Unable to remove ClamAV exclusions

Hi everyone

For a few months now we’ve been experiencing a quite elusive AV issue
(occasional “Error or timeout during inline virus scan”). MD support has
been involved, but we are still unable to resolve it. While experimenting
with different settings, I set exclusions for my local users in ClamAV
(added *@wbm.rs in ClamAV plugin -> General -> Configure Exceptions ->
Exclude messages FROM these addresses). A few days later the issue occurred
again, so I deleted the exceptions and went on to try something different.
But I’ve noticed in the logs that the ClamAV plugin is still reporting
----------
Passing message through ClamAV Plugin (c:\mdaemon\queues\temp\md50000000806.tmp)...
* Message-ID: <007201d448fb$7c74fd60$755ef820$@wbm.rs>
* Scanning skipped: local.user@wbm.rs is in exclusion list
----------
“Exclude messages FROM these addresses” is empty, and the file "excludes.dat"
located in \Mdaemon\SecurityPlus\ClamAVPlugin contains only 2 lines:
[EXCLUDE_TO]
[EXCLUDE_FROM]

I tried adding the exception again, then deleting it. I also tried
disabling/re-enabling the ClamAV plugin and restarting MDaemon. No matter
what I do, ClamAV still reports skipping local users.

Where else can I look? Anyone else seeing this behavior?
Bug?

Regards



Tyler Davis - Sep 10, 2018 1:58 pm (#1 Total: 4)  

Alt-N Technical Support  

Which version of MDaemon is installed? Have you tried disabling the plugin in the Security / ClamAV Plugin menu, by removing the "Enable ClamAV Plugin for MDaemon" check box, then re-enabling it? However, you shouldn't have to do this. I added an exclusion to the list, passed a message through the list, verified that the exclusion was taking place, then removed the entry. The below entry was logged in the plug-ins log and messages were then scanned by ClamAV.

Mon 2018-09-10 12:00:00.000: * CAV plugin is reloading...
Mon 2018-09-10 12:00:00.000: * CAV plugin enabled in Plugins.dat.
Mon 2018-09-10 12:00:00.000: * CAV plugin has reloaded successfully.

Once the change is made to the exclusion list in the GUI, do you see the following entries in the MDaemon-YYYYMMDD-Plugins.log file? The default log folder is in the /MDaemon/Logs directory. You can verify the direct path in the Setup / Server Settings / Logging / Log Mode.

--
Tyler Davis
MDaemon Technologies
http://www.mdaemon.com

---------------------------------------------------------------------
These forums are provided by MDaemon Technologies for user-to-user
support and discussion. MDaemon staff members may participate in the
forums periodically but please recognize that this is not the official
method of receiving technical support. To receive personal technical
support please use the form here:
http://www.altn.com/Support/RequestSupport/
---------------------------------------------------------------------

Aleksandar Devecerski - Sep 10, 2018 4:16 pm (#2 Total: 4)  

 

Hello Tyler
Current MDaemon, v18.0.2.
Yes, I tried disabling/re-enabling CAV plugin, but here it is again:
Mon 2018-09-10 22:45:52.027: ----------
Mon 2018-09-10 23:06:10.651: * CAV plugin is reloading...
Mon 2018-09-10 23:06:10.651: * CAV plugin disabled in Plugins.dat.
Mon 2018-09-10 23:06:10.651: * CAV plugin has reloaded successfully.
Mon 2018-09-10 23:06:21.558: * CAV plugin is reloading...
Mon 2018-09-10 23:06:21.558: * CAV plugin enabled in Plugins.dat.
Mon 2018-09-10 23:06:40.777: * CAV plugin has reloaded successfully.
Mon 2018-09-10 23:06:52.433: Passing message through ClamAV Plugin (c:/mdaemon/queues/temp/md50000000600.tmp)...
Mon 2018-09-10 23:06:52.433: * Message-ID: (4e225960-5580-4494-bbb5-482a8516fd7d@wbm.rs)
Mon 2018-09-10 23:06:52.433: * Scanning skipped: aleksandar.devecerski@wbm.rs is in exclusion list
Mon 2018-09-10 23:06:52.433: ----------
Attached is the CAV plugin's exclusions dialog.
Also tried stopping/re-starting MDaemon.

Regards


[Attached image: CAV Excl]

Aleksandar Devecerski - Sep 10, 2018 5:30 pm (#3 Total: 4)  

 

Tyler

Tried rebooting the MDaemon box; that also did not help.
Midnight cleanup job happened soon after, still the same (see log below).
But it looks like the following CAV plugin disable/re-enable resolved the
issue!?

Thank you


START Event Log / MDaemon PRO v18.0.2, Plug-ins log information
-------------------------------------------------------------------------------
Event Time/Date Event Description
-------------------------------------------------------------------------------
Tue 2018-09-11 00:09:43.644: Passing message through ClamAV Plugin (c:\mdaemon\queues\temp\md50000000045.tmp)...
Tue 2018-09-11 00:09:43.644: * Message-ID: <e5e90266-1e73-2f38-1a81-a926cde51701@wbm.rs>
Tue 2018-09-11 00:09:43.644: * Scanning skipped: aleksandar.devecerski@wbm.rs is in exclusion list
Tue 2018-09-11 00:09:43.644: ----------
Tue 2018-09-11 00:10:21.223: Passing message through ClamAV Plugin (c:\mdaemon\queues\temp\md50000000046.tmp)...
Tue 2018-09-11 00:10:21.223: * Message-ID: <003a01d44953$109a5510$31ceff30$@wbm.rs>
Tue 2018-09-11 00:10:21.223: * Scanning skipped: vladan.mihailovic@wbm.rs is in exclusion list
Tue 2018-09-11 00:10:21.223: ----------
Tue 2018-09-11 00:12:38.310: * CAV plugin is reloading...
Tue 2018-09-11 00:12:38.310: * CAV plugin disabled in Plugins.dat.
Tue 2018-09-11 00:12:38.310: * CAV plugin has reloaded successfully.
Tue 2018-09-11 00:15:08.318: * CAV plugin is reloading...
Tue 2018-09-11 00:15:08.318: * CAV plugin enabled in Plugins.dat.
Tue 2018-09-11 00:15:27.662: * CAV plugin has reloaded successfully.
Tue 2018-09-11 00:15:46.818: Passing message through ClamAV Plugin (c:\mdaemon\queues\temp\md50000000071.tmp)...
Tue 2018-09-11 00:15:46.818: * Message-ID: <ac285417-b811-9844-7c2f-470b38826676@wbm.rs>
Tue 2018-09-11 00:15:46.818: * Virus result: 0 - clean
Tue 2018-09-11 00:15:46.818: ----------
Tue 2018-09-11 00:16:11.100: Passing message through ClamAV Plugin (c:\mdaemon\queues\temp\md50000000070.tmp)...
Tue 2018-09-11 00:16:11.100: * Message-ID: <004101d44953$c9582fa0$5c088ee0$@wbm.rs>
Tue 2018-09-11 00:16:11.100: * Virus result: 0 - clean
Tue 2018-09-11 00:16:11.100: ----------

Aleksandar Devecerski - Sep 11, 2018 6:52 am (#4 Total: 4)  

 

Well, I guess it makes sense... now.
It seems that SecurityPlus and the CAV plugin share the exclusions, sort of. More precisely, SP's exclusions are also applied to CAV, but not the other way around. CAV's exclusions are only CAV's.
As I was trying to troubleshoot the AV problem, I wanted to have both SP and CAV active, but with certain exclusions applied to just one of them. I'll have to rethink this approach.

Regards
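
An added example (not from the thread and not MDaemon's own code): a log audit that lists every "Scanning skipped" entry in the plug-ins log and marks the ones the ClamAV plugin's own excludes.dat does not account for, which per the last post points to an exclusion inherited from SecurityPlus. The sample log and addresses are constructed, and the one-pattern-per-line layout under each excludes.dat section is an assumption.

```python
import re
from fnmatch import fnmatch

# Constructed sample in the plug-ins log format quoted in this thread.
SAMPLE_LOG = r"""
Tue 2018-09-11 00:09:43.644: Passing message through ClamAV Plugin (c:\mdaemon\queues\temp\md50000000045.tmp)...
Tue 2018-09-11 00:09:43.644: * Scanning skipped: user.one@example.test is in exclusion list
Tue 2018-09-11 00:09:43.644: ----------
Tue 2018-09-11 00:15:27.662: * CAV plugin has reloaded successfully.
Tue 2018-09-11 00:15:46.818: Passing message through ClamAV Plugin (c:\mdaemon\queues\temp\md50000000071.tmp)...
Tue 2018-09-11 00:15:46.818: * Virus result: 0 - clean
Tue 2018-09-11 00:16:02.100: Passing message through ClamAV Plugin (c:\mdaemon\queues\temp\md50000000072.tmp)...
Tue 2018-09-11 00:16:02.100: * Scanning skipped: partner@example.org is in exclusion list
"""

# The empty excludes.dat content shown in the first post.
SAMPLE_EXCLUDES = "[EXCLUDE_TO]\n[EXCLUDE_FROM]\n"

LINE = re.compile(r"^\w{3} (\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3}): (.*)$")
SKIP = re.compile(r"^\* Scanning skipped: (\S+) is in exclusion list$")

def parse_excludes(text):
    """Return {section: [patterns]}; one pattern per line is an assumption."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = []
        elif line and current is not None:
            sections[current].append(line.lower())
    return sections

def audit_skips(log_text, excludes):
    """Return (time, address, reloads_so_far, explained) per skipped scan."""
    patterns = [p for plist in excludes.values() for p in plist]
    reloads, findings = 0, []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # banner, separator or blank line
        stamp, event = m.groups()
        if event == "* CAV plugin has reloaded successfully.":
            reloads += 1
        skip = SKIP.match(event)
        if skip:
            addr = skip.group(1).lower()
            # explained=False: no excludes.dat pattern matches this address
            explained = any(fnmatch(addr, p) for p in patterns)
            findings.append((stamp, addr, reloads, explained))
    return findings
```

A finding with `explained` False that still appears after a reload is a message that bypassed scanning because of an exclusion held somewhere other than the ClamAV plugin's own list.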


