All Emails tagged as {VIRUS}
yuwang
yuwang at cs.fsu.edu
Mon Apr 8 20:32:43 UTC 2019
What's the runtime for 'time MailScanner --lint'?
If you can, try Mark's suggestion and use clamd. I first used clamav and
had performance issues, changed to clamd and everything has been fast
since.
James
On 2019-04-08 16:11, Sebastiano Dante Alighieri wrote:
> it would appear that increasing
>
> Virus Scanner Timeout = 600 (up from 300)
>
> in MailScanner.conf, fixed it for me... at least for now.
>
> Now, mail is being virus-scanned and delivered successfully without
> any misleading subject tags; albeit at a seemingly slow rate (here's
> an excerpt from the maillog showing the processing times of two email
> messages)
>
> Apr 8 14:45:12 MyHost MailScanner[185871]: Virus and Content Scanning:
> Starting
>
> Apr 8 14:47:44 MyHost MailScanner[185871]: Virus Scanning completed at
> 911 bytes per second
> Apr 8 14:51:41 MyHost MailScanner[185871]: Virus Processing completed
> at 299259 bytes per second
>
> Apr 8 14:46:35 MyHost MailScanner[182275]: Virus and Content Scanning:
> Starting
> Apr 8 14:49:05 MyHost MailScanner[182275]: Virus Scanning completed at
> 322 bytes per second
>
> Apr 8 14:49:10 MyHost MailScanner[182275]: Virus Processing completed
> at 131233 bytes per second
>
> process [185871] took a little over 6 minutes to complete at a rate of
> 299259 bytes/sec
> process [182275] took a little over 3 minutes to complete at a rate of
> 131233 bytes/sec
>
> If we take process 185871 scanning at 299 kbytes/sec taking a little
> over 6 minutes to complete - one might think at that rate, that a
> message of 100MB+ was scanned - but it's nowhere near that.
>
> Maybe it's I/O related... but I'm using a 256MB RAMDISK as the
> v-scanner's temp directory, here is the line from my fstab
> tmpfs /var/spool/MailScanner/incoming tmpfs rw,size=256M 0 0
>
> other thoughts
>
> I don't get why the timeout has to be so high, is clamav wrapper
> method really that slow - is it a startup problem that would go away
> if I install and integrate with the clamd.socket (I know members have
> said this is preferable, just want to understand all aspects and why)
> or is there something else going awry?
>
> Or
>
> Why is a virus scan timeout automatically treated as a virus / denial
> of service attack - it seems to me that it should be configurable with
> something like this
> Virus Scanner Timeout Action = [detect|deliver|drop|etc]
>
> thanks all for the support.
>
> Best regards
> Sebastiano
>
> On Sat, Apr 6, 2019 at 9:49 AM yuwang <yuwang at cs.fsu.edu> wrote:
>
>> "Could not read file /usr/share/MailScanner/reports/en/stored.fi [1]
>> [2]
>>>> at /usr/share/MailScanner/perl/MailScanner/Config.pm line 2856.
>>>>
>>>> Error in line 1422, file
>>>> "/usr/share/MailScanner/reports/en/stored.fi [1] [2] them." for
>>>> storedfilenamemessage does not exist (or can not be read) at
>>>> /usr/share/MailScanner/perl/MailScanner/Config.pm line 3058."
>>
>> The file should be
>> "/usr/share/MailScanner/reports/en/stored.filename.message.txt"
>>
>> Your error message says /usr/share/MailScanner/reports/en/stored.fi
>> [1]
>>
>> What is the output of command:
>>
>> grep 'stored.fi [1]'
>> /usr/share/MailScanner/perl/MailScanner/ConfigDefs.pl
>> and
>> ls -l
>> /usr/share/MailScanner/reports/en/stored.filename.message.txt
>>
>> James
>>
>> On 2019-04-06 04:19, Sebastiano Dante Alighieri wrote:
>>> After I upgraded to the latest version, I get no mail; MailScanner
>>> crashes continuously
>>>
>>>> APR 6 04:12:23 MYHOST MAILSCANNER[10890]: MAILSCANNER EMAIL
>>>> PROCESSOR VERSION 5.1.3 STARTING...
>>>>
>>>> Apr 6 04:12:23 MyHost MailScanner[10890]: Reading
>> configuration
>>>> file /etc/MailScanner/MailScanner.conf
>>>>
>>>> Apr 6 04:12:23 MyHost MailScanner[10890]: Reading
>> configuration
>>>> file /etc/MailScanner/conf.d/README
>>>>
>>>> APR 6 04:12:23 MYHOST MAILSCANNER[10890]: COULD NOT READ FILE
>>>> THEM.
>>>>
>>>> APR 6 04:12:23 MYHOST MAILSCANNER[10890]: ERROR IN LINE 1422,
>>>> FILE "/USR/SHARE/MAILSCANNER/REPORTS/EN/STORED.FI [2] [1] THEM."
>> FOR
>>>> STOREDFILENAMEMESSAGE DOES NOT EXIST (OR CAN NOT BE READ)
>>>>
>>>> Apr 6 04:12:24 MyHost MailScanner[10890]: Read 1500 hostnames
>>>> from the phishing whitelist
>>>>
>>>> Apr 6 04:12:24 MyHost MailScanner[10890]: Read 16624 hostnames
>>>> from the phishing blacklists
>>>>
>>>> Apr 6 04:12:24 MyHost MailScanner[10890]: Using SpamAssassin
>>>> results cache
>>>>
>>>> Apr 6 04:12:24 MyHost MailScanner[10890]: Connected to
>>>> SpamAssassin cache database
>>>>
>>>> Apr 6 04:12:25 MyHost MailScanner[10890]: Enabling
>> SpamAssassin
>>>> auto-whitelist functionality...
>>>>
>>>> Apr 6 04:12:27 MyHost MailScanner[10885]: Auto: Found virus
>>>> scanners: clamav
>>>>
>>>> Apr 6 04:12:27 MyHost MailScanner[10885]: Connected to
>> Processing
>>>> Attempts Database
>>>>
>>>> Apr 6 04:12:27 MyHost MailScanner[10885]: Found 1 messages in
>> the
>>>> Processing Attempts Database
>>>>
>>>> Apr 6 04:12:27 MyHost MailScanner[10885]: Using locktype =
>> flock
>>>>
>>>> APR 6 04:12:28 MYHOST MAILSCANNER[10920]: MAILSCANNER EMAIL
>>>> PROCESSOR VERSION 5.1.3 STARTING...
>>>>
>>>> Apr 6 04:12:28 MyHost MailScanner[10920]: Reading
>> configuration
>>>> file /etc/MailScanner/MailScanner.conf
>>>>
>>>> Apr 6 04:12:28 MyHost MailScanner[10920]: Reading
>> configuration
>>>> file /etc/MailScanner/conf.d/README
>>>>
>>>> Apr 6 04:12:28 MyHost MailScanner[10920]: Could not read file
>>>> them.
>>>>
>>>> APR 6 04:12:28 MYHOST MAILSCANNER[10920]: ERROR IN LINE 1422,
>>>> FILE "/USR/SHARE/MAILSCANNER/REPORTS/EN/STORED.FI [2] [1] THEM."
>> FOR
>>>> STOREDFILENAMEMESSAGE DOES NOT EXIST (OR CAN NOT BE READ)
>>>
>>> This goes on while there's a message to be processed in the db,
>> until
>>> it detects too many crashes and quarantines the message.
>>>
>>> when a new message comes in, it starts all over again.
>>>
>>> MAILSCANNER LINT OUTPUT
>>>
>>>> Could not read file /usr/share/MailScanner/reports/en/stored.fi
>> [1] [2]
>>>> at /usr/share/MailScanner/perl/MailScanner/Config.pm line 2856.
>>>>
>>>> Error in line 1422, file
>>>> "/usr/share/MailScanner/reports/en/stored.fi [1] [2] them." for
>>>> storedfilenamemessage does not exist (or can not be read) at
>>>> /usr/share/MailScanner/perl/MailScanner/Config.pm line 3058.
>>>
>>> On Fri, Apr 5, 2019 at 8:31 PM yuwang <yuwang at cs.fsu.edu> wrote:
>>>
>>>> My guess is clamav update issue. What happens when you
>> 'Mailscanner
>>>> Lint'? use strace to attach to clam process, use lsof to see open
>>>> files,
>>>> and turn on debug mode on clam might help too.
>>>>
>>>> James
>>>>
>>>> On 2019-04-05 19:03, Sebastiano Dante Alighieri wrote:
>>>>> Hi,
>>>>>
>>>>> In the past couple of days my email is all coming in with the
>>>> subject
>>>>> line tagged as {VIRUS}. This is true for all mail, but of course
>>>>> there's no virus involved.
>>>>>
>>>>> Mailscanner v5.0.7
>>>>> ClamAV v0.100.0
>>>>>
>>>>>> ClamAV update process started at Fri Apr 5 18:41:07 2019
>>>>>>
>>>>>> WARNING: Your ClamAV installation is OUTDATED!
>>>>>>
>>>>>> WARNING: Local version: 0.100.0 Recommended version: 0.101.2
>>>>>>
>>>>>> DON'T PANIC! Read
>>>> https://www.clamav.net/documents/upgrading-clamav
>>>>>>
>>>>>> main.cvd is up to date (version: 58, sigs: 4566249, f-level:
>> 60,
>>>>>> builder: sigmgr)
>>>>>>
>>>>>> daily.cld is up to date (version: 25410, sigs: 1552552,
>> f-level:
>>>> 63,
>>>>>> builder: raynman)
>>>>>>
>>>>>> bytecode.cld is up to date (version: 328, sigs: 94, f-level:
>> 63,
>>>>>> builder: neo)
>>>>>
>>>>> A review of /var/log/maillog suggests that there's a problem
>> with
>>>>> ClamAV
>>>>>
>>>>>> Apr 5 18:31:22 myhost MailScanner[7448]: Virus and Content
>>>>>> Scanning: Starting
>>>>>>
>>>>>> Apr 5 18:34:23 myhost MailScanner[7448]: AV ENGINE CLAMAV
>> TIMED
>>>> OUT
>>>>>>
>>>>>> Apr 5 18:34:23 myhost MailScanner[7448]: CLAMAV: FAILED TO
>>>>>> COMPLETE, TIMED OUT
>>>>>>
>>>>>> Apr 5 18:34:23 myhost MailScanner[7448]: VIRUS SCANNING:
>> DENIAL
>>>> OF
>>>>>> SERVICE ATTACK DETECTED!
>>>>>
>>>>> I've tried to observe what is happening on the system, while
>> mail
>>>> is
>>>>> being scanned and what I can surmise is that clamscan is
>>>> timing-out
>>>>> (uses 100% CPU)
>>>>>
>>>>> any pointers would be greatly appreciated. I have not been able
>> to
>>>>> find anything online.
>>>>>
>>>>> I'll try upgrading to the latest and greatest MailScanner in the
>>>> mean
>>>>> time.
>>>>>
>>>>> thanks
>>>>> Salighie
>>>
>>>
>>> Links:
>>> ------
>>> [1] http://stored.fi
>>> [2] http://stored.fi/
>
>
> Links:
> ------
> [1] http://stored.fi
> [2] http://STORED.FI
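
Added example (not part of the original thread, and not MailScanner code): a Python script that times the virus-scanning stage per MailScanner process from the maillog lines quoted in this thread and compares it with the `Virus Scanner Timeout` value. It assumes the logged rate is batch bytes divided by elapsed stage time; the `scan_stats` function name and its `year` argument are illustrative.

```python
import re
from datetime import datetime

# Log lines copied from the thread's maillog excerpts, wrapped lines re-joined.
SAMPLE = """\
Apr 5 18:31:22 myhost MailScanner[7448]: Virus and Content Scanning: Starting
Apr 5 18:34:23 myhost MailScanner[7448]: AV ENGINE CLAMAV TIMED OUT
Apr 8 14:45:12 MyHost MailScanner[185871]: Virus and Content Scanning: Starting
Apr 8 14:46:35 MyHost MailScanner[182275]: Virus and Content Scanning: Starting
Apr 8 14:47:44 MyHost MailScanner[185871]: Virus Scanning completed at 911 bytes per second
Apr 8 14:49:05 MyHost MailScanner[182275]: Virus Scanning completed at 322 bytes per second
"""

LINE = re.compile(r"^(\w{3}\s+\d+\s+[\d:]{8})\s+\S+\s+MailScanner\[(\d+)\]:\s+(.*)$", re.I)
DONE = re.compile(r"Virus Scanning completed at (\d+) bytes per second", re.I)

def scan_stats(log_text, timeout=600, year=2019):
    """Return {pid: dict} with scan seconds, implied bytes and timeout status."""
    started, stats = {}, {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        stamp, pid, msg = m.groups()
        # syslog stamps carry no year; 'year' is supplied by the caller
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        if "scanning: starting" in msg.lower():
            started[pid] = when
            continue
        if pid not in started:
            continue  # completion without a visible start: cannot time it
        secs = int((when - started[pid]).total_seconds())
        done = DONE.search(msg)
        if done:
            # assumption: rate = batch bytes / elapsed time, so bytes ~ rate * secs
            rate = int(done.group(1))
            stats[pid] = {"seconds": secs, "rate": rate, "bytes": rate * secs,
                          "timed_out": False, "headroom": timeout - secs}
            del started[pid]
        elif "timed out" in msg.lower():
            stats[pid] = {"seconds": secs, "rate": None, "bytes": None,
                          "timed_out": True, "headroom": 0}
            del started[pid]
    return stats

if __name__ == "__main__":
    for pid, s in scan_stats(SAMPLE).items():
        print(pid, s)
```

On the thread's excerpt both completed scans take about 150 seconds, while the implied batch sizes are only about 138 KB and 48 KB.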