Awesome! Thanks for letting me know.

--
Michael D. Wood
ITSecurityPros.org
www.itsecuritypros.org


From: Jayanta Ghosh [mailto:[email protected]]
Sent: Friday, September 07, 2012 6:45 AM
To: Michael D. Wood
Subject: Re: Eicar Testing

Dear Michael,

Thank you for your response. I have uncommented the lines and now it's working.

Regards,
Jayanta


From: Michael D. Wood <mailto:[email protected]>
Sent: Friday, September 07, 2012 3:40 PM
To: 'Jayanta Ghosh' <mailto:[email protected]>
Subject: RE: Eicar Testing

I just looked at your amavisd.conf file... didn't see it the first time :)

Find this:

### http://www.clamav.net/
['ClamAV-clamd',
   \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd.ctl"],
   qr/\bOK$/m, qr/\bFOUND$/m,
   qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],

Yours is commented out... uncomment it and see what you get.

--
Michael D. Wood
ITSecurityPros.org
www.itsecuritypros.org


From: [email protected] [mailto:[email protected]] On Behalf Of Michael D. Wood
Sent: Friday, September 07, 2012 6:01 AM
To: 'Jayanta Ghosh'; [email protected]
Subject: RE: Eicar Testing

I just tested with mine to see if it would detect it from the body of the e-mail and indeed it does. This was done by placing the EICAR test string in the body of the e-mail. My setup is pretty much the same except I'm using dovecot.

Things that are popping up in my head to check would be:

/etc/amavis/conf.d/15-content_filter_mode  <- make sure amavis is set to use clamav and spamassassin (disabled by default)

/etc/amavis/conf.d/15-av_scanners  <- make sure clamd is configured here, also check to make sure clamd is running

### http://www.clamav.net/
['ClamAV-clamd',
   \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd.ctl"],
   qr/\bOK$/m, qr/\bFOUND$/m,
   qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],

Here is the e-mail alerting me that I had sent out the malicious e-mail:

VIRUS ALERT

Our content checker found
    virus: Eicar-Test-Signature

in email presumably from you <[email protected]> to the following recipient:
-> [email protected]

Our internal reference code for your message is 13692-11/mMgsaVaBvzxz

First upstream SMTP client IP address: [192.168.23.62] pfsense.xxxx.xxxx
According to a 'Received:' trace, the message originated at: [192.168.23.62],
  michaellaptop pfsense.xxxxx.xxxxx [192.168.23.62] Authenticated sender:
  [email protected]

Return-Path: <[email protected]>
From: "Michael D. Wood" <[email protected]>
Message-ID: <[email protected]>

Delivery of the email was stopped!

Please check your system for viruses,
or ask your system administrator to do so.

--
Michael D. Wood
ITSecurityPros.org
www.itsecuritypros.org
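
The 'ClamAV-clamd' scanner entry quoted in the two messages above, worked through as an added Python example (mine, not code from the thread or from amavisd-new): it expands the "CONTSCAN {}" template and applies the entry's three patterns to constructed clamd responses, including a mixed directory scan, an "Infected Archive" line and an error line. The parts-directory paths and sample responses are constructed, and the order in which the patterns are checked is my own choice.

```python
import re
from typing import Optional, Tuple

# The three Perl patterns from the quoted 'ClamAV-clamd' entry, translated to
# Python: Perl's /m is re.MULTILINE, so '^' and '$' match per response line.
RE_CLEAN = re.compile(r"\bOK$", re.MULTILINE)
RE_FOUND = re.compile(r"\bFOUND$", re.MULTILINE)
# Name extractor: the negative lookahead skips a generic "Infected Archive"
# line so the real signature name on another line is captured instead.
RE_NAME = re.compile(r"^.*?: (?!Infected Archive)(.*) FOUND$", re.MULTILINE)


def contscan_command(parts_dir: str) -> bytes:
    """Expand the "CONTSCAN {}\\n" template: {} becomes the directory of
    unpacked MIME parts (assumed here), written to the clamd.ctl socket."""
    return f"CONTSCAN {parts_dir}\n".encode()


def classify(response: str) -> Tuple[str, Optional[str]]:
    """Return ("infected", name), ("clean", None) or ("error", None).

    FOUND is tested first: a directory scan mixes OK lines for clean parts
    with one FOUND line, and that hit must win. A response matching neither
    pattern (e.g. a clamd ERROR line) is a scanner failure, not a clean mail.
    """
    if RE_FOUND.search(response):
        m = RE_NAME.search(response)
        return "infected", (m.group(1) if m else None)
    if RE_CLEAN.search(response):
        return "clean", None
    return "error", None


# Constructed sample responses (not from the thread); paths are placeholders
# for amavisd's temporary parts directory.
SAMPLE_CLEAN = "/var/lib/amavis/tmp/amavis-x/parts: OK\n"
SAMPLE_EICAR = ("/var/lib/amavis/tmp/amavis-x/parts/p001: OK\n"
                "/var/lib/amavis/tmp/amavis-x/parts/p002: Eicar-Test-Signature FOUND\n")
SAMPLE_ARCHIVE = ("/var/lib/amavis/tmp/amavis-x/parts/p003: Infected Archive FOUND\n"
                  "/var/lib/amavis/tmp/amavis-x/parts/p004: Eicar-Test-Signature FOUND\n")
SAMPLE_ERROR = "/var/lib/amavis/tmp/amavis-x/parts: lstat() failed. ERROR\n"

if __name__ == "__main__":
    print(contscan_command("/var/lib/amavis/tmp/amavis-x/parts"))
    for sample in (SAMPLE_CLEAN, SAMPLE_EICAR, SAMPLE_ARCHIVE, SAMPLE_ERROR):
        print(classify(sample))
```

If the entry is commented out in amavisd.conf, none of this runs and every message passes unscanned, which is the symptom the thread describes.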

From: [email protected] [mailto:[email protected]] On Behalf Of Jayanta Ghosh
Sent: Friday, September 07, 2012 5:36 AM
To: [email protected]
Subject: Eicar Testing

Dear List,

I have configured a mail server on RHEL 6.1 (64 Bit) with the following components:
1. Postfix
2. Courier-authlib
3. Courier-imap
4. MySql
5. Maildrop
6. Spamassassin
7. Clamav
8. Amavis-new

The mail server is functioning properly. But I was testing the functionality of Amavis-new & Clamav. I was testing this by sending the EICAR string. The issue is that when I am sending the EICAR string in the body of the email, Amavis is not detecting any virus pattern in it and eventually the email is passed by Amavis. But when I am sending the same EICAR string as an attachment (a text file containing the string), Amavis is blocking the mail from getting delivered.

My query is: do I need to change any of the settings in the clamd.conf or amavisd.conf file, so that the EICAR string written in the body of the email will be blocked by Amavis? I am also attaching both configurations herein.

Kindly help.

Regards,
Jayanta
