[SOLVED] virus detected but sent

andreasallee3 (Member), Mar 17, 2022
This is a big problem. ClamAV detects a virus, but the email is sent through. Also, there is no way to block an archive that could not be unpacked.

Here is the log (I changed some names and IP addresses for privacy reasons):

Mar 17 16:35:28 pmg postfix/smtpd[109597]: connect from mout.kundenserver.de[212.227.17.24]
Mar 17 16:35:28 pmg postfix/smtpd[109597]: NOQUEUE: client=mout.kundenserver.de[212.227.17.24]
Mar 17 16:35:28 pmg pmg-smtp-filter[109598]: 14B56623355402F876: new mail message-id=<kcis.53709C30E7FA43B786E8135D89DA46BD@mymail>#012
Mar 17 16:35:28 pmg pmg-smtp-filter[109598]: 14B56623355402F876: virus detected: Heuristics.Encrypted.Zip (clamav)
Mar 17 16:35:28 pmg pmg-smtp-filter[109598]: 14B56623355402F876: found archive 'AWLAmmonitore speciale BIMU-1.eml' (message/rfc822)
Mar 17 16:35:28 pmg pmg-smtp-filter[109598]: 14B56623355402F876: unpack failed - child '110656' failed: 512
Mar 17 16:35:28 pmg pmg-smtp-filter[109598]: 14B56623355402F876: unpack archive 'AWLAmmonitore speciale BIMU-1.eml' done (44 ms)
Mar 17 16:35:31 pmg pmg-smtp-filter[109598]: 14B56623355402F876: SA score=4/5 time=3.213 bayes=undefined autolearn=no autolearn_force=no hits=ClamAVHeuristics(3),AWL(-0.070),HTML_MESSAGE(0.001),KAM_DMARC_STATUS(0.01),KAM_LAZY_DOMAIN_SECURITY(1),KAM_NUMSUBJECT(0.5),MIME_HTML_ONLY(0.1),RCVD_IN_MSPIKE_H2(-0.001),SPF_HELO_NONE(0.001),SPF_NONE(0.001),T_SCC_BODY_TEXT_LINE(-0.01),XPRIO(0.167)
Mar 17 16:35:31 pmg postfix/smtpd[109052]: connect from localhost[127.0.0.1]
Mar 17 16:35:31 pmg postfix/smtpd[109052]: 85DB014B5F: client=localhost[127.0.0.1], orig_client=mout.kundenserver.de[212.227.17.24]
Mar 17 16:35:31 pmg postfix/cleanup[109053]: 85DB014B5F: message-id=<kcis.53709C30E7FA43B786E8135D89DA46BD@mymail>
Mar 17 16:35:31 pmg postfix/qmgr[108144]: 85DB014B5F: from=<myemail@sender.de>, size=55632, nrcpt=1 (queue active)
Mar 17 16:35:31 pmg postfix/smtpd[109052]: disconnect from localhost[127.0.0.1] ehlo=1 xforward=1 mail=1 rcpt=1 data=1 commands=5
Mar 17 16:35:31 pmg pmg-smtp-filter[109598]: 14B56623355402F876: accept mail to <myemail@receiver.de> (85DB014B5F) (rule: rule_possibleSpam (Level 2))
Mar 17 16:35:31 pmg pmg-smtp-filter[109598]: 14B56623355402F876: processing time: 3.358 seconds (3.213, 0.027, 0)
Mar 17 16:35:31 pmg postfix/smtpd[109597]: proxy-accept: END-OF-MESSAGE: 250 2.5.0 OK (14B56623355402F876); from=<myemail@sender.de> to=<myemail@receiver.de> proto=ESMTP helo=<mout.kundenserver.de>
Mar 17 16:35:31 pmg postfix/smtp[109054]: 85DB014B5F: to=<myemail@receiver.de>, relay=0.0.0.10[0.0.0.10]:25, delay=0.04, delays=0.01/0/0/0.03, dsn=2.0.0, status=sent (250 Message accepted for delivery)
Mar 17 16:35:31 pmg postfix/qmgr[108144]: 85DB014B5F: removed
Mar 17 16:35:31 pmg postfix/smtpd[109597]: disconnect from mout.kundenserver.de[212.227.17.24] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
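To check systematically whether messages that ClamAV flagged, or whose attachment failed to unpack, still reached a recipient, here is an added example (not part of the original post and not Proxmox Mail Gateway code) that groups pmg-smtp-filter lines by the filter queue id and lists every message that was accepted despite a "virus detected" or "unpack failed" event. The log lines embedded below are constructed, modelled on the ones quoted above with placeholder hosts, addresses and file names. The number in "failed: 512" is decoded as a wait status the way a Perl parent process reports a child's exit code (512 >> 8 = 2); the ClamAVHeuristics value from the SA hits is extracted too, since that is what carries a heuristic detection into the spam score.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the pmg-smtp-filter lines quoted in this thread.
# Hosts, addresses and file names are placeholders, not real data.
SAMPLE_LOG = """\
Mar 17 16:35:28 pmg pmg-smtp-filter[109598]: 14B56623355402F876: new mail message-id=<a@example.invalid>
Mar 17 16:35:28 pmg pmg-smtp-filter[109598]: 14B56623355402F876: virus detected: Heuristics.Encrypted.Zip (clamav)
Mar 17 16:35:28 pmg pmg-smtp-filter[109598]: 14B56623355402F876: found archive 'invoice.zip' (application/zip)
Mar 17 16:35:28 pmg pmg-smtp-filter[109598]: 14B56623355402F876: unpack failed - child '110656' failed: 512
Mar 17 16:35:31 pmg pmg-smtp-filter[109598]: 14B56623355402F876: SA score=4/5 time=3.213 bayes=undefined autolearn=no hits=ClamAVHeuristics(3),HTML_MESSAGE(0.001)
Mar 17 16:35:31 pmg pmg-smtp-filter[109598]: 14B56623355402F876: accept mail to <user@example.invalid> (85DB014B5F) (rule: rule_possibleSpam (Level 2))
Mar 18 15:35:12 pmg pmg-smtp-filter[116247]: 40AA762343630D7ECF: new mail message-id=
Mar 18 15:35:12 pmg pmg-smtp-filter[116247]: 40AA762343630D7ECF: virus detected: Heuristics.Encrypted.Zip (clamav)
Mar 18 15:35:12 pmg pmg-smtp-filter[116247]: 40AA762343630D7ECF: SA score=5/5 time=0.000 bayes=undefined autolearn=no hits=ClamAVHeuristics(5)
Mar 18 15:35:12 pmg pmg-smtp-filter[116247]: 40AA762343630D7ECF: moved mail for <user@example.invalid> to spam quarantine - 40B1062343630E3C5B (rule: Quarantine Suspicious From/Sender)
Mar 21 14:05:16 pmg pmg-smtp-filter[7914]: 2E6356238780C3D578: found archive 'scan.zip' (application/zip)
Mar 21 14:05:16 pmg pmg-smtp-filter[7914]: 2E6356238780C3D578: unpack failed - child '8308' failed: 512
Mar 21 14:05:17 pmg pmg-smtp-filter[7914]: 2E6356238780C3D578: SA score=1/5 time=0.750 bayes=undefined autolearn=no hits=AWL(0.178)
Mar 21 14:05:17 pmg pmg-smtp-filter[7914]: 2E6356238780C3D578: accept mail to <user@example.invalid> (2ABF92E5FC) (rule: default-accept)
"""

# syslog prefix + filter queue id; everything after the id is the event text
FILTER_RE = re.compile(
    r"^\w{3} +\d+ [\d:]+ \S+ pmg-smtp-filter\[\d+\]: (?P<qid>[0-9A-F]+): (?P<msg>.*)$"
)
VIRUS_RE = re.compile(r"^virus detected: (?P<sig>\S+)")
UNPACK_FAIL_RE = re.compile(r"^unpack failed - child '\d+' failed: (?P<status>\d+)")
SA_RE = re.compile(r"^SA score=(?P<score>-?\d+)/(?P<level>\d+).*\bhits=(?P<hits>\S*)")
HEUR_RE = re.compile(r"ClamAVHeuristics\((?P<v>[-\d.]+)\)")
ACCEPT_RE = re.compile(
    r"^accept mail to <(?P<rcpt>[^>]*)> \((?P<pqid>[0-9A-F]+)\) \(rule: (?P<rule>.*)\)$"
)
QUAR_RE = re.compile(r"^moved mail for <(?P<rcpt>[^>]*)> to (?P<kind>\w+) quarantine")


def _new_record():
    return {"virus": [], "unpack_failed": False, "unpack_exit": None,
            "sa_score": None, "clamav_heuristic": None,
            "accepted": [], "quarantined": []}


def parse_filter_log(text):
    """Group pmg-smtp-filter events by filter queue id."""
    msgs = defaultdict(_new_record)
    for line in text.splitlines():
        m = FILTER_RE.match(line)
        if not m:
            continue  # postfix and other daemons are not relevant here
        rec, body = msgs[m["qid"]], m["msg"]
        if (v := VIRUS_RE.match(body)):
            rec["virus"].append(v["sig"])
        elif (u := UNPACK_FAIL_RE.match(body)):
            rec["unpack_failed"] = True
            # 'failed: 512' is a wait status as Perl's $? reports it: exit code in the high byte
            rec["unpack_exit"] = int(u["status"]) >> 8
        elif (s := SA_RE.match(body)):
            rec["sa_score"] = int(s["score"])
            if (h := HEUR_RE.search(s["hits"])):
                rec["clamav_heuristic"] = float(h["v"])
        elif (a := ACCEPT_RE.match(body)):
            rec["accepted"].append((a["rcpt"], a["rule"]))
        elif (q := QUAR_RE.match(body)):
            rec["quarantined"].append(q["rcpt"])
    return dict(msgs)


def find_suspicious_deliveries(msgs):
    """Queue ids delivered to a recipient although ClamAV alerted or an archive could not be unpacked."""
    findings = {}
    for qid, rec in sorted(msgs.items()):
        if not rec["accepted"]:
            continue  # quarantined or rejected: nothing reached the mailbox
        reasons = []
        if rec["virus"]:
            reasons.append("clamav:" + ",".join(rec["virus"]))
        if rec["unpack_failed"]:
            reasons.append(f"unpack_failed(exit={rec['unpack_exit']})")
        if reasons:
            findings[qid] = reasons
    return findings


if __name__ == "__main__":
    msgs = parse_filter_log(SAMPLE_LOG)
    for qid, reasons in find_suspicious_deliveries(msgs).items():
        rule = msgs[qid]["accepted"][0][1]
        print(f"{qid}: delivered by rule '{rule}' despite {'; '.join(reasons)}")
```

Run it over the real /var/log/syslog (or journalctl output) instead of SAMPLE_LOG to get the list of queue ids worth pulling from the tracking center; the rule name printed next to each is the one that let the message through, which is the rule to tighten.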
 
Is the virus a password-protected zip file?
Did you enable "block encrypted archives and documents"?

[screenshot attached]
 
These are our settings:
[screenshot of the settings attached]

I can open the zip file on a computer without problems and it is not password protected. Inside the zip there is an .xlsm without special characters in the name....

:-|
 
Hey, I just want to add that I too have received this:
Code:
Mar 17 15:59:11 mailgate postfix/smtpd[1005394]: connect from vps-5730229.nextfranquias.com.br[162.214.174.112]
Mar 17 15:59:12 mailgate postfix/smtpd[1005394]: Anonymous TLS connection established from vps-5730229.nextfranquias.com.br[162.214.174.112]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Mar 17 15:59:12 mailgate postfix/smtpd[1005394]: EEF10E1178: client=vps-5730229.nextfranquias.com.br[162.214.174.112]
Mar 17 15:59:13 mailgate postfix/cleanup[1005779]: EEF10E1178: message-id=<>
Mar 17 15:59:13 mailgate postfix/qmgr[790]: EEF10E1178: from=<obrassjb@saojosedobarreiro.sp.gov.br>, size=27985, nrcpt=1 (queue active)
Mar 17 15:59:13 mailgate pmg-smtp-filter[1005895]: 12079D62334CC14BBC2: new mail message-id=
Mar 17 15:59:13 mailgate pmg-smtp-filter[1005895]: 12079D62334CC14BBC2: virus detected: Heuristics.Encrypted.Zip (clamav)
Mar 17 15:59:13 mailgate pmg-smtp-filter[1005895]: 12079D62334CC14BBC2: found archive '7861_17032022-1.zip' (application/zip)
Mar 17 15:59:13 mailgate pmg-smtp-filter[1005895]: 12079D62334CC14BBC2: unpack failed - child '1005906' failed: 512
Mar 17 15:59:13 mailgate pmg-smtp-filter[1005895]: 12079D62334CC14BBC2: unpack archive '7861_17032022-1.zip' done (45 ms)
Mar 17 15:59:13 mailgate postfix/smtpd[1005394]: disconnect from vps-5730229.nextfranquias.com.br[162.214.174.112] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Mar 17 15:59:15 mailgate pmg-smtp-filter[1005895]: 12079D62334CC14BBC2: SA score=3/5 time=1.967 bayes=0.00 autolearn=no autolearn_force=no hits=ClamAVHeuristics(3),BAYES_00(-1.9),DKIM_SIGNED(0.1),DKIM_VALID(-0.1),DKIM_VALID_AU(-0.1),HTML_MESSAGE(0.001),KAM_QUITE_BAD_DNSWL(3.25),MIME_HTML_ONLY(0.1),MISSING_MID(0.497),NAME_EMAIL_DIFF(2.701),RCVD_IN_BL_SPAMCOP_NET(1.347),RCVD_IN_DNSWL_HI(-5),SPF_HELO_PASS(-0.001),SPF_PASS(-0.001),T_SCC_BODY_TEXT_LINE(-0.01),URIBL_BLOCKED(0.001)
Mar 17 15:59:15 mailgate postfix/smtpd[1005786]: connect from localhost.localdomain[127.0.0.1]
Mar 17 15:59:15 mailgate postfix/smtpd[1005786]: 64F34E1196: client=localhost.localdomain[127.0.0.1], orig_client=vps-5730229.nextfranquias.com.br[162.214.174.112]
Mar 17 15:59:15 mailgate postfix/cleanup[1005567]: 64F34E1196: message-id=<20220317145915.64F34E1196@myserver.domain.com>
Mar 17 15:59:15 mailgate postfix/qmgr[790]: 64F34E1196: from=<obrassjb@saojosedobarreiro.sp.gov.br>, size=29585, nrcpt=1 (queue active)
Mar 17 15:59:15 mailgate postfix/smtpd[1005786]: disconnect from localhost.localdomain[127.0.0.1] ehlo=1 xforward=1 mail=1 rcpt=1 data=1 commands=5
Mar 17 15:59:15 mailgate pmg-smtp-filter[1005895]: 12079D62334CC14BBC2: accept mail to <my.user@domain.com> (64F34E1196) (rule: default-accept)
Mar 17 15:59:15 mailgate pmg-smtp-filter[1005895]: 12079D62334CC14BBC2: processing time: 2.152 seconds (1.967, 0.036, 0)
Mar 17 15:59:15 mailgate postfix/lmtp[1005767]: EEF10E1178: to=<my.user@domain.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=3, delays=0.83/0/0/2.2, dsn=2.5.0, status=sent (250 2.5.0 OK (12079D62334CC14BBC2))
Mar 17 15:59:15 mailgate postfix/qmgr[790]: EEF10E1178: removed
Mar 17 15:59:15 mailgate postfix/smtp[1005901]: Trusted TLS connection established to 192.168.1.80[192.168.1.80]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)
Mar 17 15:59:16 mailgate postfix/smtp[1005901]: 64F34E1196: to=<my.user@domain.com>, relay=192.168.1.80[192.168.1.80]:25, delay=1.1, delays=0.05/0/0.06/1, dsn=2.6.0, status=sent (250 2.6.0 <20220317145915.64F34E1196@myserver.domain.com> [InternalId=73864847556823, Hostname=srvex2013.domain.com] Queued mail for delivery)
Mar 17 15:59:16 mailgate postfix/qmgr[790]: 64F34E1196: removed
Are your logs similar? @hata_ph
 
switched to 5, but it does not change the behaviour... :confused:
Please show your syslog from the tracking center.
As you can see, it adds a heuristic score of 5 to the SpamAssassin score and hits my quarantine level 5 spam rule.

Code:
Mar 18 15:35:12 pmg postfix/smtpd[115503]: connect from mail.superns.com[218.208.91.110]
Mar 18 15:35:12 pmg postfix/smtpd[115503]: NOQUEUE: client=mail.superns.com[218.208.91.110]
Mar 18 15:35:12 pmg pmg-smtp-filter[116247]: 40AA762343630D7ECF: new mail message-id=
Mar 18 15:35:12 pmg pmg-smtp-filter[116247]: 40AA762343630D7ECF: virus detected: Heuristics.Encrypted.Zip (clamav)
Mar 18 15:35:12 pmg pmg-smtp-filter[116247]: 40AA762343630D7ECF: SA score=5/5 time=0.000 bayes=undefined autolearn=no hits=ClamAVHeuristics(5)
Mar 18 15:35:12 pmg pmg-smtp-filter[116247]: 40AA762343630D7ECF: notify <admin@mydomain.com> (rule: Quarantine/Mark Incoming Spam (Level 5), E1F6B40ADE)
Mar 18 15:35:12 pmg pmg-smtp-filter[116247]: 40AA762343630D7ECF: moved mail for <user@mydomain.com> to spam quarantine - 40B1062343630E3C5B (rule: Quarantine Suspicious From/Sender)
Mar 18 15:35:12 pmg pmg-smtp-filter[116247]: 40AA762343630D7ECF: processing time: 0.051 seconds (0, 0.016, 0)
Mar 18 15:35:12 pmg postfix/smtpd[115503]: proxy-accept: END-OF-MESSAGE: 250 2.5.0 OK (40AA762343630D7ECF); from=<vrodriguez@alegrahomes.com> to=<user@mydomain.com> proto=ESMTP helo=<mail.superns.com>
Mar 18 15:35:12 pmg postfix/smtpd[115503]: disconnect from mail.superns.com[218.208.91.110] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
 
I think it is a problem when an archive cannot be unpacked.
Because even if I deactivate "Block encrypted...", PMG cannot unpack the file and the zip with the Excel macro gets through. On a PC, however, I can unpack the file without problems and run the content. The zip file has no password! The email does end up in quarantine, but that is not the solution when a zip cannot be unpacked.

Mar 17 16:35:28 pmg pmg-smtp-filter[109598]: 14B56623355402F876: virus detected: Heuristics.Encrypted.Zip (clamav)
Mar 17 16:35:28 pmg pmg-smtp-filter[109598]: 14B56623355402F876: found archive 'AWLAmmonitore speciale BIMU-1.eml' (message/rfc822)
Mar 17 16:35:28 pmg pmg-smtp-filter[109598]: 14B56623355402F876: unpack failed - child '110656' failed: 512
Mar 17 16:35:28 pmg pmg-smtp-filter[109598]: 14B56623355402F876: unpack archive 'AWLAmmonitore speciale BIMU-1.eml' done (44 ms)

:(
 
Please write in English, as I do not understand what you are saying.
Please show the SA score of the spam mail.
 
I think it's a problem when an archive can't be unpacked.

Even if I deactivate "Block encrypted...", PMG cannot unpack the file and the zip with the Excel macro goes through.
On a PC, however, I can unzip the file and run the content without any problems.
The zip file has no password!
The email ends up in quarantine, but this is not the solution if a zip cannot be extracted.

Here's a fresh test.
Accept encrypted zip.

Filter Excel macros:
[screenshot of the rule attached]

This is the file inside the zip that PMG was not able to unpack, but my computer can:
[screenshot of the file attached]

Mar 21 14:05:15 hanpmg postfix/smtpd[8299]: connect from mout.kundenserver.de[212.227.126.133]
Mar 21 14:05:15 hanpmg postfix/smtpd[8299]: Anonymous TLS connection established from mout.kundenserver.de[212.227.126.133]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (4096 bits) server-digest SHA256
Mar 21 14:05:16 hanpmg postfix/smtpd[8299]: NOQUEUE: client=mout.kundenserver.de[212.227.126.133]
Mar 21 14:05:16 hanpmg pmg-smtp-filter[7914]: 2E6356238780C3D578: found archive 'gescanntes-Dokument 2022-1.17.03_1321.zip' (application/zip)
Mar 21 14:05:16 hanpmg pmg-smtp-filter[7914]: 2E6356238780C3D578: unpack failed - child '8308' failed: 512
Mar 21 14:05:16 hanpmg pmg-smtp-filter[7914]: 2E6356238780C3D578: unpack archive 'gescanntes-Dokument 2022-1.17.03_1321.zip' done (84 ms)
Mar 21 14:05:17 hanpmg pmg-smtp-filter[7914]: 2E6356238780C3D578: SA score=1/5 time=0.750 bayes=undefined autolearn=no autolearn_force=no hits=AWL(0.178),HTML_MESSAGE(0.001),KAM_DMARC_STATUS(0.01),KAM_LAZY_DOMAIN_SECURITY(1),KAM_NUMSUBJECT(0.5),MIME_HTML_ONLY(0.1),RCVD_IN_DNSWL_NONE(-0.0001),RCVD_IN_MSPIKE_H3(-0.01),RCVD_IN_MSPIKE_WL(-0.01),SPF_HELO_NONE(0.001),SPF_NONE(0.001),T_SCC_BODY_TEXT_LINE(-0.01)
Mar 21 14:05:17 hanpmg postfix/smtpd[7911]: connect from localhost[127.0.0.1]
Mar 21 14:05:17 hanpmg postfix/smtpd[7911]: 2ABF92E5FC: client=localhost[127.0.0.1], orig_client=mout.kundenserver.de[212.227.126.133]
Mar 21 14:05:17 hanpmg postfix/cleanup[7912]: 2ABF92E5FC: message-id=<kcis.193B3591198D4610922BA344C9FC4E82@wMailEins>
Mar 21 14:05:17 hanpmg postfix/qmgr[448]: 2ABF92E5FC: from=<.de>, size=29815, nrcpt=1 (queue active)
Mar 21 14:05:17 hanpmg postfix/smtpd[7911]: disconnect from localhost[127.0.0.1] ehlo=1 xforward=1 mail=1 rcpt=1 data=1 commands=5
Mar 21 14:05:17 hanpmg pmg-smtp-filter[7914]: 2E6356238780C3D578: accept mail to <.com> (2ABF92E5FC) (rule: default-accept)
Mar 21 14:05:17 hanpmg pmg-smtp-filter[7914]: 2E6356238780C3D578: processing time: 0.973 seconds (0.75, 0.037, 0)
Mar 21 14:05:17 hanpmg postfix/smtpd[8299]: proxy-accept: END-OF-MESSAGE: 250 2.5.0 OK (2E6356238780C3D578); from=<de> to=<.com> proto=ESMTP helo=<mout.kundenserver.de>
Mar 21 14:05:17 hanpmg postfix/smtpd[8299]: disconnect from mout.kundenserver.de[212.227.126.133] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Mar 21 14:05:17 hanpmg postfix/smtp[7913]: 2ABF92E5FC: to=<.com>, relay=172.17.201.10[172.17.201.10]:25, delay=0.1, delays=0.05/0/0.01/0.04, dsn=2.0.0, status=sent (250 Message accepted for delivery)
Mar 21 14:05:17 hanpmg postfix/qmgr[448]: 2ABF92E5FC: removed
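To see what a gateway scanner actually gets from the archive headers, independent of whether a desktop unzip tool opens the file, here is an added example (not from any post in this thread and not PMG or ClamAV code) that inspects each entry of a zip: general purpose flag bit 0, which the PKWARE APPNOTE defines as "encrypted", the compression method, and whether a password-less extraction succeeds. It then sets that flag on one entry of a constructed archive without encrypting anything, giving an archive whose headers claim encryption and whose extraction fails without a password. My understanding, stated as an assumption, is that this header flag is what ClamAV's Heuristics.Encrypted.Zip keys on, so the check tells you whether the flagged attachment looks encrypted to a scanner regardless of how it behaves on a PC. Entry names, contents and the helper names are all made up for the example.

```python
import io
import struct
import zipfile

ENCRYPTED_BIT = 0x0001          # general purpose flag bit 0 = "encrypted" (PKWARE APPNOTE 4.4.4)
LOCAL_SIG = b"PK\x03\x04"       # local file header signature
CENTRAL_SIG = b"PK\x01\x02"     # central directory header signature


def build_sample_zip():
    """Constructed sample archive: two deflated entries, no encryption at all."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice.xlsm", b"placeholder bytes, not a real workbook")
        zf.writestr("readme.txt", b"harmless text")
    return buf.getvalue()


def set_encrypted_flag(zip_bytes, name):
    """Set the 'encrypted' flag bit on one entry in both the local file header and the
    central directory record, leaving the data itself untouched. The result is an archive
    whose headers claim encryption: a scanner sees 'encrypted', an extractor needs a password."""
    data = bytearray(zip_bytes)
    fname = name.encode()
    # local header layout: sig(4) version(2) flags(2) method(2) time(2) date(2)
    #                      crc(4) csize(4) usize(4) nlen(2) elen(2) name ...
    pos = 0
    while (pos := data.find(LOCAL_SIG, pos)) >= 0:
        nlen = struct.unpack_from("<H", data, pos + 26)[0]
        if data[pos + 30:pos + 30 + nlen] == fname:
            flags = struct.unpack_from("<H", data, pos + 6)[0] | ENCRYPTED_BIT
            struct.pack_into("<H", data, pos + 6, flags)
        pos += 4
    # central directory layout: sig(4) made_by(2) needed(2) flags(2) method(2) time(2) date(2)
    #                           crc(4) csize(4) usize(4) nlen(2) elen(2) clen(2) ... name at +46
    pos = 0
    while (pos := data.find(CENTRAL_SIG, pos)) >= 0:
        nlen = struct.unpack_from("<H", data, pos + 28)[0]
        if data[pos + 46:pos + 46 + nlen] == fname:
            flags = struct.unpack_from("<H", data, pos + 8)[0] | ENCRYPTED_BIT
            struct.pack_into("<H", data, pos + 8, flags)
        pos += 4
    return bytes(data)


def inspect_zip(zip_bytes):
    """Per entry: encrypted flag, compression method, and whether a password-less
    extraction works. zipfile raises RuntimeError for flagged entries without a password
    and NotImplementedError for methods it cannot decode (e.g. 99 = WinZip AES)."""
    report = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            entry = {
                "name": info.filename,
                "encrypted_flag": bool(info.flag_bits & ENCRYPTED_BIT),
                "method": info.compress_type,   # 0 = stored, 8 = deflate, 99 = WinZip AES
                "extractable": True,
                "error": None,
            }
            try:
                with zf.open(info) as fh:
                    fh.read()
            except (RuntimeError, NotImplementedError, zipfile.BadZipFile) as exc:
                entry["extractable"] = False
                entry["error"] = type(exc).__name__
            report.append(entry)
    return report


if __name__ == "__main__":
    clean = build_sample_zip()
    for entry in inspect_zip(clean):
        print("clean  ", entry)
    for entry in inspect_zip(set_encrypted_flag(clean, "invoice.xlsm")):
        print("flagged", entry)
```

To check a real attachment, pass the file's bytes to inspect_zip instead of build_sample_zip(). If every entry reports encrypted_flag False and extracts cleanly here, the encryption flag is not what the gateway tripped over, and the exit status of the unpack helper in the log is the next thing to look at.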
 
