Antivirus ClamAV zimbra 8.8.x

mbaldazzi85
Posts: 7
Joined: Wed May 23, 2018 8:50 am

Antivirus ClamAV zimbra 8.8.x

Post by mbaldazzi85 »

Hello everyone,

The Zimbra antivirus does not work well. It lets many emails with malicious links inside pass through.

The same version of ClamAV on Postfix works well and blocks the emails that Zimbra lets pass.

Does anyone have any ideas or solutions?

Thanks in advance.
L. Mark Stone
Ambassador
Posts: 2796
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine, US
ZCS/ZD Version: 10.0.6 Network Edition

Re: Antivirus ClamAV zimbra 8.8.x

Post by L. Mark Stone »

mbaldazzi85 wrote: Hello everyone,

The Zimbra antivirus does not work well. It lets many emails with malicious links inside pass through.

The same version of ClamAV on Postfix works well and blocks the emails that Zimbra lets pass.

Does anyone have any ideas or solutions?

Thanks in advance.
Perhaps my AntiSpam Best Practices Guide will help:

https://www.missioncriticalemail.com/20 ... ices-2019/

All the best,
Mark
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
AWS Certified Solutions Architect-Associate
mbaldazzi85
Posts: 7
Joined: Wed May 23, 2018 8:50 am

Re: Antivirus ClamAV zimbra 8.8.x

Post by mbaldazzi85 »

Thank you very much for the reply.
I tried some things without solving the problem of malicious links in the mail.
I believe the solution is a third-party software that costs about $3 per mailbox.
L. Mark Stone
Ambassador
Posts: 2796
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine, US
ZCS/ZD Version: 10.0.6 Network Edition

Re: Antivirus ClamAV zimbra 8.8.x

Post by L. Mark Stone »

Yes, malicious links inside emails sent from otherwise well-configured email servers are a big problem.

Either or both of the uribl and invaluement lists in my blog post will help greatly.

Although it is not supported, many use the invaluement list for right hand side blocking outright as well. Doing so runs a risk of false positives.

Depending on your mail volume, your cost for each of those lists should be less than $3/mailbox/year.

Hope that helps,
Mark
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
AWS Certified Solutions Architect-Associate
mbaldazzi85
Posts: 7
Joined: Wed May 23, 2018 8:50 am

Re: Antivirus ClamAV zimbra 8.8.x

Post by mbaldazzi85 »

Thank you, Mark.
The strange thing is that another Postfix mail server without Zimbra, which uses the same version of ClamAV, blocks the same mail that Zimbra lets pass.

I think it's a weakness of Zimbra.
DualBoot
Elite member
Posts: 1326
Joined: Mon Apr 18, 2016 8:18 pm
Location: France - Earth
ZCS/ZD Version: ZCS FLOSS - 8.8.15 Multi servers

Re: Antivirus ClamAV zimbra 8.8.x

Post by DualBoot »

Hello,

You can use some extra packages which are missing from the base Zimbra ClamAV installation.
You can check this in the log when you restart ClamAV.

Regards,
JDunphy
Outstanding Member
Outstanding Member
Posts: 889
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 9.0.0_P39 NETWORK Edition

Re: Antivirus ClamAV zimbra 8.8.x

Post by JDunphy »

mbaldazzi85 wrote: The strange thing is that another Postfix mail server without Zimbra, which uses the same version of ClamAV, blocks the same mail that Zimbra lets pass.

I think it's a weakness of Zimbra.
We have not found Zimbra to be the problem, but it does require that you customize your SA/virus solution to maximize your results. But to answer your question...
We use Zimbra's clamav, including our own custom yara rules. It's pretty flexible, and it's even possible to have clamav contribute to SA scoring for difficult email where normal spam filtering would have to work fairly hard for certain signatures. It's a pretty cool and underrated piece of software that doesn't get enough discussion IMO. Last year we were struggling with a difficult type of spam and our SA plugin was jumping through hoops trying to identify it... a custom yara rule and we were back in business.

Perhaps run this on both boxes. Look at the database section really carefully, and don't take anything from my output, as this is my development machine for yara rules which we don't update with freshclam.

Code:

%  clamconf -n -c /opt/zimbra/conf
Checking configuration files in /opt/zimbra/conf

Config file: clamd.conf
-----------------------
LogFile = "/opt/zimbra/log/clamd.log"
LogFileMaxSize = "20971520"
LogTime = "yes"
LogSyslog = "yes"
LogFacility = "LOG_LOCAL0"
PidFile = "/opt/zimbra/log/clamd.pid"
DatabaseDirectory = "/opt/zimbra/data/clamav/db"
LocalSocket = "/opt/zimbra/data/clamav/clamav.sock"
TCPSocket = "3310"
TCPAddr = "localhost"
StreamMaxLength = "100000000"
MaxThreads = "4"
User = "zimbra"
ArchiveBlockEncrypted = "yes"
MaxScanSize = "100000000"
MaxFileSize = "100000000"

Config file: freshclam.conf
---------------------------
PidFile = "/opt/zimbra/log/freshclam.pid"
DatabaseDirectory = "/opt/zimbra/data/clamav/db"
UpdateLogFile = "/opt/zimbra/log/freshclam.log"
DatabaseMirror = "db.us.clamav.net", "database.clamav.net"
NotifyClamd = "/opt/zimbra/conf/clamd.conf"

clamav-milter.conf not found

Software settings
-----------------
Version: devel-8.8.0.beta1-37-gd4c1be5
WARNING: Version mismatch: libclamav=devel-8.8.0.beta1-37-gd4c1be5, clamconf=0.99.4
Optional features supported: MEMPOOL IPv6 AUTOIT_EA06 BZIP2 LIBXML2 PCRE ICONV RAR JIT

Database information
--------------------
Database directory: /opt/zimbra/data/clamav/db
main.cld: version 58, sigs: 4566249, built on Wed Jun  7 14:38:10 2017
bytecode.cld: version 328, sigs: 94, built on Wed Jan  2 06:42:37 2019
bytecode.cvd: version 328, sigs: 94, built on Wed Jan  2 06:42:37 2019
daily.cld: version 25512, sigs: 1657948, built on Tue Jul 16 01:09:55 2019
[3rd Party] yara_dangerousattach.yar: 16 sigs
[3rd Party] yara_test_name.yar: 16 sigs
Total number of signatures: 6224417

Platform information
--------------------
uname: Linux 2.6.32-696.18.7.el6.x86_64 #1 SMP Thu Jan 4 17:31:22 UTC 2018 x86_64
OS: linux-gnu, ARCH: x86_64, CPU: x86_64
zlib version: 1.2.3 (1.2.3), compile flags: a9
Triple: x86_64-unknown-linux-gnu
CPU: i686, Little-endian
platform id: 0x0a2155550804040701040407

Build information
-----------------
GNU C: 4.4.7 20120313 (Red Hat 4.4.7-16) (4.4.7)
GNU C++: 4.4.7 20120313 (Red Hat 4.4.7-16) (4.4.7)
CPPFLAGS: -I/opt/zimbra/common/include
CFLAGS: -O2 -g -fno-strict-aliasing  -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE
CXXFLAGS: 
LDFLAGS: -L/opt/zimbra/common/lib -Wl,-rpath,/opt/zimbra/common/lib
Configure: '--prefix=/opt/zimbra/common' '--libdir=/opt/zimbra/common/lib' '--with-openssl=/opt/zimbra/common' '--with-xml=/opt/zimbra/common' '--with-user=zimbra' '--with-group=zimbra' '--with-included-ltdl' '--disable-clamav' '--enable-milter' 'CFLAGS=-O2 -g' 'LDFLAGS=-L/opt/zimbra/common/lib -Wl,-rpath,/opt/zimbra/common/lib' 'CPPFLAGS=-I/opt/zimbra/common/include' 'PKG_CONFIG_PATH=:/usr/lib64/pkgconfig:/usr/share/pkgconfig' --enable-ltdl-convenience
sizeof(void*) = 8
Engine flevel: 85, dconf: 85

If that looks identical, the next step is to bring over your better rules and run it by hand on Zimbra with a single email to see if things work as expected. It sounds like you might have some additional rules on your standalone Postfix server if the configurations and versions are the same. Failing that, you can always point Zimbra to your Postfix clamd. Clamd is a server and you can telnet to it and test it. Here is an example under Zimbra to show the concept.

Code:

telnet 127.0.0.1 3310
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
nPING
PONG
Connection closed by foreign host.

Here is a dump of some places we look for rules and other references.

Code:

# yara rules
https://github.com/Yara-Rules/rules
# yara documentation
https://yara.readthedocs.io/en/v3.8.1/
# yara debugging
https://github.com/VirusTotal/yara

Hint: use the --debug flag and -v when you run clamscan by hand to understand why your environments are different.

HTH,

Jim
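The nPING exchange Jim shows over telnet, plus a stream scan, done from a small Python client so the same check can be scripted on both hosts. This is an added example, not code from the thread, from Zimbra or from ClamAV; the host and port default to the TCPAddr and TCPSocket values in the clamd.conf printed above, and the only sample input is the public EICAR test string, constructed inline.

```python
"""Minimal clamd TCP client (added example; not the thread's or ClamAV's code).

It uses the newline-terminated command form ("n" prefix) seen in the telnet
session above: nPING expects PONG, and nINSTREAM streams data in
length-prefixed chunks and answers "stream: <name> FOUND" or "stream: OK".
"""
import socket
import struct
from typing import Iterator, Tuple

# Defaults taken from the TCPAddr / TCPSocket lines of the clamd.conf above.
CLAMD_HOST = "localhost"
CLAMD_PORT = 3310

# Public, harmless EICAR test string, constructed as sample input. It is
# split in two so this source file is not itself flagged by a mail scanner.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$" + b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def instream_chunks(data: bytes, chunk_size: int = 65536) -> Iterator[bytes]:
    """Frame data for INSTREAM: a 4-byte big-endian length then the bytes,
    one frame per chunk, terminated by a zero-length frame. clamd answers
    with an ERROR reply once the total exceeds StreamMaxLength in clamd.conf."""
    for offset in range(0, len(data), chunk_size):
        chunk = data[offset:offset + chunk_size]
        yield struct.pack(">I", len(chunk)) + chunk
    yield struct.pack(">I", 0)


def parse_scan_reply(reply: bytes) -> Tuple[str, str]:
    """Split a clamd reply into (status, detail).

    'stream: Eicar-Test-Signature FOUND'  -> ('FOUND', 'Eicar-Test-Signature')
    'stream: OK'                          -> ('OK', '')
    'INSTREAM size limit exceeded. ERROR' -> ('ERROR', 'INSTREAM size limit exceeded.')
    """
    text = reply.decode(errors="replace").strip()
    _name, sep, verdict = text.partition(": ")
    if not sep:                  # error replies carry no "stream:" prefix
        verdict = text
    if verdict == "OK":
        return "OK", ""
    status = verdict.rsplit(" ", 1)[-1]
    detail = verdict[: len(verdict) - len(status)].strip()
    return status, detail


def clamd_command(command: bytes, payload: bytes = b"", host: str = CLAMD_HOST,
                  port: int = CLAMD_PORT, timeout: float = 30.0) -> bytes:
    """Send one command (plus an optional INSTREAM payload) and return the raw reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(command)
        if payload:
            sock.sendall(payload)
        reply = b""
        while not reply.endswith(b"\n"):   # "n" commands get newline-terminated replies
            part = sock.recv(4096)
            if not part:
                break
            reply += part
    return reply


def ping(host: str = CLAMD_HOST, port: int = CLAMD_PORT) -> bool:
    """The nPING / PONG handshake from the telnet session above."""
    return clamd_command(b"nPING\n", host=host, port=port).strip() == b"PONG"


def scan_bytes(data: bytes, host: str = CLAMD_HOST, port: int = CLAMD_PORT) -> Tuple[str, str]:
    """Scan an in-memory message (for example a saved .eml) without writing it to disk."""
    payload = b"".join(instream_chunks(data))
    return parse_scan_reply(clamd_command(b"nINSTREAM\n", payload, host=host, port=port))


if __name__ == "__main__":
    try:
        print("PING  ->", "PONG" if ping() else "unexpected reply")
        # A FOUND verdict is expected once signatures are loaded.
        print("EICAR ->", scan_bytes(EICAR))
    except OSError as exc:
        print(f"cannot reach clamd on {CLAMD_HOST}:{CLAMD_PORT}: {exc}")
```

Run it as the zimbra user on the Zimbra box and, with the host changed, against the Postfix box's clamd: if the same saved message comes back FOUND on one and OK on the other while the PING succeeds on both, the difference is in the loaded signatures, not in the transport.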
mbaldazzi85
Posts: 7
Joined: Wed May 23, 2018 8:50 am

Re: Antivirus ClamAV zimbra 8.8.x

Post by mbaldazzi85 »

Thanks JDunphy,
here is my DB status.
I added some custom DBs some time ago.
It looks like only bytecode.cld and daily.cld are updated; why not the others?


--------------------------------------------------------------------------------------------
Database information
--------------------
Database directory: /opt/zimbra/data/clamav/db
main.cvd: version 57, sigs: 4218790, built on Thu Mar 17 00:17:06 2016
daily.cld: version 25499, sigs: 1609077, built on Wed Jul 3 10:03:10 2019
daily.cvd: version 21684, sigs: 238797, built on Tue Jun 7 03:37:50 2016
[3rd Party] badmacro.ndb: 540 sigs
main.cld: version 58, sigs: 4566249, built on Wed Jun 7 23:38:10 2017
[3rd Party] rogue.hdb: 3778 sigs
bytecode.cld: version 328, sigs: 94, built on Wed Jan 2 15:42:37 2019
bytecode.cvd: version 278, sigs: 50, built on Mon Jun 6 19:41:14 2016
Total number of signatures: 10637375
--------------------------------------------------------------------------------------------
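A parser for the "Database information" section that clamconf prints, with a diff between two hosts and two sanity checks, which is the comparison Jim suggests making by eye and the question asked directly above (why only some files look updated). This is an added example, not code from the thread or from ClamAV; the two sample sections are copied from the clamconf outputs posted in this thread, and the two-day freshness threshold for daily is an assumption.

```python
"""Compare clamconf "Database information" sections from two hosts.

Added example, not the thread's or ClamAV's own code. The sample sections
at the bottom are copied from the two clamconf outputs posted in this thread.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

OFFICIAL_RE = re.compile(r"^(\S+): version (\d+), sigs: (\d+), built on (.+)$")
THIRD_PARTY_RE = re.compile(r"^\[3rd Party\] (\S+): (\d+) sigs$")


@dataclass
class DbFile:
    name: str
    sigs: int
    version: Optional[int] = None     # None for third-party files
    built: Optional[datetime] = None  # None for third-party files

    @property
    def base(self) -> str:            # 'daily' for both daily.cvd and daily.cld
        return self.name.rsplit(".", 1)[0]


def parse_database_section(text: str) -> Dict[str, DbFile]:
    """Map file name -> DbFile for every signature file clamconf lists."""
    files: Dict[str, DbFile] = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = OFFICIAL_RE.match(line)
        if m:
            built = datetime.strptime(m.group(4).strip(), "%a %b %d %H:%M:%S %Y")
            files[m.group(1)] = DbFile(m.group(1), int(m.group(3)), int(m.group(2)), built)
            continue
        m = THIRD_PARTY_RE.match(line)
        if m:
            files[m.group(1)] = DbFile(m.group(1), int(m.group(2)))
    return files


def diff_databases(reference: Dict[str, DbFile], target: Dict[str, DbFile]) -> List[str]:
    """Files or versions that differ between the working host and the suspect one."""
    out = []
    for name in sorted(set(reference) | set(target)):
        a, b = reference.get(name), target.get(name)
        if a is None:
            out.append(f"{name}: only on target ({b.sigs} sigs)")
        elif b is None:
            out.append(f"{name}: only on reference ({a.sigs} sigs)")
        elif (a.version, a.sigs) != (b.version, b.sigs):
            out.append(f"{name}: reference v{a.version}/{a.sigs} sigs vs target v{b.version}/{b.sigs} sigs")
    return out


def find_cvd_cld_pairs(files: Dict[str, DbFile]) -> List[str]:
    """Same database present as both .cvd and .cld. freshclam replaces the .cvd
    with a .cld when it applies incremental updates, so a leftover .cvd means
    an update did not complete cleanly; check freshclam.log before cleaning up."""
    by_base: Dict[str, List[DbFile]] = {}
    for f in files.values():
        if f.name.endswith((".cvd", ".cld")):
            by_base.setdefault(f.base, []).append(f)
    return [f"{base}: both " + ", ".join(f"{p.name} v{p.version}" for p in sorted(pair, key=lambda p: p.name)) + " present"
            for base, pair in sorted(by_base.items()) if len(pair) > 1]


def find_outdated_daily(files: Dict[str, DbFile], now: datetime,
                        max_age: timedelta = timedelta(days=2)) -> List[str]:
    """daily.* is rebuilt several times a day; anything older than max_age (an
    assumed threshold) means freshclam is not running or cannot reach a mirror."""
    return [f"{f.name}: built {f.built:%Y-%m-%d}, older than {max_age.days} days"
            for f in files.values() if f.base == "daily" and f.built and now - f.built > max_age]


# Sample input: the two Database information sections posted in this thread.
REFERENCE_SECTION = """\
main.cld: version 58, sigs: 4566249, built on Wed Jun  7 14:38:10 2017
bytecode.cld: version 328, sigs: 94, built on Wed Jan  2 06:42:37 2019
bytecode.cvd: version 328, sigs: 94, built on Wed Jan  2 06:42:37 2019
daily.cld: version 25512, sigs: 1657948, built on Tue Jul 16 01:09:55 2019
[3rd Party] yara_dangerousattach.yar: 16 sigs
[3rd Party] yara_test_name.yar: 16 sigs
"""

TARGET_SECTION = """\
main.cvd: version 57, sigs: 4218790, built on Thu Mar 17 00:17:06 2016
daily.cld: version 25499, sigs: 1609077, built on Wed Jul 3 10:03:10 2019
daily.cvd: version 21684, sigs: 238797, built on Tue Jun 7 03:37:50 2016
[3rd Party] badmacro.ndb: 540 sigs
main.cld: version 58, sigs: 4566249, built on Wed Jun 7 23:38:10 2017
[3rd Party] rogue.hdb: 3778 sigs
bytecode.cld: version 328, sigs: 94, built on Wed Jan 2 15:42:37 2019
bytecode.cvd: version 278, sigs: 50, built on Mon Jun 6 19:41:14 2016
"""

if __name__ == "__main__":
    ref, tgt = parse_database_section(REFERENCE_SECTION), parse_database_section(TARGET_SECTION)
    for line in diff_databases(ref, tgt) + find_cvd_cld_pairs(tgt) + find_outdated_daily(tgt, datetime.now()):
        print(line)
```

On the section above this produces three .cvd/.cld pairs (bytecode, daily, main) and two stale daily files; the per-file signature counts also add up to exactly the "Total number of signatures" line, so clamconf is counting the leftover .cvd copies as well.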
mbaldazzi85
Posts: 7
Joined: Wed May 23, 2018 8:50 am

Re: Antivirus ClamAV zimbra 8.8.x

Post by mbaldazzi85 »

After updating Zimbra to version 8.8.15 P2 the result does not change.
Zimbra does not block infected attachments or bad links.
This is the scan result for a virus detected by another ClamAV, which I use together with Postfix on another server.


/opt/zimbra/common/bin/clamscan --database=/opt/zimbra/data/clamav/db /SAMPLE_arj

----------- SCAN SUMMARY -----------
Known viruses: 6361556
Engine version: 0.101.4
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 1.86 MB
Data read: 0.75 MB (ratio 2.48:1)
Time: 47.535 sec (0 m 47 s)