This is somewhat of an odd issue, and I'm not sure "whose fault" it is. After digging through Procmail configurations and trying to understand your Perl code for about two hours now :), it seems that ClamAV has some problems, and due to the way VMin is using it, it fails to scan emails properly, hence I'm inclined to label this as a bug - even though VMin is probably not the culprit, and I'm a bit stumped that I did not notice this earlier.
Anyway, I have a freshly installed Ubuntu 10.04 and am testing scanning emails for spam and viruses. Spam scanning works all okay, so Procmail is set up properly and all. Virus scanning is properly set up as well, all the settings are okay, the Procmail config file looks good.
Test emails containing EICAR though get through all untouched. After checking various options multiple times and suspecting Procmail of not calling the virus scanner, my investigation results boil down to an independant strange behavior of clamdscan: it fails to recognize viruses in streaming mode.
I created a file /tmp/test containing the EICAR signature. When I do clamdscan /tmp/test, it correctly reports the file as infected.
But when I do cat /tmp/test | clamdscan -, which is - as far as I understand your code - analogous to the way that clam-wrapper.pl calls the scanner, it does not recognize the file as infected.
clamdscan -V says:
ClamAV 0.96.3/12210/Fri Nov 5 16:06:13 2010
Any insight on this with the info so far?
Comments
Submitted by Locutus on Fri, 11/05/2010 - 14:53 Comment #1
Another piece of information that might help:
On another machine of mine, the streaming mode clamdscan works all okay.
The difference between the two is: The one with the working scanner is a 64-bit Ubuntu, the one with the failure is 32-bit.
Submitted by JamieCameron on Fri, 11/05/2010 - 15:13 Comment #2
I presume that when you using
clamdscanyou haveclamdrunning?If so, what gets logged to its log file
/var/log/clamav/clamav.logwhen you try a scan?Also, has clamd been restarted recently? It may be that it is somehow using an old virus DB..
Submitted by Locutus on Fri, 11/05/2010 - 16:16 Comment #3
Thanks for reply, Jamie! :)
Yepp, clamd is running okay. The call to clamdscan does not report any errors as well, the connection seems to be okay. It's just that clamd does not recognize the virus.
Concerning logs, on the machine where it does work, this line gets logged:
Fri Nov 5 22:08:37 2010 -> stream: Eicar-Test-Signature(69630e4574ec6798239b091cda43dca0:69) FOUNDOn the "fail" machine... Nothing in the log. Odd as it may sound.
I restarted the service and also the whole box, yeah. Lemme see about virus DB... Here, this is what the "fail" machine logs upon service startup:
Looks fine to me... Also, thing is that the EICAR does get detected when I use the "filename" syntax (otherwise I'd totally agree that the ClamAV is damaged somehow), just not when I use the "stream" syntax. And that only on 32-bit. Really odd.
Do you maybe know about a "debug mode" for ClamAV, getting it log a little more info about what it does/receives?
Submitted by JamieCameron on Fri, 11/05/2010 - 16:24 Comment #4
Try out the
LogVerboseline in/etc/clamav/clamd.confSeems like a ClamAV bug if scanning doesn't work in streaming mode.
Submitted by Locutus on Fri, 11/05/2010 - 16:30 Comment #5
Yeah, I agree... I turned on
LogVerbose, still no useful text in syslog or clamav.log.Okay, I'll have dinner now and later I'm gonna install a totally fresh Ubuntu/VMin on another 32 bit VM, to make sure it's not some configuration I already made. If the issue persists then, I suppose we can inform the ClamAV people about it. :)
Meanwhile, if it turns out necessary, a viable workaround in VMin might be saving the email to a file and using the file mode syntax of clamdscan.
Submitted by JamieCameron on Fri, 11/05/2010 - 16:32 Comment #6
I'd prefer to avoid saving the mail to a file, as that runs into issues with disk quotas and temp file storage. Currently using clamdscan - works nicely, because procmail can feed the email directly into it..
Submitted by Locutus on Fri, 11/05/2010 - 17:56 Comment #7
Yeah, I agree there...
I just did the test as announced. I installed a vanilla Ubuntu 10.04 32-bit. Selected only SSHD and Samba in the installer. Updated all packages to latest versions using Aptitude. Rebooted, downloaded VMin install script. Installed it, performed the first-start wizard. Have it load libraries, spamd, clamd and MySQL into memory.
Then, without any further configuration, tested the same as before, with the same result:
Seems a serious bug in ClamAV.
Submitted by JamieCameron on Fri, 11/05/2010 - 18:39 Comment #8
Could you email that file to me at jcameron@virtualmin.com , or attach it to this bug?
Submitted by Locutus on Fri, 11/05/2010 - 18:46 Comment #9
You mean my "tmp/test" test subject?
Certainly... I simply pasted the EICAR virus scanner test signature in there. You can retrieve the fresh-from-the-source version here: http://www.eicar.org/download/eicar.com.txt
An interesting fact about this "test virus" is that the text consists of nothing but valid and printable ASCII characters, but still constitutes a valid 16-bit DOS .com application. :) On DOS emulators, or Windows OSes before Vista (where Microsoft dropped com support), you can execute that thing and it will print the message "EICAR-STANDARD-ANTIVIRUS-TEST-FILE" (which is also readable in the text line), to the console window.
The program is completely harmless, but all virus scanners out there will flag it as infected, for testing purposes if the scanner works.
Submitted by JamieCameron on Fri, 11/05/2010 - 18:57 Comment #10
So I tested this fine on my Fedora 9 box with ClamAV 0.96, and a virus file with the contents from that eicar.com.txt URL was correctly identified by clamdscan in streaming and file modes..
Submitted by Locutus on Fri, 11/05/2010 - 19:07 Comment #11
This is really an odd one. It must have something to do with the communication between clamdscan and clamd under Ubuntu 32-bit.
One test (I performed some more here) yielded an error message:
Also, when I use
clamscaninstead ofclamdscan, the EICAR is detected correctly also in streaming mode.Submitted by JamieCameron on Fri, 11/05/2010 - 19:10 Comment #12
I think you will need to ask either the ClamAV developers or Ubuntu about this one .. there isn't really much we can do.
Submitted by Locutus on Fri, 11/05/2010 - 19:19 Comment #13
I think I found something.
In
/etc/clamav/clamd.confthere is an option namedStreamMaxLength. According to the man page, its default is 10 megabytes. That's also what the file on my 64-bit Ubuntu shows.On the 32-bit test version though, that parameter is set to zero!
After setting it to "10M", clamdscan works just as expected. Now, how the heck did this option get set to "0" on the 32-bit Ubuntu...
Does the VMin installer have any influence on that? Or does it just use default parameters for ClamAV installation?
Submitted by Locutus on Fri, 11/05/2010 - 19:58 Comment #14
Okay, this is odd once more. I just purged and re-installed the ClamAV packages on both test systems (32 and 64 bit), and the default setting for
StreamMaxSizeindeed appears to be "0". Consequently, after the re-install, clamdscan in streaming mode does not work on both systems.I'm 99.9% sure though that the setting was at "10M" for the 64 bit system before. So, something must have configured it so at some point.
Okay, I think this can be closed for now. I'll investigate further to find out which process it was that set the correct entry in the clamd.conf. :)
Submitted by JamieCameron on Fri, 11/05/2010 - 20:45 Comment #15
Virtualmin certainly doesn't set that option .. in fact I never even knew about it!