Knowledge Base

Emails with valid archived files in attachement are blocked by `drwebd` service

Symptoms

Emails with valid archived files in attachments are blocked by drwebd service:

A message with the following attributes was not delivered because it contains an object which violates archive restrictions and cannot be checked by antivirus filter.
Relaying such messages is blocked by administrator.
A similar message can be found in the antivirus report and in the sender's mailbox:

--- Antivirus report ---
Detailed report:
127.0.0.1 [26365] drweb.tmp.g2tuDx - archive MAIL
127.0.0.1 [26365] >drweb.tmp.g2tuDx/4.part - Ok
127.0.0.1 [26365] >drweb.tmp.g2tuDx/6.part - archive RAR
127.0.0.1 [26365] >>drweb.tmp.g2tuDx/6.part/16-12-2015 Acc+Greenacc hrms bk 16-12-2015.bak - Ok
127.0.0.1 [26365] >>drweb.tmp.g2tuDx/6.part/16-12-2015 Acc+Greenerp 16-12-2015.bak - Ok
127.0.0.1 [26365] >>drweb.tmp.g2tuDx/6.part/16-12-2015 Acc+GreenHrms-Green 16-12-2015.bak - Ok
127.0.0.1 [26365] >drweb.tmp.g2tuDx/6.part - Ok
127.0.0.1 [26365] >drweb.tmp.g2tuDx/7.part - archive RAR
127.0.0.1 [26365] >>drweb.tmp.g2tuDx/7.part/16-12-2015 Meps16-12-2015ece.bak - Ok
127.0.0.1 [26365] >>drweb.tmp.g2tuDx/7.part/16-12-2015 Meps16-12-2015erp.bak - Ok
127.0.0.1 [26365] >>drweb.tmp.g2tuDx/7.part/16-12-2015 Meps16-12-2015hrms.bak - file too large skipped
127.0.0.1 [26365] >>drweb.tmp.g2tuDx/7.part/16-12-2015 Meps16-12-2015ies.bak - Ok
127.0.0.1 [26365] >drweb.tmp.g2tuDx/7.part - Ok
127.0.0.1 [26365] >drweb.tmp.g2tuDx/8.part - Ok
127.0.0.1 [26365] >drweb.tmp.g2tuDx/9.reexport - Ok
127.0.0.1 [26365] drweb.tmp.g2tuDx - Ok

Scanning statistic:
Archive restriction : 1
The Switch on antivirus protection for this email address option is enabled and Check for viruses is set to Incoming and outgoing mail in Domains > example.com > Email Addresses > [email protected] > Antivirus.
A similar error is present in /var/log/messages:

drwebd.real: 127.0.0.1 [18812] >>>/var/spool/drweb/spool/drweb.tmp.qFHUZK/4.part/file.exe - - timeout!

Cause

The issue caused by insufficient values of MaxFileSizeToExtract and FileTimeout parameters of Plesk Premium Antivirus package.

Resolution

Increase maximum archive sizes and timeouts:

Note: Too high values might cause Denial of Service (DoS) attacks possible by consuming too much server resources.
1. Connect to the server via SSH
2. Edit file /etc/drweb/drweb_handler.conf by setting ArchiveRestriction as follows:
  
  ArchiveRestriction = pass
3. Edit file /etc/drweb/drweb32.ini and increase the value for the parameters FileTimeout and MaxFileSizeToExtract:
  
  FileTimeout = 60
  MaxFileSizeToExtract = 100000
  
  Note: Value of the MaxFileSizeToExtract variable can be changed as desired
4. Restart Plesk Premium Antivirus in Tools & Settings > Services Management to apply changes.

Disable antivirus notifications completely:
1. Connect to the server via SSH
2. Edit file /etc/drweb/drweb_handler.conf and disable SenderNotify and AdminNotify for ArchiveRestrictionNotifications:
  
  [ArchiveRestrictionNotifications]
  SenderNotify = no
  AdminNotify = no
3. Restart Plesk Premium Antivirus and SMTP Server in Tools & Settings > Services Management to apply changes.

Exploring Plesk’s Added Value Solutions So Far in 2023

Unveiling Sitejet Builder: The Perfect Match for Your Effortless Website Creation Needs

Dynamic List vs. Active List: A Comprehensive Comparison – Unveiling the Ultimate Winner!

Knowledge Base

Mail delivery does not work: do not list domain in BOTH mydestination and virtual_mailbox_domains

Email header analysis reports SPF failed for localhost IP on mail sent from Plesk hosted mailbox: SPF Authentication : SPF Failed for IP – 127.0.0.1

Websites on Plesk server are slow or show error 500 or PHP mail cannot be sent: ap_pass_brigade failed

Unable to send mail from Plesk server: deferred (delivery temporarily suspended: connect to 127.0.0.1[127.0.0.1]:10024: Connection refused)

Hosting Wiki