Question How to remove viruses with Clamav via Spamassassin

[hitd]

I don't know, this seems to reject anything at the moment and I don't even think rejecting is the best method, it should be silently discarded or quarantined. I think I maybe try to use another approach with amavisd.

take a simple mail from mailDir and pipe trough the mailhandler.

Increase debug from level 1, wich is default to maybe 4.

If you want silently discard simply change following:


print STDERR "LOG HITDVIRUS drweb result: REJECT VIRUS $virus_name\n";
print STDERR "REJECT VIRUS $virus_name\n";
print STDOUT "virus signature found drweb: $virus_name\n";

cat eicar-signature.txt| drwebdc -orv - [16:27:00]
dwlib: fd: connect() failed - Connection refused
dwlib: tcp: connecting to 127.0.0.1:3000 - failed
dwlib: cannot create connection with a DrWeb daemon
dwlib: fd: connect() failed - Connection refused
dwlib: tcp: connecting to 127.0.0.1:3000 - failed
dwlib: cannot create connection with a DrWeb daemon
ERROR: cannot retrieve daemon version
Error -12, cannot connect to daemon address

Its Dr. Web, not my script

root@puck983:~# netstat -lntp | grep :300
tcp 0 0 127.0.0.1:3000 0.0.0.0:* LISTEN 1593/drwebd.real
tcp 0 0 127.0.0.1:3001 0.0.0.0:* LISTEN 5231/grafana-server
root@puck983:~#

could be grafana occupies the port.
see Important - Plesk Obsidian Releases

 

[andreios]

Key file: /opt/drweb/drweb32.key - Key file was not found! (No such file or directory)
Oh I thought this was part of the package. So I have to buy it? Strange

 

[hitd]

Key file: /opt/drweb/drweb32.key - Key file was not found! (No such file or directory)
Oh I thought this was part of the package.

Thats OK, no panic

If you buy a full license of plesk antivir you get drweb32.key

This is startup here:

Mär 07 07:36:32 puck983 drwebd[1593]: Dr.Web (R) daemon for Linux/Plesk Edition v6.0.2.1
Mär 07 07:36:32 puck983 drwebd[1593]: Copyright (c) Igor Daniloff, 1992-2022
Mär 07 07:36:32 puck983 drwebd[1593]: Doctor Web, Moscow, Russia
Mär 07 07:36:32 puck983 drwebd[1593]: Support service: Dr.Web — innovative anti-virus technologies. Comprehensive protection from Internet threats.
Mär 07 07:36:32 puck983 drwebd[1593]: To purchase: Dr.Web — innovative anti-virus technologies. Comprehensive protection from Internet threats.
Mär 07 07:36:32 puck983 drwebd.real[1593]: Dr.Web (R) daemon for Linux/Plesk Edition v6.0.2.1
Mär 07 07:36:32 puck983 drwebd.real[1593]: Copyright (c) Igor Daniloff, 1992-2022
Mär 07 07:36:32 puck983 drwebd.real[1593]: Doctor Web, Moscow, Russia
Mär 07 07:36:32 puck983 drwebd.real[1593]: Support service: Dr.Web — innovative anti-virus technologies. Comprehensive protection from Internet threats.
Mär 07 07:36:32 puck983 drwebd.real[1593]: To purchase: Dr.Web — innovative anti-virus technologies. Comprehensive protection from Internet threats.
Mär 07 07:36:33 puck983 drwebd[1593]: Key file: /opt/drweb/drweb32.key - Key file was not found! (No such file or directory)
Mär 07 07:36:33 puck983 drwebd[1593]: A path to a valid license key file was not specified.
Mär 07 07:36:33 puck983 drwebd.real[1593]: Key file: /opt/drweb/drweb32.key - Key file was not found! (No such file or directory)
Mär 07 07:36:33 puck983 drwebd.real[1593]: A path to a valid license key file was not specified.
Mär 07 07:36:43 puck983 drwebd.real[1593]: Daemon is enabled for protecting 14 e-mail`s:
Mär 07 07:36:43 puck983 drwebd[1593]: Daemon is enabled for protecting 14 e-mail`s:
[..]
Mär 07 07:36:43 puck983 drwebd.real[1593]: Shell version: 6.0.2.02020 <API:2.2>
Mär 07 07:36:43 puck983 drwebd.real[1593]: Engine version: 7.0.4.9250 <API:2.2>
Mär 07 07:37:31 puck983 drwebd[1593]: Loading /var/drweb/bases/drwtoday.vdb - Ok, virus records: 2482
Mär 07 07:37:31 puck983 drwebd.real[1593]: Loading /var/drweb/bases/drwtoday.vdb - Ok, virus records: 2482
Mär 07 07:37:31 puck983 drwebd[1593]: Loading /var/drweb/bases/dwf70000.vdb - Ok, virus records: 2
[..]
Mär 07 07:38:41 puck983 drwebd.real[1593]: Loading /var/drweb/bases/dwp70000.vdb - Ok, virus records: 1
Mär 07 07:38:42 puck983 drwebd[1593]: Total virus records: 12750876
Mär 07 07:38:42 puck983 drwebd.real[1593]: Total virus records: 12750876
Mär 07 07:38:42 puck983 drwebd[1593]: Daemon is installed, active interfaces: /var/drweb/run/.daemon 127.0.0.1:3000
Mär 07 07:38:42 puck983 drwebd.real[1593]: Daemon is installed, active interfaces: /var/drweb/run/.daemon 127.0.0.1:3000

DrWeb opens port 3000 on 127.0.0.1 loopback

Missing drweb32.key reduce scanning to max 14 mailboxes.

However i cheat drweb, because i pipe the mail trough drwebdc - which is a filescan, not a mailbox one

 

[hitd]

And on the other way: you started with clamav

if clamav daemon runs fine,

change

# PATH must be fixed because perl -T flag, using an usual path throws security exception
my $drweb_bin='/usr/bin/drwebdc'; # if empty: do not use DrWeb version 6 ( part of plesk as plesk antivirus )
my $drweb_path='/usr/bin';
my $drweb_arg='-';
my $drweb_give_name_arg='-orv';
my $drweb_version_arg='-sB';

to
# PATH must be fixed because perl -T flag, using an usual path throws security exception
my $drweb_bin=''; # if empty: do not use DrWeb version 6 ( part of plesk as plesk antivirus )
my $drweb_path='/usr/bin';
my $drweb_arg='-';
my $drweb_give_name_arg='-orv';
my $drweb_version_arg='-sB';

if $drweb_bin is empty, drweb is ignored only tests by clamav's clamd are made

 

[andreios]

--
-- An ExecStart= process belonging to unit drwebd.service has exited.
--
-- The process' exit code is 'exited' and its exit status is 255.
Mar 16 17:04:51 server drwebd[2003346]: Dr.Web (R) daemon for Linux/Plesk Edition v6.0.2.1
Mar 16 17:04:51 server drwebd[2003346]: Copyright (c) Igor Daniloff, 1992-2022
Mar 16 17:04:51 server drwebd[2003346]: Doctor Web, Moscow, Russia
Mar 16 17:04:51 server drwebd[2003346]: Support service: Dr.Web — innovative anti-virus technologies. Comprehensive protection from Internet threats.
Mar 16 17:04:51 server drwebd[2003346]: To purchase: Dr.Web — innovative anti-virus technologies. Comprehensive protection from Internet threats.
Mar 16 17:04:51 server drwebd.real[2003346]: Copyright (c) Igor Daniloff, 1992-2022
Mar 16 17:04:51 server systemd[1]: drwebd.service: Failed with result 'exit-code'.
-- Subject: Unit failed
-- Defined-By: systemd
-- Support: Enterprise open source support | Ubuntu
--
-- The unit drwebd.service has entered the 'failed' state with result 'exit-code'.
Mar 16 17:04:51 server drwebd[2003346]: Key file: /opt/drweb/drweb32.key - Key file was not found! (No such file or directory)
Mar 16 17:04:51 server drwebd[2003346]: A path to a valid license key file was not specified.
Mar 16 17:04:51 server drwebd[2003346]: Plesk authorization failed: HTTP request error [35]
Mar 16 17:04:51 server drwebd[2003346]: Error: Plesk Software not running.
Mar 16 17:04:51 server drwebd.real[2003346]: Doctor Web, Moscow, Russia
Mar 16 17:04:51 server drwebd.real[2003346]: Support service: Dr.Web — innovative anti-virus technologies. Comprehensive protection from Internet threats.
Mar 16 17:04:51 server drwebd.real[2003346]: To purchase: Dr.Web — innovative anti-virus technologies. Comprehensive protection from Internet threats.
Mar 16 17:04:51 server drwebd.real[2003346]: Key file: /opt/drweb/drweb32.key - Key file was not found! (No such file or directory)
Mar 16 17:04:51 server drwebd.real[2003346]: A path to a valid license key file was not specified.
Mar 16 17:04:51 server drwebd.real[2003346]: Plesk authorization failed: HTTP request error [35]
Mar 16 17:04:51 server drwebd.real[2003346]: Error: Plesk Software not running.

 

[hitd]

--
-- An ExecStart= process belonging to unit drwebd.service has exited.
--
-- The process' exit code is 'exited' and its exit status is 255.
Mar 16 17:04:51 server drwebd[2003346]: Dr.Web (R) daemon for Linux/Plesk Edition v6.0.2.1
Mar 16 17:04:51 server drwebd[2003346]: Copyright (c) Igor Daniloff, 1992-2022
Mar 16 17:04:51 server drwebd[2003346]: Doctor Web, Moscow, Russia
Mar 16 17:04:51 server drwebd[2003346]: Support service: Dr.Web — innovative anti-virus technologies. Comprehensive protection from Internet threats.
Mar 16 17:04:51 server drwebd[2003346]: To purchase: Dr.Web — innovative anti-virus technologies. Comprehensive protection from Internet threats.
Mar 16 17:04:51 server drwebd.real[2003346]: Copyright (c) Igor Daniloff, 1992-2022
Mar 16 17:04:51 server systemd[1]: drwebd.service: Failed with result 'exit-code'.
-- Subject: Unit failed
-- Defined-By: systemd
-- Support: Enterprise open source support | Ubuntu
--
-- The unit drwebd.service has entered the 'failed' state with result 'exit-code'.
Mar 16 17:04:51 server drwebd[2003346]: Key file: /opt/drweb/drweb32.key - Key file was not found! (No such file or directory)
Mar 16 17:04:51 server drwebd[2003346]: A path to a valid license key file was not specified.
Mar 16 17:04:51 server drwebd[2003346]: Plesk authorization failed: HTTP request error [35]
Mar 16 17:04:51 server drwebd[2003346]: Error: Plesk Software not running.
Mar 16 17:04:51 server drwebd.real[2003346]: Doctor Web, Moscow, Russia
Mar 16 17:04:51 server drwebd.real[2003346]: Support service: Dr.Web — innovative anti-virus technologies. Comprehensive protection from Internet threats.
Mar 16 17:04:51 server drwebd.real[2003346]: To purchase: Dr.Web — innovative anti-virus technologies. Comprehensive protection from Internet threats.
Mar 16 17:04:51 server drwebd.real[2003346]: Key file: /opt/drweb/drweb32.key - Key file was not found! (No such file or directory)
Mar 16 17:04:51 server drwebd.real[2003346]: A path to a valid license key file was not specified.
Mar 16 17:04:51 server drwebd.real[2003346]: Plesk authorization failed: HTTP request error [35]
Mar 16 17:04:51 server drwebd.real[2003346]: Error: Plesk Software not running.

root@puck983:/usr/local/sbin# systemctl status drwebd
● drwebd.service - Plesk Premium Antivirus
Loaded: loaded (/lib/systemd/system/drwebd.service; enabled; vendor preset: enabled)
Drop-In: /usr/lib/systemd/system/drwebd.service.d
└─respawn.conf
Active: active (running) since Mon 2022-03-07 07:36:28 CET; 1 weeks 2 days ago
Main PID: 1593 (drwebd.real)
Tasks: 2 (limit: 4915)
Memory: 842.6M
CGroup: /system.slice/drwebd.service
├─ 1593 /opt/drweb/drwebd.real --foreground=yes
└─10036 /opt/drweb/drwebd.real --foreground=yes

Mär 16 16:59:40 puck983 drwebd.real[9923]: <drwebdc>: 127.0.0.1 [9923] >DATA[9923]/11.reexport - Ok
Mär 16 16:59:40 puck983 drwebd.real[9923]: <drwebdc>: 127.0.0.1 [9923] DATA[9923] - Ok
Mär 16 17:05:22 puck983 drwebd.real[9953]: <drwebdc>: 127.0.0.1 [9953] DATA[9953] - archive MAIL
Mär 16 17:05:22 puck983 drwebd.real[9953]: <drwebdc>: 127.0.0.1 [9953] >DATA[9953]/3.part - Ok
Mär 16 17:05:22 puck983 drwebd.real[9953]: <drwebdc>: 127.0.0.1 [9953] >DATA[9953]/4.part - archive JS-HTML
Mär 16 17:05:22 puck983 drwebd.real[9953]: <drwebdc>: 127.0.0.1 [9953] >DATA[9953]/4.part - Ok
Mär 16 17:05:22 puck983 drwebd.real[9953]: <drwebdc>: 127.0.0.1 [9953] >DATA[9953]/5.reexport - Ok
Mär 16 17:05:22 puck983 drwebd.real[9953]: <drwebdc>: 127.0.0.1 [9953] >DATA[9953]/6.reexport - archive JS-HTML
Mär 16 17:05:22 puck983 drwebd.real[9953]: <drwebdc>: 127.0.0.1 [9953] >DATA[9953]/6.reexport - Ok
Mär 16 17:05:22 puck983 drwebd.real[9953]: <drwebdc>: 127.0.0.1 [9953] DATA[9953] - Ok
root@puck983:/usr/local/sbin#


file /usr/lib/systemd/system/drwebd.service :
[Unit]
Description=Plesk Premium Antivirus
After= psa.service

[Service]
ExecStart=/opt/drweb/drwebd --foreground=yes
ExecReload=/bin/kill -s SIGHUP $MAINPID

[Install]
WantedBy=multi-user.target

 

[andreios]

To my surprise drweb was disabled. I have enabled it with:
plesk sbin drwebmng -e

 

[hitd]

please do some tests and give a short report.

However, if your question from beginning ( how to remove a appended file ) isn't obsolate, take a look at renattach. It is available for ubuntu as renattach 1.2.4-5 (amd64 binary) in ubuntu bionic. renattach is able to delete a attachment. you can find the mailhandler in

Input - renattach

I've installed and integrated the program renattach. exist on Debian 10 as renattach_1.2.4-5_amd64.deb in Debian Main repository. Renattach is a small, efficient and surprisingly effective filter designed primarily to offer an additional level of safety to Windows users whose e-mails pass...

talk.plesk.com

Probably there must be a small modification. renattach removes all appended files or parts, if requested.

Not tested ever, but some code in mailhandler for reattach should change to

eval {

      # read input


        binmode STDIN;

         if ( $byte_size=read (STDIN, $buffer, $buffer_size) ) {
            if ( $buffer =~ /X-Spam-Virus: Yes /) {

                   open RENATT,"|-", "$renattach_bin", "$renattach_arg" or die "LOG RENATTACH unable to open $renattach_bin\n";

                    # if error --> eval should throw exception before "PASS", so do open pipe first
                     print STDERR "LOG RENATTACH mail piped to renattach";
                     print STDERR "PASS\n";
              
                      print RENATT "$buffer" || die "LOG RENATTACH error during spooling maildata: $!"

                       while ( $byte_size=read (STDIN, $buffer, $buffer_size) )
                       {
                                print RENATT "$buffer" || die "LOG RENATTACH error during spooling maildata: $!";
                        }

                        close RENATT;
            } else {
                        print STDERR "LOG RENATTACH mail send to STDOUT bypassing renattach!";
                        print STDERR "PASS\n";

                        print STDOUT "$buffer" || die "LOG RENATTACH error during spooling maildata: $!"
                
                         while ( $byte_size=read (STDIN, $buffer, $buffer_size) )
                          {
                                    print STDOUT "$buffer" || die "LOG RENATTACH error during spooling maildata: $!";
                          }
            }
    } else {
            print STDERR "LOG RENATTACH error no input: $!";
    }
};

AS I SAID UNTESTED, maybe next time in renattach handler, maybe

Lets take a look on the code:
We read STDIN into a buffer. because 32K all header should be read. If found signature header "X-Spam-Virus: Yes" we pipe the mail trough renattach program which is configured to remove appended parts.

If "X-Spam-Virus: Yes" not found, mail is passed directly to STDOUT bypassing renattach, so mail is unchanged
regards Peter
PS: We should change to the renattach thread if trying to implrment this. its a better place to talk about renattach

 

[andreios]

Right now your script runs since a few hours without problems, thank you for that. The only Problem for me seems to be the rejecting behavior. Best practice would be to, for authenticated users to reject but give them a message why, and for everything else to discard and give the recieving user(s) a message what happened, maybe in there spam folder so they are not distracted.

 

[andreios]

As in my network I have only trustworthy people, in all other cases I would only discard never reject.

 

[andreios]

I can still send the EICAR test pattern to my other account when I forward the message. Hitd thinks everything is fine.

 

[hitd]

I can still send the EICAR test pattern to my other account when I forward the message. Hitd thinks everything is fine.

Can you post the part of maillog for this and result of "plesk sbin mail_handlers_control --list | grep -i virus"

 

[andreios]

Mar 20 15:42:16 server postfix/smtpd[313887]: E78D345A0F31: client=dynamic[*.*.*.*], sasl_method=PLAIN, [email protected]
Mar 20 15:42:16 server psa-pc-remote[787]: E78D345A0F31: from=<[email protected]> to=<[email protected]>
Mar 20 15:42:17 server postfix/cleanup[313893]: E78D345A0F31: message-id=<[email protected]>
Mar 20 15:42:17 server psa-pc-remote[787]: E78D345A0F31: check-quota: stderr: SKIP
Mar 20 15:42:17 server psa-pc-remote[787]: E78D345A0F31: spf: stderr: PASS
Mar 20 15:42:17 server psa-pc-remote[787]: E78D345A0F31: hitd-virus-handler: stderr: LOG HITDVIRUS ClamAV 0.103.5/26487/Sun Mar 20 09:39:40 2022
Mar 20 15:42:17 server psa-pc-remote[787]: E78D345A0F31: hitd-virus-handler: stderr: LOG HITDVIRUS ClamAV clean ( no virus )
Mar 20 15:42:17 server psa-pc-remote[787]: E78D345A0F31: hitd-virus-handler: stderr: LOG HITDVIRUS drweb Base timestamp: 2022-03-20
Mar 20 15:42:17 server psa-pc-remote[787]: E78D345A0F31: hitd-virus-handler: stderr: LOG HITDVIRUS drweb RC=0
Mar 20 15:42:17 server psa-pc-remote[787]: E78D345A0F31: hitd-virus-handler: stderr: LOG HITDVIRUS drweb STDERR Results: daemon return code 0x100000 (after scanning/curing composite object is clean)
Mar 20 15:42:17 server psa-pc-remote[787]: E78D345A0F31: hitd-virus-handler: stderr: LOG HITDVIRUS result: PASS exit: 0
Mar 20 15:42:17 server psa-pc-remote[787]: E78D345A0F31: hitd-virus-handler: stderr: PASS
Mar 20 15:42:17 server psa-pc-remote[787]: E78D345A0F31: dk_sign: stderr: PASS
Mar 20 15:42:17 server postfix/qmgr[12306]: E78D345A0F31: from=<[email protected]>, size=1206, nrcpt=1 (queue active)
Mar 20 15:42:17 server postfix/smtp[313909]: E78D345A0F31: to=<[email protected]>, relay=mail.server2.net[*.*.*.*]:25, delay=0.63, delays=0.35/0.01/0.13/0.14, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as DAC4D402E2C)
Mar 20 15:42:17 server postfix/qmgr[12306]: E78D345A0F31: removed

plesk sbin mail_handlers_control --list | grep -i virus
| X | X | 45 | all | virushandler | global | before-queue |

I have send this message via "sendmail [email protected] < eicar-signature.txt"

eicar-signature.txt:

From: [email protected]
To: [email protected]
Subject: test - virus scanner test pattern

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

 

[hitd]

Sorry, i'm unable to reproduce, because sendmail not installed.

first: can you post the test-mail with all headers

second: i've appended hitd-mailq-check

thats intended to check length of mailqueue every about 5-10 min from cron. Both scripts are located usualy in /usr/local/bin

However you only need hitd-directmail

test then

# hitd-directmail -t [email protected] -s ziel.server.de.de test 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'

Background:
hitd-mailq-chech asks (bash) for length of mailqueue. experience told me. that servers hacked by spamers grows up in lemgth of mailq. To warn admin about, ive wrote a tool which bypasses local mailserver. test is subject then eicar-test becomes 1st line of mailbody. -t target-emai-address -s is smtp-host-to-use

i tested here
Mar 20 16:57:37 puck983 psa-pc-remote[17657]: 61E765CC0577: hitd-virus-handler: stderr: LOG HITDVIRUS ClamAV 0.103.5/26487/Sun Mar 20 09:39:40 2022
Mar 20 16:57:37 puck983 psa-pc-remote[17657]: 61E765CC0577: hitd-virus-handler: stderr: LOG HITDVIRUS ClamAV clean ( no virus )
Mar 20 16:57:38 puck983 psa-pc-remote[17657]: 61E765CC0577: hitd-virus-handler: stderr: LOG HITDVIRUS drweb Base timestamp: 2022-03-20
Mar 20 16:57:38 puck983 psa-pc-remote[17657]: 61E765CC0577: hitd-virus-handler: stderr: LOG HITDVIRUS drweb RC=256
Mar 20 16:57:38 puck983 psa-pc-remote[17657]: 61E765CC0577: hitd-virus-handler: stderr: LOG HITDVIRUS drweb STDOUT ----- Dr.Web found viruses list begin -----
Mar 20 16:57:38 puck983 psa-pc-remote[17657]: 61E765CC0577: hitd-virus-handler: stderr: LOG HITDVIRUS drweb STDOUT Known virus(es):
Mar 20 16:57:38 puck983 psa-pc-remote[17657]: 61E765CC0577: hitd-virus-handler: stderr: LOG HITDVIRUS drweb STDOUT EICAR Test File (NOT a Virus!)
Mar 20 16:57:38 puck983 psa-pc-remote[17657]: 61E765CC0577: hitd-virus-handler: stderr: LOG HITDVIRUS drweb STDOUT ----- Dr.Web found viruses list end -----
Mar 20 16:57:38 puck983 psa-pc-remote[17657]: 61E765CC0577: hitd-virus-handler: stderr: LOG HITDVIRUS drweb STDERR Results: daemon return code 0x20 (known virus is found)
Mar 20 16:57:38 puck983 psa-pc-remote[17657]: 61E765CC0577: hitd-virus-handler: stderr: LOG HITDVIRUS drweb result: REJECT VIRUS EICAR Test File (NOT a Virus!)
Mar 20 16:57:38 puck983 psa-pc-remote[17657]: 61E765CC0577: hitd-virus-handler: stderr: REJECT VIRUS EICAR Test File (NOT a Virus!)

Peter

 

[andreios]

Can one rewrite the script so that every positive mail get silently quarantined?

 

[andreios]

hitd directmail errror message:
Can't locate Log/Any.pm in @INC (you may need to install the Log::Any module)

 

[hitd]

hitd directmail errror message:
Can't locate Log/Any.pm in @INC (you may need to install the Log::Any module)

of course there are some perl modules to be installed.

Log::Any is

perl-Log-Any-0.15-3.el7.noarch.rpm in epel repository for centos 7

debian 10
root@puck983:/usr/local/bin# apt list --installed | grep -i log-any

WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

liblog-any-perl/oldstable,oldstable,now 1.707-1 all [installiert]
root@puck983:/usr/local/bin#

probably some other perl podules are missing. MIME::Lite i think, and Getopt:Long They must be installed from the repositories of the distribution you use.

however, the other way: please let me know the target email address by private mail to peter (at) service.heirich.eu

then i use my hitd-directmail to trigger eicar from puck983. Also please use sendmail to send out your eicar-signature.txt to the email address above, so i can see if this triggers here.

 

[hitd]

Can one rewrite the script so that every positive mail get silently quarantined?

That's not easy.

Most important problem is way back in case of false positive.

Current version of script stores email within memory in most cases, except a long email ( i.e. appended file ) or sophos, because handling by sophos is check by file. clamav and drweb are able to check files as streams, so they can come from a variable.

However, if we know if it is a virus or not, the script can answer "STOP" if virus found and mail is discarted. Because mail is still in memory or a temporary file in this moment, the mail could be written to a directory.

However, clamav and drweb version 6 does not contain on access file scan. if virus and we wrote to a file, on access scan will be triggered. if using sophos there must be configured some exeptions. In case of write to quarantine dir, must also bee an exception for this one.

Next: file in quarantine directory must get a name, probably by current date and some random. Because we know the recipient from commandline, there could be build a directory structure like /var/spool/quarantine/$recipient_domain/$recipient_user and best format is SMTP with Envelope, like uucp does using bsmtp. So there could be a webpage to view these mails and inject again, in case of false positives.

But because false positive, how to prevent to trigger a false positive again, if try to inject again the mail.

 

[andreios]

I don't use sophos. I use another server with amavis + clamav and fangfrisch, never had an false positive in the last like 5 years, and I get a notice about every virus mail found.