Amavis will not check new clamav signatures

Discussion in 'Installation/Configuration' started by Pay87, Mar 24, 2016.

  1. Pay87

    Pay87 New Member

    Hi! I set up a "perfect Ubuntu server with nginx". After getting a lot of spam I tried to tune the clamav detection. I loaded the newest unofficial signatures by sanesecurity.com. They were all placed in /var/lib/clamav. I then tuned the user config for clamav in /etc/amavis/conf.d/50-user by adding:

    $bypass_decode_parts = 1;

    and also I tried to add:
    @keep_decoded_original_maps = (new_RE(
    qr'^MAIL$', # retain full original message for virus checking
    qr'^MAIL-UNDECIPHERABLE$', # recheck full mail if it contains undecipherables
    qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i,
    ));

    Then I tried to test the new signatures:
    sanesecurity.com/support/signature-testing/

    But this does not work, emails still come to the inbox and the mail log also shows an amavis entry which says the mail is "clean". I tried to restart the server/services a lot of times too, and amavis detects the eicar test file, so normal signatures work...

    I also tried adding this to /etc/amavis/conf.d/50-user

    @virus_name_to_spam_score_maps =
    (new_RE( # the order matters!
    [ qr'^Structured\.(SSN|CreditCardNumber)\b' => 0.1 ],
    [ qr'^(Heuristics\.)?Phishing\.' => 0.1 ],
    [ qr'^(Email|HTML)\.Phishing\.(?!.*Sanesecurity)' => 0.1 ],
    [ qr'^Sanesecurity\.(Malware|Badmacro|Foxhole|Rogue|Trojan)\.' => undef ], # keep as infected
    [ qr'^Sanesecurity\.' => 0.1 ],
    [ qr'^Sanesecurity.TestSig_' => 0 ],
    [ qr'^Email\.Spam\.Bounce(\.[^., ]*)*\.Sanesecurity\.' => 0 ],
    [ qr'^BofhlandMW\.' => undef ], # keep as infected
    [ qr'^Bofhland\.Malware\.' => undef ], # keep as infected
    [ qr'^Bofhland\.' => 0.1 ],
    [ qr'^winnow.malware\.' => undef ], # keep as infected
    [ qr'^winnow\_' => 0.1 ],
    [ qr'^PhishTank\.Phishing\.' => 0.1 ],
    [ qr'^Porcupine\.Malware\.' => undef ], # keep as infected
    [ qr'^Porcupine\.' => 0.1 ],
    [ qr'^Email\.Spammail\b' => 0.1 ],
    [ qr'^Safebrowsing\.' => 0.1 ],
    [ qr'^winnow\.(phish|spam)\.' => 0.1 ],
    [ qr'^ScamNailer\.' => 0.1 ],
    ));

    But no luck yet. Any ideas how to get the signatures working? I get a lot of spam. About 30-50 viruses a day... :(
     
  2. ztk.me

    ztk.me Active Member

    Have you checked your /var/log/clamav/ files? Tried enabling verbose logging in clamav?
    Did you enable PUA as well?
    Amavis just calls clamav - and if you feel the signature detection is not working, you might want to check whether amavis calls clamav and clamav is doing its job.

    Also keep in mind that the freshclam daemon might download new signatures and overwrite manually copied ones.
     
  3. Pay87

    Pay87 New Member

    Hey ztk.me, thanks for your help.

    Since the Eicar test file gets detected by amavis (mail log shows detection) clamav should work fine. I double checked that I activated the spam check in ISPConfig for that account, too. And also the "bypass options" in the amavis user config to detect virus and spam are enabled correctly.

    I think freshclam will only overwrite the official signatures? I see all the sanesecurity files in the signature folder or do they have to get merged into the main files somehow? I thought putting them into the signature folder is enough and clamav will load all signatures from that folder automatically.
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    Did you restart clamav and amavis?
     
  5. ztk.me

    ztk.me Active Member

    If you use different signature file names it should be fine, yes.
    Have you checked the clamav log for issues loading the additional files?
    The Eicar test should work with the base clamav signatures; it does not indicate that your 3rd party signatures are in the correct directory or that clamav was able to load them.
    Apart from a missing reload of clamav / amavis this is the only issue I could think of.
     
  6. Jesse Norell

    Jesse Norell Active Member

    Ensure clamd.conf has OfficialDatabaseOnly set to false.
     
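The checks suggested in the replies above (clamav log for load errors, third-party files actually present in the database directory, OfficialDatabaseOnly not set to true), collected into a small POSIX shell helper. This is an added example, not code from this thread, from ClamAV or from amavis. The real paths (/etc/clamav/clamd.conf, /var/lib/clamav, /var/log/clamav/clamav.log) are assumptions for a Debian/Ubuntu install and are passed as arguments; without arguments it runs against a constructed sample directory so it works offline.

```shell
#!/bin/sh
# Added diagnostic helper; not code from this thread, ClamAV or amavis.
# It checks what the replies point at: OfficialDatabaseOnly in clamd.conf,
# whether third-party signature files sit beside the official databases,
# and whether the clamd log records database load failures.
# Real paths are assumptions: /etc/clamav/clamd.conf, /var/lib/clamav and
# /var/log/clamav/clamav.log on Debian/Ubuntu.

# Return 0 when OfficialDatabaseOnly is false or unset (the ClamAV default),
# 1 when it is set true, which makes clamd ignore third-party databases.
official_only_blocks_thirdparty() {
    ooval=$(grep -i '^[[:space:]]*OfficialDatabaseOnly' "$1" | tail -n 1 | awk '{print tolower($2)}')
    case "$ooval" in
        true|yes|1) return 1 ;;
        *) return 0 ;;
    esac
}

# Print how many files in a database directory are third-party signature
# databases, i.e. not main/daily/bytecode and not freshclam bookkeeping.
count_thirdparty_dbs() {
    tpn=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        case "$(basename "$f")" in
            main.c[vl]d|daily.c[vl]d|bytecode.c[vl]d|mirrors.dat|freshclam.dat) ;;
            *.ndb|*.hdb|*.hsb|*.ldb|*.cdb|*.mdb|*.wdb|*.fp|*.ign2|*.yar|*.yara) tpn=$((tpn + 1)) ;;
        esac
    done
    echo "$tpn"
}

# Print the number of clamd log lines that report a database load failure.
count_db_load_errors() {
    grep -c -E 'Malformed database|Unable to (open|load)|Can.t open file' "$1" || true
}

# Run all checks against a config file, a database directory and a log file;
# print one verdict per check and return 1 if any check failed.
report() {
    rc=0
    if official_only_blocks_thirdparty "$1"; then
        echo "ok:   $1 does not set OfficialDatabaseOnly true"
    else
        echo "FAIL: $1 sets OfficialDatabaseOnly true; third-party signatures are ignored"; rc=1
    fi
    n=$(count_thirdparty_dbs "$2")
    if [ "$n" -gt 0 ]; then
        echo "ok:   $n third-party signature file(s) in $2"
    else
        echo "FAIL: no third-party signature files in $2; check where the download script writes"; rc=1
    fi
    if [ -r "$3" ]; then
        e=$(count_db_load_errors "$3")
        if [ "$e" -eq 0 ]; then
            echo "ok:   no database load errors in $3"
        else
            echo "FAIL: $e database load error line(s) in $3; clamd is not loading every file"; rc=1
        fi
    else
        echo "WARN: cannot read $3; enable LogFile in clamd.conf and reload clamd"
    fi
    return $rc
}

# Constructed sample environment so the script runs offline. The conf, the
# file names and the log lines are made up to resemble a ClamAV install.
build_sample_env() {
    d=$(mktemp -d)
    printf '# OfficialDatabaseOnly false\nOfficialDatabaseOnly true\n' > "$d/clamd-bad.conf"
    printf 'LogFile %s/clamav.log\n' "$d" > "$d/clamd-ok.conf"
    mkdir "$d/db"
    for f in main.cvd daily.cld bytecode.cvd mirrors.dat phish.ndb foxhole_generic.cdb scam.ndb; do
        : > "$d/db/$f"
    done
    printf '%s\n' \
        'Thu Mar 24 10:00:00 2016 -> Loaded 4000000 signatures.' \
        'Thu Mar 24 10:00:01 2016 -> LibClamAV Error: Malformed database: /var/lib/clamav/scam.ndb' \
        'Thu Mar 24 10:00:01 2016 -> LibClamAV Error: Unable to open file /var/lib/clamav/phish.ndb' \
        'Thu Mar 24 10:00:02 2016 -> Self checking every 3600 seconds.' > "$d/clamav.log"
    echo "$d"
}

# With three arguments, check a real install; otherwise run on the sample.
if [ "$#" -eq 3 ]; then
    report "$1" "$2" "$3"
else
    sd=$(build_sample_env)
    report "$sd/clamd-bad.conf" "$sd/db" "$sd/clamav.log" || true
    rm -rf "$sd"
fi
```

Run it as `sh clamcheck.sh /etc/clamav/clamd.conf /var/lib/clamav /var/log/clamav/clamav.log` after a clamd reload; a FAIL on the log check is the quickest way to see which of the copied .ndb/.hdb/.cdb files clamd rejected, and the third-party file count should drop to zero again if freshclam is the one clearing them out.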
  7. Pay87

    Pay87 New Member

    Yes I did a restart of all the services, but I didn't check the clam log yet. I will do so and report. Also I didn't check if OfficialDatabaseOnly is false. Thank you! :)
     