Zimbra :: Forums > Zimbra Collaboration Suite > Administrators
#1 01-15-2010, 01:09 AM, Active Member (Posts: 34)
ClamAV not identifying viruses

Hm, my antivirus isn't finding any viruses.
I sent a test email with the file eicar.zip through Zimbra and Zimbra did not block it.
When I try to send it outbound over my frontend relay (exim+clamav), my message is blocked by ClamAV.

said: 550
ClamAV found a virus: Eicar-Test-Signature (in reply to end of DATA
command)

zmprov gs `zmhostname` zimbraServiceEnabled
# *****
zimbraServiceEnabled: antivirus
zimbraServiceEnabled: logger
zimbraServiceEnabled: mailbox
zimbraServiceEnabled: memcached
zimbraServiceEnabled: mta
zimbraServiceEnabled: stats
zimbraServiceEnabled: snmp
zimbraServiceEnabled: ldap
zimbraServiceEnabled: spell
#2 01-15-2010, 01:31 AM, Moderator (Posts: 7,928)

Please check /var/log/zimbra.log for any error messages.
#3 01-15-2010, 01:42 AM, Active Member (Posts: 34)

Jan 15 10:17:07 zimbra postfix/error[23191]: 007526C81A8: to=<user@domain.tld>, relay=none, delay=59231, delays=59230/0.17/0/0.09, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to 127.0.0.1[127.0.0.1]:10024: Connection refused)

But this error is dated from when my antivirus was disabled as a service. After that I enabled it and sent my own test with eicar.

So, what must I check now?
#4 01-15-2010, 01:45 AM, Moderator (Posts: 7,928)

Code:
su - zimbra
zmcontrol status
Would you also send an eicar test again and post what happens in /var/log/zimbra.log.
#5 01-15-2010, 02:06 AM, Active Member (Posts: 34)

After running zmclamdctl start
antivirus Running
ldap Running
logger Running
mailbox Running
memcached Running
mta Running
snmp Running
spell Running
stats Running

I forwarded my virus test and received the eicar file as is.

In the log I have not seen any error about the connection with amavis, but look at the info about starting ClamAV:

Jan 15 11:57:49 zimbra clamd[21524]: clamd daemon 0.95.3-broken-compiler (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
Jan 15 11:57:49 zimbra clamd[21524]: Log file size limited to 20971520 bytes.
Jan 15 11:57:49 zimbra clamd[21524]: Reading databases from /opt/zimbra/data/clamav/db
Jan 15 11:57:49 zimbra clamd[21524]: Not loading PUA signatures.
Jan 15 11:57:51 zimbra clamd[21524]: Loaded 662464 signatures.
Jan 15 11:57:52 zimbra clamd[21524]: TCP: Bound to port 3310
Jan 15 11:57:52 zimbra clamd[21524]: TCP: Setting connection queue length to 15
Jan 15 11:57:52 zimbra clamd[21770]: Limits: Global size limit set to 15360000 bytes.
Jan 15 11:57:52 zimbra clamd[21770]: Limits: File size limit set to 15360000 bytes.
Jan 15 11:57:52 zimbra clamd[21770]: Limits: Recursion level limit set to 16.
Jan 15 11:57:52 zimbra clamd[21770]: Limits: Files limit set to 10000.
Jan 15 11:57:52 zimbra clamd[21770]: Archive support enabled.
Jan 15 11:57:52 zimbra clamd[21770]: Archive: Blocking encrypted archives.
Jan 15 11:57:52 zimbra clamd[21770]: Algorithmic detection enabled.
Jan 15 11:57:52 zimbra clamd[21770]: Portable Executable support enabled.
Jan 15 11:57:52 zimbra clamd[21770]: ELF support enabled.
Jan 15 11:57:52 zimbra clamd[21770]: Mail files support enabled.
Jan 15 11:57:52 zimbra clamd[21770]: OLE2 support enabled.
Jan 15 11:57:52 zimbra clamd[21770]: PDF support enabled.
Jan 15 11:57:52 zimbra clamd[21770]: HTML support enabled.
Jan 15 11:57:52 zimbra clamd[21770]: Self checking every 600 seconds.
====

Also my zimbra.log has more errors like this (but I think these are only web interface warnings):

Jan 15 12:04:25 zimbra saslauthd[6478]: zmpost: url='https://zimbrahostFQDN:7071/service/admin/soap/' returned buffer->data='<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"><soap:Header><context xmlns="urn:zimbra"><change token="5832"/></context></soap:Header><soap:Body><AuthResponse xmlns="urn:zimbraAccount"><authToken>0_40affb60a64195d79e8a5e9c6d70e8433c9aa072_69643d33363a34316261373365392d333665382d346662632d626337352d3866373433386439303366363b6578703d31333a313236333732323636353135353b747970653d363a7a696d6272613b</authToken><lifetime>172800000</lifetime><skin>beach</skin></AuthResponse></soap:Body></soap:Envelope>', hti->error=''

Last edited by blessendor; 01-15-2010 at 02:17 AM..
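The clamd start-up lines in the post above show the daemon bound to TCP 3310 with signatures loaded, but not whether it actually returns a verdict on what amavis hands it. The following is an added example, not code from this thread or from Zimbra: it talks to clamd directly over its INSTREAM protocol (NUL-terminated "zINSTREAM" command, length-prefixed chunks, zero-length terminator, "stream: ... FOUND" or "stream: OK" reply) with the EICAR string, which isolates "clamd does not detect" from "amavis is not wired in". Run it with a host and port to test the real daemon on a Zimbra box; with no arguments it runs offline against a small in-process stand-in for clamd, which is an assumption of this example and not the real scanner (it matches only the raw EICAR string and does not unpack archives, which real clamd does).

```python
import socket
import struct
import sys
import threading

# The EICAR test string (68 bytes), split into two adjacent literals so that
# this source file is less likely to be quarantined by an on-access scanner;
# the joined value is the standard test string.
EICAR = (rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD"
         rb"-ANTIVIRUS-TEST-FILE!$H+H*")


def clamd_scan(data, host="127.0.0.1", port=3310, chunk=8192, timeout=10.0):
    """Scan `data` with clamd's INSTREAM command and return the verdict text.

    Wire format (clamd(8)): the NUL-terminated command "zINSTREAM\\0", then
    chunks of <4-byte big-endian length><bytes>, ended by a zero length.
    clamd answers "stream: OK\\0" or "stream: <signature> FOUND\\0".
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"zINSTREAM\0")
        for off in range(0, len(data), chunk):
            piece = data[off:off + chunk]
            s.sendall(struct.pack(">I", len(piece)) + piece)
        s.sendall(struct.pack(">I", 0))
        reply = b""
        while not reply.endswith(b"\0"):
            part = s.recv(4096)
            if not part:
                break
            reply += part
    return reply.rstrip(b"\0").decode()


def _recv_exact(conn, n):
    buf = b""
    while len(buf) < n:
        part = conn.recv(n - len(buf))
        if not part:
            raise ConnectionError("peer closed the stream early")
        buf += part
    return buf


class FakeClamd:
    """Stand-in for clamd so the example runs offline (an assumption, not the
    real daemon). It understands only zINSTREAM and reports FOUND when the raw
    EICAR string occurs in the stream; unlike real clamd it does not unpack
    archives, so the thread's eicar.zip would not be caught by this stub."""

    def __init__(self):
        self.srv = socket.socket()
        self.srv.bind(("127.0.0.1", 0))   # ephemeral port, never the real 3310
        self.srv.listen(5)
        self.port = self.srv.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _handle(self, conn):
        cmd = b""
        while not cmd.endswith(b"\0"):
            cmd += _recv_exact(conn, 1)
        if cmd != b"zINSTREAM\0":
            conn.sendall(b"UNKNOWN COMMAND\0")
            return
        body = b""
        while True:
            (n,) = struct.unpack(">I", _recv_exact(conn, 4))
            if n == 0:
                break
            body += _recv_exact(conn, n)
        found = EICAR in body
        conn.sendall(b"stream: Eicar-Test-Signature FOUND\0" if found else b"stream: OK\0")

    def _serve(self):
        while True:
            conn, _ = self.srv.accept()
            with conn:
                try:
                    self._handle(conn)
                except ConnectionError:
                    pass


def run_eicar_check(host, port):
    """Scan one clean payload and one EICAR payload; return both verdicts."""
    return {
        "clean": clamd_scan(b"harmless attachment contents\n", host, port),
        "eicar": clamd_scan(EICAR, host, port),
    }


if __name__ == "__main__":
    # Usage: python3 clamd_check.py 127.0.0.1 3310   (real clamd on a Zimbra host)
    #        python3 clamd_check.py                  (offline, against the stub)
    if len(sys.argv) == 3:
        host, port = sys.argv[1], int(sys.argv[2])
    else:
        host, port = "127.0.0.1", FakeClamd().port
    for name, verdict in run_eicar_check(host, port).items():
        print(f"{name}: {verdict}")
```

If the real daemon answers FOUND here but amavis still passes the message, the fault is between postfix and amavis (the 10024 connection refused in post #3) or in amavis's clamd socket configuration, not in the signatures.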
#6 01-15-2010, 02:15 AM, Active Member (Posts: 34)

New logged errors detected:

Jan 15 10:17:07 zimbra postfix/error[23191]: DED576C800B: to=<some-address>, relay=none, delay=59292, delays=59292/0.11/0/0.05, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to 127.0.0.1[127.0.0.1]:10024: Connection refused)
Jan 15 10:17:07 zimbra postfix/error[23191]: DED576C800B: to=<some-address>, relay=none, delay=59292, delays=59292/0.11/0/0.08, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to 127.0.0.1[127.0.0.1]:10024: Connection refused)
Jan 15 10:17:07 zimbra postfix/error[23194]: D25B46C81CB: to=<some-address>, relay=none, delay=59181, delays=59181/0.16/0/0.05, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to 127.0.0.1[127.0.0.1]:10024: Connection refused)
J

> zmcontrol status

antivirus Running
ldap Running
logger Running
mailbox Running
memcached Running
mta Running
snmp Running
spell Running
stats Running
#7 01-15-2010, 02:16 AM, Moderator (Posts: 7,928)

Please post the SMTP transaction when you sent through the eicar test file. Need to see all the information from zimbra.log for when the email comes in, passes through amavis, and then is injected back into Postfix.
#8 01-15-2010, 02:43 AM, Active Member (Posts: 34)

Wow, I tried now to send a new test and it was successful!

VIRUS ALERT

Our content checker found
virus: Eicar-Test-Signature

in an email to you from probably faked sender:
?@[192.168.10.61]
claiming to be: <my-address>

Content type: Virus
Our internal reference code for your message is 27965-05/rTYr0gHSB6pY

First upstream SMTP client IP address: [192.168.10.61]
FQDN-host-zimbra
According to a 'Received:' trace, the message apparently originated at:
[192.168.10.61], FQDN FQDN
[192.168.10.61]

Return-Path: <my-address>
From: Name <my-address>
Message-ID:
<1842583602.1740.1263552014343.JavaMail.root@fqdn>
X-Mailer: Zimbra 6.0.4_GA_2038.SLES11_64 (ZimbraWebClient - FF3.0
(Linux)/6.0.4_GA_2038.SLES11_64)
Subject: virus debuggin
The message has been quarantined as: virus-rTYr0gHSB6pY

Please contact your system administrator for details.
#9 01-15-2010, 02:46 AM, Moderator (Posts: 7,928)

Excellent .. I presume you are not getting messages about deferred emails now ?
#10 01-15-2010, 02:54 AM, Active Member (Posts: 34)

New test trace with twice-zipped eicar:

Jan 15 12:49:02 zimbra amavis[27962]: (27962-07) Checking: Nvh0MmKNmNyd MYNETS [192.168.10.61] <groupname@FQDN> -> <groupuser1@FQDN>,<groupuser2@FQDN>,<groupuser3@FQDN>
Jan 15 12:49:02 zimbra amavis[27962]: (27962-07) local delivery: <> -> virus-quarantine, mbx=/opt/zimbra/data/amavisd/quarantine/virus-Nvh0MmKNmNyd
Jan 15 12:49:02 zimbra postfix/cleanup[21234]: 692A76C819F: message-id=<VANvh0MmKNmNyd@FQDN>
Jan 15 12:49:02 zimbra postfix/cleanup[23601]: 7A8386C81A0: message-id=<VRNvh0MmKNmNyd@FQDN>
Jan 15 12:49:02 zimbra postfix/cleanup[21234]: 8F6CB6C81A1: message-id=<VRNvh0MmKNmNyd@FQDN>
Jan 15 12:49:02 zimbra postfix/cleanup[23601]: A9E2F6C819F: message-id=<VRNvh0MmKNmNyd@FQDN>
Jan 15 12:49:02 zimbra amavis[27962]: (27962-07) Blocked INFECTED (Eicar-Test-Signature), MYNETS LOCAL [192.168.10.61] [192.168.10.61] <groupname@FQDN> -> <groupuser1@FQDN>,<groupuser2@FQDN>,<groupuser3@FQDN>, quarantine: virus-Nvh0MmKNmNyd, Message-ID: <873499934.1792.1263552541757.JavaMail.root@FQDN>, mail_id: Nvh0MmKNmNyd, Hits: -, size: 2522, 761 ms


No deferred, all is ok!

Hm, but why doesn't the user who sent the virus receive a virus alert too?
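The thread's diagnosis ran through three kinds of zimbra.log lines: postfix deferring to 127.0.0.1:10024 while amavisd was down (post #3 and #6), clamd start-up with its signature count and port (post #5), and the amavis Checking / Blocked INFECTED / quarantine trace once it worked (post #10). The following is an added example, not code from this thread or from Zimbra, that runs that triage over a constructed log excerpt modelled on those lines (addresses, hostnames and the token are placeholders). It also masks the authToken that saslauthd wrote into the log in post #5: that SOAP AuthResponse carries an admin session token, and a log containing it should not be pasted into a forum unredacted. The finding strings and the pattern layout are this example's own choices.

```python
import re

# Constructed zimbra.log excerpt, modelled on the lines quoted in this thread;
# addresses, hostnames and the auth token are placeholders, not real values.
SAMPLE_LOG = """\
Jan 15 10:17:07 zimbra postfix/error[23191]: 007526C81A8: to=<user@domain.tld>, relay=none, delay=59231, delays=59230/0.17/0/0.09, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to 127.0.0.1[127.0.0.1]:10024: Connection refused)
Jan 15 10:17:07 zimbra postfix/error[23194]: D25B46C81CB: to=<user@domain.tld>, relay=none, delay=59181, delays=59181/0.16/0/0.05, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to 127.0.0.1[127.0.0.1]:10024: Connection refused)
Jan 15 11:57:51 zimbra clamd[21524]: Loaded 662464 signatures.
Jan 15 11:57:52 zimbra clamd[21524]: TCP: Bound to port 3310
Jan 15 12:04:25 zimbra saslauthd[6478]: zmpost: url='https://zimbrahostFQDN:7071/service/admin/soap/' returned buffer->data='<AuthResponse><authToken>0_constructed_placeholder_token</authToken><lifetime>172800000</lifetime></AuthResponse>', hti->error=''
Jan 15 12:49:02 zimbra amavis[27962]: (27962-07) Checking: Nvh0MmKNmNyd MYNETS [192.168.10.61] <groupname@FQDN> -> <groupuser1@FQDN>,<groupuser2@FQDN>
Jan 15 12:49:02 zimbra amavis[27962]: (27962-07) local delivery: <> -> virus-quarantine, mbx=/opt/zimbra/data/amavisd/quarantine/virus-Nvh0MmKNmNyd
Jan 15 12:49:02 zimbra amavis[27962]: (27962-07) Blocked INFECTED (Eicar-Test-Signature), MYNETS LOCAL [192.168.10.61] [192.168.10.61] <groupname@FQDN> -> <groupuser1@FQDN>,<groupuser2@FQDN>, quarantine: virus-Nvh0MmKNmNyd, Message-ID: <873499934.1792.1263552541757.JavaMail.root@FQDN>, mail_id: Nvh0MmKNmNyd, Hits: -, size: 2522, 761 ms
"""

# Patterns for the hops of the scanning chain seen in the thread:
# postfix -> amavisd-new (127.0.0.1:10024) -> clamd (TCP 3310) -> back to postfix.
DEFERRED = re.compile(
    r"postfix/error\[\d+\]: (?P<qid>[0-9A-F]+): .*status=deferred .*"
    r"connect to 127\.0\.0\.1\[127\.0\.0\.1\]:(?P<port>\d+): Connection refused")
CLAMD_SIGS = re.compile(r"clamd\[\d+\]: Loaded (?P<n>\d+) signatures\.")
CLAMD_PORT = re.compile(r"clamd\[\d+\]: TCP: Bound to port (?P<port>\d+)")
AMAVIS_CHECK = re.compile(r"amavis\[\d+\]: \([\d-]+\) Checking: (?P<mail_id>\S+) ")
AMAVIS_BLOCKED = re.compile(
    r"amavis\[\d+\]: \([\d-]+\) Blocked INFECTED \((?P<sig>[^)]+)\).*"
    r"quarantine: (?P<quarantine>[^,]+),.*mail_id: (?P<mail_id>[^,]+),")
# saslauthd logs the admin SOAP AuthResponse verbatim, token included; mask it
# before the log leaves the box.
AUTHTOKEN = re.compile(r"<authToken>[^<]*</authToken>")


def redact(text):
    """Mask Zimbra auth tokens so a pasted log cannot be replayed as a session."""
    return AUTHTOKEN.sub("<authToken>[REDACTED]</authToken>", text)


def triage(log_text):
    """Summarise the state of the postfix/amavis/clamd chain from zimbra.log text."""
    report = {"deferred_to_amavis": [], "clamd_signatures": None,
              "clamd_port": None, "checked": [], "blocked": [], "redacted": 0}
    for raw in log_text.splitlines():
        line = redact(raw)
        if line != raw:
            report["redacted"] += 1
        if (m := DEFERRED.search(line)) and m.group("port") == "10024":
            report["deferred_to_amavis"].append(m.group("qid"))
        elif m := CLAMD_SIGS.search(line):
            report["clamd_signatures"] = int(m.group("n"))
        elif m := CLAMD_PORT.search(line):
            report["clamd_port"] = int(m.group("port"))
        elif m := AMAVIS_CHECK.search(line):
            report["checked"].append(m.group("mail_id"))
        elif m := AMAVIS_BLOCKED.search(line):
            report["blocked"].append(m.groupdict())
    return report


def findings(report):
    """Turn the report into the checks a practitioner would act on."""
    out = []
    if report["deferred_to_amavis"]:
        out.append("amavisd-new not accepting on 127.0.0.1:10024; "
                   f"{len(report['deferred_to_amavis'])} queue id(s) deferred "
                   "(check zmcontrol status for the antivirus service)")
    if report["clamd_signatures"] is None:
        out.append("no clamd signature load seen; check clamd start-up in zimbra.log")
    if report["clamd_port"] is not None and report["clamd_port"] != 3310:
        out.append(f"clamd bound to {report['clamd_port']}, not the expected 3310")
    for b in report["blocked"]:
        out.append(f"blocked {b['sig']} (mail_id {b['mail_id']}) -> {b['quarantine']}")
    if report["redacted"]:
        out.append(f"{report['redacted']} auth token(s) redacted before sharing")
    return out


if __name__ == "__main__":
    for item in findings(triage(SAMPLE_LOG)):
        print(item)
```

On a live host, feed it the real file (`triage(open("/var/log/zimbra.log").read())`); the deferred queue ids it lists are the ones to watch drain with `postqueue -p` once the antivirus service is back, which is the check the moderator asks for in post #9.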