amavis: (!!)WARN: all primary virus scanners failed, considering ba

Discussion in 'Installation/Configuration' started by jariasca, Apr 13, 2010.

  1. jariasca

    jariasca Member

    Hi I just finished to install guide perfect server ipsconfig 3 + centos 5.4

    every thing works fine but i got the error or warning in my maillog

    Apr 12 16:31:58 mail postfix/smtpd[4208]: warning: 216.25.162.201: address not listed for hostname worldcom.co.cr
    Apr 12 16:31:58 mail postfix/smtpd[4208]: connect from unknown[216.25.162.201]
    Apr 12 16:31:58 mail postfix/smtpd[4208]: EF40414D02F1: client=unknown[216.25.162.201]
    Apr 12 16:31:59 mail postfix/cleanup[4220]: EF40414D02F1: message-id=<[email protected]>
    Apr 12 16:31:59 mail postfix/qmgr[2752]: EF40414D02F1: from=<[email protected]>, size=710, nrcpt=1 (queue active)
    Apr 12 16:31:59 mail postfix/smtpd[4208]: disconnect from unknown[216.25.162.201]
    Apr 12 16:31:59 mail amavis[2824]: (02824-03) (!!)WARN: all primary virus scanners failed, considering backups
    Apr 12 16:32:05 mail pop3d: Connection, ip=[::ffff:209.213.178.252]
    Apr 12 16:32:05 mail pop3d: LOGIN, user=[email protected], ip=[::ffff:209.213.178.252], port=[59525]
    Apr 12 16:32:05 mail pop3d: LOGOUT, user=[email protected], ip=[::ffff:209.213.178.252], port=[59525], top=0, retr=0, rcvd=28, sent=157, time=0
    Apr 12 16:32:05 mail postfix/smtpd[4259]: connect from unknown[127.0.0.1]
    Apr 12 22:32:05 mail postfix/smtpd[4259]: 7A37714D0305: client=unknown[127.0.0.1]
    Apr 12 16:32:05 mail postfix/cleanup[4220]: 7A37714D0305: message-id=<[email protected]>
    Apr 12 16:32:05 mail postfix/qmgr[2752]: 7A37714D0305: from=<[email protected]>, size=1185, nrcpt=1 (queue active)
    Apr 12 22:32:05 mail postfix/smtpd[4259]: disconnect from unknown[127.0.0.1]
    Apr 12 16:32:05 mail amavis[2824]: (02824-03) Passed CLEAN, [216.25.162.201] [216.25.162.201] <[email protected]> -> <[email protected]>, Message-ID: <[email protected]>, mail_id: jTv3ukslSNdd, Hits: 1.272, size: 710, queued_as: 7A37714D0305, 6494 ms
    Apr 12 16:32:05 mail postfix/smtp[4221]: EF40414D02F1: to=<[email protected]>, relay=127.0.0.1[127.0.0.1]:10024, delay=6.6, delays=0.06/0.01/0/6.5, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=02824-03, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 7A37714D0305)
    Apr 12 16:32:05 mail postfix/qmgr[2752]: EF40414D02F1: removed
    Apr 12 16:32:05 mail postfix/pipe[4262]: 7A37714D0305: to=<[email protected]>, relay=maildrop, delay=0.05, delays=0.02/0.01/0/0.02, dsn=2.0.0, status=sent (delivered via maildrop service)
    Apr 12 16:32:05 mail postfix/qmgr[2752]: 7A37714D0305: removed


    please advise
    Jorge
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Start clamd.
     
  3. jariasca

    jariasca Member

    Thanks Till but still the same, it was started to I stop it and restart it but get the same msg

    Apr 13 16:40:57 mail postfix/smtpd[4676]: C2E9914D04F9: client=unknown[65.183.7.27]
    Apr 13 16:40:58 mail postfix/cleanup[4687]: A23C114D04D3: message-id=<[email protected]>
    Apr 13 16:40:58 mail postfix/qmgr[2752]: A23C114D04D3: from=<[email protected]>, size=2494, nrcpt=1 (queue active)
    Apr 13 16:40:58 mail amavis[1536]: (01536-09) (!!)WARN: all primary virus scanners failed, considering backups
    Apr 13 16:40:58 mail postfix/smtpd[4678]: NOQUEUE: reject: RCPT from unknown[65.183.7.27]: 550 5.1.1 <[email protected]>: Recipient address rejected: User unknown in virtual mailbox table; from=<[email protected]> to=<[email protected]> proto=SMTP helo=<agis-group.co.il>
    Apr 13 16:40:59 mail postfix/smtpd[4677]: disconnect from unknown[65.183.7.27]
     
  4. falko

    falko Super Moderator ISPConfig Developer

    Can you post the ClamAV section from your amavisd configuration?
     
  5. jariasca

    jariasca Member

    Thanks Falko the setting are the ones by default in the installation (perfect Centos 5.4 ispconfig)

    Everything works fine only got that error msg

    Thanks again for the help
    -Jorge

    [root@mail etc]# cat clamd.conf
    ##
    ## Example config file for the Clam AV daemon
    ## Please read the clamd.conf(5) manual before editing this file.
    ##


    # Comment or remove the line below.
    #Example

    # Uncomment this option to enable logging.
    # LogFile must be writable for the user running daemon.
    # A full path is required.
    # Default: disabled
    LogFile /var/log/clamav/clamd.log

    # By default the log file is locked for writing - the lock protects against
    # running clamd multiple times (if want to run another clamd, please
    # copy the configuration file, change the LogFile variable, and run
    # the daemon with --config-file option).
    # This option disables log file locking.
    # Default: no
    #LogFileUnlock yes

    # Maximum size of the log file.
    # Value of 0 disables the limit.
    # You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes)
    # and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes). To specify the size
    # in bytes just don't use modifiers.
    # Default: 1M
    LogFileMaxSize 0

    # Log time with each message.
    # Default: no
    LogTime yes

    # Also log clean files. Useful in debugging but drastically increases the
    # log size.
    # Default: no
    #LogClean yes

    # Use system logger (can work together with LogFile).
    # Default: no
    LogSyslog yes

    # Specify the type of syslog messages - please refer to 'man syslog'
    # for facility names.
    # Default: LOG_LOCAL6
    #LogFacility LOG_MAIL

    # Enable verbose logging.
    # Default: no
    #LogVerbose yes

    # This option allows you to save a process identifier of the listening
    # daemon (main thread).
    # Default: disabled
    PidFile /var/run/clamav/clamd.pid

    # Optional path to the global temporary directory.
    # Default: system specific (usually /tmp or /var/tmp).
    TemporaryDirectory /var/tmp

    # Path to the database directory.
    # Default: hardcoded (depends on installation options)
    DatabaseDirectory /var/clamav

    # Only load the official signatures published by the ClamAV project.
    # Default: no
    #OfficialDatabaseOnly no

    # The daemon can work in local mode, network mode or both.
    # Due to security reasons we recommend the local mode.

    # Path to a local socket file the daemon will listen on.
    # Default: disabled (must be specified by a user)
    #LocalSocket /tmp/clamd.socket

    # Sets the group ownership on the unix socket.
    # Default: disabled (the primary group of the user running clamd)
    #LocalSocketGroup virusgroup

    # Sets the permissions on the unix socket to the specified mode.
    # Default: disabled (socket is world accessible)
    #LocalSocketMode 660

    # Remove stale socket after unclean shutdown.
    # Default: yes
    FixStaleSocket yes

    # TCP port address.
    # Default: no
    TCPSocket 3310

    # TCP address.
    # By default we bind to INADDR_ANY, probably not wise.
    # Enable the following to provide some degree of protection
    # from the outside world.
    # Default: no
    TCPAddr 127.0.0.1

    # Maximum length the queue of pending connections may grow to.
    # Default: 15
    MaxConnectionQueueLength 30

    # Clamd uses FTP-like protocol to receive data from remote clients.
    # If you are using clamav-milter to balance load between remote clamd daemons
    # on firewall servers you may need to tune the options below.

    # Close the connection when the data size limit is exceeded.
    # The value should match your MTA's limit for a maximum attachment size.
    # Default: 25M
    #StreamMaxLength 10M

    # Limit port range.
    # Default: 1024
    #StreamMinPort 30000
    # Default: 2048
    #StreamMaxPort 32000

    # Maximum number of threads running at the same time.
    # Default: 10
    MaxThreads 50

    # Waiting for data from a client socket will timeout after this time (seconds).
    # Value of 0 disables the timeout.
    # Default: 120
    ReadTimeout 300

    # This option specifies the time (in seconds) after which clamd should
    # timeout if a client doesn't provide any initial command after connecting.
    # Default: 5
    #CommandReadTimeout 5

    # This option specifies how long to wait (in miliseconds) if the send buffer is full.
    # Keep this value low to prevent clamd hanging
    #
    # Default: 500
    #SendBufTimeout 200

    # Maximum number of queued items (including those being processed by MaxThreads threads)
    # It is recommended to have this value at least twice MaxThreads if possible.
    # WARNING: you shouldn't increase this too much to avoid running out of file descriptors,
    # the following condition should hold:
    # MaxThreads*MaxRecursion + (MaxQueue - MaxThreads) + 6< RLIMIT_NOFILE (usual max is 1024)
    #
    # Default: 100
    #MaxQueue 200

    # Waiting for a new job will timeout after this time (seconds).
    # Default: 30
    #IdleTimeout 60

    # Don't scan files and directories matching regex
    # This directive can be used multiple times
    # Default: scan all
    #ExcludePath ^/proc/
    #ExcludePath ^/sys/

    # Maximum depth directories are scanned at.
    # Default: 15
    #MaxDirectoryRecursion 20

    # Follow directory symlinks.
    # Default: no
    #FollowDirectorySymlinks yes

    # Follow regular file symlinks.
    # Default: no
    #FollowFileSymlinks yes

    # Scan files and directories on other filesystems.
    # Default: yes
    #CrossFilesystems yes

    # Perform a database check.
    # Default: 600 (10 min)
    #SelfCheck 600

    # Execute a command when virus is found. In the command string %v will
    # be replaced with the virus name.
    # Default: no
    #VirusEvent /usr/local/bin/send_sms 123456789 "VIRUS ALERT: %v"

    # Run as another user (clamd must be started by root for this option to work)
    # Default: don't drop privileges
    User clamav

    # Initialize supplementary group access (clamd must be started by root).
    # Default: no
    AllowSupplementaryGroups yes

    # Stop daemon when libclamav reports out of memory condition.
    #ExitOnOOM yes

    # Don't fork into background.
    # Default: no
    #Foreground yes

    # Enable debug messages in libclamav.
    # Default: no
    #Debug yes

    # Do not remove temporary files (for debug purposes).
    # Default: no
    #LeaveTemporaryFiles yes

    # Detect Possibly Unwanted Applications.
    # Default: no
    #DetectPUA yes

    # Exclude a specific PUA category. This directive can be used multiple times.
    # See http://www.clamav.net/support/pua for the complete list of PUA
    # categories.
    # Default: Load all categories (if DetectPUA is activated)
    #ExcludePUA NetTool
    #ExcludePUA PWTool

    # Only include a specific PUA category. This directive can be used multiple
    # times.
    # Default: Load all categories (if DetectPUA is activated)
    #IncludePUA Spy
    #IncludePUA Scanner
    #IncludePUA RAT

    # In some cases (eg. complex malware, exploits in graphic files, and others),
    # ClamAV uses special algorithms to provide accurate detection. This option
    # controls the algorithmic detection.
    # Default: yes
    #AlgorithmicDetection yes


    ##
    ## Executable files
    ##

    # PE stands for Portable Executable - it's an executable file format used
    # in all 32 and 64-bit versions of Windows operating systems. This option allows
    # ClamAV to perform a deeper analysis of executable files and it's also
    # required for decompression of popular executable packers such as UPX, FSG,
    # and Petite.
    # Default: yes
    ScanPE yes

    # Executable and Linking Format is a standard format for UN*X executables.
    # This option allows you to control the scanning of ELF files.
    # Default: yes
    ScanELF yes

    # With this option clamav will try to detect broken executables (both PE and
    # ELF) and mark them as Broken.Executable.
    # Default: no
    DetectBrokenExecutables yes


    ##
    ## Documents
    ##

    # This option enables scanning of OLE2 files, such as Microsoft Office
    # documents and .msi files.
    # Default: yes
    ScanOLE2 yes

    # This option enables scanning within PDF files.
    # Default: yes
    #ScanPDF yes


    ##
    ## Mail files
    ##

    # Enable internal e-mail scanner.
    # Default: yes
    ScanMail yes

    # Scan RFC1341 messages split over many emails.
    # You will need to periodically clean up $TemporaryDirectory/clamav-partial directory.
    # WARNING: This option may open your system to a DoS attack.
    # Never use it on loaded servers.
    # Default: no
    #ScanPartialMessages yes


    # With this option enabled ClamAV will try to detect phishing attempts by using
    # signatures.
    # Default: yes
    #PhishingSignatures yes

    # Scan URLs found in mails for phishing attempts using heuristics.
    # Default: yes
    #PhishingScanURLs yes

    # Always block SSL mismatches in URLs, even if the URL isn't in the database.
    # This can lead to false positives.
    #
    # Default: no
    #PhishingAlwaysBlockSSLMismatch no

    # Always block cloaked URLs, even if URL isn't in database.
    # This can lead to false positives.
    #
    # Default: no
    #PhishingAlwaysBlockCloak no

    # Allow heuristic match to take precedence.
    # When enabled, if a heuristic scan (such as phishingScan) detects
    # a possible virus/phish it will stop scan immediately. Recommended, saves CPU
    # scan-time.
    # When disabled, virus/phish detected by heuristic scans will be reported only at
    # the end of a scan. If an archive contains both a heuristically detected
    # virus/phish, and a real malware, the real malware will be reported
    #
    # Keep this disabled if you intend to handle "*.Heuristics.*" viruses
    # differently from "real" malware.
    # If a non-heuristically-detected virus (signature-based) is found first,
    # the scan is interrupted immediately, regardless of this config option.
    #
    # Default: no
    #HeuristicScanPrecedence yes

    ##
    ## Data Loss Prevention (DLP)
    ##

    # Enable the DLP module
    # Default: No
    #StructuredDataDetection yes

    # This option sets the lowest number of Credit Card numbers found in a file
    # to generate a detect.
    # Default: 3
    #StructuredMinCreditCardCount 5

    # This option sets the lowest number of Social Security Numbers found
    # in a file to generate a detect.
    # Default: 3
    #StructuredMinSSNCount 5

    # With this option enabled the DLP module will search for valid
    # SSNs formatted as xxx-yy-zzzz
    # Default: yes
    #StructuredSSNFormatNormal yes

    # With this option enabled the DLP module will search for valid
    # SSNs formatted as xxxyyzzzz
    # Default: no
    #StructuredSSNFormatStripped yes


    ##
    ## HTML
    ##

    # Perform HTML normalisation and decryption of MS Script Encoder code.
    # Default: yes
    #ScanHTML yes


    ##
    ## Archives
    ##

    # ClamAV can scan within archives and compressed files.
    # Default: yes
    ScanArchive yes

    # Mark encrypted archives as viruses (Encrypted.Zip, Encrypted.RAR).
    # Default: no
    ArchiveBlockEncrypted no


    ##
    ## Limits
    ##

    # The options below protect your system against Denial of Service attacks
    # using archive bombs.

    # This option sets the maximum amount of data to be scanned for each input file.
    # Archives and other containers are recursively extracted and scanned up to this
    # value.
    # Value of 0 disables the limit
    # Note: disabling this limit or setting it too high may result in severe damage
    # to the system.
    # Default: 100M
    #MaxScanSize 150M

    # Files larger than this limit won't be scanned. Affects the input file itself
    # as well as files contained inside it (when the input file is an archive, a
    # document or some other kind of container).
    # Value of 0 disables the limit.
    # Note: disabling this limit or setting it too high may result in severe damage
    # to the system.
    # Default: 25M
    #MaxFileSize 30M

    # Nested archives are scanned recursively, e.g. if a Zip archive contains a RAR
    # file, all files within it will also be scanned. This options specifies how
    # deeply the process should be continued.
    # Note: disabling this limit or setting it too high may result in severe damage
    # to the system.
    # Value of 0 disables the limit.
    # Default: 16
    #MaxRecursion 10

    # Number of files to be scanned within an archive, a document, or any other
    # container file.
    # Value of 0 disables the limit.
    # Note: disabling this limit or setting it too high may result in severe damage
    # to the system.
    # Default: 10000
    #MaxFiles 15000


    ##
    ## Clamuko settings
    ##

    # Enable Clamuko. Dazuko must be configured and running. Clamuko supports
    # both Dazuko (/dev/dazuko) and DazukoFS (/dev/dazukofs.ctrl). DazukoFS
    # is the preferred option. For more information please visit www.dazuko.org
    # Default: no
    #ClamukoScanOnAccess yes

    # The number of scanner threads that will be started (DazukoFS only).
    # Having multiple scanner threads allows Clamuko to serve multiple
    # processes simultaneously. This is particularly beneficial on SMP machines.
    # Default: 3
    #ClamukoScannerCount 3

    # Don't scan files larger than ClamukoMaxFileSize
    # Value of 0 disables the limit.
    # Default: 5M
    #ClamukoMaxFileSize 10M

    # Set access mask for Clamuko (Dazuko only).
    # Default: no
    #ClamukoScanOnOpen yes
    #ClamukoScanOnClose yes
    #ClamukoScanOnExec yes

    # Set the include paths (all files inside them will be scanned). You can have
    # multiple ClamukoIncludePath directives but each directory must be added
    # in a seperate line. (Dazuko only)
    # Default: disabled
    #ClamukoIncludePath /home
    #ClamukoIncludePath /students

    # Set the exclude paths. All subdirectories are also excluded. (Dazuko only)
    # Default: disabled
    #ClamukoExcludePath /home/bofh

    # With this option enabled ClamAV will load bytecode from the database.
    # It is highly recommended you keep this option on, otherwise you'll miss detections for many new viruses.
    # Default: yes
    #Bytecode yes

    # Set bytecode security level.
    # Possible values:
    # None - no security at all, meant for debugging. DO NOT USE THIS ON PRODUCTION SYSTEMS
    # This value is only available if clamav was built with --enable-debug!
    # TrustSigned - trust bytecode loaded from signed .c[lv]d files,
    # insert runtime safety checks for bytecode loaded from other sources
    # Paranoid - don't trust any bytecode, insert runtime checks for all
    # Recommended: TrustSigned, because bytecode in .cvd files already has these checks
    # Note that by default only signed bytecode is loaded, currently you can only
    # load unsigned bytecode in --enable-debug mode.
    #
    # Default: TrustSigned
    #BytecodeSecurity TrustSigned

    # Set bytecode timeout in miliseconds.
    #
    # Default: 60000
    # BytecodeTimeout 60000
    [root@mail etc]#
     
  6. falko

    falko Super Moderator ISPConfig Developer

    No, I need the ClamAV section from your amavisd configuration (amavisd.conf).
     
  7. jariasca

    jariasca Member

    @av_scanners = (

    # ### http://www.clanfield.info/sophie/ (http://www.vanja.com/tools/sophie/)
    # ['Sophie',
    # \&ask_daemon, ["{}/\n", '/var/run/sophie'],
    # qr/(?x)^ 0+ ( : | [\000\r\n]* $)/, qr/(?x)^ 1 ( : | [\000\r\n]* $)/,
    # qr/(?x)^ [-+]? \d+ : (.*?) [\000\r\n]* $/ ],

    # ### http://www.csupomona.edu/~henson/www/projects/SAVI-Perl/
    # ['Sophos SAVI', \&sophos_savi ],

    # ### http://www.clamav.net/
    ['ClamAV-clamd',
    \&ask_daemon, ["CONTSCAN {}\n", "/var/spool/amavisd/clamd.sock"],
    qr/\bOK$/, qr/\bFOUND$/,
    qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
    # # NOTE: run clamd under the same user as amavisd, or run it under its own
    # # uid such as clamav, add user clamav to the amavis group, and then add
    # # AllowSupplementaryGroups to clamd.conf;
    # # NOTE: match socket name (LocalSocket) in clamav.conf to the socket name in
    # # this entry; when running chrooted one may prefer socket "$MYHOME/clamd".

    # ### http://www.clamav.net/ and CPAN (memory-hungry! clamd is preferred)
    # # note that Mail::ClamAV requires perl to be build with threading!
    # ['Mail::ClamAV', \&ask_clamav, "*", [0], [1], qr/^INFECTED: (.+)/],

    # ### http://www.openantivirus.org/
    # ['OpenAntiVirus ScannerDaemon (OAV)',
    # \&ask_daemon, ["SCAN {}\n", '127.0.0.1:8127'],
    # qr/^OK/, qr/^FOUND: /, qr/^FOUND: (.+)/ ],

    # ### http://www.vanja.com/tools/trophie/
    # ['Trophie',
    # \&ask_daemon, ["{}/\n", '/var/run/trophie'],
    # qr/(?x)^ 0+ ( : | [\000\r\n]* $)/, qr/(?x)^ 1 ( : | [\000\r\n]* $)/,
    # qr/(?x)^ [-+]? \d+ : (.*?) [\000\r\n]* $/ ],

    # ### http://www.grisoft.com/
    # ['AVG Anti-Virus',
    # \&ask_daemon, ["SCAN {}\n", '127.0.0.1:55555'],
    # qr/^200/, qr/^403/, qr/^403 .*?: ([^\r\n]+)/ ],

    # ### http://www.f-prot.com/
    # ['FRISK F-Prot Daemon',
    # \&ask_daemon,
    # ["GET {}/*?-dumb%20-archive%20-packed HTTP/1.0\r\n\r\n",
    # ['127.0.0.1:10200','127.0.0.1:10201','127.0.0.1:10202',
    # '127.0.0.1:10203','127.0.0.1:10204'] ],
    # qr/(?i)<summary[^>]*>clean<\/summary>/,
    # qr/(?i)<summary[^>]*>infected<\/summary>/,
    # qr/(?i)<name>(.+)<\/name>/ ],

    # ### http://www.sald.com/, http://www.dials.ru/english/, http://www.drweb.ru/
    # ['DrWebD', \&ask_daemon, # DrWebD 4.31 or later
    # [pack('N',1). # DRWEBD_SCAN_CMD
    # pack('N',0x00280001). # DONT_CHANGEMAIL, IS_MAIL, RETURN_VIRUSES
    # pack('N', # path length
    # length("$TEMPBASE/amavis-yyyymmddTHHMMSS-xxxxx/parts/pxxx")).
    # '{}/*'. # path
    # pack('N',0). # content size
    # pack('N',0),
    # '/var/drweb/run/drwebd.sock',
    # # '/var/amavis/var/run/drwebd.sock', # suitable for chroot
    # # '/usr/local/drweb/run/drwebd.sock', # FreeBSD drweb ports default
    # # '127.0.0.1:3000', # or over an inet socket
    # ],
    # qr/\A\x00[\x10\x11][\x00\x10]\x00/s, # IS_CLEAN,EVAL_KEY; SKIPPED
    # qr/\A\x00[\x00\x01][\x00\x10][\x20\x40\x80]/s, # KNOWN_V,UNKNOWN_V,V._MODIF
    # qr/\A.{12}(?:infected with )?([^\x00]+)\x00/s,
    # ],
    # # NOTE: If using amavis-milter, change length to:
    # # length("$TEMPBASE/amavis-milter-xxxxxxxxxxxxxx/parts/pxxx").

    ### http://www.kaspersky.com/ (kav4mailservers)
    ['KasperskyLab AVP - aveclient',
    ['/usr/local/kav/bin/aveclient','/usr/local/share/kav/bin/aveclient',
    '/opt/kav/5.5/kav4mailservers/bin/aveclient','aveclient'],
    '-p /var/run/aveserver -s {}/*',
    [0,3,6,8], qr/\b(INFECTED|SUSPICION|SUSPICIOUS)\b/,
    qr/(?:INFECTED|WARNING|SUSPICION|SUSPICIOUS) (.+)/,
    ],
    # NOTE: one may prefer [0],[2,3,4,5], depending on how suspicious,
    # currupted or protected archives are to be handled

    ### http://www.kaspersky.com/
    ['KasperskyLab AntiViral Toolkit Pro (AVP)', ['avp'],
    '-* -P -B -Y -O- {}', [0,3,6,8], [2,4], # any use for -A -K ?
    qr/infected: (.+)/,
    sub {chdir('/opt/AVP') or die "Can't chdir to AVP: $!"},
    sub {chdir($TEMPBASE) or die "Can't chdir back to $TEMPBASE $!"},
    ],

    ### The kavdaemon and AVPDaemonClient have been removed from Kasperky
    ### products and replaced by aveserver and aveclient
    ['KasperskyLab AVPDaemonClient',
    [ '/opt/AVP/kavdaemon', 'kavdaemon',
    '/opt/AVP/AvpDaemonClient', 'AvpDaemonClient',
    '/opt/AVP/AvpTeamDream', 'AvpTeamDream',
    '/opt/AVP/avpdc', 'avpdc' ],
    "-f=$TEMPBASE {}", [0,8], [3,4,5,6], qr/infected: ([^\r\n]+)/ ],
    # change the startup-script in /etc/init.d/kavd to:
    # DPARMS="-* -Y -dl -f=/var/amavis /var/amavis"
    # (or perhaps: DPARMS="-I0 -Y -* /var/amavis" )
    # adjusting /var/amavis above to match your $TEMPBASE.
    # The '-f=/var/amavis' is needed if not running it as root, so it
    # can find, read, and write its pid file, etc., see 'man kavdaemon'.
    # defUnix.prf: there must be an entry "*/var/amavis" (or whatever
    # directory $TEMPBASE specifies) in the 'Names=' section.
    # cd /opt/AVP/DaemonClients; configure; cd Sample; make
    # cp AvpDaemonClient /opt/AVP/
    # su - vscan -c "${PREFIX}/kavdaemon ${DPARMS}"

    ### http://www.centralcommand.com/
    ['CentralCommand Vexira (new) vascan',
    ['vascan','/usr/lib/Vexira/vascan'],
    "-a s --timeout=60 --temp=$TEMPBASE -y $QUARANTINEDIR ".
    "--log=/var/log/vascan.log {}",
    [0,3], [1,2,5],
    qr/(?x)^\s* (?:virus|iworm|macro|mutant|sequence|trojan)\ found:\ ( [^\]\s']+ )\ \.\.\.\ / ],
    # Adjust the path of the binary and the virus database as needed.
    # 'vascan' does not allow to have the temp directory to be the same as
    # the quarantine directory, and the quarantine option can not be disabled.
    # If $QUARANTINEDIR is not used, then another directory must be specified
    # to appease 'vascan'. Move status 3 to the second list if password
    # protected files are to be considered infected.

    ### http://www.avira.com/
    ### Avira AntiVir (formerly H+BEDV) or (old) CentralCommand Vexira Antivirus
    ['Avira AntiVir', ['antivir','vexira'],
    '--allfiles -noboot -nombr -rs -s -z {}', [0], qr/ALERT:|VIRUS:/,
    qr/(?x)^\s* (?: ALERT: \s* (?: \[ | [^']* ' ) |
    (?i) VIRUS:\ .*?\ virus\ '?) ( [^\]\s']+ )/ ],
    # NOTE: if you only have a demo version, remove -z and add 214, as in:
    # '--allfiles -noboot -nombr -rs -s {}', [0,214], qr/ALERT:|VIRUS:/,

    ### http://www.commandsoftware.com/
    ['Command AntiVirus for Linux', 'csav',
    '-all -archive -packed {}', [50], [51,52,53],
    qr/Infection: (.+)/ ],

    ### http://www.symantec.com/
    ['Symantec CarrierScan via Symantec CommandLineScanner',
    'cscmdline', '-a scan -i 1 -v -s 127.0.0.1:7777 {}',
    qr/^Files Infected:\s+0$/, qr/^Infected\b/,
    qr/^(?:Info|Virus Name):\s+(.+)/ ],

    ### http://www.symantec.com/
    ['Symantec AntiVirus Scan Engine',
    'savsecls', '-server 127.0.0.1:7777 -mode scanrepair -details -verbose {}',
    [0], qr/^Infected\b/,
    qr/^(?:Info|Virus Name):\s+(.+)/ ],
    # NOTE: check options and patterns to see which entry better applies

    # ### http://www.f-secure.com/products/anti-virus/ version 4.65
    # ['F-Secure Antivirus for Linux servers',
    # ['/opt/f-secure/fsav/bin/fsav', 'fsav'],
    # '--delete=no --disinf=no --rename=no --archive=yes --auto=yes '.
    # '--dumb=yes --list=no --mime=yes {}', [0], [3,6,8],
    # qr/(?:infection|Infected|Suspected): (.+)/ ],

    ### http://www.f-secure.com/products/anti-virus/ version 5.52
    ['F-Secure Antivirus for Linux servers',
    ['/opt/f-secure/fsav/bin/fsav', 'fsav'],
    '--virus-action1=report --archive=yes --auto=yes '.
    '--dumb=yes --list=no --mime=yes {}', [0], [3,4,6,8],
    qr/(?:infection|Infected|Suspected|Riskware): (.+)/ ],
    # NOTE: internal archive handling may be switched off by '--archive=no'
    # to prevent fsav from exiting with status 9 on broken archives

    # ### http://www.avast.com/
    # ['avast! Antivirus daemon',
    # \&ask_daemon, # greets with 220, terminate with QUIT
    # ["SCAN {}\015\012QUIT\015\012", '/var/run/avast4/mailscanner.sock'],
    # qr/\t\[\+\]/, qr/\t\[L\]\t/, qr/\t\[L\]\t([^[ \t\015\012]+)/ ],

    # ### http://www.avast.com/
    # ['avast! Antivirus - Client/Server Version', 'avastlite',
    # '-a /var/run/avast4/mailscanner.sock -n {}', [0], [1],
    # qr/\t\[L\]\t([^[ \t\015\012]+)/ ],

    ['CAI InoculateIT', 'inocucmd', # retired product
    '-sec -nex {}', [0], [100],
    qr/was infected by virus (.+)/ ],
    # see: http://www.flatmtn.com/computer/Linux-Antivirus_CAI.html

    ### http://www3.ca.com/Solutions/Product.asp?ID=156 (ex InoculateIT)
    ['CAI eTrust Antivirus', 'etrust-wrapper',
    '-arc -nex -spm h {}', [0], [101],
    qr/is infected by virus: (.+)/ ],
    # NOTE: requires suid wrapper around inocmd32; consider flag: -mod reviewer
    # see http://marc.theaimsgroup.com/?l=amavis-user&m=109229779912783

    ### http://mks.com.pl/english.html
    ['MkS_Vir for Linux (beta)', ['mks32','mks'],
    '-s {}/*', [0], [1,2],
    qr/--[ \t]*(.+)/ ],

    ### http://mks.com.pl/english.html
    ['MkS_Vir daemon', 'mksscan',
    '-s -q {}', [0], [1..7],
    qr/^... (\S+)/ ],

    # ### http://www.nod32.com/, version v2.52 and above
    # ['ESET NOD32 for Linux Mail servers',
    # ['/opt/eset/nod32/bin/nod32cli', 'nod32cli'],
    # '--subdir --files -z --sfx --rtp --adware --unsafe --pattern --heur '.
    # '-w -a --action-on-infected=accept --action-on-uncleanable=accept '.
    # '--action-on-notscanned=accept {}',
    # [0,3], [1,2], qr/virus="([^"]+)"/ ],

    ### http://www.eset.com/, version v2.7
    ['ESET NOD32 Linux Mail Server - command line interface',
    ['/usr/bin/nod32cli', '/opt/eset/nod32/bin/nod32cli', 'nod32cli'],
    '--subdir {}', [0,3], [1,2], qr/virus="([^"]+)"/ ],

    ## http://www.nod32.com/, NOD32LFS version 2.5 and above
    ['ESET NOD32 for Linux File servers',
    ['/opt/eset/nod32/sbin/nod32','nod32'],
    '--files -z --mail --sfx --rtp --adware --unsafe --pattern --heur '.
    '-w -a --action=1 -b {}',
    [0], [1,10], qr/^object=.*, virus="(.*?)",/ ],

    # Experimental, based on posting from Rado Dibarbora (Dibo) on 2002-05-31
    # ['ESET Software NOD32 Client/Server (NOD32SS)',
    # \&ask_daemon2, # greets with 200, persistent, terminate with QUIT
    # ["SCAN {}/*\r\n", '127.0.0.1:8448' ],
    # qr/^200 File OK/, qr/^201 /, qr/^201 (.+)/ ],

    ### http://www.norman.com/products_nvc.shtml
    ['Norman Virus Control v5 / Linux', 'nvcc',
    '-c -l:0 -s -u -temp:$TEMPBASE {}', [0,10,11], [1,2,14],
    qr/(?i).* virus in .* -> \'(.+)\'/ ],

    ### http://www.pandasoftware.com/
    ['Panda CommandLineSecure 9 for Linux',
    ['/opt/pavcl/usr/bin/pavcl','pavcl'],
    '-auto -aex -heu -cmp -nbr -nor -nos -eng -nob {}',
    qr/Number of files infected[ .]*: 0+(?!\d)/,
    qr/Number of files infected[ .]*: 0*[1-9]/,
    qr/Found virus :\s*(\S+)/ ],
    # NOTE: for efficiency, start the Panda in resident mode with 'pavcl -tsr'
    # before starting amavisd - the bases are then loaded only once at startup.
    # To reload bases in a signature update script:
    # /opt/pavcl/usr/bin/pavcl -tsr -ulr; /opt/pavcl/usr/bin/pavcl -tsr
    # Please review other options of pavcl, for example:
    # -nomalw, -nojoke, -nodial, -nohackt, -nospyw, -nocookies

    # ### http://www.pandasoftware.com/
    # ['Panda Antivirus for Linux', ['pavcl'],
    # '-TSR -aut -aex -heu -cmp -nbr -nor -nso -eng {}',
    # [0], [0x10, 0x30, 0x50, 0x70, 0x90, 0xB0, 0xD0, 0xF0],
    # qr/Found virus :\s*(\S+)/ ],

    # GeCAD AV technology is acquired by Microsoft; RAV has been discontinued.
    # Check your RAV license terms before fiddling with the following two lines!
    # ['GeCAD RAV AntiVirus 8', 'ravav',
    # '--all --archive --mail {}', [1], [2,3,4,5], qr/Infected: (.+)/ ],
    # # NOTE: the command line switches changed with scan engine 8.5 !
    # # (btw, assigning stdin to /dev/null causes RAV to fail)

    ### http://www.nai.com/
    ['NAI McAfee AntiVirus (uvscan)', 'uvscan',
    '--secure -rv --mime --summary --noboot - {}', [0], [13],
    qr/(?x) Found (?:
    \ the\ (.+)\ (?:virus|trojan) |
    \ (?:virus|trojan)\ or\ variant\ ([^ ]+) |
    :\ (.+)\ NOT\ a\ virus)/,
    # sub {$ENV{LD_PRELOAD}='/lib/libc.so.6'},
    # sub {delete $ENV{LD_PRELOAD}},
    ],
    # NOTE1: with RH9: force the dynamic linker to look at /lib/libc.so.6 before
    # anything else by setting environment variable LD_PRELOAD=/lib/libc.so.6
    # and then clear it when finished to avoid confusing anything else.
    # NOTE2: to treat encrypted files as viruses replace the [13] with:
    # qr/^\s{5,}(Found|is password-protected|.*(virus|trojan))/

    ### http://www.virusbuster.hu/en/
    ['VirusBuster', ['vbuster', 'vbengcl'],
    "{} -ss -i '*' -log=$MYHOME/vbuster.log", [0], [1],
    qr/: '(.*)' - Virus/ ],
    # VirusBuster Ltd. does not support the daemon version for the workstation
    # engine (vbuster-eng-1.12-linux-i386-libc6.tgz) any longer. The names of
    # binaries, some parameters AND return codes have changed (from 3 to 1).
    # See also the new Vexira entry 'vascan' which is possibly related.

    # ### http://www.virusbuster.hu/en/
    # ['VirusBuster (Client + Daemon)', 'vbengd',
    # '-f -log scandir {}', [0], [3],
    # qr/Virus found = (.*);/ ],
    # # HINT: for an infected file it always returns 3,
    # # although the man-page tells a different story

    ### http://www.cyber.com/
    ['CyberSoft VFind', 'vfind',
    '--vexit {}/*', [0], [23], qr/##==>>>> VIRUS ID: CVDL (.+)/,
    # sub {$ENV{VSTK_HOME}='/usr/lib/vstk'},
    ],

    ### http://www.avast.com/
    ['avast! Antivirus', ['/usr/bin/avastcmd','avastcmd'],
    '-a -i -n -t=A {}', [0], [1], qr/\binfected by:\s+([^ \t\n\[\]]+)/ ],

    ### http://www.ikarus-software.com/
    ['Ikarus AntiVirus for Linux', 'ikarus',
    '{}', [0], [40], qr/Signature (.+) found/ ],

    ### http://www.bitdefender.com/
    ['BitDefender', 'bdc',
    '--arc --mail {}', qr/^Infected files *:0+(?!\d)/,
    qr/^(?:Infected files|Identified viruses|Suspect files) *:0*[1-9]/,
    qr/(?:suspected|infected): (.*)(?:\033|$)/ ],
    # consider also: --all --nowarn --alev=15 --flev=15. The --all argument may
    # not apply to your version of bdc, check documentation and see 'bdc --help'

    ### ArcaVir for Linux and Unix http://www.arcabit.pl/
    ['ArcaVir for Linux', ['arcacmd','arcacmd.static'],
    '-v 1 -summary 0 -s {}', [0], [1,2],
    qr/(?:VIR|WIR):[ \t]*(.+)/ ],

    # ['File::Scan', sub {Amavis::AV::ask_av(sub{
    # use File::Scan; my($fn)=@_;
    # my($f)=File::Scan->new(max_txt_size=>0, max_bin_size=>0);
    # my($vname) = $f->scan($fn);
    # $f->error ? (2,"Error: ".$f->error)
    # : ($vname ne '') ? (1,"$vname FOUND") : (0,"Clean")}, @_) },
    # ["{}/*"], [0], [1], qr/^(.*) FOUND$/ ],

    # ### fully-fledged checker for JPEG marker segments of invalid length
    # ['check-jpeg',
    # sub { use JpegTester (); Amavis::AV::ask_av(\&JpegTester::test_jpeg, @_) },
    # ["{}/*"], undef, [1], qr/^(bad jpeg: .*)$/ ],
    # # NOTE: place file JpegTester.pm somewhere where Perl can find it,
    # # for example in /usr/local/lib/perl5/site_perl

    );


    @av_scanners_backup = (

    ### http://www.clamav.net/ - backs up clamd or Mail::ClamAV
    ['ClamAV-clamscan', 'clamscan',
    "--stdout --no-summary -r --tempdir=$TEMPBASE {}",
    [0], qr/:.*\sFOUND$/, qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],

    ### http://www.f-prot.com/ - backs up F-Prot Daemon
    ['FRISK F-Prot Antivirus', ['f-prot','f-prot.sh'],
    '-dumb -archive -packed {}', [0,8], [3,6], # or: [0], [3,6,8],
    qr/(?:Infection:|security risk named) (.+)|\s+contains\s+(.+)$/ ],

    ### http://www.trendmicro.com/ - backs up Trophie
    ['Trend Micro FileScanner', ['/etc/iscan/vscan','vscan'],
    '-za -a {}', [0], qr/Found virus/, qr/Found virus (.+) in/ ],

    ### http://www.sald.com/, http://drweb.imshop.de/ - backs up DrWebD
    ['drweb - DrWeb Antivirus', # security LHA hole in Dr.Web 4.33 and earlier
    ['/usr/local/drweb/drweb', '/opt/drweb/drweb', 'drweb'],
    '-path={} -al -go -ot -cn -upn -ok-',
    [0,32], [1,9,33], qr' infected (?:with|by)(?: virus)? (.*)$'],

    ### http://www.kaspersky.com/
    ['Kaspersky Antivirus v5.5',
    ['/opt/kaspersky/kav4fs/bin/kav4fs-kavscanner',
    '/opt/kav/5.5/kav4unix/bin/kavscanner',
    '/opt/kav/5.5/kav4mailservers/bin/kavscanner', 'kavscanner'],
    '-i0 -xn -xp -mn -R -ePASBME {}/*', [0,10,15], [5,20,21,25],
    qr/(?:INFECTED|WARNING|SUSPICION|SUSPICIOUS) (.*)/ ,
    # sub {chdir('/opt/kav/bin') or die "Can't chdir to kav: $!"},
    # sub {chdir($TEMPBASE) or die "Can't chdir back to $TEMPBASE $!"},
    ],

    # Commented out because the name 'sweep' clashes with Debian and FreeBSD
    # package/port of an audio editor. Make sure the correct 'sweep' is found
    # in the path when enabling.
    #
    # ### http://www.sophos.com/ - backs up Sophie or SAVI-Perl
    # ['Sophos Anti Virus (sweep)', 'sweep',
    # '-nb -f -all -rec -ss -sc -archive -cab -mime -oe -tnef '.
    # '--no-reset-atime {}',
    # [0,2], qr/Virus .*? found/,
    # qr/^>>> Virus(?: fragment)? '?(.*?)'? found/,
    # ],
    # # other options to consider: -idedir=/usr/local/sav

    # always succeeds (uncomment to consider mail clean if all other scanners fail)
    # ['always-clean', sub {0}],

    );


    @bypass_virus_checks_maps = (
    \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);

    @bypass_spam_checks_maps = (
    \%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);

    #
    # Database connection settings
    #

    @lookup_sql_dsn =
    ( ['DBI:mysql:database=dbispconfig;host=127.0.0.1;port=3306', 'ispconfig', '5c322862f383237c59362b1dfc95399a'] );

    # @storage_sql_dsn = @lookup_sql_dsn; # none, same, or separate database
    #$sql_select_policy = 'SELECT "Y" as local FROM mail_domain WHERE CONCAT("@",domain) IN (%k)';
    # $banned_files_quarantine_method = 'sql';
    # $spam_quarantine_method = 'sql';

    #
    # SQL Select statements
    #

    $sql_select_policy =
    'SELECT *,spamfilter_users.id'.
    ' FROM spamfilter_users LEFT JOIN spamfilter_policy ON spamfilter_users.policy_id=spamfilter_policy.id'.
    ' WHERE spamfilter_users.email IN (%k) ORDER BY spamfilter_users.priority DESC';


    $sql_select_white_black_list = 'SELECT wb FROM spamfilter_wblist'.
    ' WHERE (spamfilter_wblist.rid=?) AND (spamfilter_wblist.email IN (%k))' .
    ' ORDER BY spamfilter_wblist.priority DESC';

    #
    # Quarantine settings
    #

    $final_virus_destiny = D_BOUNCE;
    $final_spam_destiny = D_DISCARD;
    $final_banned_destiny = D_BOUNCE;
    $final_bad_header_destiny = D_PASS;

    #
    # Disable spam and virus notifications for the admin user.
    # Can be overridden by the policies in mysql
    #

    $virus_admin = undef;
    $spam_admin = undef;


    #
    # Enable Logging
    #

    $DO_SYSLOG = 1;
    $LOGFILE = "/var/log/amavis.log"; # (defaults to empty, no log)

    $log_level = 5; # (defaults to 0)


    1; # insure a defined return
     
  8. falko

    falko Super Moderator ISPConfig Developer

    What are the outputs of
    Code:
    ls -l /var/spool/amavisd/clamd.sock
    and
    Code:
    updatedb
    locate clamd.sock
    ?
     
  9. jariasca

    jariasca Member


    [root@mail ~]# ls -l /var/spool/amavisd/clamd.sock
    ls: /var/spool/amavisd/clamd.sock: No such file or directory

    [root@mail ~]# find / -name clamd.sock

    If I try to find the clamd.sock is not in my system

    [root@mail ~]# find / -name clamd.*
    /usr/share/doc/clamd-0.96/clamd.conf
    /usr/share/man/man5/clamd.conf.5.gz
    /usr/share/man/man8/clamd.8.gz
    /var/log/clamav/clamd.log
    /var/run/clamav/clamd.pid
    /etc/clamd.conf
    [root@mail ~]#

    thanks for the help.
     
  10. falko

    falko Super Moderator ISPConfig Developer

    Is clamd started?
     
  11. jariasca

    jariasca Member

    Hi Falko

    yes it is started

    [root@mail log]# service clamd status
    clamd (pid 4208) is running...
    [root@mail log]#

    Apr 19 08:21:41 mail pop3d: Connection, ip=[::ffff:216.25.164.14]
    Apr 19 08:21:41 mail pop3d: LOGIN, user=[email protected], ip=[::ffff:216.25.164.14], port=[52643]
    Apr 19 08:21:41 mail pop3d: LOGOUT, user=[email protected], ip=[::ffff:216.25.164.14], port=[52643], top=0, retr=0, rcvd=12, sent=39, time=0
    Apr 19 08:21:45 mail postfix/smtpd[30676]: connect from unknown[58.64.87.129]
    Apr 19 08:21:47 mail postfix/smtpd[30676]: 17F3414D0F3B: client=unknown[58.64.87.129]
    Apr 19 08:21:49 mail postfix/cleanup[31121]: 17F3414D0F3B: message-id=<[email protected]>
    Apr 19 08:21:49 mail postfix/qmgr[2752]: 17F3414D0F3B: from=<[email protected]>, size=9548, nrcpt=1 (queue active)
    Apr 19 08:21:49 mail amavis[29659]: (29659-10) (!!)WARN: all primary virus scanners failed, considering backups
    Apr 19 08:21:50 mail postfix/smtpd[30676]: disconnect from unknown[58.64.87.129]
    Apr 19 08:21:57 mail amavis[29659]: (29659-10) Blocked SPAM, [58.64.87.129] [58.64.87.129] <[email protected]> -> <[email protected]>, quarantine: spam-EsmTDthKJ3B1.gz, Message-ID: <[email protected]>, mail_id: EsmTDthKJ3B1, Hits: 14.809, size: 9533, 8196 ms
    Apr 19 14:21:57 mail postfix/smtp[31122]: 17F3414D0F3B: to=<[email protected]>, relay=127.0.0.1[127.0.0.1]:10024, delay=11, delays=3/0/0/8.2, dsn=2.5.0, status=sent (250 2.5.0 Ok, id=29659-10, DISCARD(bounce.suppressed))
    Apr 19 08:21:57 mail postfix/qmgr[2752]: 17F3414D0F3B: removed
    Apr 19 08:22:12 mail postfix/smtpd[30676]: connect from localhost[127.0.0.1]
    Apr 19 08:22:12 mail postfix/smtpd[30676]: lost connection after CONNECT from localhost[127.0.0.1]
    Apr 19 08:22:12 mail postfix/smtpd[30676]: disconnect from localhost[127.0.0.1]
    Apr 19 08:22:15 mail pop3d: Connection, ip=[::ffff:216.25.164.14]
    Apr 19 08:22:15 mail pop3d: LOGIN, user=[email protected], ip=[::ffff:216.25.164.14], port=[52670]
    Apr 19 08:22:15 mail pop3d: LOGOUT, user=[email protected], ip=[::ffff:216.25.164.14], port=[52670], top=0, retr=0, rcvd=12, sent=39, time=0
    Apr 19 08:22:15 mail pop3d: Connection, ip=[::ffff:216.25.164.14]
    Apr 19 08:22:15 mail pop3d: LOGIN, user=[email protected], ip=[::ffff:216.25.164.14], port=[52673]
    Apr 19 08:22:15 mail pop3d: LOGOUT, user=[email protected], ip=[::ffff:216.25.164.14], port=[52673], top=0, retr=0, rcvd=12, sent=39, time=0
    Apr 19 08:22:15 mail postfix/smtpd[30676]: warning: 189.107.105.233: hostname 189107105233.user.veloxzone.com.br verification failed: Name or service not known
    Apr 19 08:22:15 mail postfix/smtpd[30676]: connect from unknown[189.107.105.233]
    Apr 19 08:22:16 mail postfix/smtpd[30676]: 1443814D0F3B: client=unknown[189.107.105.233]
    Apr 19 08:22:17 mail postfix/cleanup[31121]: 1443814D0F3B: message-id=<[email protected]>
    Apr 19 08:22:17 mail postfix/qmgr[2752]: 1443814D0F3B: from=<[email protected]>, size=8718, nrcpt=1 (queue active)
    Apr 19 08:22:17 mail amavis[31208]: (31208-01) (!!)WARN: all primary virus scanners failed, considering backups
    Apr 19 08:22:17 mail postfix/smtpd[30676]: disconnect from unknown[189.107.105.233]
    Apr 19 08:22:19 mail pop3d: Connection, ip=[::ffff:209.213.178.252]
    Apr 19 08:22:19 mail pop3d: Connection, ip=[::ffff:209.213.178.252]
    Apr 19 08:22:19 mail pop3d: LOGIN, user=[email protected], ip=[::ffff:209.213.178.252], port=[57800]
    Apr 19 08:22:19 mail pop3d: LOGIN, user=[email protected], ip=[::ffff:209.213.178.252], port=[57801]
    Apr 19 08:22:19 mail pop3d: LOGOUT, user=[email protected], ip=[::ffff:209.213.178.252], port=[57800], top=0, retr=0, rcvd=18, sent=69, time=0
    Apr 19 08:22:19 mail pop3d: LOGOUT, user=[email protected], ip=[::ffff:209.213.178.252], port=[57801], top=0, retr=0, rcvd=28, sent=91, time=0
    Apr 19 08:22:20 mail pop3d: Connection, ip=[::ffff:216.25.164.14]
    Apr 19 08:22:20 mail pop3d: Connection, ip=[::ffff:216.25.164.14]
    Apr 19 08:22:20 mail pop3d: LOGIN, user=[email protected], ip=[::ffff:216.25.164.14], port=[52682]
    Apr 19 08:22:20 mail pop3d: LOGIN, user=[email protected], ip=[::ffff:216.25.164.14], port=[52683]
     
  12. jariasca

    jariasca Member

    Hi Falko I can see I have a /etc/amavisd directory and inside I have the aamavisd.conf and I have another amavisd.conf in the /etc.

    So what I just did is to copy the one from amavisd directory to the etc
    and restarted the services.


    Now I'm getting this

    pr 19 08:44:09 mail amavis[32101]: (32101-03) lookup [banned_namepath_re] => undef, "P=p003\tL=1\tM=multipart/alternative\nP=p002\tL=1/2\tM=text/html\tT=html" does not match
    Apr 19 08:44:09 mail amavis[32101]: (32101-03) p.path [email protected]: "P=p003,L=1,M=multipart/alternative | P=p002,L=1/2,M=text/html,T=html"
    Apr 19 08:44:09 mail amavis[32101]: (32101-03) banned check: any=0, all=N (1)
    Apr 19 08:44:09 mail amavis[32101]: (32101-03) lookup_re("MAIL"), no matches
    Apr 19 08:44:09 mail amavis[32101]: (32101-03) lookup [keep_decoded_original] => undef, "MAIL" does not match
    Apr 19 08:44:09 mail amavis[32101]: (32101-03) Calling virus scanners, 2 files to scan in /var/spool/amavisd/tmp/amavis-20100419T083943-32101/parts
    Apr 19 08:44:09 mail amavis[32101]: (32101-03) run_av (ClamAV-clamd): query template(1,1): CONTSCAN {}\n
    Apr 19 08:44:09 mail amavis[32101]: (32101-03) prolong_timer run_av: timer set to 480 s
    Apr 19 08:44:09 mail amavis[32101]: (32101-03) prolong_timer run_av: timer set to 384 s
    Apr 19 08:44:09 mail amavis[32101]: (32101-03) ask_av Using (ClamAV-clamd): CONTSCAN /var/spool/amavisd/tmp/amavis-20100419T083943-32101/parts\n
    Apr 19 08:44:09 mail amavis[32101]: (32101-03) ask_daemon_internal: timer set to 10 s (was 384 s)
    Apr 19 08:44:09 mail amavis[32101]: (32101-03) ClamAV-clamd: Sending CONTSCAN /var/spool/amavisd/tmp/amavis-20100419T083943-32101/parts\n to UNIX socket /var/spool/amavisd/clamd.sock
    Apr 19 08:44:09 mail amavis[32101]: (32101-03) prolong_timer ask_daemon_internal: timer set to 384 s
    Apr 19 08:44:09 mail amavis[32101]: (32101-03) ClamAV-clamd: Can't send to socket /var/spool/amavisd/clamd.sock: Transport endpoint is not connected, retrying (1)
    Apr 19 08:44:09 mail amavis[32101]: (32101-03) ClamAV-clamd: sleeping for 1 s
    Apr 19 08:44:09 mail postfix/smtpd[32171]: disconnect from unknown[93.86.145.251]
    Apr 19 08:44:10 mail amavis[32101]: (32101-03) ask_daemon_internal: timer set to 10 s (was 384 s)
    Apr 19 08:44:10 mail amavis[32101]: (32101-03) ClamAV-clamd: Connecting to socket /var/spool/amavisd/clamd.sock, retry #1
    Apr 19 08:44:10 mail amavis[32101]: (32101-03) creating socket by IO::Socket::UNIX to /var/spool/amavisd/clamd.sock
    Apr 19 08:44:10 mail amavis[32101]: (32101-03) prolong_timer ask_daemon_internal: timer set to 383 s
    Apr 19 08:44:10 mail amavis[32101]: (32101-03) (!)ClamAV-clamd: Can't connect to UNIX socket /var/spool/amavisd/clamd.sock: No such file or directory, retrying (2)


    Thanks
     
  13. jariasca

    jariasca Member

    I think I finally got it reading in google I got the answer to this error

    in amavisd.conf I change the deamon to var/run/clamav/clamd.ctl

    # ### http://www.clamav.net/
    ['ClamAV-clamd',
    #\&ask_daemon, ["CONTSCAN {}\n", "/var/spool/amavisd/clamd.sock"],
    \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd.ctl"],


    and in the clamd.conf I change the deamon to var/run/clamav/clamd.ctl

    # Path to a local socket file the daemon will listen on.
    # Default: disabled (must be specified by a user)
    #LocalSocket /tmp/clamd.socket
    LocalSocket /var/run/clamav/clamd.ctl

    now look at my log

    Apr 19 09:34:54 mail amavis[3073]: (03073-01) lookup_re("MAIL"), no matches
    Apr 19 09:34:54 mail amavis[3073]: (03073-01) lookup [keep_decoded_original] => undef, "MAIL" does not match
    Apr 19 09:34:54 mail amavis[3073]: (03073-01) Calling virus scanners, 2 files to scan in /var/spool/amavisd/tmp/amavis-20100419T093454-03073/parts
    Apr 19 09:34:54 mail amavis[3073]: (03073-01) run_av (ClamAV-clamd): query template(1,1): CONTSCAN {}\n
    Apr 19 09:34:54 mail amavis[3073]: (03073-01) prolong_timer run_av: timer set to 480 s
    Apr 19 09:34:54 mail amavis[3073]: (03073-01) prolong_timer run_av: timer set to 384 s
    Apr 19 09:34:54 mail amavis[3073]: (03073-01) ask_av Using (ClamAV-clamd): CONTSCAN /var/spool/amavisd/tmp/amavis-20100419T093454-03073/parts\n
    Apr 19 09:34:54 mail amavis[3073]: (03073-01) ask_daemon_internal: timer set to 10 s (was 384 s)
    Apr 19 09:34:54 mail amavis[3073]: (03073-01) ClamAV-clamd: Connecting to socket /var/run/clamav/clamd.ctl
    Apr 19 09:34:54 mail amavis[3073]: (03073-01) creating socket by IO::Socket::UNIX to /var/run/clamav/clamd.ctl
    Apr 19 09:34:54 mail amavis[3073]: (03073-01) ClamAV-clamd: Sending CONTSCAN /var/spool/amavisd/tmp/amavis-20100419T093454-03073/parts\n to UNIX socket /var/run/clamav/clamd.ctl
    Apr 19 09:34:54 mail amavis[3073]: (03073-01) prolong_timer ask_daemon_internal: timer set to 307 s
    Apr 19 09:34:55 mail amavis[3073]: (03073-01) prolong_timer ask_daemon_internal: timer set to 383 s
    Apr 19 09:34:55 mail amavis[3073]: (03073-01) prolong_timer ask_av: timer set to 479 s
    Apr 19 09:34:55 mail amavis[3073]: (03073-01) ask_av (ClamAV-clamd) result: /var/spool/amavisd/tmp/amavis-20100419T093454-03073/parts: OK\n
    Apr 19 09:34:55 mail amavis[3073]: (03073-01) run_av (ClamAV-clamd): CLEAN
    Apr 19 09:34:55 mail amavis[3073]: (03073-01) run_av (ClamAV-clamd) result: clean
    Apr 19 09:34:55 mail amavis[3073]: (03073-01) wbl: checking sender <[email protected]>
    Apr 19 09:34:55

    Thanks for the help I will monitor my log to see what happends.
     
  14. abrahamcardenas

    abrahamcardenas New Member

    clamav daemon

    sudo aptitude update
    sudo aptitude install clamav-daemon

    it is ready for me!
     

Share This Page