15:04:04 2023
Jul 10 15:04:04 pmg freshclam[606]: ClamAV update process started at Mon Jul 10 15:04:04 2023
Jul 10 15:04:04 pmg freshclam[606]: Pruning unwanted or deprecated database file safebrowsing.cvd.
Jul 10 15:04:04 pmg freshclam[606]: daily database available for update (local version: 26953, remote version: 26965)
Jul 10 15:04:04 pmg freshclam[606]: daily database available for update (local version: 26953, remote version: 26965)
Jul 10 15:04:20 pmg freshclam[606]: Testing database: '/var/lib/clamav//tmp.8b8070cc96/clamav-440312585931990c556555265a2af2fb.tmp-daily.cld' ...
Jul 10 15:04:20 pmg freshclam[606]: Testing database: '/var/lib/clamav//tmp.8b8070cc96/clamav-440312585931990c556555265a2af2fb.tmp-daily.cld' ...
Jul 10 15:04:37 pmg freshclam[606]: Database test passed.
Jul 10 15:04:37 pmg freshclam[606]: daily.cld updated (version: 26965, sigs: 2038809, f-level: 90, builder: raynman)
Jul 10 15:04:37 pmg freshclam[606]: Database test passed.
Jul 10 15:04:37 pmg freshclam[606]: daily.cld updated (version: 26965, sigs: 2038809, f-level: 90, builder: raynman)
Jul 10 15:04:37 pmg freshclam[606]: main.cvd database is up-to-date (version: 62, sigs: 6647427, f-level: 90, builder: sigmgr)
Jul 10 15:04:37 pmg freshclam[606]: main.cvd database is up-to-date (version: 62, sigs: 6647427, f-level: 90, builder: sigmgr)
Jul 10 15:04:37 pmg freshclam[606]: bytecode.cvd database is up-to-date (version: 334, sigs: 91, f-level: 90, builder: anvilleg)
Jul 10 15:04:37 pmg freshclam[606]: bytecode.cvd database is up-to-date (version: 334, sigs: 91, f-level: 90, builder: anvilleg)
Jul 10 15:04:54 pmg freshclam[606]: Clamd successfully notified about the update.
Jul 10 15:04:54 pmg freshclam[606]: Clamd successfully notified about the update.
Jul 10 15:04:54 pmg freshclam[606]: --------------------------------------
Jul 10 15:46:04 pmg systemd[1]: Stopping clamav-freshclam.service - ClamAV virus database updater...
Jul 10 15:46:04 pmg freshclam[606]: Update process terminated
Jul 10 15:46:04 pmg freshclam[606]: Update process terminated
Jul 10 15:46:04 pmg systemd[1]: clamav-freshclam.service: Deactivated successfully.
Jul 10 15:46:04 pmg systemd[1]: Stopped clamav-freshclam.service - ClamAV virus database updater.
Jul 10 15:46:04 pmg systemd[1]: clamav-freshclam.service: Consumed 20.281s CPU time.
-- Boot 2dcdde9750364623ab3036b9b454dc28 --
Jul 10 15:46:43 pmg systemd[1]: Started clamav-freshclam.service - ClamAV virus database updater.
Jul 10 15:46:43 pmg freshclam[585]: ClamAV update process started at Mon Jul 10 15:46:43 2023
Jul 10 15:46:43 pmg freshclam[585]: freshclam daemon 1.0.1 (OS: Linux, ARCH: x86_64, CPU: x86_64)
Jul 10 15:46:43 pmg freshclam[585]: ClamAV update process started at Mon Jul 10 15:46:43 2023
Jul 10 15:46:43 pmg freshclam[585]: daily.cld database is up-to-date (version: 26965, sigs: 2038809, f-level: 90, builder: raynman)
Jul 10 15:46:43 pmg freshclam[585]: main.cvd database is up-to-date (version: 62, sigs: 6647427, f-level: 90, builder: sigmgr)
Jul 10 15:46:43 pmg freshclam[585]: bytecode.cvd database is up-to-date (version: 334, sigs: 91, f-level: 90, builder: anvilleg)
Jul 10 15:46:43 pmg freshclam[585]: daily.cld database is up-to-date (version: 26965, sigs: 2038809, f-level: 90, builder: raynman)
Jul 10 15:46:43 pmg freshclam[585]: main.cvd database is up-to-date (version: 62, sigs: 6647427, f-level: 90, builder: sigmgr)
Jul 10 15:46:43 pmg freshclam[585]: bytecode.cvd database is up-to-date (version: 334, sigs: 91, f-level: 90, builder: anvilleg)
Jul 10 15:46:43 pmg freshclam[585]: --------------------------------------
Jul 10 15:56:33 pmg systemd[1]: Stopping clamav-freshclam.service - ClamAV virus database updater...
Jul 10 15:56:33 pmg freshclam[585]: Update process terminated
Jul 10 15:56:33 pmg freshclam[585]: Update process terminated
Jul 10 15:56:33 pmg systemd[1]: clamav-freshclam.service: Deactivated successfully.
Jul 10 15:56:33 pmg systemd[1]: Stopped clamav-freshclam.service - ClamAV virus database updater.
-- Boot b5548fa9d2194f8a9f2a593e5103b82a --
Jul 10 15:57:09 pmg systemd[1]: Started clamav-freshclam.service - ClamAV virus database updater.
Jul 10 15:57:09 pmg freshclam[587]: freshclam daemon 1.0.1 (OS: Linux, ARCH: x86_64, CPU: x86_64)
Jul 10 15:57:09 pmg freshclam[587]: ClamAV update process started at Mon Jul 10 15:57:09 2023
Jul 10 15:57:09 pmg freshclam[587]: ClamAV update process started at Mon Jul 10 15:57:09 2023
Jul 10 15:57:09 pmg freshclam[587]: daily.cld database is up-to-date (version: 26965, sigs: 2038809, f-level: 90, builder: raynman)
Jul 10 15:57:09 pmg freshclam[587]: daily.cld database is up-to-date (version: 26965, sigs: 2038809, f-level: 90, builder: raynman)
Jul 10 15:57:09 pmg freshclam[587]: main.cvd database is up-to-date (version: 62, sigs: 6647427, f-level: 90, builder: sigmgr)
Jul 10 15:57:09 pmg freshclam[587]: bytecode.cvd database is up-to-date (version: 334, sigs: 91, f-level: 90, builder: anvilleg)
Jul 10 15:57:09 pmg freshclam[587]: main.cvd database is up-to-date (version: 62, sigs: 6647427, f-level: 90, builder: sigmgr)
Jul 10 15:57:09 pmg freshclam[587]: bytecode.cvd database is up-to-date (version: 334, sigs: 91, f-level: 90, builder: anvilleg)
Jul 10 15:57:09 pmg freshclam[587]: --------------------------------------
Jul 10 16:57:09 pmg freshclam[587]: Received signal: wake up

I think we need to look for the problem not in the Debian console, but in the routes and rules of PMG itself. It feels like the 'Block Viruses' rule in MailFilter, while active, is not being applied. Or What Objects - 'Virus' is not being applied to incoming emails
 
I think we need to look for the problem not in the Debian console, but in the routes and rules of PMG itself. It feels like the 'Block Viruses' rule in MailFilter, while active, is not being applied. Or What Objects - 'Virus' is not being applied to incoming emails
As said - depending on what you're testing with it should work for mails coming in on the external port in the default ruleset
What could happen is that the particular test (website or local mail) is not working

service looks ok and running

How are you testing? did you use anything apart from the aleph-tec tests (which I don't think work anymore)?
 
I received an email, spam with a virus-infected *.docx in a regular .zip archive. Windows Defender caught and removed the virus, but I started to investigate why the email got through on PMG and how it happened. However, I encountered this problem - the antivirus on PMG doesn't catch anything at all and doesn't even attempt to do so. I found mention of this test here on the forum in topics discussing ClamAV's poor performance, but at least it catches something. I checked this email with the 'stationary' ClamAV antivirus on my Windows computer, and it detects it as a virus, which means PMG should have recognized it, but it seems it's not scanning emails for viruses.

If the antivirus is working and rules are sending emails to it for scanning, there should be some log files of the antivirus's operation, scan reports, mentions in the tracking center that the email was tested by the antivirus, and attachments were scanned by the antivirus. Can you show a screenshot of your tracking center with a blocked email due to a virus?
 
Here you go (after replacing domain-names and ips):
Oct 12 12:01:25 pmg8 postfix/postscreen[27159]: CONNECT from [192.0.2.70]:59968 to [192.0.2.66]:25
Oct 12 12:01:25 pmg8 postfix/postscreen[27159]: WHITELISTED [192.0.2.70]:59968
Oct 12 12:01:25 pmg8 postfix/smtpd[27161]: connect from pmgsender[192.0.2.70]
Oct 12 12:01:25 pmg8 pmgpolicy[27180]: reloading configuration Proxmox_ruledb
Oct 12 12:01:25 pmg8 postfix/smtpd[27161]: NOQUEUE: client=pmgsender[192.0.2.70]
Oct 12 12:01:25 pmg8 pmg-smtp-filter[20591]: 2023/10/12-12:01:25 CONNECT TCP Peer: "[127.0.0.1]:59056" Local: "[127.0.0.1]:10024"
Oct 12 12:01:25 pmg8 pmg-smtp-filter[20591]: 605CF6527C3F57DD89: new mail message-id=<20231012100126.GB866@pmgsender.sender.domain>
Oct 12 12:01:25 pmg8 clamd[18944]: /var/spool/pmg/active/605CF6527C3F57DD89: Eicar-Signature FOUND
Oct 12 12:01:25 pmg8 clamd[18944]: /var/spool/pmg/active/605CF6527C3F57DD89: Eicar-Signature FOUND
Oct 12 12:01:25 pmg8 pmg-smtp-filter[20591]: 605CF6527C3F57DD89: virus detected: Eicar-Signature (clamav)
Oct 12 12:01:25 pmg8 pmg-smtp-filter[20591]: 605CF6527C3F57DD89: SA score=1/5 time=0.263 bayes=undefined autolearn=disabled hits=ALL_TRUSTED(-1),KAM_DMARC_STATUS(0.01),KAM_LAZY_DOMAIN_SECURITY(1),PDS_BRAND_SUBJ_NAKED_TO(0.999),SPF_NONE(0.001)
Oct 12 12:01:25 pmg8 postfix/smtpd[27190]: connect from localhost[127.0.0.1]
Oct 12 12:01:25 pmg8 postfix/smtpd[27190]: C53AF6084A: client=localhost[127.0.0.1]
Oct 12 12:01:25 pmg8 postfix/cleanup[27191]: C53AF6084A: message-id=<20231012100125.C53AF6084A@pmg8.sender.domain>
Oct 12 12:01:25 pmg8 postfix/smtpd[27190]: disconnect from localhost[127.0.0.1] ehlo=1 mail=1 rcpt=1 data=1 commands=4
Oct 12 12:01:25 pmg8 pmg-smtp-filter[20591]: 605CF6527C3F57DD89: notify <admin@admin.domain> (rule: Block Viruses, C53AF6084A)
Oct 12 12:01:25 pmg8 postfix/qmgr[788]: C53AF6084A: from=<postmaster@pmg8.sender.domain>, size=1373, nrcpt=1 (queue active)
Oct 12 12:01:25 pmg8 postfix/smtp[27192]: Trusted TLS connection established to mail.admin.domain[192.168.2.33]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)
Oct 12 12:01:25 pmg8 pmg-smtp-filter[20591]: 605CF6527C3F57DD89: moved mail for <user@receiver.domain> to virus quarantine - 608C66527C3F5D45DD (rule: Block Viruses)
Oct 12 12:01:25 pmg8 pmg-smtp-filter[20591]: 605CF6527C3F57DD89: processing time: 0.363 seconds (0.263, 0.016, 0)
Oct 12 12:01:25 pmg8 postfix/smtpd[27161]: proxy-accept: END-OF-MESSAGE: 250 2.5.0 OK (605CF6527C3F57DD89); from=<user@pmgsender.sender.domain> to=<user@receiver.domain> proto=ESMTP helo=<pmgsender.sender.domain>
Oct 12 12:01:25 pmg8 postfix/smtpd[27161]: disconnect from pmgsender[192.0.2.70] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Oct 12 12:01:26 pmg8 postfix/smtp[27192]: C53AF6084A: to=<admin@admin.domain>, relay=mail.admin.domain[192.0.2.33]:25, delay=0.59, delays=0.06/0/0.05/0.48, dsn=2.5.0, status=sent (250 2.5.0 OK (44A0F6527C3F6A4330))
Oct 12 12:01:26 pmg8 postfix/qmgr[788]: C53AF6084A: removed

I send a mail with an attachment called `eicar.com` (and containing the eicar signature) from a mail-server to a domain handled by the PMG in question.

I hope this helps!
 
Hi!
Got the same issue here.
journalctl -u clamav-daemon & journalctl -u clamav-freshclam show only database update records

I sent EICAR string in the body and as an attachment - it was delivered successfully

Do I need to install clamsmtp?
because it's not installed by default with the Proxmox Mail Gateway image
 
Do I need to install clamsmtp?
no it's not needed - pmg-smtp-filter calls clamdscan
please share the logs of the system since boot

as said - here it works just fine when sending a mail containing the eicar signature
 
no it's not needed - pmg-smtp-filter calls clamdscan
please share the logs of the system since boot

as said - here it works just fine when sending a mail containing the eicar signature
After testing from inside the network with no antivirus on the laptop and then from another online service, eicar was successfully detected.
So looks like everything is working fine
My excuses ))
 
Thanks for trying again and verifying it works!

Sadly (or rather actually it's good that way) it's quite hard to send well-known viruses in e-mail across the internet :)
 
Hello. The antivirus really works without any intervention. A week ago, I caught an email with a virus. I don't know if it catches everything, but it caught something. But the question remains open - why is there no logging of the antivirus's work? A negative check is still important information.
 
Hello. The antivirus really works without any intervention. A week ago, I caught an email with a virus. I don't know if it catches everything, but it caught something. But the question remains open - why is there no logging of the antivirus's work? A negative check is still important information.

This is how I find it in the log:
tail -f /var/log/syslog | grep clam

More specifically, you can do this:
tail -f /var/log/syslog | egrep "virus detected"

Then I get this:
2024-05-15T12:58:12.300544+02:00 anti-spam-gateway pmg-smtp-filter[7258]: 412CA6644954434F73: virus detected: Eicar-Signature (clamav)

In the UI one can see this:

The only anomaly I found on a new installation was that `clamav-freshclam` wasn't started:
# systemctl status clamav-freshclam
○ clamav-freshclam.service - ClamAV virus database updater
Loaded: loaded (/lib/systemd/system/clamav-freshclam.service; disabled; preset: enabled)
Active: inactive (dead)
Docs: man:freshclam(1)
man:freshclam.conf(5)
https://docs.clamav.net/

But of course that was quickly sorted out with:

systemctl start clamav-freshclam
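The grep shown above finds the positive hits; to see per message what PMG actually did, the following correlator is an added example for this thread (not Proxmox code). It groups pmg-smtp-filter and clamd lines by the filter's message id using the exact line shapes quoted in the thread ("new mail", "virus detected", "accept mail to", "moved mail ... to virus quarantine", "notify", and clamd's "... FOUND"); the sample lines are constructed from the thread's logs with example.net addresses. Since PMG logs nothing for a clean scan, a message without a hit line can only be reported as "no hit", not as "scanned and clean".

```python
"""Correlate PMG (pmg-smtp-filter) and clamd log lines per message.

Added example for this thread, not Proxmox code. Works on /var/log/syslog
or `journalctl -o short-iso` output. A mail with no "virus detected" line
is reported as "no hit": PMG does not log negative scans.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional

FILTER_RE = re.compile(r"pmg-smtp-filter\[\d+\]: (?P<id>[0-9A-F]+): (?P<rest>.*)$")
CLAMD_RE = re.compile(r"clamd\[\d+\]: /var/spool/pmg/active/(?P<id>[0-9A-F]+): (?P<sig>.+) FOUND$")
NEW_MAIL_RE = re.compile(r"^new mail message-id=<(?P<msgid>[^>]+)>")
VIRUS_RE = re.compile(r"^virus detected: (?P<sig>\S+) \((?P<engine>[^)]+)\)")
ACCEPT_RE = re.compile(r"^accept mail to <(?P<rcpt>[^>]+)> \((?P<qid>[0-9A-F]+)\) \(rule: (?P<rule>[^)]+)\)")
QUAR_RE = re.compile(r"^moved mail for <(?P<rcpt>[^>]+)> to virus quarantine - (?P<qid>[0-9A-F]+) \(rule: (?P<rule>[^)]+)\)")
NOTIFY_RE = re.compile(r"^notify <(?P<addr>[^>]+)> \(rule: (?P<rule>[^,)]+), (?P<qid>[0-9A-F]+)\)")


@dataclass
class MailRecord:
    pmg_id: str
    message_id: Optional[str] = None
    virus: Optional[str] = None            # from "virus detected: X (engine)"
    engine: Optional[str] = None
    clamd_hits: List[str] = field(default_factory=list)  # clamd's own FOUND lines
    action: Optional[str] = None           # "accept" or "quarantine"
    rule: Optional[str] = None
    recipients: List[str] = field(default_factory=list)
    notified: List[str] = field(default_factory=list)


def correlate(lines: Iterable[str]) -> Dict[str, MailRecord]:
    """Group filter and clamd lines by the pmg-smtp-filter message id."""
    records: Dict[str, MailRecord] = {}

    def rec(pmg_id: str) -> MailRecord:
        return records.setdefault(pmg_id, MailRecord(pmg_id))

    for raw in lines:
        line = raw.rstrip("\n")
        m = CLAMD_RE.search(line)
        if m:
            r = rec(m["id"])
            if m["sig"] not in r.clamd_hits:   # journald shows each clamd line twice
                r.clamd_hits.append(m["sig"])
            continue
        m = FILTER_RE.search(line)
        if not m:
            continue                            # postfix, SA warnings, maintenance, ...
        r, rest = rec(m["id"]), m["rest"]
        if (x := NEW_MAIL_RE.match(rest)):
            r.message_id = x["msgid"]
        elif (x := VIRUS_RE.match(rest)):
            r.virus, r.engine = x["sig"], x["engine"]
        elif (x := ACCEPT_RE.match(rest)):
            r.action, r.rule = "accept", x["rule"]
            r.recipients.append(x["rcpt"])
        elif (x := QUAR_RE.match(rest)):
            r.action, r.rule = "quarantine", x["rule"]
            r.recipients.append(x["rcpt"])
        elif (x := NOTIFY_RE.match(rest)):
            r.notified.append(x["addr"])
    return records


def virus_hits(records: Dict[str, MailRecord]) -> List[str]:
    """Ids of messages for which the filter logged a virus hit."""
    return [i for i, r in records.items() if r.virus is not None]


def summarize(records: Dict[str, MailRecord]) -> List[str]:
    """One line per message; 'no hit' is all the log can say about a clean mail."""
    out = []
    for r in records.values():
        verdict = f"{r.virus} ({r.engine})" if r.virus else "no hit"
        out.append(f"{r.pmg_id} msgid=<{r.message_id}> verdict={verdict} "
                   f"action={r.action or '-'} rule={r.rule or '-'} "
                   f"rcpt={','.join(r.recipients) or '-'}")
    return out


# Constructed sample: one clean mail (shape of the first post) and one EICAR
# mail (shape of the working system), addresses replaced with example.net.
SAMPLE_LOG = """\
2023-10-10T15:32:18.257901+03:00 pmg pmg-smtp-filter[981077]: 12302B652544523DB0F: new mail message-id=<clean-1@example.net>#012
2023-10-10T15:32:19.674809+03:00 pmg pmg-smtp-filter[981077]: 12302B652544523DB0F: SA score=0/5 time=1.382 bayes=undefined autolearn=disabled hits=SPF_PASS(-0.001)
2023-10-10T15:32:19.748537+03:00 pmg pmg-smtp-filter[981077]: 12302B652544523DB0F: accept mail to <user@example.net> (A9D3512302E) (rule: default-accept)
2023-10-10T15:32:19.750944+03:00 pmg pmg-smtp-filter[981077]: 12302B652544523DB0F: processing time: 1.495 seconds (1.382, 0.031, 0)
Oct 12 12:01:25 pmg8 pmg-smtp-filter[20591]: 605CF6527C3F57DD89: new mail message-id=<eicar-1@example.net>
Oct 12 12:01:25 pmg8 clamd[18944]: /var/spool/pmg/active/605CF6527C3F57DD89: Eicar-Signature FOUND
Oct 12 12:01:25 pmg8 clamd[18944]: /var/spool/pmg/active/605CF6527C3F57DD89: Eicar-Signature FOUND
Oct 12 12:01:25 pmg8 pmg-smtp-filter[20591]: 605CF6527C3F57DD89: virus detected: Eicar-Signature (clamav)
Oct 12 12:01:25 pmg8 pmg-smtp-filter[20591]: 605CF6527C3F57DD89: notify <admin@example.net> (rule: Block Viruses, C53AF6084A)
Oct 12 12:01:25 pmg8 pmg-smtp-filter[20591]: 605CF6527C3F57DD89: moved mail for <user@example.net> to virus quarantine - 608C66527C3F5D45DD (rule: Block Viruses)
Oct 12 12:01:25 pmg8 pmg-smtp-filter[20591]: 605CF6527C3F57DD89: processing time: 0.363 seconds (0.263, 0.016, 0)
"""

if __name__ == "__main__":
    for line in summarize(correlate(SAMPLE_LOG.splitlines())):
        print(line)
```

On a live system feed it `grep -E 'pmg-smtp-filter|clamd' /var/log/syslog` instead of the sample; a mail shown as "no hit" with action=accept is what a clean scan looks like in PMG's logs.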
 