Re: [exim] EXIM not detecting virus emails

Author: Gary Stainburn
Date:  
To: exim-users
Subject: Re: [exim] EXIM not detecting virus emails
On Thursday 22 October 2015 12:54:13 Patrick von der Hagen wrote:
>
> You can confirm that by looking at the log. Just identify the message
> you are concerned about and look for an entry like
>
> /var/spool/exim/scan/1ZpBsO-000EWL-Pv/1ZpBsO-000EWL-Pv.eml: OK in the
> clamav logs.
>
> But your configuration looks ok (though I don't understand the
> greylisting part in a data-acl, since greylisting triggers before data
> is executed).
>


I have found one problem. I have been using mutt under a normal user on the
EXIM server to send the test emails. This was because when I tried sending
from my workstation, the firewall got in the way and cleaned the email first.

For some reason, even though mutt was on the server, the emails still went
through the firewall and were still getting cleaned. Once I forced mutt to
deliver to 127.0.0.1, EXIM / Clamd then saw and blocked the email as it should
have.

> > I am testing with eicar and they are getting delivered. I am doing this
> > using:
> >
> > [gary@ollie2 ~]$ echo test|mutt gary@??? -a eicar.txt -s "EICAR
> > TEST"
>
> What about "clamdscan eicar.txt"? Does clamd work if exim is not
> involved? I suppose Jeremy's concern is that clamav might run without a
> signature database (or a broken one) and that's my concern as well.
>


Both clam and Kaspersky detected the file eicar.txt when called from the
command line.

This means that clamav and EXIM are actually working correctly together, but
are not stopping the live virus emails from getting through.

I am going to have another go at getting Kaspersky to work to see if that
works better. My plan is to use the syntax shown in the EXIM docs to call
both anti-virus tasks once I know they both work individually.
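The log check Patrick describes (look for the message's scan entry in the clamd log) can be automated so that the interesting failure mode, a message Exim accepted that clamd never saw, stands out. This is an added example, not code from the thread; the log lines are constructed samples (only the first message ID is the one quoted above), and the mainlog/clamd log paths are assumptions.

```python
import re
from typing import Dict, List

# Constructed sample clamd log; the path layout matches the entry quoted in the
# thread: /var/spool/exim/scan/<msgid>/<msgid>.eml: <verdict>
SAMPLE_CLAMD_LOG = """\
Thu Oct 22 12:50:01 2015 -> /var/spool/exim/scan/1ZpBsO-000EWL-Pv/1ZpBsO-000EWL-Pv.eml: OK
Thu Oct 22 12:55:17 2015 -> /var/spool/exim/scan/1ZpBxx-000F0a-Qa/1ZpBxx-000F0a-Qa.eml: Eicar-Test-Signature FOUND
Thu Oct 22 12:56:00 2015 -> SelfCheck: Database status OK.
"""

# Constructed sample Exim mainlog: "<=" lines are messages Exim accepted.
# The third message was accepted but has no clamd entry at all.
SAMPLE_MAINLOG = """\
2015-10-22 12:50:00 1ZpBsO-000EWL-Pv <= gary@example.com H=localhost [127.0.0.1] P=esmtp S=1234
2015-10-22 12:55:16 1ZpBxx-000F0a-Qa <= gary@example.com H=localhost [127.0.0.1] P=esmtp S=2345
2015-10-22 12:57:30 1ZpC0Z-000F3b-Rb <= gary@example.com U=gary P=local S=500
"""

# Exim's scan directory is named after the message ID and holds <msgid>.eml
SCAN_LINE = re.compile(r"/var/spool/exim/scan/(?P<id>[^/]+)/(?P=id)\.eml: (?P<verdict>.+)$")
MAINLOG_ACCEPT = re.compile(r"^\S+ \S+ (?P<id>\S+) <= ")


def clamd_verdicts(clamd_log: str) -> Dict[str, str]:
    """Map Exim message ID -> clamd verdict ('OK' or '<signature> FOUND')."""
    verdicts: Dict[str, str] = {}
    for line in clamd_log.splitlines():
        m = SCAN_LINE.search(line)
        if m:
            verdicts[m.group("id")] = m.group("verdict").strip()
    return verdicts


def check_message(msg_id: str, clamd_log: str) -> str:
    """Return 'clean', 'infected' or 'not-scanned' for one Exim message ID.

    'not-scanned' is the case worth chasing: the message never reached the
    malware condition, so no scanner verdict exists for it at all."""
    verdict = clamd_verdicts(clamd_log).get(msg_id)
    if verdict is None:
        return "not-scanned"
    return "clean" if verdict == "OK" else "infected"


def unscanned_accepted(mainlog: str, clamd_log: str) -> List[str]:
    """IDs of messages Exim accepted ('<=' lines) with no clamd scan entry."""
    scanned = clamd_verdicts(clamd_log)
    accepted = [m.group("id") for m in map(MAINLOG_ACCEPT.match, mainlog.splitlines()) if m]
    return [msg_id for msg_id in accepted if msg_id not in scanned]
```

In the sample data, the message submitted locally (`P=local`) is the one with no verdict; on a live system the same check run over the real logs tells you whether the mail you are testing with is taking a path that never invokes the scanner.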