Virus not blocked in archive mailbox

[tvtsg]

I am evaluating a multi-server install of Zimbra ZCS 7.12 and have everything working fairly well, except for this one annoying issue. If an incoming message is found to have a virus, or has a password encrypted zip attachment, the message is blocked as expected. Note, I have "Block encrypted archives" option enabled, so the message is not delivered to the user's mailbox, exactly the way I want it to work.

However, if the account has the archiving feature enabled, the message is delivered to the user's archive mailbox. This probably wouldn't be much of a problem, except that we plan to present the user with a View Only share of the archive mailbox. I don't want the user to have access to any encrypted zip files, period. I've seen too many viruses being sent in this manner. How do I block delivery of encrypted archives to both mailboxes???

General architecture:

mx1 - MTA, A/V, A/S, Proxy
mx2 - LDAP
mx3 - user mailboxes
mx4 - archive mailboxes

[soba@ukw.edu.pl]

Check your configuration for clamd.conf . Clamd have a poor reputation in my opinion. For best virus detection you can use any external antyvirus solution. You can add a different virus scaner in amavisd.conf

[tvtsg]

Soba,

Thanks for the reply! Unfortunately, due to budget constraints, I need to make this work with the included spam and AV applications. This looks to be a probable configuration issue with amavisd or postfix? What logs should I be looking at? /opt/zimbra/logs/clamd.log shows the virus detection. Where do I look to determine why it decides to forward the message to the archive mailbox?

Let me explain the problem a different way. Clam DOES detect the virus (and/or encrypted zip file) and it DOES quarantine the message. The issue is, if the account is configured for archiving, a copy of the message is forwarded to the archive mailbox.

If a message is flagged as spam, it is not forwarded to the archive mailbox. If a message is good, it is forwarded to the archive mailbox. That is exactly how I would expect it to work. I do not want to waste disk space archiving spam.

The problem is, if a message is flagged as a virus, it should not be forwarded to the archive mailbox, but it is. How do I prevent it this?

I tried clearing the amavisArchiveQuarantineTo attribute for the account, but that breaks archiving completely.

Here is the Virus Alert sent to the recipient. Notice that it says the message is quarantined to both the archive account AND the virus quarantine account.

VIRUS ALERT

Our content checker found
virus:

in an email to you from probably faked sender:
?@[38.96.163.28]
claiming to be: <eicar@aleph-tec.com>

Content type: Virus
Our internal reference code for your message is 25596-01/J+lb3TfVSRsA

First upstream SMTP client IP address: [38.96.163.28]
spammy.outbound.your-site.com
According to a 'Received:' trace, the message apparently originated at:
[38.96.163.28],

Return-Path: <eicar@aleph-tec.com>
From: eicar@aleph-tec.com
Message-ID: <201109221427.p8MERRvJ008794@5081.web.vm.your-site.com>
X-Mailer: PHP/5.3.2-1ubuntu4.9
Subject: EICAR anti-virus test file:
The message has been quarantined as: bryan@tvtsghosting.com.archive, virus-quarantine.iqeofwjpv@tvtsghosting.com

Please contact your system administrator for details.

[soba@ukw.edu.pl]

Check your amavisd.conf

banned_rules = (

search lines like this:

'NO-ENCRYPT' => new_RE( qr'.\.(UNDECIPHERABLE)$'i, ),
'DEFAULT' => new_RE( [ qr'.*' => 0 ]),


or banned_filename

check also yor clamd config (/opt/zimbra/conf).

I don't remember this, but probably Zimbra has GUI feature to enable / disable blocking encrypted archives.