9
SM 14 ClamSup problems and how to fix them (temporarily at least)
Problem reported by Joe Wolf - 6/12/2015 at 9:56 PM
Resolved
I've noticed reduced performance of ClamSup in SM 14 and took a look at the configuration.  One of the major signature providers has changed their update methods and ClamSup is throwing all kinds of errors.  Here's how to fix the problem, but this will only last until you reinstall or update SmarterMail.  I'll work on a more permanent solution later.
 
Locate your SmarterMail/Service/Clam folder and make a backup copy.
 
Navigate to the SmarterMail/Service/Clam/ClamSup folder and edit the ClamSup.ini file.
Locate the following lines in the ClamSup.ini file:
 
# SecuriteInfo honeynet.hdb
http://clamav.securiteinfo.com;honeynet.hdb;N;Y;Y;N;N
# SecuriteInfo securiteinfobat.hdb
http://clamav.securiteinfo.com;securiteinfobat.hdb;N;Y;Y;N;N
# SecuriteInfo securiteinfodos.hdb
http://clamav.securiteinfo.com;securiteinfodos.hdb;N;Y;Y;N;N
# SecuriteInfo securiteinfo.hdb
http://clamav.securiteinfo.com;securiteinfo.hdb;N;Y;Y;N;N
# SecuriteInfo securiteinfohtml.hdb
http://clamav.securiteinfo.com;securiteinfohtml.hdb;N;Y;Y;N;N
# SecuriteInfo securiteinfooffice.hdb
http://clamav.securiteinfo.com;securiteinfooffice.hdb;N;Y;Y;N;N
# SecuriteInfo securiteinfopdf.hdb
http://clamav.securiteinfo.com;securiteinfopdf.hdb;N;Y;Y;N;N
 
Either copy the below lines or edit the existing lines to look like the following (note we're just putting a "-" in front of each download request):
 
# SecuriteInfo honeynet.hdb
-http://clamav.securiteinfo.com;honeynet.hdb;N;Y;Y;N;N
# SecuriteInfo securiteinfobat.hdb
-http://clamav.securiteinfo.com;securiteinfobat.hdb;N;Y;Y;N;N
# SecuriteInfo securiteinfodos.hdb
-http://clamav.securiteinfo.com;securiteinfodos.hdb;N;Y;Y;N;N
# SecuriteInfo securiteinfo.hdb
-http://clamav.securiteinfo.com;securiteinfo.hdb;N;Y;Y;N;N
# SecuriteInfo securiteinfohtml.hdb
-http://clamav.securiteinfo.com;securiteinfohtml.hdb;N;Y;Y;N;N
# SecuriteInfo securiteinfooffice.hdb
-http://clamav.securiteinfo.com;securiteinfooffice.hdb;N;Y;Y;N;N
# SecuriteInfo securiteinfopdf.hdb
-http://clamav.securiteinfo.com;securiteinfopdf.hdb;N;Y;Y;N;N
 
Save the edited ClamSup.ini file.
 
Locate the ClamSup.error file in the same folder and delete that file.  It just contains all the errors from the existing setup.
 
Navigate to the SmarterMail/Service/Clam/Share/clamav folder and DELETE all files that start with "securite" and also delete the SIG_TMP folder.
 
In a web browser go to the following site: https://www.securiteinfo.com/services/improve-detection-rate-of-zero-day-malwares-for-clamav.shtml and hit the Get Started button. Enter a valid email address and follow the steps to get an account (it requires you to receive two email messages).  Once registered (you don't have to give any information other than your email address) you'll be on a page that has tabs like My Account | Setup | Contact Us, etc.  Go to the Setup tab and you'll see a section that says, "Cut and Paste the following lines in your freshclam configuration file (usually /etc/clamav/freshclam.conf)".  Copy all six lines.
 
Navigate to your SmarterMail/Service/Clam/etc folder and edit the freshclam.conf file.  You'll see a line that says "MaxAttempts 3" and insert the six lines we copied in the above paragraph below that line.  Now we need to get rid of one of those lines since we don't want ClamAV doing spam checking so delete the line that ends with "spam_marketing.ndb" (it should be the 4th line you just inserted into the freshclam.conf).  So we now have five new lines inserted in the freshclam.conf and no blank lines... save the freshclam.conf file.
 
Now navigate back to the SmarterMail/Service/Clam/ClamSup folder and double click on the ClamSup.bat file (run it).  It should complete in a few seconds and NO ClamSup.error file should have been created.  If you see a ClamSup.error file then you made a mistake and start over.
 
Now navigate to the SmarterMail/Service/Clam/Share/clamav folder and make sure no files that start with "securite" are present.  If so you made a mistake and start over.  
 
Go into your SmarterMail web admin site and go to Security | Antivirus Administration | ClamAV tab | then hit the Update ClamAV button.  You can then watch the SmarterMail/Service/Clam/Share/clamav folder and watch the files that start with "securite" be created.  Be patient because this may take a few minutes.  If they appear then all is well.
 
This will correct the ClamSup problems (at least until you reinstall or update SmarterMail).
 
 
 
Thanks,
-Joe
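
The file edits from the post above (backup, the "-" prefix in ClamSup.ini, and the cleanup of ClamSup.error, the "securite" files and SIG_TMP), scripted as an added example that is not part of the original post or of ClamSup itself. It assumes you pass the path of your own SmarterMail/Service/Clam folder as -ClamRoot and that SIG_TMP sits inside Share/clamav; the freshclam.conf step stays manual because those lines are specific to your SecuriteInfo account.

```powershell
param(
    # Path to your SmarterMail/Service/Clam folder (assumption: it varies by install).
    [Parameter(Mandatory = $true)][string]$ClamRoot
)
$ErrorActionPreference = 'Stop'

$ini     = Join-Path $ClamRoot 'ClamSup\ClamSup.ini'
$errFile = Join-Path $ClamRoot 'ClamSup\ClamSup.error'
$sigDir  = Join-Path $ClamRoot 'Share\clamav'
$sigTmp  = Join-Path $sigDir 'SIG_TMP'   # assumed location of the SIG_TMP folder

# 1. Backup copy of the whole Clam folder, timestamped so a rerun never overwrites one.
$backup = '{0}.bak-{1}' -f $ClamRoot.TrimEnd('\'), (Get-Date -Format 'yyyyMMdd-HHmmss')
Copy-Item -Path $ClamRoot -Destination $backup -Recurse

# 2. Put "-" in front of each SecuriteInfo download line in ClamSup.ini.
#    Lines that already start with "-" or "#" do not match, so rerunning is harmless.
$pattern = '^http://clamav\.securiteinfo\.com;'
$lines   = @(Get-Content -Path $ini)
$changed = @($lines | Where-Object { $_ -match $pattern }).Count
$lines |
    ForEach-Object { if ($_ -match $pattern) { "-$_" } else { $_ } } |
    Set-Content -Path $ini

# 3. Remove the old error log, the stale SecuriteInfo signature files and SIG_TMP.
if (Test-Path $errFile) { Remove-Item -Path $errFile }
Get-ChildItem -Path $sigDir -Filter 'securite*' -File | Remove-Item
if (Test-Path $sigTmp) { Remove-Item -Path $sigTmp -Recurse -Force }

# 4. Report the resulting state; both counts should be 0 before ClamSup.bat is run.
$active = @(Get-Content -Path $ini | Where-Object { $_ -match $pattern }).Count
$stale  = @(Get-ChildItem -Path $sigDir -Filter 'securite*' -File).Count
"Disabled $changed line(s) in ClamSup.ini"
"Still-active SecuriteInfo lines: $active"
"Remaining securite* files: $stale"
"Backup written to: $backup"
```

Because a SmarterMail reinstall or update restores the original files, the same script can be rerun afterwards; a run that reports 0 disabled lines means ClamSup.ini was already in the edited state.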

24 Replies

0
CCWH Replied
Thanks for the info Joe, great work. That might have just made my decision to delay our v14 upgrades this evening! If this is fixable within the next SM release it might be worth waiting for us!
0
Joe Wolf Replied
This should apply to those users using my original ClamSup users. I wish I at least got some kind of credit for it. Frustrated. I offered to help and was put on HOLD. It's a shame when someone wants to help but is ex-communicated. Tim, I DO NOT UNDERSTAND WHY. CALL ME AND LET'S TALK. There is SO much more that I've already developed that could be used in SmarterMail. My suggestions just get dropped. Is that what you want?????
Thanks, -Joe
1
Joe Wolf Replied
As a side note... the above would apply to anyone running ClamSup on any version of SmarterMail.  The paths may vary, but the files remain the same.
Thanks, -Joe
0
CCWH Replied
I, probably like many others, am surprised to hear you were left out of the ClamSup addition to v14! Especially as it was your initial work...and lots of it that brought ClamSup to all SmarterMail users!
0
SmarterUser Replied
Joe, you just need to release your spam solution.  I'm fairly certain you'll have a lot of customers willing to pay for it.
0
CCWH Replied
Just to add to this - Anyone going through this process - Sign up to Securite BEFORE completing the upgrade/changes or whitelist their email address:  www-data [at] securiteinfo [dot] com
 
I say this as we have our greylisting on all SM servers set to 60 seconds retry....I have now been waiting 30 minutes and their mail server has not retried sending the email.
0
Joe Wolf Replied
I'm not looking for any recognition... just trying to provide solutions to help make SmarterMail a better product. To be honest I did suggest to SmarterTools that they should maintain a repository of the signature files that is updated hourly. That would allow all of us to update more often. They apparently didn't like the idea.
Thanks, -Joe
0
Joe Wolf Replied
I'm not going to charge anyone for such things. This latest issue needs to be resolved by SmarterTools. There are three files that should NOT be removed or overwritten when uninstalling or upgrading SmarterMail. They are specifically clamd.conf, freshclam.conf, and local.cf. These files are where we are supposed to be able to make permanent configuration changes for ClamAV and SpamAssassin. As long as SmarterMail continues to erase those files each time you uninstall or upgrade then it makes the types of things I want to do very difficult. If SmarterTools refuses to cooperate then the solution would be to not use SmarterMail for ClamAV and SpamAssassin and replace it with SpamAssassin In A Box (which is very inexpensive) and you can run ClamAV from inside it instead.
Thanks, -Joe
0
SmarterUser Replied
So how would this solution differ when using SpamAssassin in a Box?
0
Joe Wolf Replied
SmarterMail would not have the ability to overwrite the configuration files.
Thanks, -Joe
0
Webio Replied
Thank you Joe. Regarding other ClamAV issues I had to configure ClamAV as remote service and run it manually and also move configuration files to bin folders because when ClamAV was set as a local service it would not start at all or I saw multiple services being spawned and using 100% CPU. It looks like best solution involving ClamAV is to run it manually as a service separately from SM.
0
Joe Wolf Replied
I can't claim to have every SM configuration. The information is hidden from me and I have no access to anyone at ST. That's why I'm working on an external solution. If a person is not willing to spend $30 - $40 per year (or less) then they're not serious (and I won't make a penny off of it). I don't have the time or patience to educate everyone on every detail... just tell everyone what WILL work no matter what. We will end the debate on "what is spam", etc. and move forward with a common goal. Our job is to deliver valid email, our secondary job is to block as much spam as possible and do our best effort to block viruses and malware. It is NOT our job to educate the rest of the world on blocking a mal-configured server or block ANY message (other than viruses and malware) without letting either the sender or recipient know of the disposition of EVERY message. It is irresponsible for us to DELETE any message (unless it's a virus, malware, etc.) based on our arbitrary definition of spam. Sorry to unload on you, but there's so much BS floating around it makes me sick. -Joe
Thanks, -Joe
0
Webio Replied
Actually I'm not expecting from you to have all the answers. I just wanted to thank you for your solution because as far as I can see securiteinfo is quite good addition to ClamAV and it's great that you've pointed direction how to use it.
0
Joe Burkhead Replied
Joe, thank You! It is due to the efforts of people like you that I have hopes of finally whipping the spam issue. Your willingness to share your knowledge and efforts for the good of others is commendable! I am ready, willing, and anxious to implement your new solution as soon as you are ready to release it.
0
Hemen Shah Replied
Hi Joe,
 
Yesterday I upgraded to SM14 and waited a while for all signatures to be updated, and no Clam error file was generated. Today I am seeing what you have described:
 
Date: Mon 06/15/2015 
Time:  4:52:28.44 
 ERROR: A error occured while updating securiteinfopdf.hdb [empty file]. Please check your C:\PROGRA~2\SMARTE~1\SMARTE~1\Service\Clam\ClamSup\ClamSup.ini settings!
 
So I need to follow the steps you have suggested. Is there anything else to be done apart from adding "-" to the hdb's?
 
Thanks once again for all your proactive efforts and education.
 
Cheers.
0
Steve Reid Replied
I tried a few email addresses and it says they are all blacklisted. I can't seem to signup.
0
Webio Replied
On my end I was getting blacklisted error but after pressing F5 it worked. The same situation I had with using contact form (F5 sent message from contact form)
0
Steve Reid Replied
I just tried that from Firefox and it still didn't work. I tried again from IE and got the same blacklisted message, however this time F5 worked! Thanks!!
0
Steve Reid Replied
Gee Wiz that site is buggy, even to login I had to use the F5 trick
0
Steve Reid Replied
Joe I was comparing the ClamSup.ini file to the one from your distro and they seem the same.
 
What other tests do you recommend that are not running by default in SM?
0
Joe Wolf Replied
Right now I can't say. I'm re-evaluating the overall situation and trying to verify the best signatures possible.
Thanks, -Joe
0
Matt Petty Replied
Employee Post
This will be fixed in the next minor (very soon).
Matt Petty Senior Software Developer SmarterTools Inc. www.smartertools.com
0
Webio Replied
Hello Joe,
 
I just wanted to thank you for pointing this solution. IMHO it works great (I'm using paid version). Here you have stats from one of my gateways:
 
Day | Avg. Active Connections | Connections | Failed Connections
8/16/2015 | - | 67002 | 110
8/17/2015 | - | 88767 | 87
8/18/2015 | - | 93291 | 123
8/19/2015 | - | 97045 | 68
8/20/2015 | - | 87032 | 136
8/21/2015 | - | 80421 | 46
8/22/2015 | - | 21628 | 129
 
Day Viruses
8/16/2015 51934
8/17/2015 47531
8/18/2015 49616
8/19/2015 48224
8/20/2015 42536
8/21/2015 40299
8/22/2015 15961
 
I have similar stats from other two of my gateways. Too bad we can't select how Virus in SmarterMail should be handled because I'm interested how disabled marketing DB (spam_marketing.ndb) would perform.
 
Thanks
 
EDIT: I'm using standalone ClamAV instance installed on the same Windows system as SmarterMail gateways. I've decided to do that to have better control over ClamAV process and its updating (I'm using system Scheduled Tasks).
0
J Lee Replied
Hi Joe
 
I have this set up correctly I believe. I see virus listings in the reports but nothing in the C:Quarantine folder. If the folder is empty does that mean something is not working?
 
Thank You for your time.
 
J. Sebastian Lee Service2Client LLC 6333 E Mockingbird Ste 147 Dallas, TX 75214 - 877.251.3273
