Plesk & DrWeb: “read error” on e-mails being scanned

Author: No comments

If you're running DrWeb32 anti-virus in combination with Plesk, you may have noticed a lot of "read error" messages since the last few days. In your maillogs, it could look like this.

Dec 19 06:00:07 server qmail-queue[9434]: scan: the message(drweb.tmp.hdrl8i) sent by  to daemon return error (read error, after scanning/curing composite object is clean) -- possible problem with daemon or file

The mails received contain content like this.

Antivirus filter report:
--- Antivirus report ---
Detailed report: [1636] drweb.tmp.0Ugml7 -- archive MAIL [1636] drweb.tmp.0Ugml7/[text:plain] -- Ok [1636] drweb.tmp.0Ugml7/ -- archive ZIP [1636] >drweb.tmp.0Ugml7/ -- Ok [1636] >drweb.tmp.0Ugml7/ -- read error!

Official fix by Parallels

Update: Parallels has released an official KB with a resolution: If that does not work, you can try the steps below -- but they should be obsolete.

Workaround without Parallels

Only try the steps below if the above KB doesn't resolve your issue.

A quick fix for now is to change the way DrWeb handles the files that contain scanning errors or processing errors. Edit the file /etc/drweb/drweb_handler.conf and search the following.

ScanningErrors = quarantine
ProcessingErrors = reject

And change it to the following.

ScanningErrors = pass
ProcessingErrors = pass

And restart DrWeb.

~# /etc/init.d/drwebd restart

The problem is caused by an update that was pushed automatically on December 15th. It will be resolved as soon as Parallels has a fix for this, after that the fix is also applied automatically as DrWeb loads it's updates.

# grep -Pi 'drweb' /etc/cron* -R
/etc/cron.d/drweb-update:*/30 * * * * drweb /opt/drweb/

In this case, every 30 minutes the update is being checked.

Add Your Comment