While testing, I noticed something else completely bizarre. If I run the
malware test as root and place the test file in /root (i.e. # exim
-bmalware ~/eicar.com.txt) I get the error I mentioned. But if I put the
same file in /tmp then it doesn't error out:

# exim -bmalware /tmp/eicar.com.txt
No malware found.

NO MALWARE? That's the eicar.com test string! ANY virus scanner will
report that as a virus! And clamdscan WILL report it as a virus:

# clamdscan /tmp/eicar.com.txt
/tmp/eicar.com.txt: Eicar-Signature FOUND
----------- SCAN SUMMARY -----------
Infected files: 1
Time: 0.002 sec (0 m 0 s)

So what the HECK is going on?

On 1/19/2021 12:06 AM, Dan Egli via Exim-users wrote:
I was looking at a message that had somehow gotten through my spam
filters to see if I could figure out why, when I discovered a line in
the header that said the message had not been virus scanned by exim.
THAT was a surprise. I have clamd running and the exim.conf points to
it (spamd_address = 127.0.0.1 783), so why on earth is it not
scanning? I looked, and clamd is running correctly. I even grabbed the
EICAR.COM test string and fed it to clamdscan. clamd caught it just
fine. But when I included the string in an email to myself, the
message was delivered.
My next step was to test the file with the -bmalware option. THAT
caused an error (from the panic.log):
2021-01-18 23:52:21.261 dummy-808545818 Could not open datafile for
message dummy-808545818
2021-01-18 23:52:21.261 dummy-808545818 malware acl condition: error
while creating mbox spool file
My first thought is WHAT MBOX FILE? I don't use mbox, I use maildir!
Then I wondered if the permissions on the /var/spool/exim4/scan
directory were wrong. But they look right for Ubuntu 20.04LTS:
drwxr-x--- 2 Debian-exim clamav 4096 Jan 19 00:02 scan
On a whim, I changed the permissions to 777, and I STILL got the
errors about not being able to open the datafile and not being able to
create the mbox file.
I tried looking on Google, and while I found a lot of messages
referring to this same kind of error, nothing looked solved. Maybe my
google-fu isn't strong enough right now, but I'm stumped. Please help!?
Thanks!
--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/