Linux - Server: This forum is for the discussion of Linux Software used in a server related context.
I'm running sendmail with a clamav-milter. It occasionally traps messages it thinks have viruses. Sometimes these are false positives. I know how to list messages in quarantine using `mailq -qQ`, but how do I release messages from quarantine? For example, I have a message with ID uB5FBul2008123 - how to release that?
Also, since I'm running a clamav-milter, will releasing that message from the quarantine just end up getting it quarantined again by the milter?
I found this result with many of the quarantined messages. "Infected files: 0". So, why is the sendmail clamav-milter quarantining these messages, but a manually run clamscan finds no infection?
I wouldn't trust clamav results. Unfortunately its virus database is not up to date, so most likely that .xlsm file is some sort of trojan. You can test it here to verify it yourself.
Now I don't know why the milter quarantines these messages, but I suspect a (mis)configuration problem.
As a side note, I noticed that your clamav installation is outdated (version 0.99.1 while the latest version is 0.99.2). Clamav always complains if it's not the latest version, but it continues to work nevertheless.
I tried your link and it found no infections with the file I want to release; although clamav does find actually infected files. So, I guess I need to look at updating clamav, and otherwise figure out why I get these false-positives.
Meanwhile, your suggested sendmail -qIuB7F5MYw026072 apparently did nothing. I also tried sendmail -t -i </var/spool/mqueue/dfuB7F5MYw026072 per other suggestions I found.
I read somewhere that quarantined items have a different prefix on the header file, possible "hf" instead of "qf" or something like that. I could try simply renaming the file. Before I try that, any thoughts/cautions?
LATER ...
I tried renaming hfuB7F5MYw026072 to qfuB7F5MYw026072. That removed it from the mailq -qQ list, but didn't cause the message to get delivered. Eventually, the dfuB7F5MYw026072 file got deleted from /var/spool/mqueue, but the qf... file remained. In /var/log/maillog I got:
Code:
Dec 14 01:18:58 mail sm-mta[21234]: uB7F5MYw026072: uBE6IwVa021234: DSN: Cannot send message for 5 days
Dec 14 01:18:59 mail sm-mta[21234]: uBE6IwVa021234: to=<mbrady@sender.org>, delay=00:00:01, mailer=esmtp, pri=412819, quarantine=quarantined by clamav-milter, stat=quarantined
So, I suppose the sender is going to get that rejection message. Would it have worked if the message was not more than 5 days old?
Last edited by mfoley; 12-14-2016 at 12:25 AM.
Reason: Update
Quote:
I tried your link and it found no infections with the file I want to release; although clamav does find actually infected files.
That's good to know. As I've told you, unless it's from a known sender, all mail I get with attachments like doc(x), xls(m) and various other MS Office files are all trojans when checked at the link above. And unfortunately clamav does not detect even one of them!
Quote:
So, I guess I need to look at updating clamav, and otherwise figure out why I get these false-positives.
Updating clamav just stops the message "Your clamav installation is outdated..." when running it. The virus definition database is still the same, so the virus detection is not affected.
I didn't know that quarantined mails in mqueue have a different prefix.
You may use the following to dequarantine a message:
Also, I guess you've seen this post, so most likely if your rename hf.. to qf while keeping the df.. (body) in the same mqueue directory, then running "sendmail -qIu.." should do the job.
Quote:
That's good to know. As I've told you, unless it's from a known sender, all mail I get with attachments like doc(x), xls(m) and various other MS Office files are all trojans when checked at the link above. And unfortunately clamav does not detect even one of them!
Well, clamav is detecting quite a lot of these here.
Quote:
I didn't knew that quarantine mails in mqueue have a different prefix.
You may use the following to dequarantine a message:
That turned out very badly! The command sendmail -qQ -QSmbrady@sender.org -Q unquarantined ALL the quarantined messages! I'll have to make sure the users don't open them. In looking at the link you referenced, the syntax shown there is sendmail -qQ -qSmbrady@sender.org -Q - lower case 'q' in '-qS', not '-QS'. I'll remove the bad messages from the users' folders, restore the quarantine queue and try again with the correct syntax -- after business hours this time!
Quote:
Also, I guess you've seen this post, so most likely if your rename hf.. to qf while keeping the df.. (body) in the same mqueue directory, then running "sendmail -qIu.." should do the job.
No, that didn't work at all. In fact it generated more quarantine entries periodically so there were about 20 more quarantined messages when I checked the next day.
Quote:
That turned out very badly! The command sendmail -qQ -QSmbrady@sender.org -Q unquarantined ALL the quarantined messages! I'll have to make sure the users don't open them. In looking at the link you referenced, the syntax shown there is sendmail -qQ -qSmbrady@sender.org -Q - lower case 'q' in '-qS', not '-QS'.
My bad. Sorry for the typo.
Anyway, I think that in the same way you can also use qR.. or qI.. to select the messages to dequarantine by recipient or message-id.
The qS did work. I'll try qI next time.
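An added example (not code from this thread or from the sendmail project) that puts the release procedure worked out above into a small POSIX shell helper: it picks quarantined queue IDs and their reasons out of maillog lines like the ones posted earlier, lists the hf* (quarantined envelope) files in a queue directory, and builds the single-message release command `sendmail -qQ -qI<id> -Q`. The command is printed rather than run unless DRY_RUN=0 is set, and the ID is validated first, because the one thing this thread demonstrated is that a mistyped selector releases everything. The queue directory, the DRY_RUN variable and the sample log line are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread or from sendmail.
# Assumes sendmail's queue layout: hf* = quarantined envelope, qf* = normal
# envelope, df* = message body, all sharing the queue ID as suffix.

# Print "<queue-id> <reason>" for every maillog line whose delivery status
# was logged as stat=quarantined (reads the log text on stdin).
quarantined_from_maillog() {
    sed -n 's/^.*sm-mta\[[0-9]*\]: \([A-Za-z0-9]*\): .*quarantine=\([^,]*\), stat=quarantined.*$/\1 \2/p'
}

# List the queue IDs that currently sit in quarantine, i.e. have an hf* file.
list_quarantined_ids() {
    for f in "$1"/hf*; do
        [ -e "$f" ] || continue
        printf '%s\n' "${f##*/hf}"
    done
}

# Build the release command for exactly one message: -qQ selects the
# quarantine queue, -qI<id> narrows it to that ID, and -Q with no reason
# clears the quarantine flag. The ID is validated (sendmail IDs are
# alphanumeric) so a stray character cannot turn into a broad selector.
dequarantine_cmd() {
    case $1 in
        ''|*[!A-Za-z0-9]*) echo "invalid queue id: '$1'" >&2; return 1 ;;
    esac
    printf 'sendmail -qQ -qI%s -Q\n' "$1"
}

# Print the command (default) or run it when DRY_RUN=0 is set explicitly.
release_message() {
    cmd=$(dequarantine_cmd "$1") || return 1
    if [ "${DRY_RUN:-1}" = 1 ]; then
        echo "would run: $cmd"
    else
        $cmd
    fi
}

# Demo on a constructed queue directory and a constructed log line.
demo() {
    tmp=$(mktemp -d)
    : > "$tmp/hfuB7F5MYw026072"; : > "$tmp/dfuB7F5MYw026072"; : > "$tmp/qfuBE6IwVa021234"
    echo "quarantined queue IDs in $tmp:"
    list_quarantined_ids "$tmp"
    printf '%s\n' 'Dec 14 01:18:59 mail sm-mta[21234]: uBE6IwVa021234: to=<user@example.org>, delay=00:00:01, mailer=esmtp, pri=412819, quarantine=quarantined by clamav-milter, stat=quarantined' \
        | quarantined_from_maillog
    release_message uB7F5MYw026072
    rm -rf "$tmp"
}
demo
```

Run it as-is to see the dry-run output; `DRY_RUN=0 sh release.sh` (with the demo replaced by a call on the real ID) hands the command to sendmail. Because -qI selects a single queue ID, the hf* file for that ID is renamed back to qf* by sendmail itself and nothing else in the quarantine is touched.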
I'm still getting confusing results. When I run clamscan manually on most of the messages in the quarantine queue it shows no infections. So why are they getting quarantined? When I look at the clamd.log I see a number of messages like:
Code:
fd[10]: Heuristics.OLE2.ContainsMacros FOUND
The number of messages in the clamd.log corresponds to the number of messages quarantined, so I assume these are being quarantined because of the respective .doc[x] attachment having macros. This might be OK, but why does the clamav-milter/clamd find this and commandline clamscan does not? Are they looking at different config files? Neither the clamd rc file nor the manual clamscan are specifying config overrides. clamd should be using the default of /usr/local/etc/clamd.conf. clamscan's man page does not mention a config file. Does that mean it uses clamd's or nothing?
Log file entries are Microsoft-like in their usefulness. No timestamp, no info about the message or attachment that was found "infected" ... even though I have "LogVerbose yes" in clamd.conf. I'm turning on ExtendedDetectionInfo; we'll see if that helps.
Still, how do I get clamscan to give the same results as clamd? Adding --scan-ole2=yes to the clamscan command doesn't help.
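An added example (not code from this thread or from ClamAV) for the clamd-versus-clamscan discrepancy above. clamscan reads no configuration file, so any clamd.conf option that changes a verdict has to be repeated as a command-line flag; the function below reads a clamd.conf and prints the clamscan flags of the same meaning. It assumes ClamAV 0.99 option names (0.101 and later renamed --block-macros to --alert-macros) and a constructed clamd.conf. In particular `OLE2BlockMacros yes` is the clamd setting that produces Heuristics.OLE2.ContainsMacros, while clamscan defaults to --block-macros=no; that the two differ here is an assumption, since the thread does not show the clamd.conf.

```shell
#!/bin/sh
# Added example, not code from the thread or from ClamAV. Maps the clamd.conf
# options that influence scan verdicts to the clamscan flags of the same
# meaning (ClamAV 0.99 names; 0.101+ renamed --block-macros to --alert-macros).

# Print one clamscan flag per relevant clamd.conf option. Comments, blank
# lines and options that do not change verdicts (logging, sockets, ...) are skipped.
clamd_conf_to_clamscan_flags() {
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1" | while read -r key value; do
        case $key in
            ScanOLE2)             echo "--scan-ole2=$value" ;;
            OLE2BlockMacros)      echo "--block-macros=$value" ;;   # raises Heuristics.OLE2.ContainsMacros
            ScanArchive)          echo "--scan-archive=$value" ;;
            ScanPDF)              echo "--scan-pdf=$value" ;;
            ScanHTML)             echo "--scan-html=$value" ;;
            ScanPE)               echo "--scan-pe=$value" ;;
            ScanELF)              echo "--scan-elf=$value" ;;
            DetectPUA)            echo "--detect-pua=$value" ;;
            AlgorithmicDetection) echo "--algorithmic-detection=$value" ;;
            MaxFileSize)          echo "--max-filesize=$value" ;;
            MaxScanSize)          echo "--max-scansize=$value" ;;
            MaxRecursion)         echo "--max-recursion=$value" ;;
            MaxFiles)             echo "--max-files=$value" ;;
            *) ;;
        esac
    done
}

# Build (but do not run) a clamscan command line equivalent to clamd's settings.
clamscan_like_clamd() {
    flags=$(clamd_conf_to_clamscan_flags "$1" | tr '\n' ' ')
    printf 'clamscan %s%s\n' "$flags" "$2"
}

demo() {
    tmp=$(mktemp -d)
    # constructed clamd.conf fragment; the real one here lives at /usr/local/etc/clamd.conf
    cat > "$tmp/clamd.conf" <<'EOF'
# constructed sample
LogVerbose yes
ScanOLE2 yes
# this is the line that makes clamd flag macro-bearing Office files
OLE2BlockMacros yes
MaxFileSize 25M
EOF
    clamscan_like_clamd "$tmp/clamd.conf" quarantined-attachment.docx
    rm -rf "$tmp"
}
demo
```

Point it at the live clamd.conf to get the flags for a manual scan that matches the milter's verdict. The other way to get an identical verdict is `clamdscan`, which hands the file to the running clamd and therefore uses clamd.conf as-is.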
That's what I told you in my 1st answer. Unfortunately the clamav database is not up to date, so it does not detect most of the new viruses/trojans etc.
You can run:
Code:
clamdscan virus-file.docx
to verify that clamd is not detecting it either.
Quote:
When I look at the clamd.log I see a number of messages like:
fd[10]: Heuristics.OLE2.ContainsMacros FOUND
The number of messages in the clamd.log corresponds to the number of messages quarantined, so I assume these are being quarantined because of the respective .doc[x] attachment having macros. This might be OK, but why does the clamav-milter/clamd find this and commandline clamscan does not? Are they looking at different config files? Neither the clamd rc file nor the manual clamscan are specifying config overrides. clamd should be using the default of /usr/local/etc/clamd.conf. clamscan's man page does not mention a config file. Does that mean it uses clamd's or nothing?
I do not know why the milter quarantines them, but I guess that those detected are already in the clamav db. You can use the link I gave you to verify it.