Emails with valid archived files in attachment are blocked by `drwebd` service

Created: 2016-11-16 12:41:25 UTC

Modified: 2017-08-16 16:31:37 UTC


Applicable to:

  • Plesk 12.5 for Linux
  • Plesk 11.x for Linux
  • Plesk 12.0 for Linux

Symptoms

Emails with valid archived files in attachment are blocked by the `drwebd` service:

  1. The following message appears in the antivirus report:

    --- Antivirus report ---
    Detailed report:
    127.0.0.1 [26365] drweb.tmp.g2tuDx - archive MAIL
    127.0.0.1 [26365] >drweb.tmp.g2tuDx/4.part - Ok
    127.0.0.1 [26365] >drweb.tmp.g2tuDx/6.part - archive RAR
    127.0.0.1 [26365] >>drweb.tmp.g2tuDx/6.part/16-12-2015 Acc+Green\\acc hrms bk 16-12-2015.bak - Ok
    127.0.0.1 [26365] >>drweb.tmp.g2tuDx/6.part/16-12-2015 Acc+Green\\erp 16-12-2015.bak - Ok
    127.0.0.1 [26365] >>drweb.tmp.g2tuDx/6.part/16-12-2015 Acc+Green\\Hrms-Green 16-12-2015.bak - Ok
    127.0.0.1 [26365] >drweb.tmp.g2tuDx/6.part - Ok
    127.0.0.1 [26365] >drweb.tmp.g2tuDx/7.part - archive RAR
    127.0.0.1 [26365] >>drweb.tmp.g2tuDx/7.part/16-12-2015 Meps\\16-12-2015ece.bak - Ok
    127.0.0.1 [26365] >>drweb.tmp.g2tuDx/7.part/16-12-2015 Meps\\16-12-2015erp.bak - Ok
    127.0.0.1 [26365] >>drweb.tmp.g2tuDx/7.part/16-12-2015 Meps\\16-12-2015hrms.bak - file too large skipped
    127.0.0.1 [26365] >>drweb.tmp.g2tuDx/7.part/16-12-2015 Meps\\16-12-2015ies.bak - Ok
    127.0.0.1 [26365] >drweb.tmp.g2tuDx/7.part - Ok
    127.0.0.1 [26365] >drweb.tmp.g2tuDx/8.part - Ok
    127.0.0.1 [26365] >drweb.tmp.g2tuDx/9.reexport - Ok
    127.0.0.1 [26365] drweb.tmp.g2tuDx - Ok

    Scanning statistic:
    Archive restriction : 1

  2. The following error appears in /var/log/messages:

    Dec 27 07:18:22 centos drwebd.real: 127.0.0.1 [18812] >>>/var/spool/drweb/spool/drweb.tmp.qFHUZK/4.part/file.exe -  - timeout!

Cause

The issue is caused by insufficient values of the MaxFileSizeToExtract and FileTimeout parameters of the Premium Antivirus package.
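To see which of the two limits a given message hit, the report and syslog lines can be triaged by their trailing status. The script below is an added example, not part of the original article or of Dr.Web; the function name `triage` and the mapping from status text to parameter are assumptions based on the Symptoms and Cause sections, and the sample is built from lines shown above.

```python
import re

# Status text at the end of a scan line -> parameter to review.
# Assumption: this mapping is the example's reading of the Cause section.
LIMIT_MARKERS = {
    "file too large skipped": "MaxFileSizeToExtract",
    "timeout!": "FileTimeout",
}
ENTRY_RE = re.compile(r"\[(\d+)\]\s+(>*)(.+)")
STAT_RE = re.compile(r"Archive restriction\s*:\s*(\d+)")


def triage(text):
    """Return (findings, restricted) for a drwebd report or syslog excerpt.

    findings: (parameter, nesting_depth, path) for each object not fully scanned.
    restricted: value of the 'Archive restriction' counter, 0 if absent.
    """
    findings, restricted = [], 0
    for line in text.splitlines():
        stat = STAT_RE.search(line)
        if stat:
            restricted = int(stat.group(1))
            continue
        # The status follows the last " - "; paths may contain "-" and spaces.
        head, sep, status = line.rpartition(" - ")
        param = LIMIT_MARKERS.get(status.strip())
        if not sep or param is None:
            continue
        entry = ENTRY_RE.search(head)
        if entry:
            # Leading ">" characters give the nesting depth inside the message.
            findings.append((param, len(entry.group(2)), entry.group(3).rstrip(" -")))
    return findings, restricted


# Constructed sample: lines copied from the Symptoms section above.
SAMPLE = r"""127.0.0.1 [26365] >drweb.tmp.g2tuDx/7.part - archive RAR
127.0.0.1 [26365] >>drweb.tmp.g2tuDx/7.part/16-12-2015 Meps\\16-12-2015erp.bak - Ok
127.0.0.1 [26365] >>drweb.tmp.g2tuDx/7.part/16-12-2015 Meps\\16-12-2015hrms.bak - file too large skipped
127.0.0.1 [26365] >drweb.tmp.g2tuDx/7.part - Ok
Archive restriction : 1
Dec 27 07:18:22 centos drwebd.real: 127.0.0.1 [18812] >>>/var/spool/drweb/spool/drweb.tmp.qFHUZK/4.part/file.exe -  - timeout!
"""

if __name__ == "__main__":
    found, restricted = triage(SAMPLE)
    print("Archive restriction counter:", restricted)
    for param, depth, path in found:
        print(f"{param}: depth {depth}: {path}")
```

Each finding is an object the scanner skipped or gave up on, so the same list shows which attachments went uninspected when reviewing the effect of the `ArchiveRestriction = pass` setting from the Resolution section.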

Resolution

  1. Set ArchiveRestriction and MaxFileSizeToExtract as follows:

    # grep ArchiveRestriction /etc/drweb/drweb_handler.conf
    ArchiveRestriction = pass

    # grep -ir --color MaxFileSizeToExtract /etc/drweb/drweb32.ini
    MaxFileSizeToExtract = 100000

  2. Increase the value of the FileTimeout parameter to 45-60 in the /etc/drweb/drweb32.ini configuration file:

    # grep FileTimeout /etc/drweb/drweb32.ini
    FileTimeout = 60

Restart the Odin Premium Antivirus service in Home > Tools & Settings > Services to apply the changes.

Additionally, it is possible to disable notification sending completely. In the /etc/drweb/drweb_handler.conf file, in the [ArchiveRestrictionNotifications] subsection of the Notifications section, set the SenderNotify and AdminNotify parameters as follows:

`SenderNotify = no`

`AdminNotify = no`

After that, restart the Odin Premium Antivirus and mail services.