Articles in this section

See more

Emails with valid archived files in attachement are blocked by `drwebd` service

Avatar
Mikhail Shport
Updated
Follow
Plesk for Linux kb: technical ABT: Group A

Applicable to:

  • Plesk for Linux

Symptoms

  • Emails with valid archived files in attachments are blocked by drwebd service.

  • A similar message can be found in the antivirus report and in the sender's mailbox:

    CONFIG_TEXT: --- Antivirus report ---
    Detailed report:
    127.0.0.1 [26365] drweb.tmp.g2tuDx - archive MAIL
    127.0.0.1 [26365] >drweb.tmp.g2tuDx/4.part - Ok
    127.0.0.1 [26365] >drweb.tmp.g2tuDx/6.part - archive RAR
    127.0.0.1 [26365] >>drweb.tmp.g2tuDx/6.part/16-12-2015 Acc+Green\acc hrms bk 16-12-2015.bak - Ok
    127.0.0.1 [26365] >>drweb.tmp.g2tuDx/6.part/16-12-2015 Acc+Green\erp 16-12-2015.bak - Ok
    127.0.0.1 [26365] >>drweb.tmp.g2tuDx/6.part/16-12-2015 Acc+Green\Hrms-Green 16-12-2015.bak - Ok
    127.0.0.1 [26365] >drweb.tmp.g2tuDx/6.part - Ok
    127.0.0.1 [26365] >drweb.tmp.g2tuDx/7.part - archive RAR
    127.0.0.1 [26365] >>drweb.tmp.g2tuDx/7.part/16-12-2015 Meps\16-12-2015ece.bak - Ok
    127.0.0.1 [26365] >>drweb.tmp.g2tuDx/7.part/16-12-2015 Meps\16-12-2015erp.bak - Ok
    127.0.0.1 [26365] >>drweb.tmp.g2tuDx/7.part/16-12-2015 Meps\16-12-2015hrms.bak - file too large skipped
    127.0.0.1 [26365] >>drweb.tmp.g2tuDx/7.part/16-12-2015 Meps\16-12-2015ies.bak - Ok
    127.0.0.1 [26365] >drweb.tmp.g2tuDx/7.part - Ok
    127.0.0.1 [26365] >drweb.tmp.g2tuDx/8.part - Ok
    127.0.0.1 [26365] >drweb.tmp.g2tuDx/9.reexport - Ok
    127.0.0.1 [26365] drweb.tmp.g2tuDx - Ok

    Scanning statistic:
    Archive restriction : 1

  • The Switch on antivirus protection for this email address option is enabled and Check for viruses is set to Incoming and outgoing mail in Domains > example.com > Email Addresses > user@example.com > Antivirus.

  • A similar error is present in /var/log/messages:

    CONFIG_TEXT: drwebd.real: 127.0.0.1 [18812] >>>/var/spool/drweb/spool/drweb.tmp.qFHUZK/4.part/file.exe - - timeout!

Cause

The issue caused by insufficient values of MaxFileSizeToExtract and FileTimeout parameters of Plesk Premium Antivirus package.

Resolution

  • Increase maximum archive sizes and timeouts:

    Note: Too high values might cause Denial of Service (DoS) attacks possible by consuming too much server resources.

    1. Connect to the server via SSH

    2. Edit file /etc/drweb/drweb_handler.conf by setting ArchiveRestriction as follows:

      CONFIG_TEXT: ArchiveRestriction = pass

    3. Edit file /etc/drweb/drweb32.ini and increase the value for the parameters FileTimeout and MaxFileSizeToExtract:

      CONFIG_TEXT: FileTimeout = 60
      MaxFileSizeToExtract = 100000

      Note: Value of the MaxFileSizeToExtract variable can be changed as desired

    4. Restart Plesk Premium Antivirus in Tools & Settings > Services Management to apply changes.

  • Disable antivirus notifications completely:

    1. Connect to the server via SSH

    2. Edit file /etc/drweb/drweb_handler.conf and disable SenderNotify and AdminNotify for ArchiveRestrictionNotifications:

      CONFIG_TEXT: [ArchiveRestrictionNotifications]
      SenderNotify = no
      AdminNotify = no

    3. Restart Plesk Premium Antivirus and SMTP Server in Tools & Settings > Services Management to apply changes.

Comments

0 comments

Please sign in to leave a comment.

Have more questions? Submit a request

Related articles