[SOLVED] virus detected but send

[andreasallee3]

This is a big problem. clamav detects a virus, but the email is send thru. Also there is no way to block a archive that could not be unpacked.

Here is the log (i changed some names and ipadresses for privacy reasons):

Mar 17 16:35:28 pmg postfix/smtpd[109597]: connect from mout.kundenserver.de[212.227.17.24]
Mar 17 16:35:28 pmg postfix/smtpd[109597]: NOQUEUE: client=mout.kundenserver.de[212.227.17.24]
Mar 17 16:35:28 pmg pmg-smtp-filter[109598]: 14B56623355402F876: new mail message-id=<kcis.53709C30E7FA43B786E8135D89DA46BD@mymail>#012
Mar 17 16:35:28 pmg pmg-smtp-filter[109598]: 14B56623355402F876: virus detected: Heuristics.Encrypted.Zip (clamav)
Mar 17 16:35:28 pmg pmg-smtp-filter[109598]: 14B56623355402F876: found archive 'AWLAmmonitore speciale BIMU-1.eml' (message/rfc822)
Mar 17 16:35:28 pmg pmg-smtp-filter[109598]: 14B56623355402F876: unpack failed - child '110656' failed: 512
Mar 17 16:35:28 pmg pmg-smtp-filter[109598]: 14B56623355402F876: unpack archive 'AWLAmmonitore speciale BIMU-1.eml' done (44 ms)
Mar 17 16:35:31 pmg pmg-smtp-filter[109598]: 14B56623355402F876: SA score=4/5 time=3.213 bayes=undefined autolearn=no autolearn_force=no hits=ClamAVHeuristics(3),AWL(-0.070),HTML_MESSAGE(0.001),KAM_DMARC_STATUS(0.01),KAM_LAZY_DOMAIN_SECURITY(1),KAM_NUMSUBJECT(0.5),MIME_HTML_ONLY(0.1),RCVD_IN_MSPIKE_H2(-0.001),SPF_HELO_NONE(0.001),SPF_NONE(0.001),T_SCC_BODY_TEXT_LINE(-0.01),XPRIO(0.167)
Mar 17 16:35:31 pmg postfix/smtpd[109052]: connect from localhost[127.0.0.1]
Mar 17 16:35:31 pmg postfix/smtpd[109052]: 85DB014B5F: client=localhost[127.0.0.1], orig_client=mout.kundenserver.de[212.227.17.24]
Mar 17 16:35:31 pmg postfix/cleanup[109053]: 85DB014B5F: message-id=<kcis.53709C30E7FA43B786E8135D89DA46BD@mymail>
Mar 17 16:35:31 pmg postfix/qmgr[108144]: 85DB014B5F: from=<myemail@sender.de>, size=55632, nrcpt=1 (queue active)
Mar 17 16:35:31 pmg postfix/smtpd[109052]: disconnect from localhost[127.0.0.1] ehlo=1 xforward=1 mail=1 rcpt=1 data=1 commands=5
Mar 17 16:35:31 pmg pmg-smtp-filter[109598]: 14B56623355402F876: accept mail to <myemail@receiver.de> (85DB014B5F) (rule: rule_possibleSpam (Level 2))
Mar 17 16:35:31 pmg pmg-smtp-filter[109598]: 14B56623355402F876: processing time: 3.358 seconds (3.213, 0.027, 0)
Mar 17 16:35:31 pmg postfix/smtpd[109597]: proxy-accept: END-OF-MESSAGE: 250 2.5.0 OK (14B56623355402F876); from=<myemail@sender.de> to=<myemail@receiver.de> proto=ESMTP helo=<mout.kundenserver.de>
Mar 17 16:35:31 pmg postfix/smtp[109054]: 85DB014B5F: to=<myemail@receiver.de>, relay=0.0.0.10[0.0.0.10]:25, delay=0.04, delays=0.01/0/0/0.03, dsn=2.0.0, status=sent (250 Message accepted for delivery)
Mar 17 16:35:31 pmg postfix/qmgr[108144]: 85DB014B5F: removed
Mar 17 16:35:31 pmg postfix/smtpd[109597]: disconnect from mout.kundenserver.de[212.227.17.24] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5

 

[hata_ph]

Is your virus mail rule higher priority than rule_possibleSpam (Level 2)?

 

[andreasallee3]

yes it is...

prio 95 block viruses
prio 80 possible spam

 

[hata_ph]

show detail of your block viruses rule.

 

[andreasallee3]

it is the standard:

 

[hata_ph]

Is the virus a password protected zip file?
Did you enable block encrypted archivces and document?

 

[andreasallee3]

These are our settings:


I can open the zip file on a computer without problems and it is not password protected. Inside the zip there is a xlsm without special characters in the name....

:-|

 

[pietroaretino]

Hey just want to include that I too have received this:

Mar 17 15:59:11 mailgate postfix/smtpd[1005394]: connect from vps-5730229.nextfranquias.com.br[162.214.174.112]
Mar 17 15:59:12 mailgate postfix/smtpd[1005394]: Anonymous TLS connection established from vps-5730229.nextfranquias.com.br[162.214.174.112]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Mar 17 15:59:12 mailgate postfix/smtpd[1005394]: EEF10E1178: client=vps-5730229.nextfranquias.com.br[162.214.174.112]
Mar 17 15:59:13 mailgate postfix/cleanup[1005779]: EEF10E1178: message-id=<>
Mar 17 15:59:13 mailgate postfix/qmgr[790]: EEF10E1178: from=<obrassjb@saojosedobarreiro.sp.gov.br>, size=27985, nrcpt=1 (queue active)
Mar 17 15:59:13 mailgate pmg-smtp-filter[1005895]: 12079D62334CC14BBC2: new mail message-id=
Mar 17 15:59:13 mailgate pmg-smtp-filter[1005895]: 12079D62334CC14BBC2: virus detected: Heuristics.Encrypted.Zip (clamav)
Mar 17 15:59:13 mailgate pmg-smtp-filter[1005895]: 12079D62334CC14BBC2: found archive '7861_17032022-1.zip' (application/zip)
Mar 17 15:59:13 mailgate pmg-smtp-filter[1005895]: 12079D62334CC14BBC2: unpack failed - child '1005906' failed: 512
Mar 17 15:59:13 mailgate pmg-smtp-filter[1005895]: 12079D62334CC14BBC2: unpack archive '7861_17032022-1.zip' done (45 ms)
Mar 17 15:59:13 mailgate postfix/smtpd[1005394]: disconnect from vps-5730229.nextfranquias.com.br[162.214.174.112] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Mar 17 15:59:15 mailgate pmg-smtp-filter[1005895]: 12079D62334CC14BBC2: SA score=3/5 time=1.967 bayes=0.00 autolearn=no autolearn_force=no hits=ClamAVHeuristics(3),BAYES_00(-1.9),DKIM_SIGNED(0.1),DKIM_VALID(-0.1),DKIM_VALID_AU(-0.1),HTML_MESSAGE(0.001),KAM_QUITE_BAD_DNSWL(3.25),MIME_HTML_ONLY(0.1),MISSING_MID(0.497),NAME_EMAIL_DIFF(2.701),RCVD_IN_BL_SPAMCOP_NET(1.347),RCVD_IN_DNSWL_HI(-5),SPF_HELO_PASS(-0.001),SPF_PASS(-0.001),T_SCC_BODY_TEXT_LINE(-0.01),URIBL_BLOCKED(0.001)
Mar 17 15:59:15 mailgate postfix/smtpd[1005786]: connect from localhost.localdomain[127.0.0.1]
Mar 17 15:59:15 mailgate postfix/smtpd[1005786]: 64F34E1196: client=localhost.localdomain[127.0.0.1], orig_client=vps-5730229.nextfranquias.com.br[162.214.174.112]
Mar 17 15:59:15 mailgate postfix/cleanup[1005567]: 64F34E1196: message-id=<20220317145915.64F34E1196@myserver.domain.com>
Mar 17 15:59:15 mailgate postfix/qmgr[790]: 64F34E1196: from=<obrassjb@saojosedobarreiro.sp.gov.br>, size=29585, nrcpt=1 (queue active)
Mar 17 15:59:15 mailgate postfix/smtpd[1005786]: disconnect from localhost.localdomain[127.0.0.1] ehlo=1 xforward=1 mail=1 rcpt=1 data=1 commands=5
Mar 17 15:59:15 mailgate pmg-smtp-filter[1005895]: 12079D62334CC14BBC2: accept mail to <my.user@domain.com> (64F34E1196) (rule: default-accept)
Mar 17 15:59:15 mailgate pmg-smtp-filter[1005895]: 12079D62334CC14BBC2: processing time: 2.152 seconds (1.967, 0.036, 0)
Mar 17 15:59:15 mailgate postfix/lmtp[1005767]: EEF10E1178: to=<my.user@domain.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=3, delays=0.83/0/0/2.2, dsn=2.5.0, status=sent (250 2.5.0 OK (12079D62334CC14BBC2))
Mar 17 15:59:15 mailgate postfix/qmgr[790]: EEF10E1178: removed
Mar 17 15:59:15 mailgate postfix/smtp[1005901]: Trusted TLS connection established to 192.168.1.80[192.168.1.80]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)
Mar 17 15:59:16 mailgate postfix/smtp[1005901]: 64F34E1196: to=<my.user@domain.com>, relay=192.168.1.80[192.168.1.80]:25, delay=1.1, delays=0.05/0/0.06/1, dsn=2.6.0, status=sent (250 2.6.0 <20220317145915.64F34E1196@myserver.domain.com> [InternalId=73864847556823, Hostname=srvex2013.domain.com] Queued mail for delivery)
Mar 17 15:59:16 mailgate postfix/qmgr[790]: 64F34E1196: removed

'
Are your logs similar? @hata_ph

 

[hata_ph]

What is your Heuristic Score?
Refer to thread (https://forum.proxmox.com/threads/spam-filter.74719/) regarding clamav heuristic score and encrypted archives.

 

[pietroaretino]

What is your Heuristic Score?
Refer to thread (https://forum.proxmox.com/threads/spam-filter.74719/) regarding clamav heuristic score and encrypted archives.

View attachment 35274

Mine was set to 3.
I have since increased it to 5. I will update this thread in hopes that it also benefits OP.

 

[andreasallee3]

Also 3... should we switch to 5?

Thank you for helping

 

[andreasallee3]

switched to 5, but it does not change the behaviour...

 

[hata_ph]

switched to 5, but it does not change the behaviour...

Pls show your syslog from tracking center.
As you can see it will add 5 heuristic score to spamassassin score and hit my quarantine level 5 spam rule.

Mar 18 15:35:12 pmg postfix/smtpd[115503]: connect from mail.superns.com[218.208.91.110]
Mar 18 15:35:12 pmg postfix/smtpd[115503]: NOQUEUE: client=mail.superns.com[218.208.91.110]
Mar 18 15:35:12 pmg pmg-smtp-filter[116247]: 40AA762343630D7ECF: new mail message-id=
Mar 18 15:35:12 pmg pmg-smtp-filter[116247]: 40AA762343630D7ECF: virus detected: Heuristics.Encrypted.Zip (clamav)
Mar 18 15:35:12 pmg pmg-smtp-filter[116247]: 40AA762343630D7ECF: SA score=5/5 time=0.000 bayes=undefined autolearn=no hits=ClamAVHeuristics(5)
Mar 18 15:35:12 pmg pmg-smtp-filter[116247]: 40AA762343630D7ECF: notify <admin@mydomain.com> (rule: Quarantine/Mark Incoming Spam (Level 5), E1F6B40ADE)
Mar 18 15:35:12 pmg pmg-smtp-filter[116247]: 40AA762343630D7ECF: moved mail for <user@mydomain.com> to spam quarantine - 40B1062343630E3C5B (rule: Quarantine Suspicious From/Sender)
Mar 18 15:35:12 pmg pmg-smtp-filter[116247]: 40AA762343630D7ECF: processing time: 0.051 seconds (0, 0.016, 0)
Mar 18 15:35:12 pmg postfix/smtpd[115503]: proxy-accept: END-OF-MESSAGE: 250 2.5.0 OK (40AA762343630D7ECF); from=<vrodriguez@alegrahomes.com> to=<user@mydomain.com> proto=ESMTP helo=<mail.superns.com>
Mar 18 15:35:12 pmg postfix/smtpd[115503]: disconnect from mail.superns.com[218.208.91.110] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5

 

[andreasallee3]

Ich denke es ist ein Problem, wenn ein Archiv nicht entpackt werden kann.
Denn auch, wenn ich "Blockiere verschlüsselte..." deaktiviere, dann kann pmg die Datei nicht entpacken und die Zip mit dem Excelmacro geht durch. Auf einem PC kann ich die Die Datei aber ohne Probleme entpacken und den Inhalt ausführen. Die Zip Datei hat kein Passwort! Die Email landet zwar in Quarantäne, aber das ist nicht die Lösung, wenn eine Zip nicht entpackt werden kann.

Mar 17 16:35:28 pmg pmg-smtp-filter[109598]: 14B56623355402F876: virus detected: Heuristics.Encrypted.Zip (clamav)
Mar 17 16:35:28 pmg pmg-smtp-filter[109598]: 14B56623355402F876: found archive 'AWLAmmonitore speciale BIMU-1.eml' (message/rfc822)
Mar 17 16:35:28 pmg pmg-smtp-filter[109598]: 14B56623355402F876: unpack failed - child '110656' failed: 512
Mar 17 16:35:28 pmg pmg-smtp-filter[109598]: 14B56623355402F876: unpack archive 'AWLAmmonitore speciale BIMU-1.eml' done (44 ms)

 

[andreasallee3]

Keine eine Idee woran das liegt?

 

[hata_ph]

Pls write in English as I do not understand what you are saying.
Pls show what is the SA score of the spam mail.

 

[andreasallee3]

I think it's a problem when an archive can't be unpacked.

Because even if I deactivate "Block encrypted...", then pmg cannot unpack the file and the zip with the Excel macro goes through.
On a PC, however, I can unzip the file and run the content without any problems.
The zip file has no password!
The email ends up in quarantine, but this is not the solution if a zip cannot be extracted.

Heres a fresh test.
Accept encrypted zip.

Filter excelmacros:


This is the file inside the zip that the pmg was not able to unpack, but my computer does:

Mar 21 14:05:15 hanpmg postfix/smtpd[8299]: connect from mout.kundenserver.de[212.227.126.133]
Mar 21 14:05:15 hanpmg postfix/smtpd[8299]: Anonymous TLS connection established from mout.kundenserver.de[212.227.126.133]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (4096 bits) server-digest SHA256
Mar 21 14:05:16 hanpmg postfix/smtpd[8299]: NOQUEUE: client=mout.kundenserver.de[212.227.126.133]
Mar 21 14:05:16 hanpmg pmg-smtp-filter[7914]: 2E6356238780C3D578: found archive 'gescanntes-Dokument 2022-1.17.03_1321.zip' (application/zip)
Mar 21 14:05:16 hanpmg pmg-smtp-filter[7914]: 2E6356238780C3D578: unpack failed - child '8308' failed: 512
Mar 21 14:05:16 hanpmg pmg-smtp-filter[7914]: 2E6356238780C3D578: unpack archive 'gescanntes-Dokument 2022-1.17.03_1321.zip' done (84 ms)
Mar 21 14:05:17 hanpmg pmg-smtp-filter[7914]: 2E6356238780C3D578: SA score=1/5 time=0.750 bayes=undefined autolearn=no autolearn_force=no hits=AWL(0.178),HTML_MESSAGE(0.001),KAM_DMARC_STATUS(0.01),KAM_LAZY_DOMAIN_SECURITY(1),KAM_NUMSUBJECT(0.5),MIME_HTML_ONLY(0.1),RCVD_IN_DNSWL_NONE(-0.0001),RCVD_IN_MSPIKE_H3(-0.01),RCVD_IN_MSPIKE_WL(-0.01),SPF_HELO_NONE(0.001),SPF_NONE(0.001),T_SCC_BODY_TEXT_LINE(-0.01)
Mar 21 14:05:17 hanpmg postfix/smtpd[7911]: connect from localhost[127.0.0.1]
Mar 21 14:05:17 hanpmg postfix/smtpd[7911]: 2ABF92E5FC: client=localhost[127.0.0.1], orig_client=mout.kundenserver.de[212.227.126.133]
Mar 21 14:05:17 hanpmg postfix/cleanup[7912]: 2ABF92E5FC: message-id=<kcis.193B3591198D4610922BA344C9FC4E82@wMailEins>
Mar 21 14:05:17 hanpmg postfix/qmgr[448]: 2ABF92E5FC: from=<.de>, size=29815, nrcpt=1 (queue active)
Mar 21 14:05:17 hanpmg postfix/smtpd[7911]: disconnect from localhost[127.0.0.1] ehlo=1 xforward=1 mail=1 rcpt=1 data=1 commands=5
Mar 21 14:05:17 hanpmg pmg-smtp-filter[7914]: 2E6356238780C3D578: accept mail to <.com> (2ABF92E5FC) (rule: default-accept)
Mar 21 14:05:17 hanpmg pmg-smtp-filter[7914]: 2E6356238780C3D578: processing time: 0.973 seconds (0.75, 0.037, 0)
Mar 21 14:05:17 hanpmg postfix/smtpd[8299]: proxy-accept: END-OF-MESSAGE: 250 2.5.0 OK (2E6356238780C3D578); from=<de> to=<.com> proto=ESMTP helo=<mout.kundenserver.de>
Mar 21 14:05:17 hanpmg postfix/smtpd[8299]: disconnect from mout.kundenserver.de[212.227.126.133] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Mar 21 14:05:17 hanpmg postfix/smtp[7913]: 2ABF92E5FC: to=<.com>, relay=172.17.201.10[172.17.201.10]:25, delay=0.1, delays=0.05/0/0.01/0.04, dsn=2.0.0, status=sent (250 Message accepted for delivery)
Mar 21 14:05:17 hanpmg postfix/qmgr[448]: 2ABF92E5FC: removed

 

[hata_ph]

Pls attach the zip file for checking.

 

[andreasallee3]

sure

 

[hata_ph]

pls provide the password.