Discussion:
ClamAV via Amavis and logs?
@lbutlr
2016-05-21 20:21:25 UTC
I have amavisd running clamav, but nothing from clamav appears in any logs.

The only thing I do see is lines like this:

May 21 13:57:29 mail amavis[89288]: (89288-01) Passed SPAM {RelayedTaggedInbound,RelayedOpenRelay,Quarantined}, [127.0.0.1] [96.84.245.98] <***@eflyermarketing.com> -> <*munged*@covisp.net>,<bcc*munged*>, quarantine: spam-HQ5gUZA4rXw5.gz, Message-ID: <***@eflyermarketing.com>, mail_id: HQ5gUZA4rXw5, Hits: 12.244, size: 7392, queued_as: 3rBwZK26fmzpL6q/3rBwZK2BmyzpLTW, 4180 ms

And an ever-expanding archive of quarantined emails in /var/virusemails/

Is there any way to enable some more logging? Should I be doing anything with the quarantine other than hanging on to the messages for a while in case something is an FP?
--
I'm Luke Skywalker, I'm here to rescue you.
Patrick Ben Koetter
2016-05-21 20:32:37 UTC
Post by @lbutlr
I have amavisd running clamav, but nothing from clamav appears in any logs.
And an ever-expanding archive of quarantined emails in /var/virusemails/
Is there any way to enable some more logging? Should I be doing anything with the quarantine other than hanging on to the messages for a while in case something is an FP?
clamav has its own independent logging. You can control it in clamd.conf. None
of that makes it into amavis.

***@rick
--
[*] sys4 AG

https://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Marc Schiffbauer
Aufsichtsratsvorsitzender: Florian Kirstein
@lbutlr
2016-05-22 01:40:37 UTC
Post by Patrick Ben Koetter
clamav has its own independent logging. You can control it in clamd.conf. None
of that makes it into amavis.
It does not appear that any information about specific messages and tests gets logged to the clamd.log file though. All it contains is lines telling me the database status is OK and the occasional message that the signatures were reloaded without error.
--
'It is always useful to face an enemy who is prepared to die for his
country,' he read. 'This means that both you and he have exactly the
same aim in mind.'
Patrick Ben Koetter
2016-05-22 06:13:29 UTC
Post by @lbutlr
Post by Patrick Ben Koetter
clamav has its own independent logging. You can control it in clamd.conf. None
of that makes it into amavis.
It does not appear that any information about specific messages and tests gets logged to the clamd.log file though. All it contains is lines telling me the database status is OK and the occasional message that the signatures were reloaded without error.
It's been a while since I ran clamd in debug mode. Have you had a look at that log
level? This *might* give more insight, but I am not sure.

Andy Howell
2016-05-22 17:59:20 UTC
Post by @lbutlr
Post by Patrick Ben Koetter
clamav has its own independent logging. You can control it in clamd.conf. None
of that makes it into amavis.
It does not appear that any information about specific messages and tests gets logged to the clamd.log file though. All it contains is lines telling me the database status is OK and the occasional message that the signatures were reloaded without error.
I'd like to know the same thing. I just added the Sanesecurity clamav
signatures. It drastically cut down on my spam, BUT, with very little
going to my spam folder, I'm worried I might be missing valid mail.

I tried turning on the logging, but it does not tell me much. I was
getting several hundred spams a day, now it's less than 100.

Andy
Olivier
2016-05-23 04:55:36 UTC
Sorry for jumping on the wagon late, but it had been a long weekend.
Post by @lbutlr
I have amavisd running clamav, but nothing from clamav appears in any
logs.
In syslog I see:

May 23 08:58:38 mail amavis[10877]: (10877-13) run_av (ClamAV-clamd):
/var/amavis/tmp/amavis-20160523T065350-10877-3d9eFTpE/parts INFECTED:
SecuriteInfo.com.Spam-661.UNOFFICIAL

May 23 08:58:38 mail amavis[10877]: (10877-13) Blocked INFECTED
(SecuriteInfo.com.Spam-661.UNOFFICIAL) {DiscardedInbound,Quarantined},
[207.8.97.163]:57506 [207.8.97.163]
<***@pmta403.dedicated.bmsend.com> ->
<someone>, quarantine: virus/ZYPWG9Ii7OD4, Queue-ID: 9C9ABD7882,
Message-ID: <***@pmta401.dedicated.bmsend.com>, mail_id:
ZYPWG9Ii7OD4, Hits: -, size: 45913,
dkim_sd=bmdeda:pmta403.dedicated.bmsend.com, 1374 ms

May 23 08:58:38 mail postfix/smtp[12834]: 9C9ABD7882:
to=<someone>, relay=localhost[127.0.0.1]:10024, delay=2.5,
delays=1.1/0.05/0.02/1.4, dsn=2.7.0, status=sent (250 2.7.0 Ok,
discarded, id=10877-13 - INFECTED: SecuriteInfo.com.Spam-661.UNOFFICIAL)

3 log messages for one single piece of email... It may come down to the way
you interface ClamAV with amavis, and whether you collect the data returned
by ClamAV or not.

What I have is:

['ClamAV-clamd',
\&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd.sock"],
qr/\bOK$/m, qr/\bFOUND$/m,
qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],

where the last line is (from the doc):

# 6. a regexp (to be matched against scanner output), returning a list
# of virus names found, or a sub ref, returning such a list when given
# scanner output as argument;

This call from amavis to ClamAV is the stock one, nothing fancy that I'd
have modified myself.

Olivier
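An added example (not code from the thread, from amavis or from ClamAV) showing where a ClamAV hit ends up: it applies the three regexps from the av_scanners entry Olivier quoted to a constructed clamd CONTSCAN reply, and correlates amavis's run_av detail line with the Passed/Blocked verdict line by task id, so that the quarantine file name, mail_id and detecting signature can be listed per message. The log lines, paths and addresses are constructed from the shapes of the lines quoted in the thread, not real traffic.

```python
import re

# The three regexps from the quoted av_scanners entry, translated from Perl
# qr// to Python.  clamd's CONTSCAN reply is one line per scanned file:
# "<path>: OK" or "<path>: <signature> FOUND".
CLAMD_OK = re.compile(r"\bOK$", re.M)
CLAMD_FOUND = re.compile(r"\bFOUND$", re.M)
CLAMD_NAMES = re.compile(r"^.*?: (?!Infected Archive)(.*) FOUND$", re.M)

def classify_clamd_reply(reply):
    """('infected', [names]), ('clean', []) or ('error', []) in amavis's match order."""
    if CLAMD_FOUND.search(reply):
        return "infected", CLAMD_NAMES.findall(reply)
    if CLAMD_OK.search(reply):
        return "clean", []
    return "error", []  # neither marker matched: do not trust the scan result

# Syslog lines amavis writes: the run_av line names scanner and signature, the
# Passed/Blocked line carries verdict, flags, quarantine file and mail_id.
AMAVIS_AV = re.compile(r"amavis\[\d+\]: \((?P<task>[\d-]+)\) run_av "
                       r"\((?P<scanner>[^)]+)\): \S+ INFECTED: (?P<names>.+)$")
AMAVIS_VERDICT = re.compile(
    r"amavis\[\d+\]: \((?P<task>[\d-]+)\) (?P<action>Passed|Blocked) "
    r"(?P<verdict>[A-Z-]+)(?: \((?P<sig>[^)]*)\))? \{(?P<flags>[^}]*)\}"
    r"(?:.*?quarantine: (?P<quar>[^,]+),)?.*?mail_id: (?P<mail_id>[^,]+),")

def correlate(log_lines):
    """Join each run_av detail line to its message's verdict line via the task id."""
    av_hits, results = {}, []
    for line in log_lines:
        m = AMAVIS_AV.search(line)
        if m:
            av_hits.setdefault(m["task"], []).append((m["scanner"], m["names"]))
            continue
        m = AMAVIS_VERDICT.search(line)
        if m:
            results.append({
                "task": m["task"], "action": m["action"], "verdict": m["verdict"],
                "quarantine": m["quar"], "mail_id": m["mail_id"],
                "quarantined": "Quarantined" in m["flags"].split(","),
                "av": av_hits.get(m["task"], []),
            })
    return results

SAMPLE_LOG = [  # constructed from the thread's line shapes; documentation IPs
    "May 21 13:57:29 mail amavis[89288]: (89288-01) Passed SPAM {RelayedTaggedInbound,RelayedOpenRelay,Quarantined}, [127.0.0.1] [192.0.2.10] <sender@example.com> -> <rcpt@example.net>, quarantine: spam-HQ5gUZA4rXw5.gz, Message-ID: <x@example.com>, mail_id: HQ5gUZA4rXw5, Hits: 12.244, size: 7392, queued_as: 3rBwZK26fmzpL6q, 4180 ms",
    "May 23 08:58:38 mail amavis[10877]: (10877-13) run_av (ClamAV-clamd): /var/amavis/tmp/amavis-20160523T065350-10877-3d9eFTpE/parts INFECTED: SecuriteInfo.com.Spam-661.UNOFFICIAL",
    "May 23 08:58:38 mail amavis[10877]: (10877-13) Blocked INFECTED (SecuriteInfo.com.Spam-661.UNOFFICIAL) {DiscardedInbound,Quarantined}, [192.0.2.20]:57506 [192.0.2.20] <bulk@example.org> -> <someone>, quarantine: virus/ZYPWG9Ii7OD4, Queue-ID: 9C9ABD7882, Message-ID: <y@example.org>, mail_id: ZYPWG9Ii7OD4, Hits: -, size: 45913, 1374 ms",
]
```

Running `correlate(SAMPLE_LOG)` yields one record per verdict line, with the ClamAV signature attached only to the task that produced a run_av hit; feeding it the real mail.log gives the per-message view that clamd.log alone does not.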