ClamAv virus whitelist
Hi,
We are getting a message with signature: MBL_575906.UNOFFICIAL which does not have a virus in it, it's a wrong detection.
How does one stop EFA from blocking such message?
I tried https://www.clamav.net/documents/how-do ... -signature but it causes messages to start looping in and out of the EFA server.
thanks
W
-
- Posts: 5
- Joined: 10 Jan 2017 17:52
Re: ClamAv virus whitelist
I'm having the same issue. I wonder is there a way to set the virus flagged emails to be released like the other spam flagged emails?
Somebody Help us!
Re: ClamAv virus whitelist
anyone can help please?
- shawniverson
- Posts: 3644
- Joined: 13 Jan 2014 23:30
- Location: Indianapolis, Indiana USA
- Contact:
Re: ClamAv virus whitelist
Code:
echo "MBL_575906.UNOFFICIAL" | sudo tee /var/lib/clamav/whitelist.ign2
sudo service clamd restart
Re: ClamAv virus whitelist
Does not work, I tried that in the first place. This causes the same message to be received over and over again (without virus warning).
echo "MBL_575906.UNOFFICIAL" | sudo tee /var/lib/clamav/whitelist.ign2
sudo service clamd restart
It happens after creating the whitelist.ign2 file and rebooting (just restarting the clam daemon does not solve the detection at all - only rebooting).
So to be clear - doing what you suggested did not solve the issue (the email still gets flagged as virus). Once I reboot, the message is not shown as virus, but keeps on appearing over and over again in "recent messages" and does not get delivered to our mail server.
thanks for any help.
- shawniverson
- Posts: 3644
- Joined: 13 Jan 2014 23:30
- Location: Indianapolis, Indiana USA
- Contact:
Re: ClamAv virus whitelist
So, it sounds like clamd is failing after the addition of the whitelist.
What you are describing is a loop, most likely because clamd didn't start. Anything in the system log to indicate why this is happening?
- shawniverson
- Posts: 3644
- Joined: 13 Jan 2014 23:30
- Location: Indianapolis, Indiana USA
- Contact:
Re: ClamAv virus whitelist
testing a system now...
Re: ClamAv virus whitelist
hey guys,
any update on this? when we edit the whitelist.ign2 and restart, our EFA is very unhappy about this
mails are still getting through but within mailwatch without any spam/virus check.
after deleting the new entries in whitelist.ign2 we rebooted the box and everything was fine again...
BR
- shawniverson
- Posts: 3644
- Joined: 13 Jan 2014 23:30
- Location: Indianapolis, Indiana USA
- Contact:
Re: ClamAv virus whitelist
I tested this, and I am having no issues. So, I am wondering maybe if you have a permissions issue.
What if you set whitelist.ign2 user and group to clam?
Re: ClamAv virus whitelist
Those files are on the system
what about the .sig files - I think I need to generate a checksum so ClamAV does not think its whitelist is getting hacked?
br
Code:
-rw-r--r-- 1 root root 6.6K Oct 6 2016 /usr/unofficial-dbs/ss-dbs/sigwhitelist.ign2
-rw-r--r-- 1 root root 27 Mar 30 20:13 /var/lib/clamav/pit-whitelist.ign2
-rw-r--r-- 1 clam clam 7.3K Apr 6 12:01 /var/lib/clamav-unofficial-sigs/dbs-ss/sigwhitelist.ign2
Re: ClamAv virus whitelist
update from my side:
was only the file rights, after a simple
chown clam.clam *.ign2
did the trick
Re: ClamAv virus whitelist
Thanks for the follow up.
Re: ClamAv virus whitelist
hey guys,
after new year I get a lot of false positives from ClamAV with this signature "MBL_22685397.UNOFFICIAL".
I put this in whitelist.ign2 as you suggested:
echo "MBL_22685397.UNOFFICIAL" | sudo tee /var/lib/clamav/whitelist.ign2
I also changed the permissions on the file:
chown clam:clam /var/lib/clamav/whitelist.ign2
and restarted the service:
sudo service clamd restart
I also tried restarting the whole server, but mails are still reported (false positive) as "Virus (MBL_22685397.UNOFFICIAL)" and deleted.
Please help. I'm pulling my hair here ...
- shawniverson
- Posts: 3644
- Joined: 13 Jan 2014 23:30
- Location: Indianapolis, Indiana USA
- Contact:
Re: ClamAv virus whitelist
It might be the location of your whitelist that is a problem. Are the unofficial sigs in the same directory as your whitelist?
Re: ClamAv virus whitelist
Yes, you are right ...
I found this to correctly whitelist MBL.x signatures ...
you run:
/usr/bin/clamav-unofficial-sigs.sh -w
and you get:
################################################################################
eXtremeSHOK.com ClamAV Unofficial Signature Updater
Version: v5.6.2 (2017-03-19)
Required Configuration Version: v72
Copyright (c) Adrian Jon Kriel :: admin@extremeshok.com
################################################################################
=======================================================
Loading config: /etc/clamav-unofficial-sigs/master.conf
=======================================================
===================================================
Loading config: /etc/clamav-unofficial-sigs/os.conf
===================================================
=====================================================
Loading config: /etc/clamav-unofficial-sigs/user.conf
=====================================================
Input a third-party signature name that you wish to whitelist due to false-positives
and press enter (do not include '.UNOFFICIAL' in the signature name nor add quote
marks to the input string):
you paste the signature that you would like to whitelist, without ".UNOFFICIAL" ...
MBL_22685397
and get answer:
=======================================================
No updates detected, ClamAV databases were not reloaded
=======================================================
Signature 'MBL_22685397' has been added to my-whitelist.ign2 and
all databases have been reloaded. The script will track any changes
to the offending signature and will automatically remove it if the
signature is modified or removed from the third-party database.
The /usr/bin/clamav-unofficial-sigs.sh -w script creates two new files:
/var/lib/clamav/my-whitelist.ign2
/var/lib/clamav-unofficial-sigs/configs/my-whitelist.ign2
and inside is the new signature that is whitelisted. If you have more signatures to add, just run this command again: "/usr/bin/clamav-unofficial-sigs.sh -w"
This is it. Thanks for putting me in the right direction.
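Added example (not part of any post in this thread, and not EFA or ClamAV project code): a shell helper that gathers the three things the thread converged on, namely the entry written without ".UNOFFICIAL" as the updater prompt asks, the ignore file owned by the clam account, and the ignore file kept in the same directory as the signatures. The function names, the file name local-whitelist.ign2 and the temporary demo directory are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: helper names and demo values are assumptions.

# Drop a trailing ".UNOFFICIAL" (the updater prompt quoted above says the
# ignore entry must not include it) and reject anything but a plain name.
ign2_normalize() {
    name=${1%.UNOFFICIAL}
    case $name in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    printf '%s\n' "$name"
}

# Append the name to the ignore file unless that exact line is already there.
# Appending (>>) keeps earlier entries; "echo ... | tee FILE" replaces them.
ign2_add() {
    file=$1
    name=$(ign2_normalize "$2") || { echo "bad signature name: $2" >&2; return 2; }
    if [ -f "$file" ] && grep -qxF -- "$name" "$file"; then
        return 0
    fi
    printf '%s\n' "$name" >> "$file"
}

# True if FILE is owned by OWNER (in this thread the expected owner was "clam").
ign2_owner_ok() {
    [ "$(ls -ld -- "$1" | awk '{print $3}')" = "$2" ]
}

# True if FILE sits directly in DBDIR, the directory the signatures load from.
ign2_in_dbdir() {
    [ "$(cd "$(dirname "$1")" && pwd -P)" = "$(cd "$2" && pwd -P)" ]
}

# Constructed demo on a temporary directory standing in for /var/lib/clamav.
demo_dir=$(mktemp -d)
demo_file=$demo_dir/local-whitelist.ign2
ign2_add "$demo_file" "MBL_575906.UNOFFICIAL"
ign2_add "$demo_file" "MBL_22685397"
ign2_add "$demo_file" "MBL_575906"          # duplicate: file is left unchanged
cat "$demo_file"
ign2_in_dbdir "$demo_file" "$demo_dir" && echo "location ok"
ign2_owner_ok "$demo_file" clam || echo "owner is not clam: fix with chown"
rm -rf "$demo_dir"
```

On a real system the checks would be run against the ignore file in the signature directory before restarting clamd, so a wrong owner or location is caught before mail starts looping.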