ClamWin not working proper

[Farcaster]

I just tried to activate the ClamWin Antivirus on Mailenable Enterprise Edition.
The Message Filter is setup properly and when i click the Test-Button the test recognizes the Eicar Virus and returns 1.

But when i send myself the Testfile with the Eicar-Virus, my local Avast cries but the email runs through the MTA without any detection - for sure i disabled the "Bypass authenticated Senders". I have also several scans in the real time monitor without any detection and Emails with virus attachments just runs through.

Any ideas?

Thx.

[MailEnable-Ian]

Hi,

If you a have resident AV scanner (Avast) enabled on the server and scanning the MailEnable queues it will detect the eicar and remove the attachment or disinfect the message before the MTA filtering is able to. Therefore disable the resident AV filtering or exclude the MailEnable "Queues" folder from the resident AV scanner.

[Farcaster]

Hi Ian,

you misunderstood. On the Server there runs only the ClamWin which detects no virus.No other Virus-Service is running there.
Avast just runs on my PC at home.

[MailEnable-Ian]

Hi,

Try your tests locally on the server. I.e: Download the eicar test file on the server. Then use the MailEnable client web mail locally on the server (i.e: http://mewebmail.localhost or http://localhost/mewebmail) and attach the file to a message and send to self locally to see if the filter triggers.

[Farcaster]

Its not triggering.

In the Spam-Statistics i have > 1000 Antivirus Scans without any detection in the last several hours - additionally the ClamWin Servie is consuming lot of CPU Power, but not even 1 Virus is detected. It makes also no difference if i activate the ClamV-Message Filter or not.

[MailEnable-Ian]

Hi,

Did you install ClamAV via the MailEnable installer? Or was it installed separately? Perhaps private message me a Teamviewer session or RDP login details and ill take a quick look at the configuration.

[Farcaster]

I installed it separately.
I PN you

[MailEnable-Ian]

Hi,

Ok if installed separably then you need to remove it and then run the MailEnable installer again and perform an upgrade. In the components to be installed window during the upgrade select to install ClamAV. If that does not work I will login and check further.

[Farcaster]

Hello Ian,

it seems to be working now, but i encountered some more problems...

First of all - the message is marked as a virus, but now i have an additional global message filter which copies this message to the "Quarantine" - but its still delivered to the Recipient unless i also add the action "Delete Message" - is there no "Move message to the Quarantine"?

Second: my CPU is running on 100% mostly the whole time - the Clamservice took the whole ressources... i decreased the MTA Threads alredy to 2 - still 100% - because of this - i think - i get sometimes the following message in the MTA-Log

08/26/16 11:02:25 Error scanning attachment - Command Line Scanner Process ("D:\Mail Enable\Antivirus\ClamAV\clamscan.exe" "D:\Mail Enable\Scratch\3232BDF974ED4F95B3E6BF55AFEF6110.MAI\0.ATT" --no-summary --database="D:\Mail Enable\Antivirus\ClamAV\db\main.cvd" --tempdir="D:\Mail Enable\Scratch") took too long and was terminated

Any ideas?

[MailEnable-Ian]

Hi,

First of all - the message is marked as a virus, but now i have an additional global message filter which copies this message to the "Quarantine" - but its still delivered to the Recipient unless i also add the action "Delete Message" - is there no "Move message to the Quarantine"?

>> No you need to add the action or "Delete Message" after the action to move to quarantine.

Second: my CPU is running on 100% mostly the whole time - the Clamservice took the whole ressources... i decreased the MTA Threads alredy to 2 - still 100% - because of this - i think - i get sometimes the following message in the MTA-Log

08/26/16 11:02:25 Error scanning attachment - Command Line Scanner Process ("D:\Mail Enable\Antivirus\ClamAV\clamscan.exe" "D:\Mail Enable\Scratch\3232BDF974ED4F95B3E6BF55AFEF6110.MAI\0.ATT" --no-summary --database="D:\Mail Enable\Antivirus\ClamAV\db\main.cvd" --tempdir="D:\Mail Enable\Scratch") took too long and was terminated

>> ClamAV will only run at 1 MTA thread therefore lower this to one and try your tests again. Also are you running the latest version of MailEnable 9.17?

[Brett Rowbotham]

I use the ClamAV native Windows port downloaded from http://oss.netfarm.it/clamav/ rather than the version supplied by ME.

With that version I have ClamAV scanner set up as a service and do the antivirus scans with clamdscan, as this allows me to run the MTA at 16 threads without a problem.

Cheers,
Brett

[Farcaster]

Hi Ian,

yes, i am running latest 9.17
I now decreased the MTA to 1 thread... 8 hours later i got this

2016-08-31_11h07_33.png (2.52 KiB) Viewed 14859 times

but a lot of viruses came through.

[MailEnable-Ian]

Hi,

Log a support ticket under "Upgrade" and provide server access and we will take a look in more detail.