Plesk & DrWeb: “read error” on e-mails being scannedMattias Geniar, Monday, December 19, 2011 - last modified: Sunday, February 19, 2012
If you're running DrWeb32 anti-virus in combination with Plesk, you may have noticed a lot of "read error" messages since the last few days. In your maillogs, it could look like this.
Dec 19 06:00:07 server qmail-queue: scan: the message(drweb.tmp.hdrl8i) sent by to firstname.lastname@example.org daemon return error (read error, after scanning/curing composite object is clean) -- possible problem with daemon or file
The mails received contain content like this.
Antivirus filter report:
--- Antivirus report ---
127.0.0.1  drweb.tmp.0Ugml7 -- archive MAIL
127.0.0.1  drweb.tmp.0Ugml7/[text:plain] -- Ok
127.0.0.1  drweb.tmp.0Ugml7/test.zip -- archive ZIP
127.0.0.1  >drweb.tmp.0Ugml7/test.zip/test.txt -- Ok
127.0.0.1  >drweb.tmp.0Ugml7/test.zip/ -- read error!
Official fix by Parallels
Update: Parallels has released an official KB with a resolution: http://kb.parallels.com/en/113018. If that does not work, you can try the steps below -- but they should be obsolete.
Workaround without Parallels
Only try the steps below if the above KB doesn't resolve your issue.
A quick fix for now is to change the way DrWeb handles the files that contain scanning errors or processing errors. Edit the file /etc/drweb/drweb_handler.conf and search the following.
ScanningErrors = quarantine ProcessingErrors = reject
And change it to the following.
ScanningErrors = pass ProcessingErrors = pass
And restart DrWeb.
~# /etc/init.d/drwebd restart
The problem is caused by an update that was pushed automatically on December 15th. It will be resolved as soon as Parallels has a fix for this, after that the fix is also applied automatically as DrWeb loads it's updates.
# grep -Pi 'drweb' /etc/cron* -R /etc/cron.d/drweb-update:*/30 * * * * drweb /opt/drweb/update.pl
In this case, every 30 minutes the update is being checked.