ClamAV Scan MailboxStore

ClamAV Scan MailboxStore

   KB 15973        Last updated on 2015-07-11  

(0 votes)


Sites that need to rescan for zero-day exploits that may have evaded ClamAV can scan and remove the e-mails after the fact (manually or through a cron job). This allows for e-mails to be removed from user's mailboxes even after they may have gone through. This could be useful during after-hours, on weekends, or just to ensure and lower the chances that someone does not inadvertently later open a malicious e-mail.


To setup clamd scanning on-demand, create a subdirectory underneath /opt/zimbra/ (for example, mine is /opt/zimbra/ryan) and run the following commands as the zimbra user (as root: su - zimbra)


(NOTE: You may also use a text editor of your choice)

Now, insert the following "code" into the file:



echo "Scanning Mail Store for Viruses"

~/clamav/bin/clamscan --database ~/data/clamav/db/ --recursive=yes --infected ~/store/0/ | while IFS=/ read root opt zimbra store messagestore storeid msg folder messageid virusname found
  uid=`mysql -NBe "select comment from zimbra.mailbox where id='$storeid'"`
  msgid=`echo $messageid | cut -d'-' -f1`
  if [[ "$uid" == *.archive ]]; then
        echo "Archive: Did not remove message $msgid from $uid"
  elif [[ "$uid" == *virus*quarantine* ]]; then
        echo "Skipping message $msgid in virus quarantine"
        zmmailbox -z -m $uid dm $msgid
        echo "Found and removed infected message $msgid from $uid"


Save the file and run chmod +x The file is now ready for execution.


In order to run the file, you would simply run it as you would any other shell script or binary file (do this as the zimbra user) either going to the directory and ./ or by using the entire path.

NOTE: You can also set this to run in a cron job at intervals of your choosing. My only suggestion is to let each execution completely finish before starting a new one.

In any case, the application will echo to your terminal that it is executing. It will then scan and remove the viruses automatically except for the virus-quarantine account and accounts ending in .archive (if you use a different naming convention, please change it in the code above.

This script is not meant to be glamorous or extremely efficient. Instead, it is functional. If you have suggestions to this, please do so! The better it is, the better it will be for everyone to enjoy :).

Verified Against: ZCS 7.1.x and prior Date Created: 03/19/2012
Article ID: Date Modified: 2015-07-11

Try Zimbra

Try Zimbra Collaboration with a 60-day free trial.
Get it now »

Want to get involved?

You can contribute in the Community, Wiki, Code, or development of Zimlets.
Find out more. »

Looking for a Video?

Visit our YouTube channel to get the latest webinars, technology news, product overviews, and so much more.
Go to the YouTube channel »

Jump to: navigation, search