• 注册日期: 2010-01-05
  • 文章数: 31

主题: 如何关闭ClamAV-clamd的PDF文件检查

Two viruses were found:
  Exploit.PDF-22610(3a6f6bc64bd3fa36666385767f2b58b0:926454), Exploit.PDF-22610(82dfea702439669d850582516766ef9f:682526)

Bad header:
  Non-encoded 8-bit data (char D2 hex): Subject: Fw:
    \322\273\312\265\315\342\273\343\265\307\274\307\326\244
Scanner detecting a virus: ClamAV-clamd

Content type: Virus
Internal reference code for the message is 07517-17/iSOwArvRfTAC

First upstream SMTP client IP address: [210.13.93.94] According to a 'Received:' trace, the message apparently originated at:
  [210.13.93.94], DJKADM001 unknown [210.13.93.94]

Return-Path: <xxx@xxx.com>
From: <xxx@xxx.com>
Message-ID: <572B49CD52844CAF8C4809EC6205D772@DJKADM001>
Subject: Fw: xxxxxx
The message has been quarantined as: virus-iSOwArvRfTAC

Notification to sender will not be mailed.

The message WAS NOT relayed to:
<xxx@xxxx.com>:
   554 5.7.0 Reject, id=07517-17 - INFECTED: Exploit.PDF-22610(3a6f6bc64bd3fa36666385767f2b58b0:926454), Exploit.PDF-2261...

Virus scanner output:
  p006: Exploit.PDF-22610(3a6f6bc64bd3fa36666385767f2b58b0:926454) FOUND
  p003: Exploit.PDF-22610(82dfea702439669d850582516766ef9f:682526) FOUND

在公司里内部转发出现以上的pdf病毒,但是这个pdf文件是理光扫描仪直接出来的pdf文件,不可能有病毒
能否关闭clamav pdf文件扫描呢?

公司里常用pdf文件,影响很大,谢谢

  • 注册日期: 2009-12-18
  • 文章数: 2,864

回复: 如何关闭ClamAV-clamd的PDF文件检查

在 /etc/amavisd.conf 里找到这几段:

$policy_bank{'MYNETS'} = {}
$policy_bank{'ORIGINATING'} = {}
$policy_bank{'MYUSERS'} = {} # 这一个在旧版本 iredmail 里没有,所以可以不用

在上面几个设置的大括号内,加入这么一句:

bypass_virus_checks_maps => [1],

重启 amavisd 后,所有你的用户发出去的邮件都不会做病毒检测,包括 PDF 和其它各种类型的文件,但对于收到的外部邮件仍然会做检测。

3 jackwjy回复 最后由 jackwjy (2010-12-28 13:06:31) 编辑

  • 注册日期: 2010-01-05
  • 文章数: 31

回复: 如何关闭ClamAV-clamd的PDF文件检查

maillog
Dec 28 12:54:05 mail amavis[2790]: (02790-06) Blocked INFECTED (Exploit.PDF-22610(f60cfc7e5ee22c0382f3535fab9c5cbc:930379), Exploit.PDF-22610(82dfea702439669d850582516766ef9f:682526)), LOCAL [58.246.3.174] [58.246.3.174] <jack@lanever.com> -> <jackwjy@gmail.com>, quarantine: virus-kqVOxqD2BWzF, Message-ID: <47D1244287FC417083444F48DA9FC5B7@JackT400>, mail_id: kqVOxqD2BWzF, Hits: -, size: 942584, 641 ms
Dec 28 12:54:05 mail postfix/smtp[3490]: AA9A438B0708: to=<jackwjy@gmail.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=7.8, delays=7.2/0.01/0/0.65, dsn=2.5.0, status=sent (250 2.5.0 Ok, id=02790-06, DISCARD(bounce.suppressed))
Dec 28 12:54:05 mail postfix/qmgr[2783]: AA9A438B0708: removed

clamd.log
Tue Dec 28 12:54:05 2010 -> /var/amavis/tmp/amavis-20101228T124909-02790/parts/p007: Exploit.PDF-22610 FOUND
Tue Dec 28 12:54:05 2010 -> /var/amavis/tmp/amavis-20101228T124909-02790/parts/p003: Exploit.PDF-22610 FOUND


amavisd.conf

$policy_bank{'MYNETS'} = {   # mail originating from @mynetworks
  originating => 1,  # is true in MYNETS by default, but let's make it explicit
  os_fingerprint_method => undef,  # don't query p0f for internal clients
  bypass_virus_checks_maps => [1],
  allow_disclaimers => 1, # enables disclaimer insertion if available
};

# it is up to MTA to re-route mail from authenticated roaming users or
# from internal hosts to a dedicated TCP port (such as 10026) for filtering
$interface_policy{'10026'} = 'ORIGINATING';

$policy_bank{'ORIGINATING'} = {  # mail supposedly originating from our users
  originating => 1,  # declare that mail was submitted by our smtp client
  allow_disclaimers => 1,  # enables disclaimer insertion if available
  # notify administrator of locally originating malware
  virus_admin_maps => ["root\@$mydomain"],
  spam_admin_maps  => ["root\@$mydomain"],
  warnbadhsender   => 1,
  bypass_virus_checks_maps => [1],
  # forward to a smtpd service providing DKIM signing service
  forward_method => 'smtp:[127.0.0.1]:10027',
  # force MTA conversion to 7-bit (e.g. before DKIM signing)
  smtpd_discard_ehlo_keywords => ['8BITMIME'],
  bypass_banned_checks_maps => [1],  # allow sending any file names and types
  terminate_dsn_on_notify_success => 0,  # don't remove NOTIFY=SUCCESS option
};


还是不行啊,amavisd.conf修改好以后已经重启服务器了,还是被过滤

  • 注册日期: 2009-12-18
  • 文章数: 2,864

回复: 如何关闭ClamAV-clamd的PDF文件检查

你升级了 clamav 的病毒库没?

5 jackwjy回复 最后由 jackwjy (2010-12-28 14:44:38) 编辑

  • 注册日期: 2010-01-05
  • 文章数: 31

回复: 如何关闭ClamAV-clamd的PDF文件检查

[root@mail local]# sudo freshclam
ClamAV update process started at Tue Dec 28 14:28:26 2010
main.cvd is up to date (version: 53, sigs: 846214, f-level: 53, builder: sven)
daily.cld is up to date (version: 12446, sigs: 12211, f-level: 58, builder: guitar)
bytecode.cld is up to date (version: 114, sigs: 27, f-level: 58, builder: edwin)
[root@mail local]#


已经更新到最新的了,还是老样子

  • 注册日期: 2010-01-05
  • 文章数: 31

回复: 如何关闭ClamAV-clamd的PDF文件检查

有人可以解决吗?
难道只能关闭ClamAV啦
sad

  • 注册日期: 2009-12-18
  • 文章数: 2,864

回复: 如何关闭ClamAV-clamd的PDF文件检查

/etc/clamd.conf 里有一个 "ScanPDF yes",将它改为 no,并重启 clamav 试试。

如果还不行,就在 /etc/amavisd.conf 的顶部找到这句:

# @bypass_virus_checks_maps = (1);

将这一行的注释去掉,重启 amavisd,就不会再调用 ClamAV 了。

  • 注册日期: 2010-01-05
  • 文章数: 31

回复: 如何关闭ClamAV-clamd的PDF文件检查

ZhangHuangbin 写道:

/etc/clamd.conf 里有一个 "ScanPDF yes",将它改为 no,并重启 clamav 试试。

如果还不行,就在 /etc/amavisd.conf 的顶部找到这句:

# @bypass_virus_checks_maps = (1);

将这一行的注释去掉,重启 amavisd,就不会再调用 ClamAV 了。

ScanPDF yes 这个我是最早就改成 no 了

关闭ClamAV是最后的办法了 sad