Incoming email (with attachment) going to Holding Q (MD v21.5.3) | MDaemon Technologies, Ltd.

Incoming email (with attachment) going to Holding Q (MD v21.5.3)


  • Hi there,

    Would like to know why certain incoming email with attachment going to HOLDING Q? After checking inside anti-virus log, I can see error scanning for the attachment file.

    Wed 2023-05-24 10:01:51.085: MDaemon AntiVirus processing d:\mdaemon\localq\md5001016172766.msg...
    Wed 2023-05-24 10:01:51.085: * Message return-path: academy@mef.org.my
    Wed 2023-05-24 10:01:51.085: * Message from: academy@mef.org.my
    Wed 2023-05-24 10:01:51.085: * Message to: c****n@*****.com
    Wed 2023-05-24 10:01:51.085: * Message subject: Upcoming events: HRDC CERTIFIED TRAIN THE TRAINER; EXCELLENT CLERICAL SKILLS FOR ORGANISATIONAL SUCCESS; OCCUPATIONAL SAFETY & HEALTH COORDINATOR TRAINED PERSON
    Wed 2023-05-24 10:01:51.085: * Message ID: <186084821925681164511279@ACADEMY16>
    Wed 2023-05-24 10:01:51.085: Start MDaemon AntiVirus results 
    Wed 2023-05-24 10:01:51.093: * IKARUS AV: clean  (0.00811 s) D:\MDAEMON\CFilter\TEMP\1269827204\pd278241192.hdr
    Wed 2023-05-24 10:01:51.116: * ClamAV: clean  (0.02329 s) D:\MDAEMON\CFilter\TEMP\1269827204\pd278241192.hdr
    Wed 2023-05-24 10:01:51.118: * IKARUS AV: clean  (0.00130 s) D:\MDAEMON\CFilter\WORK\2381621016\pd623716350.txt
    Wed 2023-05-24 10:01:51.143: * ClamAV: clean  (0.02512 s) D:\MDAEMON\CFilter\WORK\2381621016\pd623716350.txt
    Wed 2023-05-24 10:01:51.144: * IKARUS AV: clean  (0.00100 s) D:\MDAEMON\CFilter\TEMP\1269827204\pd423117816.att
    Wed 2023-05-24 10:01:51.146: * ClamAV: clean  (0.00203 s) D:\MDAEMON\CFilter\TEMP\1269827204\pd423117816.att
    Wed 2023-05-24 10:01:51.167: * IKARUS AV: non-scan  (0.02080 s) D:\MDAEMON\CFilter\TEMP\1269827204\pd2099411999.att
    Wed 2023-05-24 10:01:51.167: * (IKARUS AV) Brochure - OSH Trained Person 6-8 June 2023_.pdf could not be scanned - 
    Wed 2023-05-24 10:01:51.169: * ClamAV: error  (0.00200 s) D:\MDAEMON\CFilter\TEMP\1269827204\pd2099411999.att
    Wed 2023-05-24 10:01:51.169: * Error: unexpected error while doing virus scan! Brochure - OSH Trained Person 6-8 June 2023_.pdf
    Wed 2023-05-24 10:01:51.169: * clamd-error
    Wed 2023-05-24 10:01:51.172: * IKARUS AV: clean  (0.00303 s) D:\MDAEMON\CFilter\TEMP\1269827204\pd1719212828.att
    Wed 2023-05-24 10:01:51.177: * ClamAV: clean  (0.00434 s) D:\MDAEMON\CFilter\TEMP\1269827204\pd1719212828.att
    Wed 2023-05-24 10:01:51.178: * IKARUS AV: clean  (0.00115 s) D:\MDAEMON\CFilter\TEMP\1269827204\pd729918293.att
    Wed 2023-05-24 10:01:51.180: * ClamAV: clean  (0.00229 s) D:\MDAEMON\CFilter\TEMP\1269827204\pd729918293.att
    Wed 2023-05-24 10:01:51.180: * Total attachments scanned    : 5 (including multipart/alternatives and message body)
    Wed 2023-05-24 10:01:51.180: * Total attachments infected   : 0
    Wed 2023-05-24 10:01:51.180: * Total attachments disinfected: 0
    Wed 2023-05-24 10:01:51.180: * Total errors while scanning  : 1
    Wed 2023-05-24 10:01:51.180: * Total attachments removed    : 0
    Wed 2023-05-24 10:01:51.324: End of MDaemon AntiVirus results
    Wed 2023-05-24 10:01:51.324: ----------

     



  • From the MDaemon PC GUI "Help" file:

     

    -- Begin paste -----------------------------------------------------------------

    Queues > Mail Queues > Holding Queue


    The Holding Queue, located under Queues > Mail Queues can be used to receive messages that cause software exceptions during AntiVirus, AntiSpam, or Content Filter processing. If a software error occurs when processing a message it will be moved into the holding queue and not delivered.

    Messages placed into the holding queue will stay there until the administrator takes some action to remove them. There is a Process Holding Queue button on MDaemon's toolbar and an identical option on the Queues menu bar. You can also process the messages by right-clicking the holding queue on the main interface and then selecting "Re-Queue" from the right-click menu. Processing the holding queue will move all of its messages into either the remote or local queues for normal mail processing. If the error that caused a message to be placed into the holding queue still exists then that message will be placed back into the holding queue when the error reoccurs. If you want to attempt to deliver the holding queue's messages regardless of any error which might occur, then you can do so by right-clicking the holding queue on the main interface and then selecting "Release" from the right-click menu. When releasing messages from the holding queue a confirmation box will open to remind you that the messages could contain viruses or otherwise not be able to filter properly through the Content Filter, AntiSpam and/or AntiVirus engines.

    -- End paste -------------------------------------------------------------------

     

    Following is the log snippet that you provided. Not the emboldened text in red:


    -- Begin paste -----------------------------------------------------------------

    Wed 2023-05-24 10:01:51.085: MDaemon AntiVirus processing d:\mdaemon\localq\md5001016172766.msg...
    Wed 2023-05-24 10:01:51.085: * Message return-path: academy@mef.org.my
    Wed 2023-05-24 10:01:51.085: * Message from: academy@mef.org.my
    Wed 2023-05-24 10:01:51.085: * Message to: c****n@*****.com
    Wed 2023-05-24 10:01:51.085: * Message subject: Upcoming events: HRDC CERTIFIED TRAIN THE TRAINER; EXCELLENT CLERICAL SKILLS FOR ORGANISATIONAL SUCCESS; OCCUPATIONAL SAFETY & HEALTH COORDINATOR TRAINED PERSON
    Wed 2023-05-24 10:01:51.085: * Message ID: <186084821925681164511279@ACADEMY16>
    Wed 2023-05-24 10:01:51.085: Start MDaemon AntiVirus results 
    Wed 2023-05-24 10:01:51.093: * IKARUS AV: clean  (0.00811 s) D:\MDAEMON\CFilter\TEMP\1269827204\pd278241192.hdr
    Wed 2023-05-24 10:01:51.116: * ClamAV: clean  (0.02329 s) D:\MDAEMON\CFilter\TEMP\1269827204\pd278241192.hdr
    Wed 2023-05-24 10:01:51.118: * IKARUS AV: clean  (0.00130 s) D:\MDAEMON\CFilter\WORK\2381621016\pd623716350.txt
    Wed 2023-05-24 10:01:51.143: * ClamAV: clean  (0.02512 s) D:\MDAEMON\CFilter\WORK\2381621016\pd623716350.txt
    Wed 2023-05-24 10:01:51.144: * IKARUS AV: clean  (0.00100 s) D:\MDAEMON\CFilter\TEMP\1269827204\pd423117816.att
    Wed 2023-05-24 10:01:51.146: * ClamAV: clean  (0.00203 s) D:\MDAEMON\CFilter\TEMP\1269827204\pd423117816.att
    Wed 2023-05-24 10:01:51.167: * IKARUS AV: non-scan  (0.02080 s) D:\MDAEMON\CFilter\TEMP\1269827204\pd2099411999.att
    Wed 2023-05-24 10:01:51.167: * (IKARUS AV) Brochure - OSH Trained Person 6-8 June 2023_.pdf could not be scanned - 
    Wed 2023-05-24 10:01:51.169: * ClamAV: error  (0.00200 s) D:\MDAEMON\CFilter\TEMP\1269827204\pd2099411999.att
    Wed 2023-05-24 10:01:51.169: * Error: unexpected error while doing virus scan! Brochure - OSH Trained Person 6-8 June 2023_.pdf
    Wed 2023-05-24 10:01:51.169: * clamd-error
    Wed 2023-05-24 10:01:51.172: * IKARUS AV: clean  (0.00303 s) D:\MDAEMON\CFilter\TEMP\1269827204\pd1719212828.att
    Wed 2023-05-24 10:01:51.177: * ClamAV: clean  (0.00434 s) D:\MDAEMON\CFilter\TEMP\1269827204\pd1719212828.att
    Wed 2023-05-24 10:01:51.178: * IKARUS AV: clean  (0.00115 s) D:\MDAEMON\CFilter\TEMP\1269827204\pd729918293.att
    Wed 2023-05-24 10:01:51.180: * ClamAV: clean  (0.00229 s) D:\MDAEMON\CFilter\TEMP\1269827204\pd729918293.att
    Wed 2023-05-24 10:01:51.180: * Total attachments scanned    : 5 (including multipart/alternatives and message body)
    Wed 2023-05-24 10:01:51.180: * Total attachments infected   : 0
    Wed 2023-05-24 10:01:51.180: * Total attachments disinfected: 0
    Wed 2023-05-24 10:01:51.180: * Total errors while scanning  : 1
    Wed 2023-05-24 10:01:51.180: * Total attachments removed    : 0
    Wed 2023-05-24 10:01:51.324: End of MDaemon AntiVirus results
    Wed 2023-05-24 10:01:51.324: ----------

    -- End paste -------------------------------------------------------------------


    You experienced a software error during MDaemon AntiVirus processing (specifically, the ClamAV Antivirus engine reported an error), so the message was moved to your MDaemon "Holding" queue.

    An email message being processed by MDaemon would also be moved to your "Holding" queue if there were a problem with your MDmaeon "SpamAssasin" processing of that email message, or if there were a problem with the MDaemon "content filter" processing of that email message.

     


  • Hi there,

    The reason it was sent to HOLDING Q is clear to me. My question is why the virus scanner is unable to scan a normal PDF file and causes an error? Due to so many emails being sent to HOLDING Q, I have had to disable anti-virus functions.


  • Is the PDF password protected? 

    What does the scanserver.log file in the \MDaemon\SecurityPlus\Ikarus\scan.server\log\scan\ directory show when the file was scanned?

    What does the clamd log show when the message was scanned by ClamAV?


  • Hi there,

    Attachment file (PDF) is not password protected and I am unable to view the Ikarus log file because it only contains the current and previous day inside the log.


  • Can you send me a copy of the PDF?  

    You can send it to arron.caruth@mdaemon.com.


  • Hi there,

    Already send the attachement to your email.


  • So far I have been unable to reproduce the issue.  

    Are you using the 32 or 64 bit version of MDaemon?

    What is the version of C:\MDaemon\SecurityPlus\Ikarus\scan.server\bin\scanserver_w64.exe?  If you are running the 32 bit version it will just be scanserver.exe.

    What is the version of C:\MDaemon\SecurityPlus\Ikarus\scan.server\ikarust3\t3_w64.dll?

    Can you send me a copy of your C:\MDaemon\SecurityPlus\ClamAVPlugin\conf\clamd.conf  and C:\MDaemon\SecurityPlus\Ikarus\scan.server\conf\scanserver.json files?

     


  • Hi,

    64 bit


  • I'm not seeing anything wrong with the versions of the Ikarus files or the config files for either AV engine.  If you process the message again through MDaemon, does it scan correctly?

    Make sure ClamAV logging is enabled before having MDaemon reprocess the message.  You can do this by going to Security / AntiVirus, click the configure button next to "Use the ClamAV engine to scan messages" and check the box to log clamd activity.

    When sending the message, you can edit the file and change the X-MDaemon-Deliver-To: value to be your account or a test account so that the users don't get confused about receiving a duplicate copy.  Then rename the file to md500000000123.msg and place it in the local queue.  MDaemon should reprocess and redeliver the message.  

    If there are errors during the AV scanning, please send me all of the Ikarus logs from the C:\MDaemon\SecurityPlus\Ikarus\scan.server\log directory and the ClamD log that is created in the MDaemon\Logs directory.

     


  • Hi Arron,

    Thank you for your feedback. Currently we enable back our Anti-Virus function, but disable ClamAV scanning function. So far we have not experienced the same problem.

     


  • If you have an issue again, please get a copy of the scanserver log from the \MDaemon\SecurityPlus\Ikarus\scan.server\log\scan directory as soon as you notice the issue.  This will show us the actual response from the scanning engine.


Please login to reply this topic!