Manually Scanning for Viruses

[cyberdeath]

Hello everyone,

Recently, we have been hit with a large amount of viruses that have not been detected by clam. However, they are now reported. So, would it be possible to rescan the entire message database overnight with clam? That is: /opt/store.

I want to get rid of any residual viruses that got past our filter because people are still opening week-old emails and getting infected.

Here's what I found when I ran the following:

Code:

./clamscan -r -i -d /opt/zimbra/data/clamav/db /opt/zimbra/store/*

Here's a snippet of what was found:

Code:

/opt/zimbra/store/0/17/msg/3/13127-17639.msg: Email.Phishing.RB-3469 FOUND
/opt/zimbra/store/0/17/msg/3/12961-17451.msg: Email.Phishing.RB-3469 FOUND
/opt/zimbra/store/0/17/msg/3/13687-18288.msg: Trojan.Downloader.Agent-1297 FOUND
/opt/zimbra/store/0/17/msg/3/12776-17248.msg: Email.Phishing.Bank-72 FOUND
/opt/zimbra/store/0/17/msg/3/13757-18365.msg: Trojan.Downloader.Agent-1298 FOUND
/opt/zimbra/store/0/17/msg/3/13235-17757.msg: Trojan.Agent-57252 FOUND

Would it cause corruption if I had clamscan just remove the infected messages? Anyone have experience with this?

One other question: Does anyone know how to find out what virus definitions that clam is using to scan the incoming emails with?
When I type zmclamdctl status, it gives no output.

One additional thing to note: I upgraded to 0.94.1 and pointed the symlink "clamav" to the directory that I placed in /opt/zimbra.

[cyberdeath]

I went and checked to see today how the anti-virus software was doing and it's rarely detecting a virus. I know without a doubt the number of viruses has increased yet it's detecting less. I know that I upgraded to the new Clam version thinking that would solve the problem. But, it has not. Anyone have any suggestions or insight on this? I would greatly appreciate it.

[uxbod]

You could look at integrating a commercial AV scanner aswell into AmavisD. I would also recommend that you look at these third party signatures for Clam :- SaneSecurity

[cyberdeath]

Well, I have considered that as well. But, I'm a bit curious as to why ClamAV isn't doing it's job. I've never had this problem before until recently. What prompted me was when I noticed that the database wasn't updating for whatever reason. That's when I upgraded the version of ClamAV. Would there be any reason why it would just stop updating? Also, upgrading ClamAV using the wiki should not cause any problems when upgrading zimbra later or with it properly scanning for viruses.

And, finally, here's my big question. Can I scan and remove the messages (.msg files) that contain malware? In other words, would that cause db/mbox corruption? Is there a way I should tackle this?

Thanks for the advice thus far .

[cyberdeath]

Hello everyone,

I know this is drudging up an old thread; however, I actually answered my own question by writing my own code to accomplish this. I wanted to share it in case others could benefit from it. See below for a simple script that scans the mail store and removes any infected messages (this is a manual process that must be run either through SSH, a cron job, or something similar). I didn't throw in a bunch of variables so if your store is NOT in ~/store/0/ (as zimbra user) or if something doesn't match your particular configuration, then you will need to modify/adjust script as necessary.

This script will automatically bypass the virus store db (since we know there are viruses there) and any archive accounts assuming they end in .archive (just in case...users shouldn't have access anyway). It will also output the results to stdout (console screen, log file, etc).

I placed the following code in a file called virusremovestore.sh (give it +x with chmod) and in a particular folder where I keep all my scripts (e.g. you could mkdir cyberdeath in /opt/zimbra and place the file in there). You are free to place it wherever you'd like so long as it is accessible by the zimbra user.

Code:

#!/bin/bash

old_IFS=$IFS

echo "Freshening up the anti-virus definitions"

/opt/zimbra/clamav/bin/freshclam --config-file=/opt/zimbra/conf/freshclam.conf

echo "Scanning Mail Store for Viruses"

~/clamav/bin/clamscan --database ~/data/clamav/db/ --recursive=yes --infected ~/store/0/ | while IFS=/ read root opt zimbra store messagestore storeid msg folder messageid virusname found
do
  uid=`mysql -NBe "select comment from zimbra.mailbox where id='$storeid'"`
  msgid=`echo $messageid | cut -d'-' -f1`
  if [[ "$uid" == *.archive ]]; then
        echo "Archive: Did not remove message $msgid from $uid"
  elif [[ "$uid" == *virus*quarantine* ]]; then
        echo "Skipping message $msgid in virus quarantine"
  else
        zmmailbox -z -m $uid dm $msgid
        echo "Found and removed infected message $msgid from $uid"
  fi
done

IFS=$old_IFS

On a final note, I wanted to mention that I still haven't implemented a new anti-virus solution that will directly integrate with Zimbra. However, I have spoken with a couple A/V vendors who say they are compatible with postfix (Symantec & Kaspersky).

If you have any questions or comments, please feel free.

[uxbod]

On a final note, I wanted to mention that I still haven't implemented a new anti-virus solution that will directly integrate with Zimbra. However, I have spoken with a couple A/V vendors who say they are compatible with postfix (Symantec & Kaspersky).

Why not check AmaVISD and see which additional AV scanners it supports ?

[cyberdeath]

Why not check AmaVISD and see which additional AV scanners it supports ?

Hi uxbod,

I should have mentioned I used amavisd to find some of the supported vendors. However, I reached out to some of them and either I never got a response or they wanted to sell me an appliance (ahem...ProofPoint). But I'm not a fan of appliances, especially email ones.

Those were the two companies that have returned my request with a "yes we have postfix support" thus far. But I actually sent the snippet of code from amavisd.conf to a couple resellers. I would encourage anyone looking for a solution to do that as well. Thanks for pointing that out :-).

[ccelis5215]

Hello everyone,

I know this is drudging up an old thread; however, I actually answered my own question by writing my own code to accomplish this. I wanted to share it in case others could benefit from it. See below for a simple script that scans the mail store and removes any infected messages (this is a manual process that must be run either through SSH, a cron job, or something similar). I didn't throw in a bunch of variables so if your store is NOT in ~/store/0/ (as zimbra user) or if something doesn't match your particular configuration, then you will need to modify/adjust script as necessary.

This script will automatically bypass the virus store db (since we know there are viruses there) and any archive accounts assuming they end in .archive (just in case...users shouldn't have access anyway). It will also output the results to stdout (console screen, log file, etc).

I placed the following code in a file called virusremovestore.sh (give it +x with chmod) and in a particular folder where I keep all my scripts (e.g. you could mkdir cyberdeath in /opt/zimbra and place the file in there). You are free to place it wherever you'd like so long as it is accessible by the zimbra user.

Code:

#!/bin/bash

old_IFS=$IFS

echo "Freshening up the anti-virus definitions"

/opt/zimbra/clamav/bin/freshclam --config-file=/opt/zimbra/conf/freshclam.conf

echo "Scanning Mail Store for Viruses"

~/clamav/bin/clamscan --database ~/data/clamav/db/ --recursive=yes --infected ~/store/0/ | while IFS=/ read root opt zimbra store messagestore storeid msg folder messageid virusname found
do
  uid=`mysql -NBe "select comment from zimbra.mailbox where id='$storeid'"`
  msgid=`echo $messageid | cut -d'-' -f1`
  if [[ "$uid" == *.archive ]]; then
        echo "Archive: Did not remove message $msgid from $uid"
  elif [[ "$uid" == *virus*quarantine* ]]; then
        echo "Skipping message $msgid in virus quarantine"
  else
        zmmailbox -z -m $uid dm $msgid
        echo "Found and removed infected message $msgid from $uid"
  fi
done

IFS=$old_IFS

On a final note, I wanted to mention that I still haven't implemented a new anti-virus solution that will directly integrate with Zimbra. However, I have spoken with a couple A/V vendors who say they are compatible with postfix (Symantec & Kaspersky).

If you have any questions or comments, please feel free.

Hello cyberdeath,

A nice script, it just works!

Thanks.

ccelis