virus mail not avail on Tracking Center

koby
Hello guys,
Please take a look at this.
Mail that arrives at my systems with a virus (detected by Eset)
is not available on the regular mailing list ==> Tracking Center.
Can anyone advise?
Best Regards,

Koby Peleg Hen

Code:
Jan 12 14:41:14 smg01 pmg-smtp-filter[24222]: 7E31B5FFD98E37582D: virus detected: a variant of Win32/TrojanDownloader.Delf.DCX trojan (Eset) (custom)
Jan 12 14:41:15 smg01 pmg-smtp-filter[24222]: 7E31B5FFD98E37582D: SA score=8/5 time=1.098 bayes=undefined autolearn=no autolearn_force=no hits=HTML_MESSAGE(0.001),KAM_DMARC_STATUS(0.01),KAM_LAZY_DOMAIN_SECURITY(1),KHOP_HELO_FCRDNS(0.398),MISSING_HEADERS(1.207),SPF_HELO_NONE(0.001),SPF_NONE(3),URIBL_BLOCKED(3)
Jan 12 14:41:15 smg01 postfix/smtpd[24106]: connect from localhost[127.0.0.1]
Jan 12 14:41:15 smg01 postfix/smtpd[24106]: 6E9E51FED8: client=localhost[127.0.0.1]
Jan 12 14:41:15 smg01 postfix/cleanup[24107]: 6E9E51FED8: message-id=<20210112124115.6E9E51FED8@smg01.localdomain>
Jan 12 14:41:15 smg01 postfix/qmgr[21050]: 6E9E51FED8: from=<postmaster@smg01.localdomain>, size=1688, nrcpt=1 (queue active)
Jan 12 14:41:15 smg01 postfix/smtpd[24106]: disconnect from localhost[127.0.0.1] ehlo=1 mail=1 rcpt=1 data=1 commands=4
Jan 12 14:41:15 smg01 pmg-smtp-filter[24222]: 7E31B5FFD98E37582D: notify <koby@mksoft.co.il> (rule: 00 - OnViruses, 6E9E51FED8)
Jan 12 14:41:15 smg01 pmg-smtp-filter[24222]: ERROR: MIME::Body::File->open /tmp/.proxdump_24222_7E31B5FFD98E37582D/2021 New Price Vat.xz: No such file or directory at /usr/share/perl5/MIME/Body.pm line 435.
Jan 12 14:41:15 smg01 pmg-smtp-filter[24222]: 7E31B5FFD98E37582D: processing time: 7.975 seconds (1.098, 0, 6.018)
Jan 12 14:41:15 smg01 postfix/smtpd[24228]: proxy-reject: END-OF-MESSAGE: 451 4.4.0 detected undelivered mail (7E31B5FFD98E37582D); from=<kristin.b@asterch.com> to=<neomi.a@huberman.co.il> proto=ESMTP helo=<mail.asterch.com>
Jan 12 14:41:15 smg01 postfix/smtpd[24228]: disconnect from hwsrv-824003.hostwindsdns.com[108.174.196.58] ehlo=2 starttls=1 mail=1 rcpt=1 data=0/1 quit=1 commands=6/7
Jan 12 14:41:15 smg01 postfix/smtp[24146]: Trusted TLS connection established to mksoft-co-il.mail.protection.outlook.com[104.47.17.138]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
The Tracking Center (actually the pmg-log-tracker binary) parses the system's /var/log/syslog files for a rather limited set of patterns (in order to stay fast and performant) - and PMG does not have an ESET integration - so not printing lines related to eset (apart from the answer from the custom script) is expected...

Jan 12 14:41:15 smg01 pmg-smtp-filter[24222]: ERROR: MIME::Body::File->open /tmp/.proxdump_24222_7E31B5FFD98E37582D/2021 New Price Vat.xz: No such file or directory at /usr/share/perl5/MIME/Body.pm line 435.
My guess (without being able to try it here) is that ESET is configured in a way that deletes infected files (and so deletes the problematic '2021 New Price Vat.xz'); however, pmg-smtp-filter still expects it to be in place when packing the mail up for quarantine.

Maybe you can configure ESET to not delete infected files?

I hope this helps!
 
Hello,
The mail shown in the original post was taken from the mail log.
It should have been listed on the Tracking Center no matter what.
The Eset custom script did return "VIRUS" as needed, and still there is no line in the Tracking Center.
My feeling is that it is a bug, because even if Eset is set to delete the infected file, the line should still be there.
I must say that in another case, infected mail was in the virus quarantine as expected.
 
It should have been listed on the Tracking Center no matter what.

could you provide the original syslog of the timeframe where the mail was received - so that we can try to see why it did not show up in the Tracker?
 
could you provide the original syslog of the timeframe where the mail was received - so that we can try to see why it did not show up in the Tracker?
Here it is.
(The "DEBUG" part came from the Eset script.)


Jan 12 14:41:14 smg01 root[24235]: DEBUG:name="/var/spool/pmg/active/7E31B5FFD98E37582D >> MIME >> 2021 New Price Vat.xz", result="a variant of Win32/TrojanDownloader.Delf.DCX trojan", action="retained", info=""
Jan 12 14:41:14 smg01 root[24235]: DEBUG:name="/var/spool/pmg/active/7E31B5FFD98E37582D >> MIME >> 2021 New Price Vat.xz >> WINRARSFX >> 2021 New Price Vat.scr", result="a variant of Win32/TrojanDownloader.Delf.DCX trojan", action="retained", info=""
Jan 12 14:41:14 smg01 root[24235]: DEBUG:
Jan 12 14:41:14 smg01 root[24235]: DEBUG:Scan completed at: Tue Jan 12 14:41:14 2021
Jan 12 14:41:14 smg01 root[24235]: DEBUG:Scan time: 0 sec (0:00:00)
Jan 12 14:41:14 smg01 root[24235]: DEBUG:Total: files - 1, objects 6
Jan 12 14:41:14 smg01 root[24235]: DEBUG:Detected: files - 1, objects 1
Jan 12 14:41:14 smg01 root[24235]: DEBUG:Cleaned: files - 0, objects 0
Jan 12 14:41:14 smg01 root[24235]: DEBUG:
Jan 12 14:41:14 smg01 root[24235]: pmg-custom-check VIRUS: a variant of Win32/TrojanDownloader.Delf.DCX trojan (Eset) /var/spool/pmg/active/7E31B5FFD98E37582D
Jan 12 14:41:14 smg01 pmg-smtp-filter[24222]: 7E31B5FFD98E37582D: virus detected: a variant of Win32/TrojanDownloader.Delf.DCX trojan (Eset) (custom)
Jan 12 14:41:15 smg01 pmg-smtp-filter[24222]: 7E31B5FFD98E37582D: SA score=8/5 time=1.098 bayes=undefined autolearn=no autolearn_force=no hits=HTML_MESSAGE(0.001),KAM_DMARC_STATUS(0.01),KAM_LAZY_DOMAIN_SECURITY(1),KHOP_HELO_FCRDNS(0.398),MISSING_HEADERS(1.207),SPF_HELO_NONE(0.001),SPF_NONE(3),URIBL_BLOCKED(3)
Jan 12 14:41:15 smg01 postfix/smtpd[24106]: connect from localhost[127.0.0.1]
Jan 12 14:41:15 smg01 postfix/smtpd[24106]: 6E9E51FED8: client=localhost[127.0.0.1]
Jan 12 14:41:15 smg01 postfix/cleanup[24107]: 6E9E51FED8: message-id=<20210112124115.6E9E51FED8@smg01.localdomain>
Jan 12 14:41:15 smg01 postfix/qmgr[21050]: 6E9E51FED8: from=<postmaster@smg01.localdomain>, size=1688, nrcpt=1 (queue active)
Jan 12 14:41:15 smg01 postfix/smtpd[24106]: disconnect from localhost[127.0.0.1] ehlo=1 mail=1 rcpt=1 data=1 commands=4
Jan 12 14:41:15 smg01 pmg-smtp-filter[24222]: 7E31B5FFD98E37582D: notify <koby@mksoft.co.il> (rule: 00 - OnViruses, 6E9E51FED8)
Jan 12 14:41:15 smg01 pmg-smtp-filter[24222]: ERROR: MIME::Body::File->open /tmp/.proxdump_24222_7E31B5FFD98E37582D/2021 New Price Vat.xz: No such file or directory at /usr/share/perl5/MIME/Body.pm line 435.
Jan 12 14:41:15 smg01 pmg-smtp-filter[24222]: 7E31B5FFD98E37582D: processing time: 7.975 seconds (1.098, 0, 6.018)
Jan 12 14:41:15 smg01 postfix/smtpd[24228]: proxy-reject: END-OF-MESSAGE: 451 4.4.0 detected undelivered mail (7E31B5FFD98E37582D); from=<kristin.b@asterch.com> to=<neomi.a@huberman.co.il> proto=ESMTP helo=<mail.asterch.com>
Jan 12 14:41:15 smg01 postfix/smtpd[24228]: disconnect from hwsrv-824003.hostwindsdns.com[108.174.196.58] ehlo=2 starttls=1 mail=1 rcpt=1 data=0/1 quit=1 commands=6/7
Jan 12 14:41:15 smg01 postfix/smtp[24146]: Trusted TLS connection established to mksoft-co-il.mail.protection.outlook.com[104.47.17.138]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
 
The connection initiation (the first line from postscreen or postfix/smtpd) and everything up to the virus scan is missing - and these lines are used for the matching...

Also, please either attach them as a text file or inside code-tags - else it's quite a bit of work to demangle the automatic formatting from the forum.
 
Hi,
I copied it again and put it in code tags this time.
I hope that will help you.
I got more of the log this time.


Code:
Jan 12 14:41:13 smg01 pmg-smtp-filter[24082]: 7E2FE5FFD98D9B9FCD: added disclaimer (rule: 07 - WhiteList - Neway1.co.il)
Jan 12 14:41:13 smg01 pmg-smtp-filter[24082]: 7E2FE5FFD98D9B9FCD: added disclaimer (rule: 07 - WhiteList - Neway1.co.il)
Jan 12 14:41:13 smg01 postfix/smtpd[23096]: connect from localhost[127.0.0.1]
Jan 12 14:41:13 smg01 postfix/smtpd[23096]: A52F31FED6: client=localhost[127.0.0.1], orig_client=mail-wm1-f47.google.com[209.85.128.47]
Jan 12 14:41:13 smg01 postfix/cleanup[23097]: A52F31FED6: message-id=<CAL7Uyma9Z1R3GirmUwB8m-DLG42z5tWWWm228Er1BSf-uv347Q@mail.gmail.com>
Jan 12 14:41:13 smg01 postfix/qmgr[21050]: 8995D1FED4: from=<sharon@priza.co.il>, size=192419, nrcpt=1 (queue active)
Jan 12 14:41:13 smg01 postfix/smtpd[24106]: disconnect from localhost[127.0.0.1] ehlo=1 xforward=1 mail=1 rcpt=1 data=1 commands=5
Jan 12 14:41:13 smg01 pmg-smtp-filter[24092]: 7E3005FFD98D9BB9D5: accept mail to <mor@neway1.co.il> (8995D1FED4) (rule: 07 - WhiteList - Neway1.co.il)
Jan 12 14:41:13 smg01 pmg-smtp-filter[24092]: 7E3005FFD98D9BB9D5: processing time: 15.911 seconds (4.62, 0.045, 10.932)
Jan 12 14:41:13 smg01 postfix/smtpd[23535]: proxy-accept: END-OF-MESSAGE: 250 2.5.0 OK (7E3005FFD98D9BB9D5); from=<sharon@priza.co.il> to=<mor@neway1.co.il> proto=ESMTP helo=<mail-wm1-f54.google.com>
Jan 12 14:41:13 smg01 postfix/smtpd[23535]: disconnect from mail-wm1-f54.google.com[209.85.128.54] ehlo=2 starttls=1 mail=1 rcpt=1 bdat=2 quit=1 commands=8
Jan 12 14:41:13 smg01 postfix/qmgr[21050]: A52F31FED6: from=<sharon@priza.co.il>, size=192427, nrcpt=1 (queue active)
Jan 12 14:41:13 smg01 postfix/smtpd[23096]: disconnect from localhost[127.0.0.1] ehlo=1 xforward=1 mail=1 rcpt=1 data=1 commands=5
Jan 12 14:41:13 smg01 pmg-smtp-filter[24082]: 7E2FE5FFD98D9B9FCD: accept mail to <salary@neway1.co.il> (A52F31FED6) (rule: 07 - WhiteList - Neway1.co.il)
Jan 12 14:41:13 smg01 pmg-smtp-filter[24082]: 7E2FE5FFD98D9B9FCD: processing time: 16.024 seconds (4.586, 0.051, 11.038)
Jan 12 14:41:13 smg01 postfix/smtpd[23718]: proxy-accept: END-OF-MESSAGE: 250 2.5.0 OK (7E2FE5FFD98D9B9FCD); from=<sharon@priza.co.il> to=<salary@neway1.co.il> proto=ESMTP helo=<mail-wm1-f47.google.com>
Jan 12 14:41:13 smg01 postfix/smtpd[23718]: disconnect from mail-wm1-f47.google.com[209.85.128.47] ehlo=2 starttls=1 mail=1 rcpt=1 bdat=2 quit=1 commands=8
Jan 12 14:41:14 smg01 root[24235]: DEBUG:
Jan 12 14:41:14 smg01 root[24235]: DEBUG:ECLS Command-line scanner, version 1.1.1.0, Copyright © 1992-2020 ESET, spol. s r. o. All rights reserved.
Jan 12 14:41:14 smg01 root[24235]: DEBUG:Module loader, version 1076 (20200313), build 1138
Jan 12 14:41:14 smg01 root[24235]: DEBUG:Module perseus, version 1568.2 (20201214), build 2169
Jan 12 14:41:14 smg01 root[24235]: DEBUG:Module scanner, version 22631 (20210112), build 48106
Jan 12 14:41:14 smg01 root[24235]: DEBUG:Module archiver, version 1312 (20201223), build 1358
Jan 12 14:41:14 smg01 root[24235]: DEBUG:Module advheur, version 1205 (20201209), build 1199
Jan 12 14:41:14 smg01 root[24235]: DEBUG:
Jan 12 14:41:14 smg01 root[24235]: DEBUG:Command line: --base-dir=/var/opt/eset/efs/lib --clean-mode=none /var/spool/pmg/active/7E31B5FFD98E37582D
Jan 12 14:41:14 smg01 root[24235]: DEBUG:
Jan 12 14:41:14 smg01 root[24235]: DEBUG:Scan started at:   Tue Jan 12 14:41:14 2021
Jan 12 14:41:14 smg01 root[24235]: DEBUG:name="/var/spool/pmg/active/7E31B5FFD98E37582D", result="a variant of Win32/TrojanDownloader.Delf.DCX trojan", action="retained", info=""
Jan 12 14:41:14 smg01 root[24235]: DEBUG:name="/var/spool/pmg/active/7E31B5FFD98E37582D >> MIME >> 2021 New Price Vat.xz", result="a variant of Win32/TrojanDownloader.Delf.DCX trojan", action="retained", info=""
Jan 12 14:41:14 smg01 root[24235]: DEBUG:name="/var/spool/pmg/active/7E31B5FFD98E37582D >> MIME >> 2021 New Price Vat.xz >> WINRARSFX >> 2021 New Price Vat.scr", result="a variant of Win32/TrojanDownloader.Delf.DCX trojan", action="retained", info=""
Jan 12 14:41:14 smg01 root[24235]: DEBUG:
Jan 12 14:41:14 smg01 root[24235]: DEBUG:Scan completed at: Tue Jan 12 14:41:14 2021
Jan 12 14:41:14 smg01 root[24235]: DEBUG:Scan time:         0 sec (0:00:00)
Jan 12 14:41:14 smg01 root[24235]: DEBUG:Total:             files - 1, objects 6
Jan 12 14:41:14 smg01 root[24235]: DEBUG:Detected:          files - 1, objects 1
Jan 12 14:41:14 smg01 root[24235]: DEBUG:Cleaned:           files - 0, objects 0
Jan 12 14:41:14 smg01 root[24235]: DEBUG:
Jan 12 14:41:14 smg01 root[24235]: pmg-custom-check VIRUS: a variant of Win32/TrojanDownloader.Delf.DCX trojan (Eset) /var/spool/pmg/active/7E31B5FFD98E37582D
Jan 12 14:41:14 smg01 pmg-smtp-filter[24222]: 7E31B5FFD98E37582D: virus detected: a variant of Win32/TrojanDownloader.Delf.DCX trojan (Eset) (custom)
Jan 12 14:41:15 smg01 pmg-smtp-filter[24222]: 7E31B5FFD98E37582D: SA score=8/5 time=1.098 bayes=undefined autolearn=no autolearn_force=no hits=HTML_MESSAGE(0.001),KAM_DMARC_STATUS(0.01),KAM_LAZY_DOMAIN_SECURITY(1),KHOP_HELO_FCRDNS(0.398),MISSING_HEADERS(1.207),SPF_HELO_NONE(0.001),SPF_NONE(3),URIBL_BLOCKED(3)
Jan 12 14:41:15 smg01 postfix/smtpd[24106]: connect from localhost[127.0.0.1]
Jan 12 14:41:15 smg01 postfix/smtpd[24106]: 6E9E51FED8: client=localhost[127.0.0.1]
Jan 12 14:41:15 smg01 postfix/cleanup[24107]: 6E9E51FED8: message-id=<20210112124115.6E9E51FED8@smg01.localdomain>
Jan 12 14:41:15 smg01 postfix/qmgr[21050]: 6E9E51FED8: from=<postmaster@smg01.localdomain>, size=1688, nrcpt=1 (queue active)
Jan 12 14:41:15 smg01 postfix/smtpd[24106]: disconnect from localhost[127.0.0.1] ehlo=1 mail=1 rcpt=1 data=1 commands=4
Jan 12 14:41:15 smg01 pmg-smtp-filter[24222]: 7E31B5FFD98E37582D: notify <koby@mksoft.co.il> (rule: 00 - OnViruses, 6E9E51FED8)
Jan 12 14:41:15 smg01 pmg-smtp-filter[24222]: ERROR: MIME::Body::File->open /tmp/.proxdump_24222_7E31B5FFD98E37582D/2021 New Price Vat.xz: No such file or directory at /usr/share/perl5/MIME/Body.pm line 435.
Jan 12 14:41:15 smg01 pmg-smtp-filter[24222]: 7E31B5FFD98E37582D: processing time: 7.975 seconds (1.098, 0, 6.018)
Jan 12 14:41:15 smg01 postfix/smtpd[24228]: proxy-reject: END-OF-MESSAGE: 451 4.4.0 detected undelivered mail (7E31B5FFD98E37582D); from=<kristin.b@asterch.com> to=<neomi.a@huberman.co.il> proto=ESMTP helo=<mail.asterch.com>
Jan 12 14:41:15 smg01 postfix/smtpd[24228]: disconnect from hwsrv-824003.hostwindsdns.com[108.174.196.58] ehlo=2 starttls=1 mail=1 rcpt=1 data=0/1 quit=1 commands=6/7
Jan 12 14:41:15 smg01 postfix/smtp[24146]: Trusted TLS connection established to mksoft-co-il.mail.protection.outlook.com[104.47.17.138]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jan 12 14:41:16 smg01 postfix/smtp[24146]: 6E9E51FED8: to=<koby@mksoft.co.il>, relay=mksoft-co-il.mail.protection.outlook.com[104.47.17.138]:25, delay=1, delays=0.01/0/0.22/0.77, dsn=2.6.0, status=sent (250 2.6.0 <20210112124115.6E9E51FED8@smg01.localdomain> [InternalId=34050500734509, Hostname=AM0PR05MB4466.eurprd05.prod.outlook.com] 9211 bytes in 0.156, 57.585 KB/sec Queued mail for delivery)
Jan 12 14:41:16 smg01 postfix/qmgr[21050]: 6E9E51FED8: removed
Jan 12 14:41:16 smg01 postfix/smtp[23631]: Trusted TLS connection established to neway1-co-il.mail.protection.outlook.com[104.47.9.36]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jan 12 14:41:18 smg01 postfix/smtp[23631]: 983691FED3: to=<pakahim@neway1.co.il>, relay=neway1-co-il.mail.protection.outlook.com[104.47.9.36]:25, delay=5.4, delays=0.12/3.7/0.2/1.4, dsn=2.6.0, status=sent (250 2.6.0 <CAL7Uyma9Z1R3GirmUwB8m-DLG42z5tWWWm228Er1BSf-uv347Q@mail.gmail.com> [InternalId=14529874378076, Hostname=DBAPR05MB7303.eurprd05.prod.outlook.com] 201729 bytes in 0.074, 2636.184 KB/sec Queued mail for delivery)
Jan 12 14:41:18 smg01 postfix/qmgr[21050]: 983691FED3: removed
 
The log is still missing the connection start of the problematic mail.

That aside - since the mail did not get processed, due to the deleted attachment - it might not show up in the log-tracker...
Please try to configure ESET so that it does not delete the infected attachment - else PMG cannot sensibly handle the mail.
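An added example, not from this thread and not pmg-log-tracker's own code: a small Python correlator that groups syslog lines by pmg-smtp-filter ID the way the replies above describe. It ties each postfix/smtpd session to its filter ID through the proxy-accept/proxy-reject line, and to its client through the earlier "connect from" line of the same smtpd PID, which is why a session whose connection start is missing cannot be fully correlated. It also attributes the ID-less ERROR line to its mail via the proxdump path and records what the custom check script answered. The sample log is constructed from lines in this thread, with one "connect from" line added for the accepted mail (the posted excerpt lacks it); all regexes are this example's own approximations of the line formats shown above, not the patterns pmg-log-tracker uses.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: lines taken from this thread's excerpts, plus one "connect from"
# line for smtpd[23535] that the excerpts lack (constructed, so one session is complete).
SAMPLE_LOG = """\
Jan 12 14:40:57 smg01 postfix/smtpd[23535]: connect from mail-wm1-f54.google.com[209.85.128.54]
Jan 12 14:41:13 smg01 pmg-smtp-filter[24092]: 7E3005FFD98D9BB9D5: accept mail to <mor@neway1.co.il> (8995D1FED4) (rule: 07 - WhiteList - Neway1.co.il)
Jan 12 14:41:13 smg01 postfix/smtpd[23535]: proxy-accept: END-OF-MESSAGE: 250 2.5.0 OK (7E3005FFD98D9BB9D5); from=<sharon@priza.co.il> to=<mor@neway1.co.il> proto=ESMTP helo=<mail-wm1-f54.google.com>
Jan 12 14:41:13 smg01 postfix/smtpd[23535]: disconnect from mail-wm1-f54.google.com[209.85.128.54] ehlo=2 starttls=1 mail=1 rcpt=1 bdat=2 quit=1 commands=8
Jan 12 14:41:14 smg01 root[24235]: pmg-custom-check VIRUS: a variant of Win32/TrojanDownloader.Delf.DCX trojan (Eset) /var/spool/pmg/active/7E31B5FFD98E37582D
Jan 12 14:41:14 smg01 pmg-smtp-filter[24222]: 7E31B5FFD98E37582D: virus detected: a variant of Win32/TrojanDownloader.Delf.DCX trojan (Eset) (custom)
Jan 12 14:41:15 smg01 pmg-smtp-filter[24222]: 7E31B5FFD98E37582D: notify <koby@mksoft.co.il> (rule: 00 - OnViruses, 6E9E51FED8)
Jan 12 14:41:15 smg01 pmg-smtp-filter[24222]: ERROR: MIME::Body::File->open /tmp/.proxdump_24222_7E31B5FFD98E37582D/2021 New Price Vat.xz: No such file or directory at /usr/share/perl5/MIME/Body.pm line 435.
Jan 12 14:41:15 smg01 postfix/smtpd[24228]: proxy-reject: END-OF-MESSAGE: 451 4.4.0 detected undelivered mail (7E31B5FFD98E37582D); from=<kristin.b@asterch.com> to=<neomi.a@huberman.co.il> proto=ESMTP helo=<mail.asterch.com>
Jan 12 14:41:15 smg01 postfix/smtpd[24228]: disconnect from hwsrv-824003.hostwindsdns.com[108.174.196.58] ehlo=2 starttls=1 mail=1 rcpt=1 data=0/1 quit=1 commands=6/7
"""

# These patterns are this example's own approximations, not pmg-log-tracker's.
SYSLOG_RE = re.compile(r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) '
                       r'(?P<prog>[\w/.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$')
FILTER_ID_RE = re.compile(r'^(?P<id>[0-9A-F]{12,}): (?P<rest>.*)$')
PROXDUMP_ID_RE = re.compile(r'proxdump_\d+_(?P<id>[0-9A-F]{12,})')
CONNECT_RE = re.compile(r'^connect from (?P<client>\S+)$')
PROXY_RE = re.compile(r'^proxy-(?P<verdict>accept|reject): END-OF-MESSAGE: (?P<code>\d{3}) .*?'
                      r'\((?P<id>[0-9A-F]{12,})\); from=<(?P<from>[^>]*)> to=<(?P<to>[^>]*)>')
CUSTOM_CHECK_RE = re.compile(r'^pmg-custom-check (?P<result>.+) /var/spool/pmg/active/(?P<id>[0-9A-F]{12,})$')


@dataclass
class MailRecord:
    filter_id: str
    client: Optional[str] = None        # from the smtpd "connect from" line, if seen
    verdict: Optional[str] = None       # 'accept' / 'reject' from the proxy-* line
    smtp_code: Optional[str] = None
    custom_check: Optional[str] = None  # what the custom check script answered
    virus: Optional[str] = None
    errors: List[str] = field(default_factory=list)
    saw_connect: bool = False


def parse_log(text: str) -> Dict[str, MailRecord]:
    """Group syslog lines by pmg-smtp-filter ID, linking smtpd sessions through their PID."""
    records: Dict[str, MailRecord] = {}
    smtpd_client: Dict[str, str] = {}  # smtpd PID -> client of its still-open session

    def rec(fid: str) -> MailRecord:
        return records.setdefault(fid, MailRecord(fid))

    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        prog, pid, msg = m['prog'], m['pid'], m['msg']
        if prog == 'pmg-smtp-filter':
            fm = FILTER_ID_RE.match(msg)
            if fm:
                r, rest = rec(fm['id']), fm['rest']
                if rest.startswith('virus detected: '):
                    r.virus = rest[len('virus detected: '):]
            elif msg.startswith('ERROR:'):
                # the ERROR line has no ID prefix; recover the ID from the proxdump path
                pm = PROXDUMP_ID_RE.search(msg)
                if pm:
                    rec(pm['id']).errors.append(msg)
        elif prog == 'postfix/smtpd':
            cm, pm = CONNECT_RE.match(msg), PROXY_RE.match(msg)
            if cm:
                smtpd_client[pid] = cm['client']
            elif pm:
                r = rec(pm['id'])
                r.verdict, r.smtp_code = pm['verdict'], pm['code']
                r.saw_connect = pid in smtpd_client
                r.client = smtpd_client.get(pid)
            elif msg.startswith('disconnect from'):
                smtpd_client.pop(pid, None)  # PIDs get reused: forget the finished session
        elif prog == 'root':
            km = CUSTOM_CHECK_RE.match(msg)
            if km:
                rec(km['id']).custom_check = km['result']
    return records


def triage(records: Dict[str, MailRecord]) -> List[Tuple[str, str]]:
    """Return (filter_id, reason) pairs for mails an operator should look at."""
    findings = []
    for r in records.values():
        if r.virus and r.errors:
            findings.append((r.filter_id, 'virus detected, but the filter logged an ERROR while handling the attachment'))
        if r.virus and r.smtp_code == '451':
            findings.append((r.filter_id, 'virus mail answered with 451 (temporary failure), not a final verdict'))
        if r.verdict and not r.saw_connect:
            findings.append((r.filter_id, 'no "connect from" line for this session; client correlation is incomplete'))
    return findings
```

Calling parse_log(SAMPLE_LOG) yields two records: the whitelisted mail resolves to its client because its session has a "connect from" line, while the virus mail has no client, one attributed ERROR and a 451 verdict, so triage returns three findings for it and none for the other. To use it on a real box, pass the text of the /var/log/syslog window around the mail instead of SAMPLE_LOG.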
 
