
Please read the "yoursite-Attachment-Warning.txt" attachment(s) for more information #551

Open
gregh3269 opened this issue Sep 18, 2021 · 9 comments

Comments

@gregh3269

gregh3269 commented Sep 18, 2021

Hello,

For the installation we use /etc/MailScanner/conf.d directory for the necessary props/overrides.

When a virus is detected MailScanner sends an email "Bad File Name Detected" (eicar.com test case), but the attachment has the wrong naming based on the %org-name% = yoursite from the /etc/MailScanner/MailScanner.conf

Please read the "yoursite-Attachment-Warning.txt" attachment(s) for more information

It seems to want %org-name% from /etc/MailScanner/MailScanner.conf rather than our /etc/MailScanner/conf.d/my.conf

i.e. it should be from /etc/MailScanner/conf.d/my.conf
%org-name% = mysitename
Please read the "mysitename-Attachment-Warning.txt" attachment(s) for more information

...I think the email is coming from MailScanner.

Report: MailScanner: Executable DOS/Windows programs are dangerous in email (eicar.com)

System is Rocky 8 (CentOS)

Installed Packages
Name : MailScanner
Version : 5.4.1
Release : 2.rhel
Architecture : noarch
Size : 2.6 M
Source : MailScanner-5.4.1-2.rhel.src.rpm

Cheers Greg

@msapiro
Contributor

msapiro commented Sep 18, 2021 via email

@shawniverson shawniverson added question and removed bug labels Sep 18, 2021
@gregh3269
Author

gregh3269 commented Sep 19, 2021

Ok, sorry, I was reading my install instructions rather than the official ones. I can see I have updated the /etc/MailScanner/MailScanner.conf on the server version and not my instructions.

...Was hoping this would fix the MailScanner --lint not showing the virus scanner stuff, even though clamav seems to work correctly.

v5.4.1
MailScanner.conf says "Virus Scanners = clamav"
Found these virus scanners installed:
#===========================================================================
Filename Checks: Windows/DOS Executable (1 eicar.com)
Other Checks: Found 1 problems
Virus and Content Scanning: Starting
#===========================================================================
If any of your virus scanners ()
....

v5.0.7 on centos 7

MailScanner.conf says "Virus Scanners = clamav"
Found these virus scanners installed: clamav
#===========================================================================
Filename Checks: Windows/DOS Executable (1 eicar.com)
Other Checks: Found 1 problems
Virus and Content Scanning: Starting
1.message: Win.Test.EICAR_HDB-1 FOUND

/var/spool/MailScanner/incoming/6372/1/eicar.com: Win.Test.EICAR_HDB-1 FOUND

Virus Scanning: ClamAV found 2 infections
Infected message 1 came from 10.1.1.1
Virus Scanning: Found 2 viruses
#===========================================================================
Virus Scanner test reports:
ClamAV said "eicar.com contains Win.Test.EICAR_HDB-1"

If any of your virus scanners (clamav)
...

Is there a way to debug this?

Cheers Greg
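As an added check prompted by the two lint transcripts above (example code, not part of this thread or of MailScanner itself): a small Python parser that reads `MailScanner --lint` output and warns when a scanner named in `Virus Scanners =` is absent from the `Found these virus scanners installed:` line, or when the EICAR test file is not reported, since a scanner that silently fails to load means mail is delivered without virus scanning. The sample transcripts are constructed from the output quoted in this thread.

```python
# Added example (not MailScanner's own code): parse a `MailScanner --lint`
# transcript and flag a configured scanner that was not actually found.
import re

# Constructed sample: v5.4.1 run, 'clamav' configured but not found.
LINT_BROKEN = """\
MailScanner.conf says "Virus Scanners = clamav"
Found these virus scanners installed:
#===========================================================================
Filename Checks: Windows/DOS Executable (1 eicar.com)
Virus and Content Scanning: Starting
If any of your virus scanners ()
"""

# Constructed sample: v5.0.7 run, clamav found and EICAR detected.
LINT_OK = """\
MailScanner.conf says "Virus Scanners = clamav"
Found these virus scanners installed: clamav
Filename Checks: Windows/DOS Executable (1 eicar.com)
Virus Scanning: ClamAV found 2 infections
Virus Scanner test reports:
ClamAV said "eicar.com contains Win.Test.EICAR_HDB-1"
"""

KEYWORDS = {"none", "auto"}  # MailScanner keywords, not scanner names
SAYS_RE = re.compile(r'says "Virus Scanners = ([^"]*)"')
FOUND_RE = re.compile(r"^Found these virus scanners installed:(.*)$", re.M)
REPORT_RE = re.compile(r'^(\w+) said "(\S+) contains (\S+)"', re.M)

def lint_status(text):
    """Return (configured, found, missing, eicar_detected) from a transcript."""
    m = SAYS_RE.search(text)
    configured = set(m.group(1).split()) if m else set()
    m = FOUND_RE.search(text)
    found = set(m.group(1).split()) if m else set()
    missing = configured - found - KEYWORDS
    return configured, found, missing, bool(REPORT_RE.search(text))

def explain(text):
    """One-line verdict a cron job or monitoring check could alert on."""
    configured, found, missing, detected = lint_status(text)
    if "none" in configured:
        return "WARNING: Virus Scanners = none, mail is not virus scanned"
    if missing:
        return "WARNING: scanner(s) not found: %s; check virus.scanners.conf" % ", ".join(sorted(missing))
    if not detected:
        return "WARNING: scanner found but the EICAR test file was not reported"
    return "OK: active scanner(s) %s, EICAR detected" % ", ".join(sorted(found))
```

Feed it the real transcript with `explain(subprocess.run(["MailScanner", "--lint"], capture_output=True, text=True).stdout)` from a cron job and alert on any line starting with WARNING.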

@shawniverson
Member

@gregh3269 clamav was deprecated and eventually removed; use clamd instead.

@gregh3269
Author

Virus Scanners = clamd

seems to make it work, but now we must run the 1gb memory daemon job. On my dev box this seems a waste of resources; I seem to remember the clamav-wrapper stuff runs when needed? Is it possible to still use this logic now?

virus.scanners.conf
clamav /usr/lib/MailScanner/wrapper/clamav-wrapper /usr

Cheers Greg

@msapiro
Contributor

msapiro commented Sep 19, 2021

The size of the clamav daemon depends on the size of the collection of signatures (/var/lib/clamav/*). That said, the trade-off between clamd and clamav is that with clamd, the process is persistent and the signatures are loaded once when it starts, while with clamav there is a new process which has to load all the signatures each time it is invoked.

It seems to me that creating a new clamav process for each message is a greater waste of resources than running the daemon.

@gregh3269
Author

gregh3269 commented Sep 20, 2021

On a 4gb box/instance the 1.2gb clamd job is not really an option, now only a luxury.

Virus Scanners = none

Cheers Greg

@gregh3269
Author

Checking the source, the clamav stuff has only been commented out (v5.4.1), reinstating these lines seems to make it work again. Changing SweepViruses.pm and ConfigDefs.pl.

MailScanner --lint
..
Checking version numbers...
Version number in MailScanner.conf (5.4.1) is correct.
..
MailScanner.conf says "Virus Scanners = clamav"
Found these virus scanners installed: clamav
#===========================================================================
Filename Checks: Windows/DOS Executable (1 eicar.com)
Other Checks: Found 1 problems
Virus and Content Scanning: Starting
1.message: Win.Test.EICAR_HDB-1 FOUND

/var/spool/MailScanner/incoming/17143/1/eicar.com: Win.Test.EICAR_HDB-1 FOUND

Virus Scanning: ClamAV found 2 infections
Infected message 1 came from 10.1.1.1
Virus Scanning: Found 2 viruses
#===========================================================================
Virus Scanner test reports:
ClamAV said "eicar.com contains Win.Test.EICAR_HDB-1"

If any of your virus scanners (clamav)
are not listed there, you should check that they are installed correctly
and that MailScanner is finding them correctly via its virus.scanners.conf.
Config: calling custom end function MailWatchLogging

I can live with this and push it down the road. If we get more than a couple of emails a week, we can revert to clamd. Please reconsider its deprecation.

#######

One other thing I have noticed (before clamav change) is if I repeatedly send eicarcom2.tar.xz sometimes the body of the {Virus?} email is empty. It does it on every other email.

i.e. this is missing:
Warning: This message has had one or more attachments removed
Warning: (eicarcom2.tar.xz, the entire message).
Warning: Please read the "mycompany-Attachment-Warning.txt" attachment(s) for more information.

This is a message from the MailScanner E-Mail Virus Protection Service
#----------------------------------------------------------------------
The original e-mail attachment "the entire message"
was believed to be infected by a virus and has been replaced by this warning
message.

If you wish to receive a copy of the infected attachment, please
e-mail helpdesk and include the whole of this message
in your request. Alternatively, you can call them, with
the contents of this message to hand when you call.

At Wed Sep 22 07:28:34 2021 the virus scanner said:
ClamAV: eicarcom2.tar.xz contains Win.Test.EICAR_HDB-1

ClamAV: contains Win.Test.EICAR_HDB-1

Note to Help Desk: Look on The mycompany (mycompany.co.uk) MailScanner in /var/spool/MailScanner/quarantine/20210922 (message D3753C9B07.AEA63).
#--
Postmaster

Cheers Greg

@shawniverson
Member

Due to obsolescence of perl-Mail-ClamAV, clamavmodule will remain deprecated and code commented out.

@shawniverson
Member

Leaving issue open to investigate attachment warning issue
