Knowledge Base

Emails with valid archived files in attachement are blocked by `drwebd` service

 
antivirusdomainsemailmailmailbox

Symptoms

  • Emails with valid archived files in attachments are blocked by drwebd service:

    A message with the following attributes was not delivered because it contains an object which violates archive restrictions and cannot be checked by antivirus filter.
    Relaying such messages is blocked by administrator.

  • A similar message can be found in the antivirus report and in the sender's mailbox:

    --- Antivirus report ---
    Detailed report:
    127.0.0.1 [26365] drweb.tmp.g2tuDx - archive MAIL
    127.0.0.1 [26365] >drweb.tmp.g2tuDx/4.part - Ok
    127.0.0.1 [26365] >drweb.tmp.g2tuDx/6.part - archive RAR
    127.0.0.1 [26365] >>drweb.tmp.g2tuDx/6.part/16-12-2015 Acc+Greenacc hrms bk 16-12-2015.bak - Ok
    127.0.0.1 [26365] >>drweb.tmp.g2tuDx/6.part/16-12-2015 Acc+Greenerp 16-12-2015.bak - Ok
    127.0.0.1 [26365] >>drweb.tmp.g2tuDx/6.part/16-12-2015 Acc+GreenHrms-Green 16-12-2015.bak - Ok
    127.0.0.1 [26365] >drweb.tmp.g2tuDx/6.part - Ok
    127.0.0.1 [26365] >drweb.tmp.g2tuDx/7.part - archive RAR
    127.0.0.1 [26365] >>drweb.tmp.g2tuDx/7.part/16-12-2015 Meps16-12-2015ece.bak - Ok
    127.0.0.1 [26365] >>drweb.tmp.g2tuDx/7.part/16-12-2015 Meps16-12-2015erp.bak - Ok
    127.0.0.1 [26365] >>drweb.tmp.g2tuDx/7.part/16-12-2015 Meps16-12-2015hrms.bak - file too large skipped
    127.0.0.1 [26365] >>drweb.tmp.g2tuDx/7.part/16-12-2015 Meps16-12-2015ies.bak - Ok
    127.0.0.1 [26365] >drweb.tmp.g2tuDx/7.part - Ok
    127.0.0.1 [26365] >drweb.tmp.g2tuDx/8.part - Ok
    127.0.0.1 [26365] >drweb.tmp.g2tuDx/9.reexport - Ok
    127.0.0.1 [26365] drweb.tmp.g2tuDx - Ok

    Scanning statistic:
    Archive restriction : 1

  • The Switch on antivirus protection for this email address option is enabled and Check for viruses is set to Incoming and outgoing mail in Domains > example.com > Email Addresses > [email protected] > Antivirus.

  • A similar error is present in /var/log/messages:

    drwebd.real: 127.0.0.1 [18812] >>>/var/spool/drweb/spool/drweb.tmp.qFHUZK/4.part/file.exe - - timeout!

Cause

The issue caused by insufficient values of MaxFileSizeToExtract and FileTimeout parameters of Plesk Premium Antivirus package.

Resolution

  • Increase maximum archive sizes and timeouts:

    Note: Too high values might cause Denial of Service (DoS) attacks possible by consuming too much server resources.

    1. Connect to the server via SSH

    2. Edit file /etc/drweb/drweb_handler.conf by setting ArchiveRestriction as follows:

      ArchiveRestriction = pass

    3. Edit file /etc/drweb/drweb32.ini and increase the value for the parameters FileTimeout and MaxFileSizeToExtract:

      FileTimeout = 60
      MaxFileSizeToExtract = 100000

      Note: Value of the MaxFileSizeToExtract variable can be changed as desired

    4. Restart Plesk Premium Antivirus in Tools & Settings > Services Management to apply changes.

 

  • Disable antivirus notifications completely:

    1. Connect to the server via SSH

    2. Edit file /etc/drweb/drweb_handler.conf and disable SenderNotify and AdminNotify for ArchiveRestrictionNotifications:

      [ArchiveRestrictionNotifications]
      SenderNotify = no
      AdminNotify = no

    3. Restart Plesk Premium Antivirus and SMTP Server in Tools & Settings > Services Management to apply changes.

Read the full article
Related Posts
Knowledge Base

Hosting Wiki

Industry
Partners

industry-partner_ALIBABA
industry-partner_GOOGLEPARTNER
industry-partner_MICROSOFT
industry-partner_REDHAT-r2
industry-partner_ALIBABA
industry-partner_AUTOMATTIC
industry-partner_AWS
industry-partner_DIGITALOCEAN
industry-partner_SCALEWAY

© 2024 WebPros International GmbH. All rights reserved. Plesk and the Plesk logo are trademarks of WebPros International GmbH.

Managed with love with Plesk WP Toolkit