Updates - CentOS 6.4 - Interworx 5.0.12

Hi,
I ran into several problems with updates.

  1. I did a version-check of clamav and found this Information.
ClamAV 0.97.8/18167/Wed Nov 27 12:48:31 2013

Package 3:clamav-0.97.8-102.rhe6x.iworx.x86_64 already installed and latest version

This Version is marked as outdated:

WARNING: Your ClamAV installation is OUTDATED!
WARNING: Local version: 0.97.8 Recommended version: 0.98

Do I have to wait for the next iworx-release or can it be replaced with the official Package(s)?

  2. Same, with Spamassassin I guess? These next messages should be shown when DNS:Net is newer than the Spamassassin installation, right?!
Nov 27 16:06:31 masterserver spamd[865]: Odd number of elements in hash assignment at /usr/lib64/perl5/Net/DNS/RR.pm line 452.
Nov 27 16:06:31 masterserver spamd[865]: RR name not specified at /usr/lib64/perl5/Net/DNS/Packet.pm line 234
Nov 27 16:06:31 masterserver spamd[865]: caught at /usr/share/perl5/Mail/SpamAssassin/DnsResolver.pm line 45

The Spamassassin installation is an iworx release, too. Version:

SpamAssassin version 3.3.1

The newest Version is Spamassassin 3.3.2

Any suggestions?

Thank you

Hi venom

I'm glad posting is working.

I consider both of these non-critical, and it is better to wait for official updates from Interworx releases.

I know certainly on clam av, the current version is still officially updated with sigs etc, and this outdated notice is also shown in mail logs, freshclam.

I know it’s possible to bring the clam av to latest version, and there are a few little cheats to save time compiling, but again I would wait (as I am) for the official release from IW. The cheats we tend to use primarily on Windows servers, which work well, but we rarely use the very latest versions.

I know there may be a difference of opinion by users on this forum, but that’s my thought.

I hope that helps

Many thanks

John

Seems like this means that the clamav definition database is outdated. You need to update it. Usually this is done automatically, on a daily basis.
You can run ‘freshclam’ manually via CLI to make a one time update, or run ‘freshclam -d’ to have it run as a daemon.
You can also add ‘freshclam --quiet’ to a cronjob.
Please check the following page on the clamav site for more information: http://www.clamav.net/doc/latest/html/node24.html

Hi Evanion

I hope you don’t mind, and I’ve reread my reply, which I don’t think I answered very well, in that perhaps I missed out information which I had understanding on, so I apologise, sorry.

I am reposting here with a pic, to show exactly what I was trying to say, which hopefully may save users time researching, unless they want to.

As I said, I personally would wait for official IW release, but if any user has good understanding, could update the version, but do so at their own risk. I purposefully have not divulged the build cheat, which at some point may not work, but so far has for our windows systems.

Once again, I’m sorry if my post was not easily understood.

Many thanks

John

I saw these too on my private iworx server. I’ll see what’s up.

Hi Mr T

The posted issue is that it’s just the version warning, which I think is being confused slightly with it not receiving current AV definition updates.

I know Evanion realises it's a version warning and not an AV definition update warning.

Also, I believe there will be a newer version than 0.98 due out soon, from memory, as 0.98 has been out quite a long time, so if you're thinking of releasing a new version update (please note this is not an AV database definition update) then I'd prefer if you wait for the next version.

For anyone interested, 0.98 can handle more file types etc and has a few fixes, but 0.97.8 and 0.98 both are supported and current with definitions.

I hope this helps a little

Many thanks

John

Hi,
Thanks for your answers. I think the best way is to wait for the next iworx update.
I’m not skilled using iworx and CentOS, so I won't build my own config.

I figured out that clamav is not working as expected. That means clamav doesn't scan any incoming mail etc. (This doesn't mean clamav is not working at all. Only the test virus eicar was detected. All other test viruses were neither found nor scanned.)

In the past I only used amavis, or qmail-toaster. The whole config looks really strange to me.

Sorry for misspelling. This text is written on a cellphone without English language support. It even corrects grammar and spelling…

EDIT: The Eicar-Signature was found and deleted. All other Test-Virus (Byteplant) were ignored.

Hi Venom

I hope you don’t mind, but I’ve read your post and run a test on our systems, please see picture for result, which as you see, shows clamav correctly working on email.

There are a couple of settings which could potentially show as clamav not scanning correctly, although clamav is correctly processing as per config rules, but as you have not exactly listed the reason for stating clamav not scanning email, I have not included them here.

Please could you check the following on your server, to make sure you have clamav running, (should be green bars) and also you have enabled clamav email scanning (outlined in black boxes).

If it helps, the easy way to understand clamav is that it is a separate program, which is called by qmail when needed (usually when emails have appeared in the queue), and should only tag the email as infected; it is qmail (or another program) which then takes action to remove/delete etc the emails, not clamav.

I hope that helps and I apologise in advance if I am wrong, sorry.

Many thanks

John

Hi,
thanks for the reply. I've edited my posting above (Eicar-Signature was found)

The Option “SMTP-Scanning” scans “outgoing Mails” only! Right? I need to scan “incoming Mails”.

Yes indeed, ClamAV is running, the signatures are up to date. That's the reason why I’m a bit confused …

I checked /var/qmail/control/simcontrol (The original Iworx-File) against my own Config.

simcontrol - default Interworx-Installation

:clam=yes,spam=yes,trophie=no,spam_hits=15,

My own Config:

cat simcontrol
.:clam=yes,spam=yes,spam_passthru=yes,attach=.ade:.adp:.app:.asd:.asf:.asp:.asx:.avi:.bas:.bat:.bin:.chm:.cil:.cla:.class: .cmd:.com:.cpl:.crt:.csh:.css:.dll:.dot:.email:.eml:.exe:.fxp:.hlp:.hta:.htm: .html:.inf:.ins:.isp:.js:.jse:.ksh:.lnk:.mda:.mdb:.mde:.mdt:.mdw:.mdz:.mov:.mp3: .mpe:.mpeg:.mpg:.msc:.msi:.msp:.mst:.nws:.ocx:.ops:.pcd:.pif:.pl:.pm:.pot:.pps: .prf:.prg:.ps:.rar:.reg:.scf:.scr:.sct:.shb:.shm:.shs:.url:.vb:.vbe:.vbs:.vxd: .wav:.wmd:.wmf:.wms:.wmz:.wsc:.wsf:.wsh:.wsz:.xsl:.xlt:.xlw:

The Attach-Settings are ignored completely. I'm sure they are correct and simscan should work.

Maybe you’d like to test it on your own System? --> http://www.emailsecuritycheck.net/

Hi venom

Many thanks, and sorry, yes it makes more sense about your issue.

I have run the test and seen some emails arrive, which you would expect but to be received.

I think though, but it’s been a long night for me tonight sorry, that you're getting confused over clamav and attachment blocker.

I’m not too sure if interworx has an attachment blocker or not, but I’ll look into it tomorrow and I’m pretty sure this is not a clamav issue, as clamav stopped eicar in bat format, whilst the attachments that were allowed through did not, as far as I see, contain eicar virus code, therefore were not stopped. I could be wrong though, sorry

I hope this helps clarify the issue better.

I hope that’s alright and I’ll post back once I’ve looked into more.

Many thanks

John

Hi Venom

I hope you don’t mind, but I have quickly looked into this and could be entirely wrong, sorry, but I believe you need to follow as below, but please note, your ripmime path is /usr/bin

Attachment Processing

To enable attachment processing in simscan use the following configure option
--enable-attach

You also need to install ripmime to extract the mime parts of the e-mail. If you installed ripmime in a place other than /usr/local/bin/ripmime, specify its PATH in the following configure option:
--enable-ripmime=PATH

Place your list of attachments to be blocked in the /var/qmail/control/ssattach file. The list should look something like this:
.scr
.pif
.bat

Each time an email comes in and simscan is started by qmail-smtpd, this file is read into an array. After simscan calls ripmime to break the email MIME parts into separate files in the tmp directory /var/qmail/simscan, simscan will check the list of attachments against the list of file names in the email. If the attachments are set to be blocked, Simscan will remove the temporary files and tell qmail-smtpd to reject the message.

In order to make file names and attachment names case insensitive, simscan forces everything to lower case. Then it does a reverse string comparison for each file name against each attachment name. If there is a match then the email is rejected and control passes back up to qmail-smtpd for the final email rejection.

Simscan will then report to the smtp log a message similar to:
simscan: IP-of-sender pid pid-of-simscan: invalid attachment: FileName from: FromAddress to: ToAddress

If custom rejection messages are enabled then qmail-smtpd will report a failure message similar to:
Your email was rejected because it contains a bad attachment: FileName

The main advantages of using attachment blocking are:

You can block files regardless of whether they are virus infected or not. This becomes handy when new undetectable viruses appear on the Net and start spreading through, for example, .bat .scr and .pif files. Block these extensions permanently, users never need these files. If you are not using attachment blocking, these viruses will sneak in until your antivirus software updates its virus database.

Attachment blocking is very lightweight. You don’t have to spawn clamdscan, it doesn’t have to scan stuff; it’s just simply rejected. If you have a large volume of email going through your server this can make the difference between being fine with your current hardware, or needing to buy another server.

It's an opportunity to reduce bandwidth and employees' “play time” if you block the funny .mp3, .avi, .mpeg, etc, files.

If you are not interested in attachment blocking, just don’t use the ‘--enable-attach’ configure option. Attachment blocking is disabled by default. You should then enable one antivirus scanner to scan your messages for viruses.

If you want to read more, please see this link http://www.qmailwiki.org/Simscan/Guide#attachment_blocking

I hope it helps

Many thanks

John
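The matching step described in the guide text quoted above (force everything to lower case, then compare the end of each file name against each listed extension), as an added Python example that is not simscan's code and not part of the original post. The function names, the shortened simcontrol-style line and the file names are constructed for illustration.

```python
# Added illustration of the attachment check as the quoted guide describes it.
# This is not simscan's source; names and sample data are constructed.

SAMPLE_LINE = ":clam=yes,spam=yes,attach=.bat:.EXE: .pif:.scr"  # constructed

def parse_simcontrol_line(line):
    """Split 'scope:key=val,key=val,...' into (scope, options dict)."""
    # Only the first ':' ends the scope; the attach list reuses ':' internally.
    scope, _, rest = line.strip().partition(":")
    options = {}
    for item in rest.split(","):
        if "=" in item:
            key, value = item.split("=", 1)
            options[key.strip()] = value.strip()
    return scope, options

def attach_list(options):
    """Return the attach= extensions, lower-cased.

    Assumption: whitespace around an entry is dropped here. Whether simscan
    itself tolerates spaces inside the list is not stated on the page.
    """
    raw = options.get("attach", "")
    return [e.strip().lower() for e in raw.split(":") if e.strip()]

def blocked_by(filename, extensions):
    """Return the extension that the file name ends with, or None."""
    name = filename.lower()
    for ext in extensions:
        if name.endswith(ext):   # comparison anchored at the end of the name
            return ext
    return None

if __name__ == "__main__":
    scope, options = parse_simcontrol_line(SAMPLE_LINE)
    exts = attach_list(options)
    for name in ["Invoice.PDF.EXE", "setup.SCR", "notes.bat.txt", "report.pdf"]:
        hit = blocked_by(name, exts)
        print(f"{name:18} -> {'reject (' + hit + ')' if hit else 'pass'}")
```

A name such as notes.bat.txt passes because only the end of the name is compared, while Invoice.PDF.EXE is rejected regardless of case.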

Hi venom

I hope you don’t mind but I’ve tested the above and I don’t think simscan has been compiled with attachment blocking enabled.

To fully test I need to recompile using our test system which I’ll try to do this week but I may not know the exact paths used originally.

If you try to recompile yourself, please could you post your result if possible.

Many thanks

John

Paul was doing some fixes to Clam AV recently.

Here’s the ticket he opened:

Old location: /var/lib/clamav/
New location: /var/clamav/

Reason: compatibility with ASL clamav updates

We need to update iworx code to look in the right place.

There’s a few others in there too:

On every update we need to make sure that

  1. DatabaseDirectory in /etc/freshclam.conf and /etc/clamd.conf is set to /var/lib/clamav
  2. that we run freshclam manually in %post.

This is needed because ASL likes to swap this around if their clamav rpms get installed and it causes problems when ours updates.

(Not sure if this helps, but I think they’re looking in to this at least on ASL.
Could be a similar issue in Cent)
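One way to run the check the ticket asks for, that DatabaseDirectory in both config files is set to /var/lib/clamav, as an added Python example that is not Interworx code. The function names and the two sample config texts are constructed; on a real server the texts would be read from /etc/freshclam.conf and /etc/clamd.conf.

```python
# Added illustration: compare DatabaseDirectory across ClamAV config files.
# Sample config contents below are constructed, not taken from a real server.

EXPECTED = "/var/lib/clamav"  # value named in the ticket quoted above

SAMPLE_CONFIGS = {
    "/etc/freshclam.conf": "# constructed sample\nDatabaseDirectory /var/lib/clamav\n",
    "/etc/clamd.conf": "# constructed sample\nLogSyslog yes\nDatabaseDirectory /var/clamav\n",
}

def database_directories(conf_text):
    """Return every active DatabaseDirectory value found in one config text."""
    values = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # skip blanks and comment lines
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] == "DatabaseDirectory":
            # Drop optional quotes and a trailing slash before comparing.
            values.append(parts[1].strip('"').rstrip("/") or "/")
    return values

def check(configs, expected=EXPECTED):
    """configs maps path -> file text. Return a list of problems (empty = OK)."""
    problems = []
    for path, text in configs.items():
        values = database_directories(text)
        if not values:
            problems.append(f"{path}: DatabaseDirectory not set (built-in default applies)")
        elif len(set(values)) > 1:
            problems.append(f"{path}: conflicting DatabaseDirectory values {values}")
        elif values[0] != expected:
            problems.append(f"{path}: DatabaseDirectory is {values[0]}, expected {expected}")
    return problems

if __name__ == "__main__":
    for problem in check(SAMPLE_CONFIGS) or ["all configs agree"]:
        print(problem)
```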

Hi Mr T

Sorry, as far as I know, centos just uses static directories as set in freshclam and clam etc, which is same on windows os as well. It does not matter which directories are used so long as they have correct permissions on them.

I hope that helps a little and sorry if I’m wrong

Also, interestingly, I’m thinking more the issue venom is reporting is more attachment blocker than clamav, as the test I did, on my computer, the antivirus did not detect any issue with email, we use avast on the computer I use, so if 2 av don’t detect issues, I don’t think it’s av issue.

Many thanks

John

Thank you all for your response :slight_smile: John you are at my Side!

The directories are no problem, the only problem is that simscan (as John already posted) is not compiled for attachment scanning. I know your posted tutorial but I won't try this because (as known) simscan needs to be recompiled.

[QUOTE=d2d4j;24959]
Also, interestingly, I’m thinking more the issue venom is reporting is more attachment blocker than clamav, as the test I did, on my computer, the antivirus did not detect any issue with email, we use avast on the computer I use, so if 2 av don’t detect issues, I don’t think it’s av issue.

John[/QUOTE]

Yes right, detected viruses should be blocked by ClamAV / Simscan. My local AV (F-Secure) detects all incoming test viruses if they are executed but that doesn't matter. I need them blocked before they are delivered. (Like Amavis-New) :wink:

Hi venom

Many thanks, I personally don’t think it should be a big issue recompiling, apart from it needs testing in a test server, which I have not had time for as yet.

I also think it might be classed as a feature upgrade, and it would be nice to see an input screen to turn on/off and input file types to be blocked.

I know this can be server wide or user specific, which I prefer server wide to be honest. Our enterprise mailers are domain specific for attachment blocking but also server wide, so we have the best of both worlds, but you have to remember these are dedicated mail clusters we use, not all in ones as it were, but from what I’ve read, simscan can only be domain or server wide and not both, but then again, there’s no additional costs.

Many thanks

John

Hi Venom

I have been looking into this, and quickly tested on a test server we brought online, but I am getting a little stuck, I’m not too sure if it’s because I downloaded a different simscan package, but it appears to compile correctly, with the options I input, but on testing, it does not stop the attachment. I shall keep trying though.

Also, I have I believe found the original reason why attachment blocking was not enabled, and it is a rather old post, but may still be valid today perhaps, but at least it’s good to know Interworx are keeping it stable. http://forums.interworx.com/threads/973-Simscan-ssattach

Many thanks

John

Hi John,
I would try but I don't have a test-server yet. So I should not try it on a running system with customers on it :rolleyes: I already read the thread you linked to, the thread was posted in 2005. I don't think it helps to fix my little “issue”.

Many Thanks to you!!! :slight_smile:

Do you think that reinstalling simscan using “yum reinstall simscan***” asks for new configuration options?

Hi venom

I’m sorry I think yum was the first I tried, including upgrade command. I think anyway sorry, I don’t seem to remember, sorry.

I think interworx produced an rpm and the package I used was tar gz, directly from simscan, intel7 or similar.

I would never advise testing on a live system, to be honest, I refrain from giving too much just for that reason, in case someone decided to try it.

I will try again this week hopefully, but I only have limited time, but I’ll do a little more reading first.

I hope that’s alright, and if anyone has any suggestions, please feel free to post.

Many thanks

John