iRedMail 开源邮件服务解决方案 - 如何关闭ClamAV-clamd的PDF文件检查

回复: 如何关闭ClamAV-clamd的PDF文件检查

null@example.com (jackwjy) — Tue, 28 Dec 2010 08:21:35 +0000

ZhangHuangbin 写道:

/etc/clamd.conf 里有一个 "ScanPDF yes"，将它改为 no，并重启 clamav 试试。
如果还不行，就在 /etc/amavisd.conf 的顶部找到这句：
# @bypass_virus_checks_maps = (1);
将这一行的注释去掉，重启 amavisd，就不会再调用 ClamAV 了。

ScanPDF yes 这个我是最早就改成 no 了

关闭ClamAV是最后的办法了

回复: 如何关闭ClamAV-clamd的PDF文件检查

null@example.com (ZhangHuangbin) — Tue, 28 Dec 2010 07:54:53 +0000

/etc/clamd.conf 里有一个 "ScanPDF yes"，将它改为 no，并重启 clamav 试试。

如果还不行，就在 /etc/amavisd.conf 的顶部找到这句：

# @bypass_virus_checks_maps = (1);

将这一行的注释去掉，重启 amavisd，就不会再调用 ClamAV 了。

回复: 如何关闭ClamAV-clamd的PDF文件检查

null@example.com (jackwjy) — Tue, 28 Dec 2010 07:26:20 +0000

有人可以解决吗？
难道只能关闭ClamAV啦

回复: 如何关闭ClamAV-clamd的PDF文件检查

null@example.com (jackwjy) — Tue, 28 Dec 2010 06:32:39 +0000

[root@mail local]# sudo freshclam
ClamAV update process started at Tue Dec 28 14:28:26 2010
main.cvd is up to date (version: 53, sigs: 846214, f-level: 53, builder: sven)
daily.cld is up to date (version: 12446, sigs: 12211, f-level: 58, builder: guitar)
bytecode.cld is up to date (version: 114, sigs: 27, f-level: 58, builder: edwin)
[root@mail local]#

已经更新到最新的了，还是老样子

回复: 如何关闭ClamAV-clamd的PDF文件检查

null@example.com (ZhangHuangbin) — Tue, 28 Dec 2010 05:46:37 +0000

你升级了 clamav 的病毒库没？

回复: 如何关闭ClamAV-clamd的PDF文件检查

null@example.com (jackwjy) — Tue, 28 Dec 2010 05:05:21 +0000

maillog
Dec 28 12:54:05 mail amavis[2790]: (02790-06) Blocked INFECTED (Exploit.PDF-22610(f60cfc7e5ee22c0382f3535fab9c5cbc:930379), Exploit.PDF-22610(82dfea702439669d850582516766ef9f:682526)), LOCAL [58.246.3.174] [58.246.3.174] -> , quarantine: virus-kqVOxqD2BWzF, Message-ID: <47D1244287FC417083444F48DA9FC5B7@JackT400>, mail_id: kqVOxqD2BWzF, Hits: -, size: 942584, 641 ms
Dec 28 12:54:05 mail postfix/smtp[3490]: AA9A438B0708: to=, relay=127.0.0.1[127.0.0.1]:10024, delay=7.8, delays=7.2/0.01/0/0.65, dsn=2.5.0, status=sent (250 2.5.0 Ok, id=02790-06, DISCARD(bounce.suppressed))
Dec 28 12:54:05 mail postfix/qmgr[2783]: AA9A438B0708: removed

clamd.log
Tue Dec 28 12:54:05 2010 -> /var/amavis/tmp/amavis-20101228T124909-02790/parts/p007: Exploit.PDF-22610 FOUND
Tue Dec 28 12:54:05 2010 -> /var/amavis/tmp/amavis-20101228T124909-02790/parts/p003: Exploit.PDF-22610 FOUND

amavisd.conf

$policy_bank{'MYNETS'} = { # mail originating from @mynetworks
originating => 1, # is true in MYNETS by default, but let's make it explicit
os_fingerprint_method => undef, # don't query p0f for internal clients
bypass_virus_checks_maps => [1],
allow_disclaimers => 1, # enables disclaimer insertion if available
};

# it is up to MTA to re-route mail from authenticated roaming users or
# from internal hosts to a dedicated TCP port (such as 10026) for filtering
$interface_policy{'10026'} = 'ORIGINATING';

$policy_bank{'ORIGINATING'} = { # mail supposedly originating from our users
originating => 1, # declare that mail was submitted by our smtp client
allow_disclaimers => 1, # enables disclaimer insertion if available
# notify administrator of locally originating malware
virus_admin_maps => ["root\@$mydomain"],
spam_admin_maps => ["root\@$mydomain"],
warnbadhsender => 1,
bypass_virus_checks_maps => [1],
# forward to a smtpd service providing DKIM signing service
forward_method => 'smtp:[127.0.0.1]:10027',
# force MTA conversion to 7-bit (e.g. before DKIM signing)
smtpd_discard_ehlo_keywords => ['8BITMIME'],
bypass_banned_checks_maps => [1], # allow sending any file names and types
terminate_dsn_on_notify_success => 0, # don't remove NOTIFY=SUCCESS option
};

还是不行啊，amavisd.conf修改好以后已经重启服务器了，还是被过滤

回复: 如何关闭ClamAV-clamd的PDF文件检查

null@example.com (ZhangHuangbin) — Tue, 28 Dec 2010 03:53:23 +0000

在 /etc/amavisd.conf 里找到这几段：

$policy_bank{'MYNETS'} = {}
$policy_bank{'ORIGINATING'} = {}
$policy_bank{'MYUSERS'} = {} # 这一个在旧版本 iredmail 里没有，所以可以不用

在上面几个设置的大括号内，加入这么一句：

bypass_virus_checks_maps => [1],

重启 amavisd 后，所有你的用户发出去的邮件都不会做病毒检测，包括 PDF 和其它各种类型的文件，但对于收到的外部邮件仍然会做检测。

如何关闭ClamAV-clamd的PDF文件检查

null@example.com (jackwjy) — Tue, 28 Dec 2010 03:31:00 +0000

Two viruses were found:
Exploit.PDF-22610(3a6f6bc64bd3fa36666385767f2b58b0:926454), Exploit.PDF-22610(82dfea702439669d850582516766ef9f:682526)

Bad header:
Non-encoded 8-bit data (char D2 hex): Subject: Fw:
\322\273\312\265\315\342\273\343\265\307\274\307\326\244
Scanner detecting a virus: ClamAV-clamd

Content type: Virus
Internal reference code for the message is 07517-17/iSOwArvRfTAC

First upstream SMTP client IP address: [210.13.93.94] According to a 'Received:' trace, the message apparently originated at:
[210.13.93.94], DJKADM001 unknown [210.13.93.94]

Return-Path:
From:
Message-ID: <572B49CD52844CAF8C4809EC6205D772@DJKADM001>
Subject: Fw: xxxxxx
The message has been quarantined as: virus-iSOwArvRfTAC

Notification to sender will not be mailed.

The message WAS NOT relayed to:
:
554 5.7.0 Reject, id=07517-17 - INFECTED: Exploit.PDF-22610(3a6f6bc64bd3fa36666385767f2b58b0:926454), Exploit.PDF-2261...

Virus scanner output:
p006: Exploit.PDF-22610(3a6f6bc64bd3fa36666385767f2b58b0:926454) FOUND
p003: Exploit.PDF-22610(82dfea702439669d850582516766ef9f:682526) FOUND

在公司里内部转发出现以上的pdf病毒，但是这个pdf文件是理光扫描仪直接出来的pdf文件，不可能有病毒
能否关闭clamav pdf文件扫描呢？

公司里常用pdf文件，影响很大，谢谢