PMG 6.1 how to add antivirus?

Hello all,
As much as I know, efs is not free; I do use it and it is very good.
Currently it does not miss any check and it is very comprehensive so far.
I stopped using clamav because it has a high appetite for RAM and is not that comprehensive.
 
Can you share the link to buy it? How much?
Thx.
 
Hello all,

I just wanted to provide another example code to integrate F-Secure Atlant via ICAP. As this utilizes the ICAP protocol, it should be easy to adapt to any other ICAP-compatible anti-virus solution.

For better understanding: "atlant" is the product name of the F-Secure ICAP service. You may want to adapt this matching to your product.

Prerequisites:
  • Installed c-icap-client on PMG (apt install c-icap)
  • Up and running ICAP service (either on localhost or elsewhere)
  • /etc/hosts entry with the name "atlant" pointing to your Atlant server (just for this example; if you run another ICAP system, just adapt the script)
Change pmg.cfg:
In the admin-section add:
Code:
pmg.admin.custom_check = 1

Build /usr/local/bin/pmg-custom-check :
I adapted the following code from the official Proxmox example I found in the documentation, so you may also want to look there.
As usual this code comes without any warranty. It is not the most sophisticated piece of software and also has NOT been heavily tested. Read it. Understand it. Use it at your own risk. Improve it and post your improvements here ;)

It is a bit hacky, as c-icap-client is not meant to do this job and posts its headers to stderr (that's why 2 is redirected to 1, in order to capture those headers containing the infection information).

Again: USE AT OWN RISK AND GOOD LUCK :)

Bash:
#!/bin/sh
# PMG custom check: hands the queue file to an ICAP anti-virus service
# through c-icap-client and turns the answer into the verdict PMG expects.
# Called by PMG as: pmg-custom-check APIVERSION QUEUEFILENAME

if [ "$#" -ne 2 ]; then
  echo "usage: $0 APIVERSION QUEUEFILENAME" 1>&2
  exit 1
fi

apiver="$1"
shift

if [ "$apiver" != "v1" ]; then
  echo "wrong APIVERSION: $apiver" 1>&2
  exit 2
fi

queue_file="$1"

# first output line: the API version; second line: OK or VIRUS: <name>
echo "v1"

# name of the ICAP host (see the /etc/hosts prerequisite above)
ATLANT="atlant"

# c-icap-client prints the ICAP response headers on stderr (-v), so merge
# stderr into stdout and pick out the header the scanner adds on a hit
result="$(c-icap-client -i "$ATLANT" -v -f "$queue_file" 2>&1 | grep -F 'X-FSecure-Infection-Name')"
grep_status=$?

# grep exit status: 1 = header not present (clean), 0 = present (infected),
# 2 = grep itself failed; anything but a clean 1 is reported as a hit.
# Note that a failed connection to the ICAP host also yields no header and
# therefore "OK", so monitor the service separately.
if [ "$grep_status" = "1" ]; then
    echo OK
else
    # header line: X-FSecure-Infection-Name: "Malware.Eicar-Test-Signature"
    echo "VIRUS: $(echo "$result" | head -n 1 | awk '{ print $2 }')"
fi

Set the executable flag (chmod +x) and test:
Code:
# /usr/local/bin/pmg-custom-check v1 testfile
v1
VIRUS: "Malware.Eicar-Test-Signature"

Code:
# /usr/local/bin/pmg-custom-check v1 /etc/hosts
v1
OK

Have fun.

Regards
Matthias
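The same check done by speaking ICAP directly instead of scraping c-icap-client's stderr, as an added example that is not Matthias's script nor F-Secure code. It assumes a plain ICAP/1.0 RESPMOD service on tcp/1344 and reuses the X-FSecure-Infection-Name header from the post; the host "atlant" and the service path /respmod are placeholders to adapt. Unlike the shell version, a scanner error is reported as an error rather than as "OK".

```python
"""PMG custom check talking ICAP RESPMOD (RFC 3507) to an AV service.
Added example: the service path /respmod and the host "atlant" are
placeholders; the infection header name is the one the post greps for."""
import socket
import sys

INFECTION_HEADER = "x-fsecure-infection-name"   # compared case-insensitively


def build_respmod(host: str, service: str, body: bytes) -> bytes:
    """Wrap the queue file as the body of a fake HTTP response inside an
    ICAP RESPMOD request.  Encapsulated offsets count bytes of the
    encapsulated section, so res-body starts where res-hdr ends."""
    res_hdr = f"HTTP/1.1 200 OK\r\nContent-Length: {len(body)}\r\n\r\n".encode()
    icap_hdr = (
        f"RESPMOD icap://{host}{service} ICAP/1.0\r\n"
        f"Host: {host}\r\n"
        "Allow: 204\r\n"                       # clean answer may be 204 No Content
        f"Encapsulated: res-hdr=0, res-body={len(res_hdr)}\r\n\r\n"
    ).encode()
    chunked = b"%x\r\n%s\r\n0\r\n\r\n" % (len(body), body)   # one chunk + terminator
    return icap_hdr + res_hdr + chunked


def parse_icap_headers(raw: bytes):
    """Return (status_code, {lower-case header: value}) from the ICAP head."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("ICAP/"):
        raise ValueError(f"not an ICAP response: {lines[0]!r}")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers


def verdict(raw: bytes) -> str:
    """Map an ICAP response to the PMG verdict line.  Anything other than a
    200/204 is raised, so a dead or failing scanner does not pass mail."""
    status, headers = parse_icap_headers(raw)
    if status not in (200, 204):
        raise RuntimeError(f"ICAP scanner returned status {status}")
    name = headers.get(INFECTION_HEADER)
    return f"VIRUS: {name}" if name else "OK"


def scan_file(path: str, host: str = "atlant", service: str = "/respmod") -> str:
    with open(path, "rb") as fh:
        body = fh.read()
    with socket.create_connection((host, 1344), timeout=30) as sock:
        sock.sendall(build_respmod(host, service, body))
        raw = b""
        while b"\r\n\r\n" not in raw:          # read up to the end of the ICAP headers
            chunk = sock.recv(4096)
            if not chunk:
                break
            raw += chunk
    return verdict(raw)


if __name__ == "__main__":   # PMG calls: pmg-custom-check v1 QUEUEFILENAME
    if len(sys.argv) != 3 or sys.argv[1] != "v1":
        sys.exit("usage: pmg-custom-check v1 QUEUEFILENAME")
    print("v1")
    print(scan_file(sys.argv[2]))
```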
 
Look at https://forum.proxmox.com/threads/how-to-integrate-eset-antivirus-with-pmg.49788/post-238553
It has been running for 2 years with ESET File Security for Linux.

Now, the code example for /usr/local/bin/pmg-custom-check

Code:
#!/usr/bin/perl -w
# PMG custom check wrapping the ESET on-demand scanner.
# PMG calls: pmg-custom-check v1 QUEUEFILENAME and expects two lines of
# output: the API version ("v1") and the verdict ("OK" or "VIRUS: ...").
use strict;
use warnings;
use File::Copy "cp";
use File::Basename "basename";

my $av_name    = "Eset";
my $av_version = "0.0";

## V4.X (esets_scan)
my $esets_bin = "/opt/eset/esets/sbin/esets_scan";
my $esets_arg = "--clean-mode=none";

## V7.X (cls, also used by version 8)
my $efs_bin  = "/opt/eset/efs/sbin/cls/cls";
my $efs_arg  = "--clean-mode=none";
my $efs_bdir = "--base-dir=/var/opt/eset/efs/lib";

## logger to /var/log/syslog
my $logger_bin = "/usr/bin/logger";
my $logger_arg = "-i";

## debug: 0 = quiet, 1 = log scanner output, 2 = also keep infected queue files under $debug_dir
my $debug     = 0;
my $debug_dir = "/tmp/debug/";

## block password-protected / damaged archives (objects the scanner cannot inspect)?
my $strict = 0;

mkdir $debug_dir if ( $debug > 1 && !-d $debug_dir );
my $cmd;

open( my $logger, "| $logger_bin $logger_arg " ) or die "can't start logger: $!";

$av_version = "4.X" if ( -e $esets_bin );
$av_version = "7.X" if ( -e $efs_bin );

my $apiversion = shift || die 'APIVERSION required.';
my $filename   = shift || die 'QUEUEFILENAME required.';

die "Wrong AV Version."   if ( $av_version eq "0.0" );
die "Wrong API Version."  if ( $apiversion ne "v1" );
die "FILENAME not found." if ( !-e $filename );

# list form of open: the file name is passed as a single argument, never through a shell
if ( $av_version eq "4.X" ) { open( $cmd, '-|', $esets_bin, $esets_arg, $filename ) || die "can't exec esets scan: $! : ERROR"; }
if ( $av_version eq "7.X" ) { open( $cmd, '-|', $efs_bin, $efs_bdir, $efs_arg, $filename ) || die "can't exec esets scan: $! : ERROR"; }

my $vinfo = "OK";

# The scanner prints one line per detected object:
#   name="<file> >> MIME >> <part>", result="<threat>", action="retained", info="<note>"
# (esets_scan 4.x writes threat= instead of result=). Clean files produce no such line.
while ( defined( my $line = <$cmd> ) ) {
    chomp $line;

    print $logger "DEBUG:" . $line, "\n" if ( $debug > 0 );
    $line =~ s/result=/threat=/g if ( $av_version eq "7.X" );
    if ( $line =~ m/^name=\"(.*)\".*threat=\"(.*)\".*action=\"(.*)\".*info=\"(.*)\"$/ ) {
        # copy the captures before running any further match, which would reset $1..$4
        my ( $name, $threat, $action, $info ) = ( $1, $2, $3, $4 );
        # objects the scanner could not look into: only block them in strict mode
        next if ( $strict < 1 && ( $info =~ m/password-protected/ || $info =~ m/archive damaged/ ) );
        # later (deeper) objects overwrite earlier ones, so the innermost detection wins
        $vinfo = "VIRUS: " . $threat . " " . $info . "($av_name)";
        print $logger "DEBUG: " . $vinfo, "\n" if ( $debug > 0 );
    }
}
close($cmd);

# keep a copy of the infected queue file for analysis when debugging
# ('not' binds weaker than '&&', so '!' is used here to get the intended condition)
my $debug_copy = $debug_dir . basename($filename);
cp( $filename, $debug_dir )
  if ( $vinfo ne "OK" && $debug > 1 && !-e $debug_copy );

print join( "\n", "v1", $vinfo ), "\n";
print $logger join( " ", "pmg-custom-check", $vinfo, $filename ) . "\n" if ( $debug > 0 );
close($logger);
exit 0;

Don't forget:
chmod +x /usr/local/bin/pmg-custom-check

and under /etc/pmg/pmg.conf:

section: admin
custom_check 1

Cheers
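The scanner-output parsing that the Perl script above does with one regular expression, as an added Python example (not Koby's script). It runs on a constructed sample built from the cls lines shown later in this thread, splits the nested object chain so the offending attachment can be named, and handles the password-protected/archive-damaged case the script's $strict switch is for.

```python
"""Parse ESET cls / esets_scan result lines into the PMG custom-check verdict.
Added example in Python; the line format and the strict-mode rule follow
the thread's Perl script, the samples are constructed from its logs."""
import re

# One line per detected object; nested objects are joined with " >> ".
# cls (7.x/8.x) writes result=, esets_scan (4.x) writes threat=.
LINE_RE = re.compile(
    r'^name="(?P<name>.*?)", (?:result|threat)="(?P<threat>.*?)", '
    r'action="(?P<action>.*?)", info="(?P<info>.*?)"$'
)
# Objects the scanner could not open; they are blocked only in strict mode.
UNSCANNABLE = ("password-protected", "archive damaged")


def detections(output):
    """Return one dict per detection line, with the object chain split out,
    e.g. ['/var/spool/pmg/active/X', 'MIME', 'eicar.zip', 'ZIP', 'eicar.com']."""
    hits = []
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            continue                      # banner, module versions, summary lines
        hit = m.groupdict()
        hit["chain"] = hit["name"].split(" >> ")
        hits.append(hit)
    return hits


def verdict(output, av_name="Eset", strict=False):
    """Map scanner output to the PMG verdict line.  As in the thread's script,
    later (deeper) objects overwrite earlier ones, so the innermost detection
    is what PMG reports."""
    result = "OK"
    for hit in detections(output):
        if not strict and any(tag in hit["info"] for tag in UNSCANNABLE):
            continue                      # unscannable object, let through
        label = " ".join(p for p in (hit["threat"], hit["info"]) if p)
        result = f"VIRUS: {label} ({av_name})"
    return result


# Constructed sample, trimmed from the cls output shown in the thread.
SAMPLE_EICAR = """\
ECLS Command-line scanner, version 1.1.1.0
Scan started at:   Sun Oct 10 01:19:08 2021
name="/var/spool/pmg/active/100F9061622366CC830", result="Eicar test file", action="retained", info=""
name="/var/spool/pmg/active/100F9061622366CC830 >> MIME >> eicar.zip", result="Eicar test file", action="retained", info=""
name="/var/spool/pmg/active/100F9061622366CC830 >> MIME >> eicar.zip >> ZIP >> eicar.com", result="Eicar test file", action="retained", info=""
Scan completed at: Sun Oct 10 01:19:08 2021
Detected:          files - 1, objects 1
"""

# Constructed: an archive the scanner could not open (no threat name, only a note).
SAMPLE_LOCKED = """\
name="/var/spool/pmg/active/QUEUEFILE >> MIME >> invoice.zip", result="", action="retained", info="password-protected"
"""

if __name__ == "__main__":
    print("v1")
    print(verdict(SAMPLE_EICAR))                 # VIRUS: Eicar test file (Eset)
    print(verdict(SAMPLE_LOCKED))                # OK
    print(verdict(SAMPLE_LOCKED, strict=True))   # VIRUS: password-protected (Eset)
```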
Quick question, what are the price ranges for servers?
 
Hello,

Thank you for your great work.

We have a corporate ESET license and I tried to get it to run with current versions.

I installed a test PMG 7.0-8.

installed ERA agent via server push -> worked
installed ERA antivirus for business 4.x -> failed due to some missing dependencies
found out antivirus for business goes out of support

downloaded Endpoint Security from https://www.eset.com/de/business/download/endpoint-antivirus-linux/

installed via apt-get
worked
activated from ERA server

found /opt/eset/eea/bin/odscan as on-demand scanner

found out the syntax for use is
/opt/eset/eea/bin/odscan -s --profile="@In-depth scan" /bin/eicarexample

gives no result but deletes the file, or if clean, the file is untouched...


changed code like:

Code:
#!/usr/bin/perl -w
# PMG custom check wrapping the ESET on-demand scanner (with an 8.X odscan branch).
# PMG calls: pmg-custom-check v1 QUEUEFILENAME and expects two lines of
# output: the API version ("v1") and the verdict ("OK" or "VIRUS: ...").
use strict;
use warnings;
use File::Copy "cp";
use File::Basename "basename";

my $av_name    = "Eset";
my $av_version = "0.0";

## V4.X (esets_scan)
my $esets_bin = "/opt/eset/esets/sbin/esets_scan";
my $esets_arg = "--clean-mode=none";

## V7.X (cls)
my $efs_bin  = "/opt/eset/efs/sbin/cls/cls";
my $efs_arg  = "--clean-mode=none";
my $efs_bdir = "--base-dir=/var/opt/eset/efs/lib";

## V8.X (Endpoint Antivirus odscan, run with a named scan profile)
my $eea_bin  = "/opt/eset/eea/bin/odscan";
my $eea_arg  = "-s";
my $eea_profile = '--profile=@In-depth scan';

## logger to /var/log/syslog
my $logger_bin = "/usr/bin/logger";
my $logger_arg = "-i";

## debug: 0 = quiet, 1 = log scanner output, 2 = also keep infected queue files under $debug_dir
my $debug     = 1;
my $debug_dir = "/tmp/debug/";

## block password-protected / damaged archives (objects the scanner cannot inspect)?
my $strict = 0;

mkdir $debug_dir if ( $debug > 1 && !-d $debug_dir );
my $cmd;

open( my $logger, "| $logger_bin $logger_arg " ) or die "can't start logger: $!";

$av_version = "4.X" if ( -e $esets_bin );
$av_version = "7.X" if ( -e $efs_bin );
$av_version = "8.X" if ( -e $eea_bin );

my $apiversion = shift || die 'APIVERSION required.';
my $filename   = shift || die 'QUEUEFILENAME required.';

die "Wrong AV Version."   if ( $av_version eq "0.0" );
die "Wrong API Version."  if ( $apiversion ne "v1" );
die "FILENAME not found." if ( !-e $filename );

# list form of open: the file name is passed as a single argument, never through a shell
if ( $av_version eq "4.X" ) { open( $cmd, '-|', $esets_bin, $esets_arg, $filename ) || die "can't exec esets scan: $! : ERROR"; }
if ( $av_version eq "7.X" ) { open( $cmd, '-|', $efs_bin, $efs_bdir, $efs_arg, $filename ) || die "can't exec esets scan: $! : ERROR"; }
if ( $av_version eq "8.X" ) { open( $cmd, '-|', $eea_bin, $eea_arg, $eea_profile, $filename ) || die "can't exec esets scan: $! : ERROR"; }

my $vinfo = "OK";

# The scanner prints one line per detected object:
#   name="<file> >> MIME >> <part>", result="<threat>", action="retained", info="<note>"
# (esets_scan 4.x writes threat= instead of result=). Clean files produce no such line.
while ( defined( my $line = <$cmd> ) ) {
    chomp $line;

    print $logger "DEBUG:" . $line, "\n" if ( $debug > 0 );
    $line =~ s/result=/threat=/g if ( $av_version eq "7.X" );
    if ( $line =~ m/^name=\"(.*)\".*threat=\"(.*)\".*action=\"(.*)\".*info=\"(.*)\"$/ ) {
        # copy the captures before running any further match, which would reset $1..$4
        my ( $name, $threat, $action, $info ) = ( $1, $2, $3, $4 );
        # objects the scanner could not look into: only block them in strict mode
        next if ( $strict < 1 && ( $info =~ m/password-protected/ || $info =~ m/archive damaged/ ) );
        # later (deeper) objects overwrite earlier ones, so the innermost detection wins
        $vinfo = "VIRUS: " . $threat . " " . $info . "($av_name)";
        print $logger "DEBUG: " . $vinfo, "\n" if ( $debug > 0 );
    }
}
close($cmd);

# keep a copy of the infected queue file for analysis when debugging
# ('not' binds weaker than '&&', so '!' is used here to get the intended condition)
my $debug_copy = $debug_dir . basename($filename);
cp( $filename, $debug_dir )
  if ( $vinfo ne "OK" && $debug > 1 && !-e $debug_copy );

print join( "\n", "v1", $vinfo ), "\n";
print $logger join( " ", "pmg-custom-check", $vinfo, $filename ) . "\n" if ( $debug > 0 );
close($logger);
exit 0;

After some trial and error (because of the @in profile name) I get no message anymore in syslog,

but a test mail with EICAR test viruses passes the system.

any suggestions?

Dirk
 
Hello Dirk,
I think you are going wrong with the whole process.
I have been using it for a very long time now (ESET A/V), and according to my knowledge EFS is the right version to use.
I'm using the custom version of the script (located at: /usr/local/bin/pmg-custom-check)
which is working fine for EFS versions 7 + 8.

Koby Peleg Hen
 
Dear @koby

Hello Dirk,
I think you are going wrong with the whole process.
You were 100% right. I took the wrong product.

I took Endpoint Security for Linux; instead I now took Server Security for Linux and immediately the script was running fine.

I have now installed it on our 2 productive PMG machines and it seems to work without problems. The only thing is that the mail processing time goes up from 1 second to 10 seconds per mail (in my test environment). On the productive systems I cannot say, because those were 12 h average values. When I count in syslog it seems to be at least 6 seconds per mail.

One question: if not disabled, does ClamAV also scan every mail?
 
Hello Dirk,
I disabled ClamAV as soon as possible, because it is eating memory like a monster.... and a lot of false positives.
I did disable it (and masked it as well ==> so it is not enabled on reboot...) completely, BUT!!! in case you want to make an upgrade you MUST enable it for the upgrade process and disable it later on.
I hope that helps someone.

Koby Peleg Hen
 
I have a problem with the latest ESET Server Security 8.1.x for Linux. The pmg-custom-check script works fine if I run it on the console for a test.

Code:
/usr/local/bin/pmg-custom-check v1 /tmp/eicar/eicarcom2.zip
v1
VIRUS: Eicar test file (Eset)

But if I send myself the same EICAR file by email, or scan the mail in the spool directory, the virus is not found.

Code:
usr/local/bin/pmg-custom-check v1 /var/spool/pmg/attachment/14/1404D661600FBE3A014
v1
OK

Code:
Oct  8 14:27:24 pmg root[12499]: DEBUG:
Oct  8 14:27:24 pmg root[12499]: DEBUG:ECLS Command-line scanner, version 1.1.1.0, Copyright © 1992-2021 ESET, spol. s r. o. All rights reserved.
Oct  8 14:27:24 pmg root[12499]: DEBUG:Module loader, version 1077 (20200622), build 1140
Oct  8 14:27:24 pmg root[12499]: DEBUG:Module perseus, version 1580.2 (20211006), build 2248
Oct  8 14:27:24 pmg root[12499]: DEBUG:Module scanner, version 24092 (20211008), build 51092
Oct  8 14:27:24 pmg root[12499]: DEBUG:Module archiver, version 1323 (20210914), build 1391
Oct  8 14:27:24 pmg root[12499]: DEBUG:Module advheur, version 1210 (20210825), build 1211
Oct  8 14:27:24 pmg root[12499]: DEBUG:
Oct  8 14:27:24 pmg root[12499]: DEBUG:Command line: --base-dir=/var/opt/eset/efs/lib --clean-mode=none /var/spool/pmg/active/1404DA6160392651388
Oct  8 14:27:24 pmg root[12499]: DEBUG:
Oct  8 14:27:24 pmg root[12499]: DEBUG:Scan started at:   Fri Oct  8 14:27:24 2021
Oct  8 14:27:24 pmg root[12499]: DEBUG:
Oct  8 14:27:24 pmg root[12499]: DEBUG:Scan completed at: Fri Oct  8 14:27:24 2021
Oct  8 14:27:24 pmg root[12499]: DEBUG:Scan time:         0 sec (0:00:00)
Oct  8 14:27:24 pmg root[12499]: DEBUG:Total:             files - 1, objects 3
Oct  8 14:27:24 pmg root[12499]: DEBUG:Detected:          files - 0, objects 0
Oct  8 14:27:24 pmg root[12499]: DEBUG:Cleaned:           files - 0, objects 0
Oct  8 14:27:24 pmg root[12499]: DEBUG:
Oct  8 14:27:24 pmg root[12499]: pmg-custom-check OK /var/spool/pmg/active/1404DA6160392651388
 
I have the same problem.
If the EICAR is in the body it does find it; if it is an attached file, ESET does not find it. I am still trying to figure this out.
As for now it seems that ESET is not the problem, since I tried the EICAR virus directly on the host and it did find it.
I will update if I find something.

Koby Peleg Hen
 
OK, problem solved. The "eicar.com" didn't work. I then tried the "eicar.zip" and it was found as a virus.

Code:
Oct 10 01:19:08 pmg root[19723]: DEBUG:
Oct 10 01:19:08 pmg root[19723]: DEBUG:ECLS Command-line scanner, version 1.1.1.0, Copyright © 1992-2021 ESET, spol. s r. o. All rights reserved.
Oct 10 01:19:08 pmg root[19723]: DEBUG:Module loader, version 1077 (20200622), build 1140
Oct 10 01:19:08 pmg root[19723]: DEBUG:Module perseus, version 1580.2 (20211006), build 2248
Oct 10 01:19:08 pmg root[19723]: DEBUG:Module scanner, version 24099 (20211009), build 51106
Oct 10 01:19:08 pmg root[19723]: DEBUG:Module archiver, version 1323 (20210914), build 1391
Oct 10 01:19:08 pmg root[19723]: DEBUG:Module advheur, version 1210 (20210825), build 1211
Oct 10 01:19:08 pmg root[19723]: DEBUG:
Oct 10 01:19:08 pmg root[19723]: DEBUG:Command line: --base-dir=/var/opt/eset/efs/lib --clean-mode=none /var/spool/pmg/active/100F9061622366CC830
Oct 10 01:19:08 pmg root[19723]: DEBUG:
Oct 10 01:19:08 pmg root[19723]: DEBUG:Scan started at:   Sun Oct 10 01:19:08 2021
Oct 10 01:19:08 pmg root[19723]: DEBUG:name="/var/spool/pmg/active/100F9061622366CC830", result="Eicar test file", action="retained", info=""
Oct 10 01:19:08 pmg root[19723]: DEBUG:name="/var/spool/pmg/active/100F9061622366CC830 >> MIME >> eicar.zip", result="Eicar test file", action="retained", info=""
Oct 10 01:19:08 pmg root[19723]: DEBUG:name="/var/spool/pmg/active/100F9061622366CC830 >> MIME >> eicar.zip >> ZIP >> eicar.com", result="Eicar test file", action="retained", info=""
Oct 10 01:19:08 pmg root[19723]: DEBUG:
Oct 10 01:19:08 pmg root[19723]: DEBUG:Scan completed at: Sun Oct 10 01:19:08 2021
Oct 10 01:19:08 pmg root[19723]: DEBUG:Scan time:         0 sec (0:00:00)
Oct 10 01:19:08 pmg root[19723]: DEBUG:Total:             files - 1, objects 4
Oct 10 01:19:08 pmg root[19723]: DEBUG:Detected:          files - 1, objects 1
Oct 10 01:19:08 pmg root[19723]: DEBUG:Cleaned:           files - 0, objects 0
Oct 10 01:19:08 pmg root[19723]: DEBUG:
Oct 10 01:19:08 pmg root[19723]: pmg-custom-check VIRUS: Eicar test file (Eset) /var/spool/pmg/active/100F9061622366CC830
 
Please try to take the EICAR text and put it into a txt attachment; in my tests it was not able to find it.

Koby Peleg Hen
 
Hi!
I checked the code now ... :)
The installed package is ESET "efs".
Downloaded efs.x86_64.bin (decompressed efs-8.1.685.0.x86_64.deb)

on ESET 8.X /opt/eset/efs/sbin/cls/cls -v
/opt/eset/efs/sbin/cls/cls 1.1.1.0

Why are you using /opt/eset/efs/bin/odscan and not cls?

At the moment working with ESET 8.X ...

Oct 12 19:16:36 pmg1 root[770149]: pmg-custom-check VIRUS: Eicar test file (Eset) /var/spool/pmg/active/A0AC56165C2EFDE41D
Oct 12 19:16:36 pmg1 root[770149]: DEBUG:name="/var/spool/pmg/active/A0AC56165C2EFDE41D", result="Eicar test file", action="retained", info=""
Oct 12 19:16:36 pmg1 root[770149]: DEBUG:name="/var/spool/pmg/active/A0AC56165C2EFDE41D >> MIME >> eicar.com", result="Eicar test file", action="retained", info=""

For Testing:
https://www.heise.de/security/dienste/Emailcheck-2109.html

Cheers
 
Yes... use cls and not odscan ...
odscan works at directory level, not with file names ...
 
OK, found my problem. I must exclude the tmp path, or the script can't scan the attachment, because the ESET realtime scan has removed the EICAR test file and you will see the following message in the log:
Code:
 pmg-smtp-filter[1478]: unable to open file '/tmp/.proxdump_1478_100FA16166F889D9761/eicar-1.com' - Operation not permitted at /usr/share/perl5/PMG/Utils.pm line 554.

To exclude the tmp path, go to the ESET admin web GUI:
Setup --> Detection Engine --> Exclusions --> Performance exclusions --> Exclude Path = /tmp/*
 
Hello,

I have also been using the script for some months and it is working fine - I THOUGHT!!!

Some viruses are detected by Clam, some by ESET, but I noticed some viruses are also passed to the clients and the ESET Outlook scanner is detecting them!

How can the virus pass through the script? The detection engine on the server and on the client is the same.

Caught a contaminated eml file and passed it through with SMTP Diag Tool:

Code:
Nov 23 14:38:01 mx02 root[568811]: DEBUG:
Nov 23 14:38:01 mx02 root[568811]: DEBUG:ECLS Command-line scanner, version 1.1.1.0, Copyright © 1992-2021 ESET, spol. s r. o. All rights reserved.
Nov 23 14:38:01 mx02 root[568811]: DEBUG:Module loader, version 1077 (20200622), build 1140
Nov 23 14:38:01 mx02 root[568811]: DEBUG:Module perseus, version 1581.3 (20211015), build 2251
Nov 23 14:38:01 mx02 root[568811]: DEBUG:Module scanner, version 24338 (20211123), build 51592
Nov 23 14:38:01 mx02 root[568811]: DEBUG:Module archiver, version 1324 (20211011), build 1394
Nov 23 14:38:01 mx02 root[568811]: DEBUG:Module advheur, version 1211.1 (20211105), build 1215
Nov 23 14:38:01 mx02 root[568811]: DEBUG:
Nov 23 14:38:01 mx02 root[568811]: DEBUG:Command line: --base-dir=/var/opt/eset/efs/lib --clean-mode=none /var/spool/pmg/active/2A184C619CEEB336470
Nov 23 14:38:01 mx02 root[568811]: DEBUG:
Nov 23 14:38:01 mx02 root[568811]: DEBUG:Scan started at:   Tue Nov 23 14:38:00 2021
Nov 23 14:38:01 mx02 root[568811]: DEBUG:
Nov 23 14:38:01 mx02 root[568811]: DEBUG:Scan completed at: Tue Nov 23 14:38:01 2021
Nov 23 14:38:01 mx02 root[568811]: DEBUG:Scan time:         1 sec (0:00:01)
Nov 23 14:38:01 mx02 root[568811]: DEBUG:Total:             files - 1, objects 10
Nov 23 14:38:01 mx02 root[568811]: DEBUG:Detected:          files - 0, objects 0
Nov 23 14:38:01 mx02 root[568811]: DEBUG:Cleaned:           files - 0, objects 0
Nov 23 14:38:01 mx02 root[568811]: DEBUG:
Nov 23 14:38:01 mx02 root[568811]: pmg-custom-check OK /var/spool/pmg/active/2A18xxxxxxxxx6470

File comes to my outlook - my eset endpoint security immediately detects this virus.

Code:
root@mx01:~# /opt/eset/efs/sbin/cls/cls -v
/opt/eset/efs/sbin/cls/cls 1.1.1.0
root@mx01:~#

My pmg-custom-check:
Code:
#!/usr/bin/perl -w
# PMG custom check wrapping the ESET on-demand scanner.
# PMG calls: pmg-custom-check v1 QUEUEFILENAME and expects two lines of
# output: the API version ("v1") and the verdict ("OK" or "VIRUS: ...").
use strict;
use warnings;
use File::Copy "cp";
use File::Basename "basename";

my $av_name    = "Eset";
my $av_version = "0.0";

## V4.X (esets_scan)
my $esets_bin = "/opt/eset/esets/sbin/esets_scan";
my $esets_arg = "--clean-mode=none";

## V7.X (cls, also used by version 8)
my $efs_bin  = "/opt/eset/efs/sbin/cls/cls";
my $efs_arg  = "--clean-mode=none";
my $efs_bdir = "--base-dir=/var/opt/eset/efs/lib";

## logger to /var/log/syslog
my $logger_bin = "/usr/bin/logger";
my $logger_arg = "-i";

## debug: 0 = quiet, 1 = log scanner output, 2 = also keep infected queue files under $debug_dir
my $debug     = 1;
my $debug_dir = "/tmp/debug/";

## block password-protected / damaged archives (objects the scanner cannot inspect)?
my $strict = 0;

mkdir $debug_dir if ( $debug > 1 && !-d $debug_dir );
my $cmd;

open( my $logger, "| $logger_bin $logger_arg " ) or die "can't start logger: $!";

$av_version = "4.X" if ( -e $esets_bin );
$av_version = "7.X" if ( -e $efs_bin );

my $apiversion = shift || die 'APIVERSION required.';
my $filename   = shift || die 'QUEUEFILENAME required.';

die "Wrong AV Version."   if ( $av_version eq "0.0" );
die "Wrong API Version."  if ( $apiversion ne "v1" );
die "FILENAME not found." if ( !-e $filename );

# list form of open: the file name is passed as a single argument, never through a shell
if ( $av_version eq "4.X" ) { open( $cmd, '-|', $esets_bin, $esets_arg, $filename ) || die "can't exec esets scan: $! : ERROR"; }
if ( $av_version eq "7.X" ) { open( $cmd, '-|', $efs_bin, $efs_bdir, $efs_arg, $filename ) || die "can't exec esets scan: $! : ERROR"; }

my $vinfo = "OK";

# The scanner prints one line per detected object:
#   name="<file> >> MIME >> <part>", result="<threat>", action="retained", info="<note>"
# (esets_scan 4.x writes threat= instead of result=). Clean files produce no such line.
while ( defined( my $line = <$cmd> ) ) {
    chomp $line;

    print $logger "DEBUG:" . $line, "\n" if ( $debug > 0 );
    $line =~ s/result=/threat=/g if ( $av_version eq "7.X" );
    if ( $line =~ m/^name=\"(.*)\".*threat=\"(.*)\".*action=\"(.*)\".*info=\"(.*)\"$/ ) {
        # copy the captures before running any further match, which would reset $1..$4
        my ( $name, $threat, $action, $info ) = ( $1, $2, $3, $4 );
        # objects the scanner could not look into: only block them in strict mode
        next if ( $strict < 1 && ( $info =~ m/password-protected/ || $info =~ m/archive damaged/ ) );
        # later (deeper) objects overwrite earlier ones, so the innermost detection wins
        $vinfo = "VIRUS: " . $threat . " " . $info . "($av_name)";
        print $logger "DEBUG: " . $vinfo, "\n" if ( $debug > 0 );
    }
}
close($cmd);

# keep a copy of the infected queue file for analysis when debugging
# ('not' binds weaker than '&&', so '!' is used here to get the intended condition)
my $debug_copy = $debug_dir . basename($filename);
cp( $filename, $debug_dir )
  if ( $vinfo ne "OK" && $debug > 1 && !-e $debug_copy );

print join( "\n", "v1", $vinfo ), "\n";
print $logger join( " ", "pmg-custom-check", $vinfo, $filename ) . "\n" if ( $debug > 0 );
close($logger);
exit 0;

I have no idea what is wrong

Thx

Dirk


edit:

A manual scan of the eml file:

Code:
root@mx01:/tmp/debug# /opt/eset/efs/sbin/cls/cls --clean-mode=none /tmp/C0Rxxxxxxx925.eml

ECLS Command-line scanner, version 1.1.1.0, Copyright © 1992-2021 ESET, spol. s r. o. All rights reserved.
Module loader, version 1077 (20200622), build 1140
Module perseus, version 1581.3 (20211015), build 2251
Module scanner, version 24339 (20211123), build 51594
Module archiver, version 1324 (20211011), build 1394
Module advheur, version 1211.2 (20211118), build 1218

Command line: --clean-mode=none /tmp/C0R84301T61018925.eml

Scan started at:   Tue Nov 23 14:52:51 2021
name="/tmp/C0R84301T61018925.eml", result="a variant of Generik.DCZCEEP trojan", action="retained", info=""
name="/tmp/C0R84301T61018925.eml >> MIME >> Arrival Notice, CIA Awb Inv Form.pdf.img", result="a variant of Generik.DCZCEEP trojan", action="retained", info=""
name="/tmp/C0R84301T61018925.eml >> MIME >> Arrival Notice, CIA Awb Inv Form.pdf.img >> ISO >> Arrival Notice, CIA Awb Inv Form.pdf.exe", result="a variant of Generik.DCZCEEP trojan", action="retained", info=""

Scan completed at: Tue Nov 23 14:52:51 2021
Scan time:         0 sec (0:00:00)
Total:             files - 1, objects 6
Detected:          files - 1, objects 1
Cleaned:           files - 0, objects 0

root@mx01:/tmp/debug#
 