[exim] Virus/Malware errors: extra odd behavior

Author: Dan Egli
Date:  
To: exim-users
Old-Topics: [exim] Virus/Malware errors
Subject: [exim] Virus/Malware errors: extra odd behavior
While testing, I noticed something else completely bizarre. If I run the
malware test as root and place the test file in /root (i.e. # exim
-bmalware ~/eicar.com.txt) I get the error I mentioned. But if I put the
same file in /tmp then it doesn't error out:
# exim -bmalware /tmp/eicar.com.txt
No malware found.

NO MALWARE? That's the eicar.com test string! ANY virus scanner will
report that as a virus! And clamdscan WILL report it as a virus:
# clamdscan /tmp/eicar.com.txt
/tmp/eicar.com.txt: Eicar-Signature FOUND

----------- SCAN SUMMARY -----------
Infected files: 1
Time: 0.002 sec (0 m 0 s)

So what the HECK is going on?


On 1/19/2021 12:06 AM, Dan Egli via Exim-users wrote:
> I was looking at a message that had somehow gotten through my spam
> filters to see if I could figure out why, when I discovered a line in
> the header that said the message had not been virus scanned by exim.
> THAT was a surprise. I have clamd running and the exim.conf points to
> it (spamd_address = 127.0.0.1 783), so why on earth is it not
> scanning? I looked, and clamd is running correctly. I even grabbed the
> EICAR.COM test string and fed it to clamdscan. clamd caught it just
> fine. But when I included the string in an email to myself, the
> message was delivered.
>
> My next step was to test the file with the -bmalware option. THAT
> caused an error (from the panic.log):
> 2021-01-18 23:52:21.261 dummy-808545818 Could not open datafile for
> message dummy-808545818
> 2021-01-18 23:52:21.261 dummy-808545818 malware acl condition: error
> while creating mbox spool file
>
> My first thought is WHAT MBOX FILE? I don't use mbox, I use maildir!
> Then I wondered if the permissions on the /var/spool/exim4/scan
> directory were wrong. But they look right for Ubuntu 20.04LTS:
> drwxr-x--- 2 Debian-exim clamav      4096 Jan 19 00:02 scan
>
> On a whim, I changed the permissions to 777, and I STILL got the
> errors about not being able to open the datafile and not being able to
> create the mbox file.
>
> I tried looking on Google, and while I found a lot of messages
> referring to this same kind of error, nothing looked solved. Maybe my
> google-fu isn't strong enough right now, but I'm stumped. Please help!?
>
> Thanks!
>
>