Emails with valid archived files in attachments are blocked by the `drwebd` service

Applicable to:

  • Plesk for Linux

Symptoms

  • Emails with valid archived files in attachments are blocked by the drwebd service:

    A message with the following attributes was not delivered because it contains an object which violates archive restrictions and cannot be checked by antivirus filter.
    Relaying such messages is blocked by administrator.

  • A similar message can be found in the antivirus report and in the sender's mailbox:

    --- Antivirus report ---
    Detailed report:
    127.0.0.1 [26365] drweb.tmp.g2tuDx - archive MAIL
    127.0.0.1 [26365] >drweb.tmp.g2tuDx/4.part - Ok
    127.0.0.1 [26365] >drweb.tmp.g2tuDx/6.part - archive RAR
    127.0.0.1 [26365] >>drweb.tmp.g2tuDx/6.part/16-12-2015 Acc+Green\acc hrms bk 16-12-2015.bak - Ok
    127.0.0.1 [26365] >>drweb.tmp.g2tuDx/6.part/16-12-2015 Acc+Green\erp 16-12-2015.bak - Ok
    127.0.0.1 [26365] >>drweb.tmp.g2tuDx/6.part/16-12-2015 Acc+Green\Hrms-Green 16-12-2015.bak - Ok
    127.0.0.1 [26365] >drweb.tmp.g2tuDx/6.part - Ok
    127.0.0.1 [26365] >drweb.tmp.g2tuDx/7.part - archive RAR
    127.0.0.1 [26365] >>drweb.tmp.g2tuDx/7.part/16-12-2015 Meps\16-12-2015ece.bak - Ok
    127.0.0.1 [26365] >>drweb.tmp.g2tuDx/7.part/16-12-2015 Meps\16-12-2015erp.bak - Ok
    127.0.0.1 [26365] >>drweb.tmp.g2tuDx/7.part/16-12-2015 Meps\16-12-2015hrms.bak - file too large skipped
    127.0.0.1 [26365] >>drweb.tmp.g2tuDx/7.part/16-12-2015 Meps\16-12-2015ies.bak - Ok
    127.0.0.1 [26365] >drweb.tmp.g2tuDx/7.part - Ok
    127.0.0.1 [26365] >drweb.tmp.g2tuDx/8.part - Ok
    127.0.0.1 [26365] >drweb.tmp.g2tuDx/9.reexport - Ok
    127.0.0.1 [26365] drweb.tmp.g2tuDx - Ok

    Scanning statistic:
    Archive restriction : 1

  • The "Switch on antivirus protection for this email address" option is enabled and "Check for viruses" is set to "Incoming and outgoing mail" in Domains > example.com > Email Addresses > user@example.com > Antivirus.

  • A similar error is present in /var/log/messages:

    drwebd.real: 127.0.0.1 [18812] >>>/var/spool/drweb/spool/drweb.tmp.qFHUZK/4.part/file.exe - - timeout!

Cause

The issue is caused by insufficient values of the MaxFileSizeToExtract and FileTimeout parameters of the Plesk Premium Antivirus package.
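Before raising limits, it helps to know which attachment member the scanner gave up on and why. The following is an added example, not part of the original article or of Plesk/Dr.Web tooling: it parses report and syslog lines in the shape shown under Symptoms and lists the objects that were not scanned. The function name `unscanned` and the status-to-parameter mapping are assumptions inferred from the excerpts on this page.

```python
import re

# Line shape taken from the samples on this page:
#   <client> [<pid>] <one '>' per nesting level><path> - <status>
ENTRY = re.compile(r"(\S+) \[(\d+)\] (>*)(.+)$")

# Assumed mapping from the two failure statuses shown on this page to the
# drweb32.ini parameter that most plausibly governs each of them.
HINTS = {
    "file too large skipped": "MaxFileSizeToExtract",
    "timeout!": "FileTimeout",
}

def unscanned(lines):
    """Return (depth, path, status, parameter) for objects the scanner gave up on."""
    found = []
    for line in lines:
        m = ENTRY.search(line)               # search() skips syslog prefixes
        if not m:
            continue                         # headers, blank lines, statistics
        depth, rest = len(m.group(3)), m.group(4)
        head, sep, status = rest.rpartition(" - ")
        if not sep:
            continue
        path = re.sub(r"( -)+$", "", head)   # syslog form is "<path> - - timeout!"
        status = status.strip()
        if status == "Ok" or status.startswith("archive "):
            continue                         # scanned, or a container being opened
        found.append((depth, path, status, HINTS.get(status, "unknown")))
    return found

# Constructed sample: lines copied from the report and syslog excerpts on this page.
SAMPLE = r"""
--- Antivirus report ---
127.0.0.1 [26365] drweb.tmp.g2tuDx - archive MAIL
127.0.0.1 [26365] >drweb.tmp.g2tuDx/7.part - archive RAR
127.0.0.1 [26365] >>drweb.tmp.g2tuDx/7.part/16-12-2015 Meps\16-12-2015erp.bak - Ok
127.0.0.1 [26365] >>drweb.tmp.g2tuDx/7.part/16-12-2015 Meps\16-12-2015hrms.bak - file too large skipped
drwebd.real: 127.0.0.1 [18812] >>>/var/spool/drweb/spool/drweb.tmp.qFHUZK/4.part/file.exe - - timeout!
Archive restriction : 1
""".splitlines()

if __name__ == "__main__":
    for depth, path, status, param in unscanned(SAMPLE):
        print(f"depth={depth} {path!r}: {status} -> review {param}")
```

Any status other than `Ok` or `archive <type>` is reported as-is, so statuses not shown on this page surface with the parameter listed as `unknown`.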

Resolution

  • Increase maximum archive sizes and timeouts:

    Note: Values that are too high might make Denial of Service (DoS) attacks possible, because scanning can then consume too much of the server's resources.

    1. Connect to the server via SSH

    2. Edit file /etc/drweb/drweb_handler.conf by setting ArchiveRestriction as follows:

      ArchiveRestriction = pass

    3. Edit file /etc/drweb/drweb32.ini and increase the value for the parameters FileTimeout and MaxFileSizeToExtract:

      FileTimeout = 60
      MaxFileSizeToExtract = 100000

      Note: The value of the MaxFileSizeToExtract parameter can be changed as desired.

    4. Restart Plesk Premium Antivirus in Tools & Settings > Services Management to apply changes.

 

  • Disable antivirus notifications completely:

    1. Connect to the server via SSH

    2. Edit file /etc/drweb/drweb_handler.conf and disable SenderNotify and AdminNotify for ArchiveRestrictionNotifications:

      [ArchiveRestrictionNotifications]
      SenderNotify = no
      AdminNotify = no

    3. Restart Plesk Premium Antivirus and SMTP Server in Tools & Settings > Services Management to apply changes.
