Re: adding AV scanning to working Postfix/SA system
> What, specifically, is the config you're using to invoke CLAMAVPlugin?
>
> You need to have at least two things set up in your spamassassin config
> files:
> 1) load the plugin in a "v*.pre"
> 2) invoke the check_clamav() procedure
>
> EG:
> in v320.pre
>
> # AntiVirus - some simple anti-virus checks, this is not a replacement
> # for an anti-virus filter like Clam AntiVirus
> #
> #loadplugin Mail::SpamAssassin::Plugin::AntiVirus
> #
> loadplugin ClamAV /usr/local/etc/mail/spamassassin/plugins/clamav.pm
>
> Note that line depends on the path to where you've installed the plugin
>
> In a ".cf" rules file (I call mine clamav.cf ):

As a check, I commented out the loadplugin line for ClamAV, did systemctl restart spamd.service and systemctl restart clamd.service (which takes a good 40 seconds to complete, while spamd restarts almost instantly). Using spamassassin -t < testfile.eml, it still reports ClamAV found a virus and names it (eicar). So, I have no idea how the plugin is loading. I have not found any other .pre files loading it.

Dunno if this may help - SpamAssassin version 3.4.2 running on Perl version 5.26.1

joea
Re: adding AV scanning to working Postfix/SA system
> On 03.12.20 at 03:00, Joe Acquisto-j4 wrote:
>> On Wed, 02 Dec 2020 19:38:22 -0500 Joe Acquisto-j4 wrote:
>>>> Malware is not being detected in the test form
>>>
>>> Just to be clear, do you have EICAR as an attached .com file?
>>
>> I thought so, but it appears not. has a form
>> that has both "clean" and an eicar.com attachment selected and I assumed
>> both would be sent. And perhaps they were and one got stripped off
>> at the provider.
>>
>> Right now am having a difficult time getting my provider
>> to allow even the EICAR file through their system. They want to help
>> but seem stymied by some issue.
>>
>> Telnet from a local machine may be my next effort
>
> seriously?
>
> just save the mail from the drafts folder, move the eml file to the
> server and run spamassassin as the correct user
>
> spamassassin -t < sample.eml

Dude! From what it output to the screen, it appears to have worked. A snippet for your amusement:

--
Spam detection software, running on the system "auxilary", has
identified this incoming email as possible spam. The original message
has been attached to this so you can view it or label similar future email.
If you have any questions, see ad...@j4computers.com for details.

Content preview: heller

Content analysis details: (8.1 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
-1.9 BAYES_00               BODY: Bayes spam probability is 0 to 1%
                            [score: 0.]
-0.0 NO_RELAYS              Informational: message was not relayed via SMTP
  10 CLAMAV                 Clam AntiVirus detected a virus [Win.Test.EICAR_HDB-1]
-0.0 NO_RECEIVED            Informational: message has no Received headers
 0.0 BODY_SINGLE_WORD       Message body is only one word (no spaces)
--

Did not deliver the message anywhere that I could see, but I guess that is expected. I know I can find documents somewhere . . .

Thanks.
Re: adding AV scanning to working Postfix/SA system
> On Wed, 02 Dec 2020 19:38:22 -0500
> Joe Acquisto-j4 wrote:
>
>> Malware is not being detected in the test form
>
> Just to be clear, do you have EICAR as an attached .com file?

I thought so, but it appears not. has a form that has both "clean" and an eicar.com attachment selected and I assumed both would be sent. And perhaps they were and one got stripped off at the provider.

Right now am having a difficult time getting my provider to allow even the EICAR file through their system. They want to help but seem stymied by some issue.

Telnet from a local machine may be my next effort.

joe a.
Re: adding AV scanning to working Postfix/SA system
On Wed, 02 Dec 2020 19:38:22 -0500 Joe Acquisto-j4 wrote:

> Malware is not being detected in the test form

Just to be clear, do you have EICAR as an attached .com file?
Re: adding AV scanning to working Postfix/SA system
Malware is not being detected in the test form

--
Return-path:
Received: from aux.a.com ([192.168.0.xx1])
        by mail with ESMTP; Wed, 02 Dec 2020 19:30:16 -0500
Received: by aux.a.com (Postfix, from userid 1004)
        id 1D0F729D74; Wed, 2 Dec 2020 19:30:16 -0500 (EST)
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on auxilary
X-Spam-Level:
X-Spam-Status: No, score=-1.5 required=5.0 tests=BAYES_00 autolearn=ham
        autolearn_force=no version=3.4.2
X-Spam-Virus: No
X-Spam-Report:
        * -1.5 BAYES_00 BODY: Bayes spam probability is 0 to 1%
        *      [score: 0.]
Received: from auxilary (localhost [127.0.0.1])
        by aux.a.com (Postfix) with ESMTP id 853C029D72
--

Might verbose or debug level logging be of any help? Not seeing anything different when I tail /var/log/mail.

joe a.
Re: adding AV scanning to working Postfix/SA system
> On Wed, 2 Dec 2020, Tom Hendrikx wrote:
>
>> On 02-12-2020 16:18, Joe Acquisto-j4 wrote:
>>> X-Spam-Virus: _CLAMAVRESULT
>>
>> I never integrated Clam using this plugin, but this seems a config typo to
>> be: there should be a Yes/No in there, and optionally a virus name.
>>
>
> Yes, it looks like he's got a typo in there. The config line should be:
> "add_header spam Clamav _CLAMAVRESULT_"
> in a .cf someplace.
> Then the plugin will add that 'X-Spam-Virus:' header with the text "Yes"
> followed by the name of the virus detected.
>
> You can then use the value of that header in other rules to add points for
> various kinds of things detected or "meta"ed with other rules.

Is this normal, to show disabled like that?

:~ # systemctl status clamd.service
clamd.service - Clamav antivirus Deamon
   Loaded: loaded (/usr/lib/systemd/system/clamd.service; disabled; vendor preset: disabled)
   Active: active (running) since Wed 2020-12-02 10:57:33 EST; 3h 33min ago
  Process: 8000 ExecStart=/usr/sbin/clamd (code=exited, status=0/SUCCESS)
 Main PID: 8002 (clamd)
    Tasks: 2 (limit: 4915)
   CGroup: /system.slice/clamd.service
           └─8002 /usr/sbin/clamd

I did systemctl enable clamd.service, it created a symlink, restarted services and . . . none of that did it.

Then I looked over the clamv.cf again and noticed the missing trailing underscore:
"add_header all Virus _CLAMAVRESULT_"

At least it now says "No" for supposedly non infected messages.

Thanks for the assistance.

joe a
Re: adding AV scanning to working Postfix/SA system
> On Wed, 2 Dec 2020, Tom Hendrikx wrote:
>
>> On 02-12-2020 16:18, Joe Acquisto-j4 wrote:
>>> X-Spam-Virus: _CLAMAVRESULT
>>
>> I never integrated Clam using this plugin, but this seems a config typo to
>> be: there should be a Yes/No in there, and optionally a virus name.
>>
>
> Yes, it looks like he's got a typo in there. The config line should be:
> "add_header spam Clamav _CLAMAVRESULT_"
> in a .cf someplace.
> Then the plugin will add that 'X-Spam-Virus:' header with the text "Yes"
> followed by the name of the virus detected.
>
> You can then use the value of that header in other rules to add points for
> various kinds of things detected or "meta"ed with other rules.

This is clamd.cf:

--
loadplugin ClamAV clamav.pm
full CLAMAV eval:check_clamav()
describe CLAMAV Clam AntiVirus detected a virus
score CLAMAV 10
add_header all Virus _CLAMAVRESULT
---
Re: adding AV scanning to working Postfix/SA system
> On Wed, 2 Dec 2020, Joe Acquisto-j4 wrote:
>
>> Hacking away, seem to have it working?, Using CLAMAVPlugin. At least mail
>> does not appear "broken".
>>
>> But EICAR is not detected. I "think" it is being scanned as I see this:
>>
>> X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on auxilary
>> X-Spam-Level: *
>> X-Spam-Status: No, score=1.0 required=5.0 tests=BAYES_00,FREEMAIL_FROM,
>>         HTML_MESSAGE,SPOOFED_FREEMAIL_NO_RDNS,TVD_SPACE_RATIO autolearn=no
>>         autolearn_force=no version=3.4.2
>> X-Spam-Virus: _CLAMAVRESULT
>> X-Spam-Report:
>>         * -1.5 BAYES_00 BODY: Bayes spam probability is 0 to 1%
>>         *      [score: 0.]
>>         *  1.0 FREEMAIL_FROM Sender email is commonly abused enduser mail
>>         *      provider (joe.acquisto[at]gmail.com)
>>         *  0.0 HTML_MESSAGE BODY: HTML included in message
>>         *  0.0 TVD_SPACE_RATIO No description available.
>>         *  1.5 SPOOFED_FREEMAIL_NO_RDNS From SPOOFED_FREEMAIL and no rDNS
>>
>> Is that proof it is being scanned and the non detection issue lies
>> elsewhere?
>>
>> joe a.
>
> What, specifically, is the config you're using to invoke CLAMAVPlugin?

I followed, using some guess work, the blurb I found on the spamassassin site where I found CLAMAVPlugin. Not really clear for a slowing noob. I had to look up how to compile the required perl package, which went without fuss, copied and pasted the "config" files noted, only adding read rights (for root) as something complained about no access, and edited the "socket" path to what CLAMD claims it uses. And restarted spamd and clamd. That's it.

> You need to have at least two things set up in your spamassassin config
> files:
> 1) load the plugin in a "v*.pre"
> 2) invoke the check_clamav() procedure
>
> EG:
> in v320.pre
>
> # AntiVirus - some simple anti-virus checks, this is not a replacement
> # for an anti-virus filter like Clam AntiVirus
> #
> #loadplugin Mail::SpamAssassin::Plugin::AntiVirus
> #
> loadplugin ClamAV /usr/local/etc/mail/spamassassin/plugins/clamav.pm
>
> Note that line depends on the path to where you've installed the plugin
>
> In a ".cf" rules file (I call mine clamav.cf ):
>
> #
> # config file for using the ClamAV plugin "clamav.pm"
> #
> full L_CLAMAV eval:check_clamav()
> describe L_CLAMAV Clam AntiVirus detected a virus
> score L_CLAMAV 5
> #
> header T__MY_CLAMAV X-Spam-Virus =~ /Yes/i
> header T__MY_CLAMAV_SANE X-Spam-Virus =~ /Yes.{1,50}Sanesecurity/i
> #

I was wondering at how the "magic" happened. Found this in v.310.pre, no other references to clam found in the pre files or local.cf.:

# AntiVirus - some simple anti-virus checks, this is not a replacement
# for an anti-virus filter like Clam AntiVirus
#
#loadplugin Mail::SpamAssassin::Plugin::AntiVirus

# AWL - do auto-whitelist checks
#
#loadplugin Mail::SpamAssassin::Plugin::AWL
Re: adding AV scanning to working Postfix/SA system
On Wed, 2 Dec 2020, Joe Acquisto-j4 wrote:

> Hacking away, seem to have it working?, Using CLAMAVPlugin. At least mail
> does not appear "broken".
>
> But EICAR is not detected. I "think" it is being scanned as I see this:
>
> X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on auxilary
> X-Spam-Level: *
> X-Spam-Status: No, score=1.0 required=5.0 tests=BAYES_00,FREEMAIL_FROM,
>         HTML_MESSAGE,SPOOFED_FREEMAIL_NO_RDNS,TVD_SPACE_RATIO autolearn=no
>         autolearn_force=no version=3.4.2
> X-Spam-Virus: _CLAMAVRESULT
> X-Spam-Report:
>         * -1.5 BAYES_00 BODY: Bayes spam probability is 0 to 1%
>         *      [score: 0.]
>         *  1.0 FREEMAIL_FROM Sender email is commonly abused enduser mail
>         *      provider (joe.acquisto[at]gmail.com)
>         *  0.0 HTML_MESSAGE BODY: HTML included in message
>         *  0.0 TVD_SPACE_RATIO No description available.
>         *  1.5 SPOOFED_FREEMAIL_NO_RDNS From SPOOFED_FREEMAIL and no rDNS
>
> Is that proof it is being scanned and the non detection issue lies
> elsewhere?
>
> joe a.

What, specifically, is the config you're using to invoke CLAMAVPlugin?

You need to have at least two things set up in your spamassassin config
files:
1) load the plugin in a "v*.pre"
2) invoke the check_clamav() procedure

EG:
in v320.pre

# AntiVirus - some simple anti-virus checks, this is not a replacement
# for an anti-virus filter like Clam AntiVirus
#
#loadplugin Mail::SpamAssassin::Plugin::AntiVirus
#
loadplugin ClamAV /usr/local/etc/mail/spamassassin/plugins/clamav.pm

Note that line depends on the path to where you've installed the plugin

In a ".cf" rules file (I call mine clamav.cf ):

#
# config file for using the ClamAV plugin "clamav.pm"
#
full L_CLAMAV eval:check_clamav()
describe L_CLAMAV Clam AntiVirus detected a virus
score L_CLAMAV 5
#
header T__MY_CLAMAV X-Spam-Virus =~ /Yes/i
header T__MY_CLAMAV_SANE X-Spam-Virus =~ /Yes.{1,50}Sanesecurity/i
#

--
Dave Funk                               University of Iowa
                                        College of Engineering
319/335-5751   FAX: 319/384-0549        1256 Seamans Center, 103 S Capitol St.
Sys_admin/Postmaster/cell_admin         Iowa City, IA 52242-1527
#include
Better is not better, 'standard' is better. B{
Re: adding AV scanning to working Postfix/SA system
On Wed, 2 Dec 2020, Tom Hendrikx wrote:

> On 02-12-2020 16:18, Joe Acquisto-j4 wrote:
>> X-Spam-Virus: _CLAMAVRESULT
>
> I never integrated Clam using this plugin, but this seems a config typo to
> be: there should be a Yes/No in there, and optionally a virus name.

Yes, it looks like he's got a typo in there. The config line should be:
"add_header spam Clamav _CLAMAVRESULT_"
in a .cf someplace.
Then the plugin will add that 'X-Spam-Virus:' header with the text "Yes"
followed by the name of the virus detected.

You can then use the value of that header in other rules to add points for
various kinds of things detected or "meta"ed with other rules.

--
Dave Funk                               University of Iowa
                                        College of Engineering
319/335-5751   FAX: 319/384-0549        1256 Seamans Center, 103 S Capitol St.
Sys_admin/Postmaster/cell_admin         Iowa City, IA 52242-1527
#include
Better is not better, 'standard' is better. B{
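Added example, not from the thread and not part of the clamav.pm plugin: a small Python lint for the .cf wiring Dave describes (plugin loaded, some rule calling eval:check_clamav(), every add_header template tag closed with an underscore on both sides), plus a parser for the X-Spam-Virus value those rules match on. It assumes the expanded tag reads "Yes"/"No" optionally followed by the virus name, as stated above; the sample .cf is constructed from the one posted in the thread, with the trailing underscore missing.

```python
import re

# Constructed sample: the clamd.cf posted in the thread, with the trailing
# underscore missing from the add_header template (the bug found in the thread).
BROKEN_CF = """\
loadplugin ClamAV clamav.pm
full CLAMAV eval:check_clamav()
describe CLAMAV Clam AntiVirus detected a virus
score CLAMAV 10
add_header all Virus _CLAMAVRESULT
"""

# The corrected version: a template tag is _NAME_, underscore on both sides.
FIXED_CF = BROKEN_CF.replace("_CLAMAVRESULT\n", "_CLAMAVRESULT_\n")

# A well-formed template tag, optionally with an argument list, e.g. _HEADER(From)_.
TAG_RE = re.compile(r"_[A-Z][A-Z0-9]*(?:\([^)]*\))?_")
# What is left after well-formed tags are removed: an opener with no closing '_'.
DANGLING_RE = re.compile(r"(?<![A-Za-z0-9_])_([A-Z][A-Z0-9]*)(?![A-Za-z0-9_])")


def lint_cf(text):
    """Return a list of (line_number, problem) for a SpamAssassin .cf snippet.

    Checks the three things the thread needed: the ClamAV plugin is loaded,
    some rule calls eval:check_clamav(), and every add_header template tag is
    closed, so the plugin's result (not the literal tag) reaches the header.
    Line number 0 marks a file-level problem.
    """
    problems = []
    has_loadplugin = has_eval = False
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 3)
        if parts[0] == "loadplugin" and len(parts) > 1 and parts[1] == "ClamAV":
            has_loadplugin = True
        elif "eval:check_clamav()" in line:
            has_eval = True
        elif parts[0] == "add_header":
            if len(parts) < 4:
                problems.append((n, "add_header needs: add_header <all|spam|ham> <Name> <text>"))
                continue
            scope, name, template = parts[1], parts[2], parts[3]
            if scope not in ("all", "spam", "ham"):
                problems.append((n, f"unknown add_header scope {scope!r}"))
            for m in DANGLING_RE.finditer(TAG_RE.sub("", template)):
                problems.append((n, f"tag _{m.group(1)} has no closing '_': the literal "
                                    f"text would appear in X-Spam-{name}"))
    if not has_loadplugin:
        problems.append((0, "no 'loadplugin ClamAV ...' line, so check_clamav() is undefined"))
    if not has_eval:
        problems.append((0, "no rule calls eval:check_clamav(), so nothing triggers a scan"))
    return problems


VIRUS_RE = re.compile(r"^(Yes|No)\b[,:]?\s*(.*)$", re.IGNORECASE)


def parse_virus_header(value):
    """Interpret an X-Spam-Virus value the way a 'header ... X-Spam-Virus =~ /Yes/i'
    rule would. Returns (result_present, infected, virus_name).

    Assumption (taken from the thread, not verified against clamav.pm): the
    expanded tag starts with Yes or No, optionally followed by the virus name.
    """
    m = VIRUS_RE.match(value.strip())
    if m is None:   # e.g. the unexpanded "_CLAMAVRESULT": no scan result reached the header
        return (False, False, None)
    name = m.group(2).strip() or None
    return (True, m.group(1).lower() == "yes", name)
```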
Re: adding AV scanning to working Postfix/SA system
On 02-12-2020 16:18, Joe Acquisto-j4 wrote:
> X-Spam-Virus: _CLAMAVRESULT

I never integrated Clam using this plugin, but this seems a config typo to be: there should be a Yes/No in there, and optionally a virus name.

Kind regards,
Tom
Re: adding AV scanning to working Postfix/SA system
>> On 23.11.20 at 17:37, Joe Acquisto-j4 wrote:
>>> So, beyond "experiences" any leads on generic "how to" guides that actually
>>> work in practice? I've found a few, rather than chase geese, I'm sure some here
>>> have done similar things, even if with other AV scanners
>>
>> http://www.postfix.org/MILTER_README.html
>> https://sanesecurity.com/
>>
> . . .
>
> I decided to pursue CLAMAV as it seems to be well maintained and lots of
> "links for dummies" turned up.
>
> After installing CLAMAV, as supplied in the openSuse distribution, updating
> virus sigs I attempted to begin configuring per some of the how to's.
>
> Most are years old, have links that lead nowhere, call out config files that
> do not exist (as installed above), or refer to "clamd sockets" that cannot be found.
>
> I feel sure this is old hat to more experienced souls, but, for me, this has
> been far more frustrating than I anticipated.
>
> At this point, not even sure what I actually need as, as noted, there seem
> to be myriad ways to approach a solution. Obviously prefer the simplest method.
>
> Subscribed just now to CLAMAV users list and should probably pursue this
> over there. But any tutoring and or "there there" pats on the head would not be snarled at.

Hacking away, seem to have it working?, Using CLAMAVPlugin. At least mail does not appear "broken".

But EICAR is not detected. I "think" it is being scanned as I see this:

X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on auxilary
X-Spam-Level: *
X-Spam-Status: No, score=1.0 required=5.0 tests=BAYES_00,FREEMAIL_FROM,
        HTML_MESSAGE,SPOOFED_FREEMAIL_NO_RDNS,TVD_SPACE_RATIO autolearn=no
        autolearn_force=no version=3.4.2
X-Spam-Virus: _CLAMAVRESULT
X-Spam-Report:
        * -1.5 BAYES_00 BODY: Bayes spam probability is 0 to 1%
        *      [score: 0.]
        *  1.0 FREEMAIL_FROM Sender email is commonly abused enduser mail
        *      provider (joe.acquisto[at]gmail.com)
        *  0.0 HTML_MESSAGE BODY: HTML included in message
        *  0.0 TVD_SPACE_RATIO No description available.
        *  1.5 SPOOFED_FREEMAIL_NO_RDNS From SPOOFED_FREEMAIL and no rDNS

Is that proof it is being scanned and the non detection issue lies elsewhere?

joe a.
Re: adding AV scanning to working Postfix/SA system
> On 23.11.20 at 17:37, Joe Acquisto-j4 wrote:
>> So, beyond "experiences" any leads on generic "how to" guides that actually
>> work in practice? I've found a few, rather than chase geese, I'm sure some here
>> have done similar things, even if with other AV scanners
>
> http://www.postfix.org/MILTER_README.html
> https://sanesecurity.com/
> . . .

I decided to pursue CLAMAV as it seems to be well maintained and lots of "links for dummies" turned up.

After installing CLAMAV, as supplied in the openSuse distribution, updating virus sigs I attempted to begin configuring per some of the how to's.

Most are years old, have links that lead nowhere, call out config files that do not exist (as installed above), or refer to "clamd sockets" that cannot be found.

I feel sure this is old hat to more experienced souls, but, for me, this has been far more frustrating than I anticipated.

At this point, not even sure what I actually need as, as noted, there seem to be myriad ways to approach a solution. Obviously prefer the simplest method.

Subscribed just now to CLAMAV users list and should probably pursue this over there. But any tutoring and or "there there" pats on the head would not be snarled at.
Re: adding AV scanning to working Postfix/SA system
On 19/11/20 00:43, Joe Acquisto-j4 wrote:
> SOHO system, on virtual machines. Fairly recent versions. Running openSUSE Leap 15.1.
>
> Due to some recent malware (obvious stuff) wanted to add AV scanning. I gather "Amavis-new" is the hot ticket these days,
>
> I deal with Sophos products and would like to use their linux product to do the scanning. Seems to be precious little on how to do that.
>
> Any experiences?

You can try with MessageSniffer: https://www.armresearch.com/

It is an antispam/antivirus engine that can run on Linux and has a plugin for Spamassassin. I'm using it, works quite well at the right price.

--
Alessio Cecchi
Postmaster @ http://www.qboxmail.it
https://www.linkedin.com/in/alessice
Re: adding AV scanning to working Postfix/SA system
On 11/30/20 7:00 PM, Joe Acquisto-j4 wrote:
>> On 11/24/20 12:40 PM, Axb wrote:
>>> Fuglu supports Sophos AV
>>> See fuglu.org
>>
>> Sophos recently discontinued their support for SAVI on Linux. They now
>> only support "Server Central Intercept X Advanced" which is an entirely
>> different product.
>>
>> I would also be interested in newer/supported AV alternatives.
>>
>> Regards,
>> Dave
>
> Where did you hear this? I was just informed it will continue until 2023 at least.
> The "Free" version is no longer available, apparently, but the "endpoint" product
> is still there for paying customers.

Directly from my contact there - it was labeled end-of-sale this past July. It has an end-of-life date of July 2023. Support will continue to support that solution until then, but they will no longer offer new subscriptions to customers.

Regards,
Dave

> joe a.
>
> - j4computers, llc Stone Ridge, NY 12484 845-687-3734 www.j4computers.com -
Re: adding AV scanning to working Postfix/SA system
> On 11/24/20 12:40 PM, Axb wrote:
>> Fuglu supports Sophos AV
>> See fuglu.org
>
> Sophos recently discontinued their support for SAVI on Linux. They now
> only support "Server Central Intercept X Advanced" which is an entirely
> different product.
>
> I would also be interested in newer/supported AV alternatives.
>
> Regards,
> Dave

Where did you hear this? I was just informed it will continue until 2023 at least. The "Free" version is no longer available, apparently, but the "endpoint" product is still there for paying customers.

joe a.

- j4computers, llc Stone Ridge, NY 12484 845-687-3734 www.j4computers.com -
Re: adding AV scanning to working Postfix/SA system
> On 11/24/20 12:40 PM, Axb wrote:
>> Fuglu supports Sophos AV
>> See fuglu.org
>
> Sophos recently discontinued their support for SAVI on Linux. They now
> only support "Server Central Intercept X Advanced" which is an entirely
> different product.
>
> I would also be interested in newer/supported AV alternatives.
>
> Regards,
> Dave

Well, that's a fine how do ya do. Eh, this was more an "exercise" project anyway. I suppose almost any scanner with reasonable updating capability will do fine.

- j4computers, llc Stone Ridge, NY 12484 845-687-3734 www.j4computers.com -
Re: adding AV scanning to working Postfix/SA system
On 11/24/20 12:40 PM, Axb wrote:
> Fuglu supports Sophos AV
> See fuglu.org

Sophos recently discontinued their support for SAVI on Linux. They now only support "Server Central Intercept X Advanced" which is an entirely different product.

I would also be interested in newer/supported AV alternatives.

Regards,
Dave

> On 11/23/20 5:37 PM, Joe Acquisto-j4 wrote:
>> So, beyond "experiences" any leads on generic "how to" guides that actually work in practice? I've found a few, rather than chase geese, I'm sure some here have done similar things, even if with other AV scanners.
>>
>>> SOHO system, on virtual machines. Fairly recent versions. Running openSUSE Leap 15.1.
>>>
>>> Due to some recent malware (obvious stuff) wanted to add AV scanning. I gather "Amavis-new" is the hot ticket these days,
>>>
>>> I deal with Sophos products and would like to use their linux product to do the scanning. Seems to be precious little on how to do that.
>>>
>>> Any experiences?
>>>
>>> - j4computers, llc Stone Ridge, NY 12484 845-687-3734 www.j4computers.com -
Re: adding AV scanning to working Postfix/SA system
Fuglu supports Sophos AV
See fuglu.org

On 11/23/20 5:37 PM, Joe Acquisto-j4 wrote:
> So, beyond "experiences" any leads on generic "how to" guides that actually work in practice? I've found a few, rather than chase geese, I'm sure some here have done similar things, even if with other AV scanners.
>
>> SOHO system, on virtual machines. Fairly recent versions. Running openSUSE Leap 15.1.
>>
>> Due to some recent malware (obvious stuff) wanted to add AV scanning. I gather "Amavis-new" is the hot ticket these days,
>>
>> I deal with Sophos products and would like to use their linux product to do the scanning. Seems to be precious little on how to do that.
>>
>> Any experiences?
>>
>> - j4computers, llc Stone Ridge, NY 12484 845-687-3734 www.j4computers.com -
Re: adding AV scanning to working Postfix/SA system
On 23 Nov 2020, at 11:37, Joe Acquisto-j4 wrote:

> So, beyond "experiences" any leads on generic "how to" guides that actually work in practice? I've found a few, rather than chase geese, I'm sure some here have done similar things, even if with other AV scanners.

Well, I've used MIMEDefang with ClamAV on both Sendmail and Postfix, but that's a bit afield from Amavis & Sophos. With both MD and Amavis, it seems like turning on Sophos scanning is just a config switch and for MD, picking where in the filter() block to call out to Sophos.

I would hope that buying a license from Sophos would come with some sort of integration documentation and/or tooling from them.

>> SOHO system, on virtual machines. Fairly recent versions. Running openSUSE Leap 15.1.
>>
>> Due to some recent malware (obvious stuff) wanted to add AV scanning. I gather "Amavis-new" is the hot ticket these days,
>>
>> I deal with Sophos products and would like to use their linux product to do the scanning. Seems to be precious little on how to do that.
>>
>> Any experiences?
>>
>> - j4computers, llc Stone Ridge, NY 12484 845-687-3734 www.j4computers.com -

--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
Re: adding AV scanning to working Postfix/SA system
So, beyond "experiences" any leads on generic "how to" guides that actually work in practice? I've found a few, rather than chase geese, I'm sure some here have done similar things, even if with other AV scanners.

> SOHO system, on virtual machines. Fairly recent versions. Running openSUSE
> Leap 15.1.
>
> Due to some recent malware (obvious stuff) wanted to add AV scanning. I
> gather "Amavis-new" is the hot ticket these days,
>
> I deal with Sophos products and would like to use their linux product to do
> the scanning. Seems to be precious little on how to do that.
>
> Any experiences?
>
> - j4computers, llc Stone Ridge, NY 12484 845-687-3734 www.j4computers.com -
adding AV scanning to working Postfix/SA system
SOHO system, on virtual machines. Fairly recent versions. Running openSUSE Leap 15.1.

Due to some recent malware (obvious stuff) wanted to add AV scanning. I gather "Amavis-new" is the hot ticket these days,

I deal with Sophos products and would like to use their linux product to do the scanning. Seems to be precious little on how to do that.

Any experiences?

- j4computers, llc Stone Ridge, NY 12484 845-687-3734 www.j4computers.com -