Symptoms
- Emails with valid archived files in attachments are blocked by the drwebd service.
- A similar message can be found in the antivirus report and in the sender's mailbox:
--- Antivirus report ---
Detailed report:
127.0.0.1 [26365] drweb.tmp.g2tuDx - archive MAIL
127.0.0.1 [26365] >drweb.tmp.g2tuDx/4.part - Ok
127.0.0.1 [26365] >drweb.tmp.g2tuDx/6.part - archive RAR
127.0.0.1 [26365] >>drweb.tmp.g2tuDx/6.part/16-12-2015 Acc+Greenacc hrms bk 16-12-2015.bak - Ok
127.0.0.1 [26365] >>drweb.tmp.g2tuDx/6.part/16-12-2015 Acc+Greenerp 16-12-2015.bak - Ok
127.0.0.1 [26365] >>drweb.tmp.g2tuDx/6.part/16-12-2015 Acc+GreenHrms-Green 16-12-2015.bak - Ok
127.0.0.1 [26365] >drweb.tmp.g2tuDx/6.part - Ok
127.0.0.1 [26365] >drweb.tmp.g2tuDx/7.part - archive RAR
127.0.0.1 [26365] >>drweb.tmp.g2tuDx/7.part/16-12-2015 Meps16-12-2015ece.bak - Ok
127.0.0.1 [26365] >>drweb.tmp.g2tuDx/7.part/16-12-2015 Meps16-12-2015erp.bak - Ok
127.0.0.1 [26365] >>drweb.tmp.g2tuDx/7.part/16-12-2015 Meps16-12-2015hrms.bak - file too large skipped
127.0.0.1 [26365] >>drweb.tmp.g2tuDx/7.part/16-12-2015 Meps16-12-2015ies.bak - Ok
127.0.0.1 [26365] >drweb.tmp.g2tuDx/7.part - Ok
127.0.0.1 [26365] >drweb.tmp.g2tuDx/8.part - Ok
127.0.0.1 [26365] >drweb.tmp.g2tuDx/9.reexport - Ok
127.0.0.1 [26365] drweb.tmp.g2tuDx - Ok
Scanning statistic:
Archive restriction : 1
- The Switch on antivirus protection for this email address option is enabled and Check for viruses is set to Incoming and outgoing mail in Domains > example.com > Email Addresses > [email protected] > Antivirus.
- A similar error is present in /var/log/messages:
drwebd.real: 127.0.0.1 [18812] >>>/var/spool/drweb/spool/drweb.tmp.qFHUZK/4.part/file.exe - - timeout!
Cause
The issue is caused by insufficient values of the MaxFileSizeToExtract and FileTimeout parameters of the Plesk Premium Antivirus package.
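To see which attachment hit which limit before changing anything, the report lines can be triaged with a short script. This is an added example, not part of the original article or of Plesk Premium Antivirus; the sample lines are constructed in the format shown under Symptoms, and the mapping from status text to parameter is an assumption based on the pairing of symptoms and cause on this page.

```python
import re

# Constructed sample in the format of the report and /var/log/messages lines above.
SAMPLE = """\
127.0.0.1 [26365] drweb.tmp.g2tuDx - archive MAIL
127.0.0.1 [26365] >drweb.tmp.g2tuDx/4.part - Ok
127.0.0.1 [26365] >drweb.tmp.g2tuDx/7.part - archive RAR
127.0.0.1 [26365] >>drweb.tmp.g2tuDx/7.part/16-12-2015 Meps16-12-2015erp.bak - Ok
127.0.0.1 [26365] >>drweb.tmp.g2tuDx/7.part/16-12-2015 Meps16-12-2015hrms.bak - file too large skipped
drwebd.real: 127.0.0.1 [18812] >>>/var/spool/drweb/spool/drweb.tmp.qFHUZK/4.part/file.exe - - timeout!
"""

# host [pid] <'>' per nesting level><path> - <status>. File names may contain
# spaces and dashes, so the greedy path group stops at the LAST " - " separator.
LINE = re.compile(r"(?P<host>\S+) \[(?P<pid>\d+)\] (?P<depth>>*)(?P<path>.+) - (?P<status>.+)$")

# Assumed mapping from status text to the drweb32.ini parameter to review.
HINTS = {
    "file too large skipped": "MaxFileSizeToExtract",
    "timeout!": "FileTimeout",
}

def parse_report(text):
    """Yield (depth, path, status) for every drwebd report line in text."""
    for raw in text.splitlines():
        m = LINE.search(raw.strip())
        if m:
            # The syslog form ends in "- - timeout!", which leaves " -" on the path.
            yield len(m["depth"]), m["path"].rstrip(" -"), m["status"].strip()

def skipped_objects(text):
    """Return objects the scanner did not finish checking, with the parameter to review."""
    findings = []
    for depth, path, status in parse_report(text):
        if status == "Ok" or status.startswith("archive "):
            continue  # scanned clean, or a container whose members are listed below it
        findings.append((depth, path, status, HINTS.get(status, "unknown")))
    return findings

if __name__ == "__main__":
    for depth, path, status, param in skipped_objects(SAMPLE):
        print(f"depth={depth} {path!r}: {status} -> review {param}")
```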
Resolution
- Increase maximum archive sizes and timeouts:
  Note: Values that are too high might make Denial of Service (DoS) attacks possible by consuming too much server resources.
  - Connect to the server via SSH.
  - Edit the file /etc/drweb/drweb_handler.conf and set ArchiveRestriction as follows:
      ArchiveRestriction = pass
  - Edit the file /etc/drweb/drweb32.ini and increase the values of the FileTimeout and MaxFileSizeToExtract parameters:
      FileTimeout = 60
      MaxFileSizeToExtract = 100000
    Note: The value of the MaxFileSizeToExtract variable can be changed as desired.
  - Restart Plesk Premium Antivirus in Tools & Settings > Services Management to apply changes.
- Disable antivirus notifications completely:
  - Connect to the server via SSH.
  - Edit the file /etc/drweb/drweb_handler.conf and disable SenderNotify and AdminNotify for ArchiveRestrictionNotifications:
      [ArchiveRestrictionNotifications]
      SenderNotify = no
      AdminNotify = no
  - Restart Plesk Premium Antivirus and SMTP Server in Tools & Settings > Services Management to apply changes.