Thread: AV Catching Only a Few Attachments

  1. #1
    tommyf is offline Junior Member
    Join Date
    Jul 2011
    Posts
    9
    Rep Power
    4

    Spent hours today looking for a solution and I'm pretty confused, so I hope this makes sense.

    I am running ZCS 7.x
    AV is set to not block encrypted attachments, PDFs generally come through fine.

    Problem: A few non-encrypted PDFs, maybe 2 per week, get marked as having a virus, always from known and trusted individuals. Is there a way to whitelist just these known individuals and get these through?
    — OR —
    I would even be happy to be able to "release" these manually to the recipients, but the various methods described in these forums don't work for me. The quarantined files do not show up in the /opt/zimbra/data/amavisd/quarantine folder. I can't find where Zimbra is putting these quarantined files that it notifies me of. The quarantine folder does have files, all starting with "badh" or "banned", but none that start with "virus", which is what the notification email tells me the filename will be.

    Are locations different in ZCS 7? I've done full file searches for the virus filename and can't locate it. Are they stored in MySQL now?

    Any way to "release" these or whitelist known users so their attachments always come through?

    Thanks,

    TommyF

  2. #2
    gromit08 is offline Junior Member
    Join Date
    Sep 2012
    Posts
    6
    Rep Power
    2

    Sorry that this message isn't going to provide any help. I have the same/similar issue.

    Release methods might work, but the problem is finding the message.

    All messages in the /opt/zimbra/data/amavisd/quarantine folder start with badh- and then 12 alphanumeric characters. But nothing in the message received is the same as any file in the quarantine. The message is in the inbox of the virus-quarantine user in Zimbra, but forwarding it fails (still gets virus scanned), and nothing in the header (even the X-Quarantine-ID) matches anything in the names of the files in the quarantine folder.

    The virus message says something like:

    VIRUS ALERT

    Our content checker found
    virus: Heuristics.Encrypted.PDF

    in an email to you from probably faked sender:
    ?@[IP Address]
    claiming to be: <user@domain.tld>

    Content type: Virus
    Our internal reference code for your message is 5digits-2digits/12AlphaNumeric

    First upstream SMTP client IP address: [IPAddress] server.domain.tld
    According to a 'Received:' trace, the message apparently originated at:
    [IPAddress], server.domain.tld server.domain.tld [IPAddress]

    Return-Path: <user@domain.tld>
    From: user@domain.tld
    Message-ID: blah.blah.blah
    X-Mailer: Zimbra 7.2.0_GA_2681 (ZimbraWebClient - FF3.0 (Win)/7.2.0_GA_2681)
    Subject: stuff
    The message has been quarantined as: user@domain.tld

  3. #3
    afrojoe is offline Intermediate Member
    Join Date
    Mar 2012
    Posts
    19
    Rep Power
    3

    I'm in the same boat.. it's really frustrating that there's nothing in the catch message to give you a hint as to which message it is.. lame.

  4. #4
    ccelis5215 is offline Elite Member
    Join Date
    Jun 2011
    Location
    Caracas Venezuela
    Posts
    470
    Rep Power
    4

    Hello, check $final_virus_destiny in amavis.conf.in; by default it has a DISCARD value.

    The message is actually in the virus-quarantine@domain.com account.

    ccelis
    Last edited by ccelis5215; 11-13-2012 at 08:02 PM. Reason: quarantine account
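
The check suggested in post #4, as an added example that is not part of the original thread: a small shell helper that reads the effective `$final_virus_destiny` and `$virus_quarantine_to` assignments from an amavisd config file and reports whether virus quarantine goes to a mailbox or to local files. The function names and the sample config are constructed for illustration, and treating a value containing `@` as a mailbox address is an assumption based on that post; pass the path of your own config file.

```shell
#!/bin/sh
# Added example (not from the thread). Helper names are hypothetical.

# Print the value of the last uncommented "$name = value;" assignment.
# $1 = variable name without the leading "$", $2 = config file
amavis_setting() {
    sed -n 's/^[[:space:]]*\$'"$1"'[[:space:]]*=[[:space:]]*\([^;]*\);.*/\1/p' "$2" |
        tail -n 1 | tr -d "'\"" | sed 's/[[:space:]]*$//'
}

# Summarise where mail flagged as a virus ends up.
describe_virus_handling() {
    conf=$1
    destiny=$(amavis_setting final_virus_destiny "$conf")
    qto=$(amavis_setting virus_quarantine_to "$conf")
    echo "final_virus_destiny=${destiny:-unset}"
    echo "virus_quarantine_to=${qto:-unset}"
    case $qto in
        # Assumption: an address with "@" is a quarantine mailbox, so no
        # virus-* files appear in the quarantine directory.
        *@*) echo "quarantine=mailbox" ;;
        "")  echo "quarantine=unset" ;;
        *)   echo "quarantine=local" ;;
    esac
}

# Constructed sample config; real files contain many more settings.
sample_conf() {
    cat <<'EOF'
# $final_virus_destiny = D_BOUNCE;
$final_virus_destiny = D_DISCARD;   # not delivered, sender not notified
$QUARANTINEDIR = '/opt/zimbra/data/amavisd/quarantine';
$virus_quarantine_to = 'virus-quarantine@domain.tld';
EOF
}

tmp=$(mktemp)
sample_conf > "$tmp"
describe_virus_handling "$tmp"
rm -f "$tmp"
```
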
